# Controller Synthesis for Linear Time-varying Systems with Adversaries

## Abstract

We present a controller synthesis algorithm for a discrete time reach-avoid problem in the presence of adversaries. Our model of the adversary captures typical malicious attacks envisioned on cyber-physical systems such as sensor spoofing, controller corruption, and actuator intrusion. After formulating the problem in a general setting, we present a sound and complete algorithm for the case with linear dynamics and an adversary with a budget on the total L2-norm of its actions. The algorithm relies on a result from linear control theory that enables us to decompose and precisely compute the reachable states of the system in terms of a symbolic simulation of the adversary-free dynamics and the total uncertainty induced by the adversary. With this decomposition, the synthesis problem eliminates the universal quantifier on the adversary’s choices and the symbolic controller actions can be effectively solved using an SMT solver. The constraints induced by the adversary are computed by solving second-order cone programmings. The algorithm is later extended to synthesize state-dependent controller and to generate attacks for the adversary. We present preliminary experimental results that show the effectiveness of this approach on several example problems.

Keywords: Cyber-physical security, constraint-based synthesis, controller synthesis

## 1 Introduction

We study a discrete time synthesis problem for a plant simultaneously acted upon by a controller and an adversary. Synthesizing controller strategies for stabilization in the face of random noise or disturbances is one of the classical problems in control theory [1, 2]. Synthesis for temporal logic specifications [3, 4, 5], for discrete, continuous, and hybrid systems, has been studied in detail. The reach-avoid properties that our controllers target are special, bounded-time temporal logic requirements, and they have received special attention as well [6]. Unlike the existing models in the controller synthesis literature, however, the system here is afflicted by an adversary, and we would like to synthesize a controller that guarantees its safety and liveness for all possible choices made by the adversary.

This problem is motivated by the urgent societal need to secure control modules in critical infrastructures and safety-critical systems against malicious attacks [7, 8]. Common modes of attack include sensor spoofing or jamming, malicious code, and actuator intrusion. Abstracting away the mechanisms used to launch the attacks, their effect on the physical plant can be captured as a switched system with inputs from the controller and the adversary:

$$ x_{t+1} = f_{\sigma_t}(x_t, u_t, a_t), $$

where is the state of the system, and and are the inputs from the controller and the adversary. The problem is parameterized by a family of dynamical functions , a switching signal , a time bound , the set of initial states (), target states (), safe states (), and the sets of choices available to the adversary () and the controller (). A natural decision problem is to ask: does there exist a controller strategy such that, for any initial state in and any choice by the adversary in , the system remains in and reaches within time ? A constructive affirmative answer can be used to implement controllers that are -resilient, while a negative answer can inform the system design choices that influence the other parameters like , and .

We provide a decision procedure for this problem for the special case where is a linear mapping, the sets , , , and are given as polytopic sets, and is given as an ball in an Euclidean space. The idea behind the algorithm is a novel decomposition that distinguishes it from the LTL-based synthesis approaches [3] and the reachability-based techniques of [6]. The key to this decomposition is the concept of adversarial leverage: the uncertainty in the state of the system induced by the sequence of choices made by the adversary, for a given initial state and a sequence of choices made by the controller. For linear models, we show that the adversary leverage can be computed exactly. As a result, an adversary-free synthesis problem with a modified set of and requirements gives precisely the solution for the problem with the adversary.

We implement the algorithm using the convex optimization package CVXOPT [9] and the SMT solver Z3 [10]. We present experimental results that show the effectiveness of this approach on several example problems. The algorithm synthesizes adversary-resilient control for systems with up to 16 dimensions in minutes. We show that the algorithm can be applied to analyze the maximum power of the adversary for which a feasible solution exists, and to synthesize attacks for the adversary.

Scientific security analysis is necessarily parameterized by the skill and effort level of the adversary. In this paper we combine these parameters into a single parameter called the budget of the adversary, which can model sensor attacks and actuator intrusions with different strengths and persistence. We present the foundations for analyzing cyberphysical systems under attack from adversaries with different budgets. Specifically, we develop algorithms both for automatic synthesis of safe controllers and for proving that no satisfactory controller exists when the adversary has a certain budget. These algorithms can also be used to characterize the vulnerability of system states in terms of the adversary budget that makes safe control infeasible from them. In summary, we present a framework for algorithmically studying the security of cyberphysical systems in the context of model-based development.

## 2 Related Work

In this work, we employ SMT solvers to synthesize controllers for reach-avoid problems for discrete-time linear systems with adversaries. Our problem is formulated along the lines of the framework and fundamental design goals of [7, 11]. That framework was applied to study optimal control design with respect to a given objective function under security constraints [12] and the detection of computer attacks using knowledge of the physical system [13]. Similar frameworks were adopted in [14], where the authors proposed an effective algorithm to estimate the system states and designed feedback controllers to stabilize the system under adversaries, and in [15], where an optimal controller is designed for a distributed control system with communication delays. Although the motivations of the above studies are similar to ours, we focus on another aspect of the problem, which is to synthesize attack-resilient control automatically.

The idea of using SMT solvers to synthesize feedback controllers for control systems is inspired by recent works [16, 17]. In [16], the authors used SMT solvers to synthesize integrated task and motion plans by constructing a placement graph. In [17], a constraint-based approach was developed to solve games on infinite graphs between the system and the adversary. Our work extends the idea of constraint-based synthesis by introducing control-theoretic approaches to derive the constraints.

The authors of [6, 18] proposed a game-theoretic approach to synthesize controllers for the reach-avoid problem, first for continuous and later for switched systems. In these approaches, the reach set of the system is computed by solving a non-linear Hamilton-Jacobi-Isaacs PDE. Our methodology, instead of formulating a general optimization problem whose solution may not be easily computable, solves a special case exactly and efficiently. With this building block, we are able to solve more general problems through abstraction and refinement.

## 3 Problem Statement

In this paper, we focus on discrete-time linear time-varying (LTV) systems. Consider the discrete-time linear control system evolving according to the equation:

$$ x_{t+1} = A_t x_t + B_t u_t + C_t a_t, \quad (1) $$

where for each time instant , is the state vector of the controlled plant, is the controller input to the plant, and is the adversarial input to the plant. For a fixed time horizon , let us denote sequences of controller and adversary inputs by and . In addition to the sequence of matrices , , , and a time bound , the linear adversarial reach-avoid control problem, or in short, is parameterized by: (i) three sets of states called the initial, safe and goal states, (ii) a set called the controller constraints, and (iii) a set called the adversary constraints. We will assume finite representations of these sets, such as polytopes, and we will state these representational assumptions explicitly later. A controller input sequence is admissible if it meets the constraints , that is, , and an adversarial input sequence is admissible if . We define what it means to solve a problem with an open-loop controller strategy.

###### Definition 1.

A solution to a is an input sequence such that, for any initial state and any admissible sequence of adversarial inputs , the states visited by the system satisfy the conditions:

• (Safe) for all , and

• (Winning) .

In this paper we propose an algorithm that, given a problem, either computes a solution or proves that there is none. In the next section, we discuss how the problem captures instances of control synthesis problems for cyberphysical systems under several different types of attacks.

### Helicopter Autopilot Example

To make this discussion concrete we consider an autonomous helicopter. The state vector of the plant is ; the control input vector is , with a bounded range for each component. The descriptions of the state and input vectors are in Table 1. The dynamics of the helicopter are given in [19] and can be discretized into a linear time-invariant system: . The autopilot is supposed to take the helicopter to a waypoint in a 3D maze within a bounded time () while avoiding the mapped buildings and trees. The complement of these obstacles in 3D space defines the set (see Figure 1).

The computation of the control inputs () typically involves sensing the observable part of the states, computing the inputs to the plant, and feeding the inputs through actuators. In a cyber-physical system, the mechanisms involved in each of these steps can be attacked and different attacks give rise to different instances of .

Controller and Actuator attacks. An adversary with software privileges may compromise a part of the controller software. A network-level adversary may inject spurious packets in the channel between the controller and the actuator. An adversary with hardware access may directly tamper with the actuator and add an input signal of . Under many circumstances, it is reasonable to expect these attacks to be transient or short-lived (otherwise, for example, they will be diagnosed and mitigated). Then the actual input to the system becomes and the dynamics of the complete system is modified to , which gives an instance of .

Sensor attacks. Another type of adversary spoofs the helicopter's sensors (the GPS, the gyroscope) so that the position estimate is noisy. Consider a control system where the adversary-free control is a function of the sequence of sensor data. If the adversary injects an additive error into the sensors, then the control inputs computed from this inaccurate data will carry an error; the initial state will also be uncertain. We model the additive error by the adversary input . Once again, this gives rise to an instance of . Assuming that the injection of requires energy, and that the adversary has limited energy for launching the attack, then gives rise to the adversary class , where is the energy budget.

## 4 Algorithm for Linear ARAC

### 4.1 Preliminaries and Notations

For a natural number , is the set . For a sequence of objects of any type with elements, we refer to the element by . For a real-valued vector , is its -norm. For , the set denotes the closed ball centered at . For a parameter and a compact set , an -cover of is a finite set such that . For two sets , the direct sum is . For a vector , we denote as . Sets in will be represented by finite unions of balls or polytopes. An -dimensional polytope is specified by a matrix and a vector , where is the number of constraints. A polytopic set is a finite union of polytopes and is specified by a sequence of matrices and vectors. A polytopic set can be written in Conjunctive Normal Form (CNF), where (i) the complete formula is a conjunction of clauses, and (ii) each clause is a disjunction of linear inequalities.

In this paper, we will assume that the initial set is given as a ball for some and . We also fix the time horizon . The set is specified by a budget : . The set is specified by a polytopic set.

For a sequence of matrices , for any , we denote the transition matrix from to inductively as and .

A trajectory of length for the system is a sequence such that and each is inductively obtained from Equation (1) by the application of some admissible controller and adversary inputs. The state of a trajectory is uniquely defined by the choice of an initial state , an admissible control input and an admissible adversary input . We denote this state as .

The notion of a trajectory is naturally extended to sets of trajectories with sets of initial states and inputs. For a time , a subset of initial states , a subset of adversary inputs , and a subset of controller inputs , we define:

$$ \mathrm{Reach}(\Theta, U, A, t) = \{\xi(x_0, u, a, t) : x_0 \in \Theta \wedge u \in U \wedge a \in A\}. $$

For a singleton , we write as . To solve , then, we have to decide if

$$ \exists\, u \in Ctr : \Big(\bigwedge_{t \in [T+1]} \mathrm{Reach}(Init, u, t) \subseteq Safe\Big) \wedge \mathrm{Reach}(Init, u, T) \subseteq Goal. \quad (2) $$

This representation hides the dependence of the sets on the set of adversary choices.

### 4.2 Decoupling

In this section, we present a technique to decouple the problem. The decomposition relies on a result from robust control that enables us to precisely compute the reachable states of the system in terms of a symbolic simulation of the adversary-free dynamics and the total uncertainty induced by the adversary. In Section 4.6, we present an algorithm that performs this decomposition so as to eliminate the universal quantifiers on the adversary's choices and the initial states in Definitions 2 and 3.

###### Definition 2.

For any , initial state , and control , the adversary leverage at is a set such that

$$ \mathrm{Reach}(x_0, u, t) = \xi(x_0, u, 0, t) \oplus R(x_0, u, t). \quad (3) $$

Informally, the adversary leverage captures how far an adversary can drive the trajectory away from an adversary-free trajectory. It decomposes the reach set into two parts: a deterministic adversary-free trajectory , and the reachtube that captures the nondeterminism introduced by the adversary. Our solution for relies heavily on computing over-approximations of reach sets, and to that end, observe that it suffices to over-approximate the adversary leverage. For certain classes of non-linear systems, it can be over-approximated statically using techniques from robust control, such as control. It can also be approximated dynamically by reachability algorithms that handle nondeterministic modes (see, for example, [20, 21]).

For the problem with linear dynamics described in (1), where the adversary input is defined by a budget , we can compute adversary leverage precisely. The following lemma is completely standard in linear control theory.

###### Lemma 1.

For any time , if the controllability Gramian of the adversary is invertible, then

$$ R(x_0, u, t) = \{x \in \mathbb{R}^n : x^T W_t^{-1} x \le b\} $$

is the precise adversary leverage at .

###### Proof.

For , we have

$$ x_t = \alpha(t,0)\, x_0 + \sum_{s=0}^{t-1} \alpha(t, s+1) B_s u_s + \sum_{s=0}^{t-1} \alpha(t, s+1) C_s a_s. \quad (4) $$

Since we have

$$ R(x_0, u, t) = \Big\{x \in \mathbb{R}^n : x = \sum_{s=0}^{t-1} \alpha(t, s+1) C_s a_s \ \wedge\ \sum_{s=0}^{T-1} \|a_s\|^2 \le b\Big\}, $$

which is the set , with controllability Gramian . ∎

The above lemma establishes the precise adversary leverage as an ellipsoid defined by the controllability Gramian and . In this case, the ellipsoid is independent of and and only depends on . From here on, we will drop the arguments of when they are redundant or clear from context. If is singular for some , then the inverse of is replaced by its pseudo-inverse and the set is an ellipsoid in the controllable subspace.
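As an added worked example (not code from the paper or its prototype tool), the computation behind Lemma 1 for a constructed two-dimensional double integrator with unit sample time: the transition matrices of Section 4.1, the controllability Gramian W_t, the adversary drift (the last sum of Equation (4)), and the membership test for the ellipsoid R. The matrices, budget and horizon are assumed values chosen for the example, and the code is plain Python with lists so it runs without numerical libraries. The helper `boundary_drift` constructs an adversary sequence of energy exactly b whose drift lands on the boundary of the ellipsoid, which is how one can check that the lemma is tight rather than merely an over-approximation.

```python
"""Added example (not from the paper): adversary leverage of Lemma 1 for a
constructed 2-D double integrator x_{t+1} = A x_t + B u_t + C a_t.  Matrices are
lists of lists; the code accepts a time-varying sequence A_0..A_{T-1}, C_0..C_{T-1}."""
import math

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def transpose(X):
    return [list(col) for col in zip(*X)]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def transition(A_seq, t, s):
    """alpha(t, s) = A_{t-1} ... A_s, with alpha(s, s) = I (Section 4.1)."""
    M = identity(len(A_seq[0]))
    for k in range(s, t):
        M = mat_mul(A_seq[k], M)
    return M

def gramian(A_seq, C_seq, t):
    """W_t = sum_{s<t} alpha(t,s+1) C_s C_s^T alpha(t,s+1)^T (Lemma 1)."""
    n = len(A_seq[0])
    W = [[0.0] * n for _ in range(n)]
    for s in range(t):
        M = mat_mul(transition(A_seq, t, s + 1), C_seq[s])
        MMt = mat_mul(M, transpose(M))
        W = [[W[i][j] + MMt[i][j] for j in range(n)] for i in range(n)]
    return W

def inv2(W):
    """Inverse of a 2x2 matrix (the example is two-dimensional)."""
    (a, b), (c, d) = W
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

def quad_form(x, Winv):
    return sum(x[i] * Winv[i][j] * x[j] for i in range(len(x)) for j in range(len(x)))

def adversary_drift(A_seq, C_seq, a_seq, t):
    """x_t - xi(x0,u,0,t): the adversary's contribution, the last sum of (4)."""
    n = len(A_seq[0])
    x = [0.0] * n
    for s in range(t):
        M = mat_mul(transition(A_seq, t, s + 1), C_seq[s])
        for i in range(n):
            x[i] += sum(M[i][j] * a_seq[s][j] for j in range(len(a_seq[s])))
    return x

def in_leverage(x, W, budget):
    """Membership in R = {x : x^T W^{-1} x <= b}."""
    return quad_form(x, inv2(W)) <= budget + 1e-9

# Constructed instance: A = [[1,1],[0,1]] (unit sample time), C = [[0],[1]], T = 3, b = 1.
T = 3
A_SEQ = [[[1.0, 1.0], [0.0, 1.0]]] * T
C_SEQ = [[[0.0], [1.0]]] * T
BUDGET = 1.0

def leverage_check(a_seq, t=T):
    """x^T W_t^{-1} x for the drift produced by a_seq; at most BUDGET inside R."""
    return quad_form(adversary_drift(A_SEQ, C_SEQ, a_seq, t), inv2(gramian(A_SEQ, C_SEQ, t)))

def boundary_drift(c, t=T):
    """Adversary sequence a_s = lam * C_s^T alpha(t,s+1)^T c with total energy exactly
    BUDGET; its drift is lam * W_t c, which lies on the boundary of R (Lemma 1 is tight)."""
    M = [mat_mul(transpose(mat_mul(transition(A_SEQ, t, s + 1), C_SEQ[s])),
                 [[ci] for ci in c]) for s in range(t)]
    energy = sum(v[0][0] ** 2 for v in M)
    lam = math.sqrt(BUDGET / energy)
    return [[lam * v[0][0]] for v in M]
```

For the constructed instance W_3 = [[5, 3], [3, 3]]; an adversary sequence of energy 0.75 produces a drift with x^T W^{-1} x = 0.75, and the boundary sequence in direction (1, 0) reaches exactly 1 = b, so the ellipsoid is neither loose nor violated.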

### 4.4 Uncertainty in Initial Set

Following the above discussion, we show that a similar decomposition of the reachable states is possible with respect to the uncertainty in the initial state.

###### Definition 3.

Consider the initial set to be for some and . For a and a control input , the initialization factor at is a set , such that

$$ \mathrm{Reach}(B_\delta(x_0), u, 0, t) = \xi(x_0, u, 0, t) \oplus B(x_0, u, t). \quad (5) $$

The initialization factor captures the degree to which the uncertainty in the initial set can make the adversary-free trajectories deviate. For general nonlinear models, we will have to rely on over-approximating the initialization factor , but for the linear version of , the following lemma provides a precise procedure for computing it.

###### Lemma 2.

For an initial set , any , and input , if the matrix is invertible then

$$ B(\theta, u, t) = \{x \in \mathbb{R}^n : x^T [\alpha^T(t,0)\, \alpha(t,0)]^{-1} x \le \delta^{1/2}\} $$

is the precise initialization factor at .

If the matrix is singular, then a similar statement holds in terms of the pseudo-inverse of . Thus, the initialization factor is an ellipsoid defined by and and is independent of and . We will drop the arguments of when they are redundant or clear from context.

Using the decomposition of the reach set given by the above lemmas, we will first solve a new reach-avoid synthesis problem for the adversary-free system. To construct this new problem we will modify the safety and winning constraints of the . For a given time instant, the new constraints are obtained using the same approach as in robotic planning with The synthesis problem requires a solution to a sequence of such problems.

###### Definition 4.

Given a set and a compact convex set , a set is a strengthening of by if

$$ S' \oplus R \subseteq S. \quad (6) $$

A strengthening is precise if it equals . The strengthening is a subset of that is shrunk by the set . If is a polytopic set and is a convex compact set, then exact solutions to the following optimization problem yield a precise strengthening.

###### Lemma 3.

For a half hyperplane and a convex compact set , a precise strengthening of by is such that

$$ x^* = \arg\min_{x \in R} -c^T x. \quad (7) $$

###### Proof.

Fix any and . From the definition of , . Since minimizes in and , we have . It follows that . Thus and therefore .

For any , it holds that . Let . It follows that . Thus . Combined with , . Therefore . ∎

Since a polytopic set is a union of intersections of linear inequalities, the above lemma generalizes to polytopic sets in a natural way.

###### Corollary 4.

For a polytopic set and a compact convex set ,

$$ S' = \Big\{x \in \mathbb{R}^n : \bigvee_{i \in [m]} A_i x \le b_i - b_i^*\Big\}, $$

is a precise strengthening of by . Here the element of equals with being the row of and is the solution of (7).
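As an added worked example, not the paper's implementation, the strengthening of Lemma 3 and Corollary 4 for a constructed two-dimensional box S and an ellipsoidal leverage R = {x : x^T W^{-1} x ≤ b}. The paper solves (7) with a second-order cone program; because R is an ellipsoid, the optimum has the closed form max_{x ∈ R} c^T x = sqrt(b c^T W c), and this example uses that closed form in place of the SOCP solver (an assumption of the example, not a step the paper takes). The matrix W, the budget and the box are constructed values. The check routine sweeps directions and verifies both containment (6) and precision: the extreme point of S' ⊕ R in a direction is the sum of the extreme points of S' and R in that direction, so testing those points against the faces of S suffices.

```python
"""Added example (not the paper's code): precise strengthening of a polytope by an
ellipsoidal adversary leverage (Lemma 3 / Corollary 4) in pure Python.  The closed
form for the support of an ellipsoid replaces the SOCP solver the paper calls."""
import math

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def mat_vec(M, v):
    return [dot(row, v) for row in M]

def support(c, W, budget):
    """b* = max_{x in R} c^T x = -min_{x in R} -c^T x, the value of (7) for an ellipsoid."""
    return math.sqrt(budget * dot(c, mat_vec(W, c)))

def boundary_point(c, W, budget):
    """The maximizer x* of (7): x* = lam W c with lam = sqrt(budget / c^T W c)."""
    Wc = mat_vec(W, c)
    lam = math.sqrt(budget / dot(c, Wc))
    return [lam * v for v in Wc]

def strengthen(A, b, W, budget):
    """Corollary 4: S' = {x : A x <= b - b*}, with b*_i = support(A_i, W, budget)."""
    return [bi - support(row, W, budget) for row, bi in zip(A, b)]

def in_polytope(A, b, x, tol=1e-9):
    return all(dot(row, x) <= bi + tol for row, bi in zip(A, b))

def box_polytope(half):
    """S = {x : |x_i| <= half_i} in the paper's form A x <= b, rows ordered (+e_i, -e_i)."""
    n = len(half)
    A, b = [], []
    for i in range(n):
        for sgn in (1.0, -1.0):
            A.append([sgn if j == i else 0.0 for j in range(n)])
            b.append(half[i])
    return A, b

def check_box_strengthening(half, W, budget, samples=360):
    """Check S' (+) R subset of S (Definition 4) for a 2-D box S.  For each sampled
    direction c, the extreme point of S' (+) R is the vertex of the box S' with the
    signs of c plus the boundary point of R in direction c.  Returns (worst violation
    of A x <= b over those points, smallest slack): worst <= 0 means containment
    holds, and a slack of 0 means the strengthening is precise (it touches S)."""
    A, b = box_polytope(half)
    b_new = strengthen(A, b, W, budget)
    half_new = [b_new[0], b_new[2]]        # rows +e_0 and +e_1 of the box
    worst, slack = -math.inf, math.inf
    for k in range(samples):
        th = 2 * math.pi * k / samples
        c = [math.cos(th), math.sin(th)]
        r = boundary_point(c, W, budget)
        xp = [math.copysign(half_new[i], c[i]) for i in range(2)]
        x = [xp[i] + r[i] for i in range(2)]
        viol = max(dot(row, x) - bi for row, bi in zip(A, b))
        worst, slack = max(worst, viol), min(slack, -viol)
    return worst, slack

# Constructed instance: S = [-3, 3]^2, W shaped like a controllability Gramian, b = 1.
HALF = [3.0, 3.0]
W = [[5.0, 3.0], [3.0, 3.0]]
BUDGET = 1.0
```

For the constructed instance the strengthened box is |x_1| ≤ 3 − √5 and |x_2| ≤ 3 − √3: the safe region shrinks more along x_1 because the leverage ellipsoid extends further in that direction, which is exactly the per-face correction b_i^* of Corollary 4.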

### 4.6 An Algorithm for Linear ARAC

We present Algorithm 4.6 for solving the linear version of the problem.

[Algorithm 4.6 (Synthesis): the pseudocode was lost in extraction; its input/output declaration, loop over time steps and final return are described in the text that follows.]

The subroutine computes a precise adversary leverage for every time . From Lemma 1, is an ellipsoid represented by the controllability Gramian and the constant . The subroutine computes an initialization factor as described in Lemma 2 for each . The subroutine computes a precise strengthening of the safety constraints by both sets and . From Corollary 4, the strengthening is computed by solving a sequence of optimization problems. Since and are both ellipsoids (Lemmas 1 and 2), the optimization problems solved by are quadratically constrained linear optimization problems and are solved efficiently by second-order cone programming [22] or semidefinite programming [23]. For each , the set is strengthened by the corresponding adversary drift to get . The set is strengthened with respect to the adversary drift at the final time to get . Finally, makes a call to an SMT solver to check if there exists a satisfying assignment for the quantifier-free formula (8):

$$ \exists\, u \in Ctr \wedge \Big(\bigwedge_{t \in [T+1]} \xi(\theta, u, 0, t) \in Safe'_t\Big) \wedge \xi(\theta, u, 0, T) \in Goal'. \quad (8) $$

For the class of problems we generate, the SMT solver terminates and either returns a satisfying assignment or proclaims the problem unsatisfiable by returning . If , and compute the adversary leverage, initialization factor and strengthening precisely, then Algorithm 4.6 is sound and complete for the linear problem.

###### Theorem 5.

Algorithm 4.6 outputs if and only if solves .

###### Proof.

Suppose Algorithm returns . We will first show that solves . Since satisfies constraints (8), for every , . Since is a strengthening of by and , we have . Thus,

$$ \xi(\theta, u, 0, t) \oplus S_t \oplus B_t \subseteq Safe. \quad (9) $$

By Definitions 2 and 3, we have

Combining (9) and (10), we have . That is, the safety condition of (2) holds. Similarly, since is the strengthening of by and , we have . The winning condition also holds.

Conversely, suppose solves ; then it satisfies (2). Since the adversary leverage , initialization factor and strengthening are computed precisely, Equations (9) and (10) hold with equality. Thus, for any , and . Therefore is returned by Algorithm 4.6. ∎

The completeness of the algorithm is based on two facts: (i) the adversary leverage, initialization factor and strengthening can be computed precisely, and (ii) the SMT solver is complete for formula (8). The exact computation of the adversary leverage and initialization factor requires that the initial set and the admissible adversary inputs be described by balls. Since , and are polytopic sets, formula (8) is a quantifier-free formula in linear arithmetic, which can be solved efficiently, for example by the DPLL(T) algorithm [24].

## 5 Generalizations

In this section, we discuss two orthogonal generalizations of linear and algorithms for solving them, building on the algorithm . First, in Section 5.1, we present an approximate approach to solve a problem where , and are general compact convex sets. Then, in Section 5.2, we modify the definition of the linear problem so that the controller can be a function of the initial state. A solution of this problem is a look-up table, where the controller chooses a sequence of open-loop controls depending on the initial state.

### 5.1 Synthesis for Generalized Sets

We generalize the linear problem described in Section 4.1 so that , and are assumed to be compact subsets of Euclidean space. For a precision parameter , the generalized problem can be approximated by a linear problem. We define the robustness of a problem.

We present an extension of to solve this problem. For a parameter , and compact convex sets , we construct a tuple such that

1. is an -cover of initial set , that is, .

2. is an -cover of the adversary. Here each is seen as a vector in Euclidean space and the union of -balls around each over-approximates .

3. is a polytopic set such that . That is, under-approximates the actual constraints of the control , with error bounded by measured in Hausdorff distance.

The modified algorithm to approximately solve the generalