Distributed coordination of multi-agent systems has been discussed extensively in control, communication and computer science literature. The wide range of applications in this area includes multiple robot coordination , cooperative control of vehicle formations , flocking  and spacecraft formation flying . A strong body of literature exists on the state synchronization of homogeneous multi-agent systems with identical dynamics. In many practical applications of multi-agent systems, however, individual systems may have different dynamics with different state-space dimensions. This has instigated the need for the design of output-based control frameworks which do not require the full knowledge of dynamic states and the focus on synchronization of multi-agent systems with different dynamics based on their output information. The problem of synchronization naturally arises when a group of networked agents are seeking output-based agreement according to a certain quantity of interest that depends on the overall goal of the multi-agent system. More specifically, synchronization for a multi-agent system is defined as the agents following a desired output behavior that is achieved thorough local cooperation of neighboring agents. This cooperation is based on a feedback mechanism consisting of a weighted sum of the differences of the outputs of the neighboring agents. Some examples of systems under cooperative control resulting in sophisticated dynamic patterns which cannot be achieved by individual members are migration (or flocking), swarming, and torus.
There exists a large body of valuable works in the area of synchronization and control. The problem of synchronization for multi-agent systems with dynamic communication edges has been explored in . Adaptive synchronization of diffusively coupled systems is discussed in . Synchronization of multi-agent systems that are physically coupled is discussed in . Another interesting sub-field of synchronization in multi-agent system consists of leader-follower synchronization problems, such works include [5, 8, 9, 10]. The relationship amongst dissipativity, passivity and output synchronization has been explored in the literature as well [11, 12, 13]. Synchronization under switching topologies is discussed in . Cluster-based synchronization in which only the synchronizations of separate clusters are achieved is discussed in . Some of the other recent notable works in the area of synchronization in multi-agent systems are given in [16, 17, 18, 19, 20, 21, 22, 23, 24].
In none of the works above, the problem of security and the negative effects of malicious attacks on synchronization have been discussed. In this work, we consider the effects of a Byzantine attack on the multi-agent network. Byzantine attacks were first proposed by  and may cover different types of malicious behaviors . In our work, Byzantine agents intelligently falsify their data —Similar to the adversaries defined in [27, 28, 29]. The Byzantine agents are assumed to be powerful in the sense that they have the complete knowledge of the whole system and can update their information in an arbitrary way and send different data to distinct neighbors at the same time. Additionally, the Byzantine nodes are capable of disturbing the structure of the underlying communication graph by manipulating their feedback weights —The communication graph is usually required to meet certain conditions for synchronization to happen [11, 12, 13]. Lastly, we propose a distributed method of detection and mitigation as opposed to the more common centralized methods where a fusion center takes upon itself the responsibility of detecting and mitigating the attacks. There is obviously always a limitation to this approach as the central fusion unit may be compromised as well. Our proposed distributed detection and mitigation framework will eliminate this possibility. In the consensus literature, the decentralized method of detection has been proposed in works such as [30, 31, 32, 33]. In  for example, it is assumed that through collaboration, the Byzantine agents are aware of the true hypothesis, which is similar to the assumption we make in the present work. As another example, in 
, the authors rely on a sequential decentralize probability ratio test that is modified via a reputation-based mechanism in order to filter out the false data and only accept reliable messages. Lastly, most detection and mitigation frameworks in the literature rely on exclusion of Byzantine agents from the synchronization algorithm[34, 35]. For example, in 
, the authors propose an adaptive outlier detection framework, based on which, the outside of the bound received information are excluded from the consensus process. In our work, we propose a mitigation scheme that takes advantage of the falsified information received from the Byzantine agents and mitigates the effects of the attack without excluding the Byzantine neighbors. This is due to the fact that excluding the Byzantine agents usually is not the best practice as most synchronization algorithms[11, 12, 13], rely on balancedness and connectedness of the underlying communication graph and exclusion of Byzantine agents may contradict these conditions.
Our framework is based on each individual agent locally deciding, based on its local test statistics that contain the information received by the agent from its neighbors, whether the entire multi-agent system has reached synchronization. We also show synchronization for an event-triggered control framework. This is motivated by the fact that event-triggered control frameworks can considerably reduce communication and computation load on the band-limited communication network. Additionally, it has been shown that event-based control methods can maintain the same performance index as their continuous and periodic based control counter-parts [38, 39]. First, we show that, under no attack, the entire event-triggered multi-agent network system is capable of reaching synchronization and that each agent may decide correctly on synchronization based on their local summary statistics, if our proposed triggering-based control framework and the underlying communication graph meet certain conditions. Next, we propose a method of identifying Byzantine agents based on the statistical distribution of Byzantine agents’ outputs. We characterize and analyze the performance of the detection unit. Lastly, we propose a method of mitigation for the attacks in order to maintain the synchronization of the entire event-triggered multi-agent network system. In this vein, the contributions of our work are listed below,
We show synchronization for an event-triggered multi-agent network system with output passive agents. We introduce a local decision making process based on which each individual agent decides whether the entire system has reached synchronization or not.
We propose a simple design-oriented event-triggering control framework based on simple output-based triggering conditions which guarantees synchronization and positive lower-bounds for the inner-event time-instances (lack of Zeno behavior).
We define a rather general Byzantine attack framework, and characterize the effects of the attack on passive qualities of the multi-agent system in particular and synchronization of the entire system in general.
We introduce a decentralized detection framework for detecting the Byzantine attack.
We analyze the performance of the proposed detection framework. We characterize both the steady-state and transient performance of the detection framework.
We propose a specific method of identifying individual Byzantine neighbors and learning their attack parameters.
Lastly, we introduce two different learning-based mitigation processes; one based on the passive properties of the agents, and one based on the statistical distribution of the data received from the neighboring agents. Based on which, we propose a learning-based control framework that can considerably mitigate the negative effects of the attack.
Ii Mathematical and Statistical Preliminaries
Consider the dynamical system ,
where and are Lipschitz functions, , and , and are respectively the state, input and output of the system, and , and are the state, input and output spaces.
() The supply rate is a well-defined supply rate, if for all , where , and all solutions , , and of the dynamical system, we have,
Dissipativity and passivity are energy-based notions that characterize a dynamical system by its input/output behavior. A system is dissipative if the change in the system’s stored energy is upper-bounded by the energy supplied to the system. The energy supplied to the system is mathematically modeled by the supply function, and the energy stored in the system is mathematically modeled by the storage function.
() System is dissipative with respect to the well-defined supply rate , if there exists a nonnegative storage function such that for all , where , and all solutions , , and of the dynamical system,
is satisfied. If the storage function is differentiable, we have,
() As a special case of dissipativity, system is called passive, if there exists a nonnegative storage function such that,
is satisfied for all , where , and all solutions , , and of the dynamical system.
() System is considered to be Output Feedback Passive (OFP), if it is dissipative with respect to the well-defined supply rate,
for some . Additionally, if the storage function is differentiable, we may have,
The above definition presents a more general form for the concept of passivity. Based on Definition 4, we can denote an output passive system based on its output passivity index. If then the system has a shortage of passivity. A positive value for the passivity index indicates an excess in passivity. If , then the system is called output strictly passive (OSP).
() System is called finite-gain -stable, if for the smallest possible positive gain , and , a exists such that over the time interval and for any positive , we have,
Here, and represent the -norm of truncated signals over the time interval . For instance,
In probability theory, the expected value
of a random variable, intuitively, is the long-run average value of repetitions of the experiment it represents, in the continuous sense, this is defined as,
represents the probability density function (PDF) of a distribution. Expectation of the random variableconditioned on the hypothesis (or random distribution) is represented as
. The complementary distribution function of the standard normal Gaussian distribution with zero meanis denoted as . The Gaussian distribution with mean
and varianceis denoted as . Null and alternative hypotheses are represented as and . Probability of an event is represented as
. Probability of false alarm (type 1 error) or accepting the alternative hypothesis and rejecting the null hypothesis mistakenly is shown asand probability of detection is .
Iii The Communication Graph Model
The communication flow between agents may be represented as a weighted directed graph . A graph is directed, if its edges have direction. We consider a finite positively weighted directed graph with no loops and with the adjacency matrix , where the entry , if there is a directed edge from vertex to vertex , otherwise . The adjacency matrix represents both the link weights and the topology of the graph. is the vertex set including all vertices (all agents), . is the edge set including all edges (communication links), . The agent can send information to agent , if and . The in-degree of a vertex is given by and the out-degree of a vertex is given by where respectively represents the in-neighbor () and out-neighbor () agents that have a communication link in common with agent . We introduce the diagonal degree matrix with . The weighted Laplacian matrix of the graph is defined as . For the graph presented in Fig. 1, we have,
 A vertex is balanced, if its in-degree is equal to its out-degree. A directed wighted graph is balanced, if all of its vertices are balanced.
It is important to note that the followings hold for a balanced directed graph, and , where
is a vector of size. The graph presented in Fig. 1 is balanced.
 A path of length in a directed graph is a sequence of distinct vertices such that for every , is an edge. A weak path is a sequence of distinct vertices such that for every , either or is an edge. A directed graph is weakly connected if any two vertices can be joined by a weak path.
 A directed graph is connected, if for any pair of distinct vertices and , there is a weak path from to . A directed graph is strongly connected, if for any pair of distinct vertices and , there is a directed path from to .
The connectivity measures of directed graphs are related to the algebraic properties of their Laplacian matrices .
 For a directed graph with the Laplacian matrix , the algebraic connectivity is a real number defined as
For a balanced connected graph G with nonnegative weights and Laplacian matrix , we have , where
is the second smallest eigenvalue of the matrix() . Lastly, we define and . denotes the set of all neighboring nodes that send information to agent including the weights associates with their communication graph topology. denotes the set of all neighboring nodes that receive information from agent including the weights associates with their communication graph topology. For a balanced graph, the cardinality of these two are equal . For instance, for the graph presented in Fig. 1, we have: and .
Iv Problem Statement
We consider the problem of synchronization for a multi-agent system consisting of agents under an event-triggered network control framework. We assume that agents are output passive,
We consider an efficient event-based framework where agents communicate with each other only when necessary. In other words, agent sends new information to its neighboring agents when the last information sent to other agents is outdated and requires a new modification based on ’s current dynamics and the event-triggering condition. This considerably decreases the communication load on the shared network. Consequently, it is assumed that the agents that will receive the new information from will update their control inputs accordingly. Each agent establishes a new communication attempt with its neighboring agents over a band-limited networks when its triggering condition is met. The triggering conditions are output-based and simple to design,
The event-detector is located on the output of each agent to monitor the behavior of its output. An updated measure of is sent to the communication network when the error between the last information sent () and the current one, (for ) exceeds a predetermined threshold established by the designer based on the relation given in Eq. 1 and the design parameter . At instances for which the triggering condition is met, and new information is successfully exchanged and the error is set back to zero, . These simple triggering conditions will facilitate the design process by making it easier for the designer to understand and analyze the trade-offs amongst synchronization, performance and communication load. Each agent has its own respective sampler condition which is designed based on its passivity properties and its location in the underlying communication graph. This will be analytically presented in Section VII. Theorem 1 outlines the design condition for each . The control input for each agent is represented by the summation of the differences between the agent’s output and the output of its neighboring agents multiplied by respective positive control gains,
More specifically, the input for agent consists of the summation of , where represents agent ’s last output sent to its neighbors, and represents the last received output from the neighboring agent where . represents a control gain established by agent for each neighboring agent,
One can represent the underlying communication graph according to Section III, in which case the control gains represent the arc weights in the graph. The assumption made here is that during the initialization and design of the gains and communication links for the entire multi-agent, the underlying communication graph is connected and balanced. We denote the outputs of agents by the vector . We define the matrix as follows,
where . Matrix exhibits the following properties: , , and,
To measure synchronization mathematically, we define,
represents a measure for synchronization of agents. only happens when all agents reach the same synchronized state . We have . Further,
Lastly, we can show that,
where represents the algebraic connectivity of the underlying communication graph and is the Laplacian matrix. In Section VII, we represent the results for synchronization of the entire event-triggered multi-agent system and the design conditions for each event-detector based on the passivity properties of agents and algebraic properties of the communication graph.
V Sensing, Detection and Fusion Frameworks
The three most popular signal detection approaches for spectrum sensing are matched filtering detection method, feature detection method, and energy detection method . Here, we adopt an energy-based detection approach for the detection center on each agent [45, 46]. The energy detector measures the energy in the input wave over a specific time interval. This means that our framework is based on detecting a deterministic signal over a noisy communication channel. The energy detection method, however, cannot differentiate between noise and signal, but at the same time does not need any prior knowledge about the signal’s distribution. It is assumed that the detection center makes decisions under a Neyman-Pearson (NP) set-up, and that the adversary is aware of it . The local summary statistic of each agent is calculated from the received signal energy from the neighboring agents. As mentioned, at each triggering instance, each agent communicates with its neighbors. In our detection framework, this means that each communication attempt will update the summary statistic of neighboring agents. This process continues until the whole multi-agent system synchronizes to a steady-state. This steady-state represents the global test statistic at which the entire multi-agent system has reached synchronization. At each updating instance, each agent makes a decision whether the entire system has reached synchronization or not. As later defined, this process also decides if a neighboring agent is Byzantine or not. In order to fulfill the premise behind this framework, each agent is equipped with a detection unit that has access to the network topology in order to gain information . We explain this in more details in this section.
The signals received by each agent’s detection unit are assumed to be unknown in details but deterministic. The band-limited communication environment in which signals travel is known. The noise is assumed to be Gaussian and additive with zero mean. Based on the assumption of a deterministic signal, we know that the input with signal present is Gaussian with a nonzero mean. For agent , at time instant , the sensed signal received from the neighboring agent , is given as,
where represents the channel gain and represents the noise for the communication link from agent to agent ( and here represent the hypotheses under which, the signal is present or not). The channel gain in the communication link between each two agents, models the effects of channel shadowing, channel loss and fading. is additive Gaussian noise with zero mean and variance . It is assumed that the noise and signal are statistically independent. The channel gains and noise variances for channels are readily available for each agent. These assumptions are justified by the fact that each detection unit can perform simple noise power estimation and channel gain estimation (by averaging the signal-to-noise ratio over a certain time interval) between consecutive sensing intervals to accurately obtain these values . Additionally, we assume that is considered larger than the estimate value to compensate for any overhead .
It has been shown that control gain designs that compensate for the negative effects of the communication channel comparatively perform better . As a result, one can design the optimal control gains (explained in details in Section IV) according to to compensate for channel effects. This is not a necessary rule to follow for the results presented in this paper. This weight design, however, will efficiently assign higher weights to channels with higher Signal-to-Noise ratio (more confidence in the received data) and vice-versa . Lastly, the channel gains are assumed independent of each other, known and constant over each sensing period. This is justified by the slow-changing nature of the communication links where the delay requirement is short compared to the channel coherence time . Each agent calculates a local summary statistic over a detection interval of samples, from the information received from its neighboring agent ,
It can be assumed that where is an integer representing the time-bandwidth product of the energy detector with standing for the effective spectrum sensing time-interval and standing for the bandwidth of the sensing spectrum . represents the last output sent from agent to its neighboring agents at instance , which is also utilized in calculating the local summary statistic over the detection interval of . The energy in a finite number of samples for the local summary statistic can be approximated by the sum of squares of statistically independent Gaussian random variables having certain means (
) and equal variances. This sum has a Chi-Square distribution withdegrees of freedom in the absence of signal. In the presence of a deterministic signal ( hypothesis), the sampling plan yields an approximation to the energy consisting of the sum of squares of random variables, where the sum has a non-central Chi-Square distribution with degrees of freedom with the non-centrality parameter ,
V-a Decision Making Step
Each agent makes local decisions as to whether the entire multi-agent system has reached synchronization or not. The summary statistic for synchronization, given the entire system, may be represented as , where for . This then can be compared against a threshold in order to decide if the system has synchronized. If this holds for the entire event-triggered multi-agent system then the entire multi-agent network has synchronized. Each agent , however, makes its own decision on the synchronization hypothesis using the predefined threshold ,
Where, (see (20)). is a positive constant representing the allowed margin of error (or our confidence in the process). The exact choice of depends on the desired detection and false alarm rates and is beyond the scope of work presented here. This is explained in more details in Section VIII. We assume the threshold has already been selected based on performance, detection and false alarm criteria. The relation in (V-A) means that if sums of differences between an honest agent’s output and the outputs of all its neighboring agents is small enough, then the honest agent may decide that the multi-agent system has reached synchronization. In other words, the entire event-triggered multi-agent system has reached synchronization, if for .
Vi Byzantine Attack
Multi-agent systems are vulnerable to attacks due their strong reliance on secure communication links and legitimate exchange of information. One of the most common type of such attacks is named Byzantine. Originally, proposed in , a Byzantine attack may take different forms [52, 53], our focus in this paper remains with intelligent data-falsification and weight manipulation attacks [28, 27]. The main goals of Byzantine attackers is to first decrease the detection probability and increase the probability of false alarms, and then to degrade the multi-agent system’s performance. This makes the problem of the Byzantine attack and defending against it very challenging and complicated. For the Byzantine agents, we adopt an approach that leaves the attacker with more power than usually allowed in practice. This leads to a conservative assessment of security risks but helps with analytical tractability. In this vein, we assume that Byzantine agents in fact know the true hypothesis and they use this knowledge to construct the most effective fictitious data in order to confuse the synchronization goal. This assumption obviously is difficult (but not impossible) to satisfy in practice. For this to be possible, the attackers should have a separate network for the cooperation amongst themselves.
As we will show in Section VII, for the entire event-triggered multi-agent network system to reach synchronization, a connected balanced communication graph is required. In Section VII, we also quantify the negative effects of weight manipulation resulting in an unbalanced underlying communication graph. We assume that Byzantine agents attack the multi-agent system from two different angles. First, the Byzantine agents disturb the underlying premise behind the convergence of the multi-agent system by introducing new weights that will undermine the balanced property of the underlying communication graph. Second, the Byzantine agents falsify their own information sent to other honest agents in order to conceal their identity and also to coerce the entire multi-agent system into following their desired behavior. The attack model, we consider is extremely general and covers several different Byzantine plots. To be more specific, if the event-triggered multi-agent network system is designed and initialized according to Theorem 1 by the designer to reach synchronization, then we assume that at the initialization instance, the Byzantine agents introduce the following fictitious weights into the underlying communication graph,
Additionally, at each communication instance, we assume that the Byzantine agents falsify their information according to,
Where may represent the power of the attack inflicted by the Byzantine agent . The model presented above allows the Byzantine nodes to manipulate their weights and falsify their information in a completely arbitrary manner based on their desire. As a result, the Byzantine agents are able to conceal themselves while degrading the performance of the entire system.
Vi-a Modeling of the Data Falsification Attack
The main goal of the Byzantine agents is to manipulate the sensing results in a stealthy way and to reverse the synchronization status. In the presence of a synchronized state, the goal is to ”vandalize” and move the multi-agent’s state back to the state of lack of synchronization (), and in the absence of synchronization, the goal is to ”exploit” and to move the current state to the state of the presence of synchronization at the desired value set by the Byzantine agents (). This type of data injection attack is adaptive and extremely general. Each Byzantine agent may perform a stealthy manipulation of sensing data independently. The attack is ”adaptive”, in the sense that the data-falsification is based on the neighbors’ states, and with the assumption that the adversary has prior knowledge on the detection algorithm. The attack is ”covert”, in the sense that the adversary manipulates the sensing data without being detected. Outsider attackers can be effectively expelled from the network with an authentication mechanism. In this work, we focus on insider attackers that reside in legitimate nodes.
Based on the assumption that Byzantine agents are intelligent and know the true hypothesis, we analyze the worst case detection performance of data-falsifications and define the attack devised by the agent as follows,
where is the attack probability and is the Byzantine agent’s true time-variant output. is a constant value that represents the strength of the attack. is set by the Byzantine agent based on the information it receives from its neighbors and may be positive or negative to fulfill the ”exploitation” and ”vandalism” objectives. For example, under the hypothesis , we may define the test statistics . The Byzantine agent by utilizing the attack parameter or may commit vandalism (, ). Under the hypothesis , we may define the mean values , , and for an honest communication from agent to the host agent and for a Byzantine communication from agent to the host agent over the detection interval . One can see that, , hence the Byzantine agent with the selection of may commit an exploitative attack (). Lastly, the Byzantine agent can adaptively estimate the relationship between its true output and its neighboring outputs based on the information it receives and accordingly set the value of .
This modeling of Byzantine attacks is quite common in literature and covers a vast domain of adversary models . The above inequalities show the basic principle in terms of the amount of changes an attacker has to inject in order to fulfill ”exploitation” and ”vandalism” objectives, respectively. Lastly, as shown later, Byzantine agents will use large values for
’s so that the magnitude of the local test statistics are dominated by the Byzantine agents’ outputs and the degradation of the detection performance and the overall system’s performance is maximized. This is, however, in odds with the Byzantine agents’ other objective to conceal themselves. As a result, the Byzantine agents will have to choose their parameters wisely in order to fulfill both concealment and performance degradation objectives.
Vii Main Results
Vii-a Synchronization Results
Consider the event-triggered multi-agent system described in Section IV, where each sub-system is output passive with the output passivity index and is controlled by the input mechanism given in (2). If the underlying connected communication graph is balanced, the communication time-delays and disturbances are negligible, and the communication attempts amongst all agents where , are governed by the triggering conditions,
where the design parameters are chosen such that,
where and are design variables and is the connectivity of the underlying communication graph, then the entire event-triggered multi-agent system achieves output synchronization asymptotically.
Each agent is output passive with the storage function (Lyapunov function) where,
where the output passivity level is indicated by . are the inputs and outputs of appropriate dimensions for the agent . The error of the triggering condition for agent is defined as for triggering instances . Accordingly, for each agent, we have between each two triggering instances. Given the control input in (2), and the framework described in Section IV, the input to the agent is defined as,
where are the triggering instances. The relationship for the storage function of agent becomes,
In order to show synchronization for all agents, we consider the following storage function for the entire multi-agent system,
As we explained in Section III and Section IV, the flow of information amongst agents may be represented by the Laplacian of the underlying communication graph . Moreover, if we define the matrix , then we have,
where represents the algebraic connectivity of the underlying connected communication graph. Next, we may show the following,
For all and , we can have: and where . Utilizing these relationships in (12), we have,
This can be further simplified to have,
Further, we know that between any two triggering instances, one can show . This further gives us,
We have assumed that the underlying communication graph is balanced. This property implies that . This leads to,
We introduce the square diagonal matrix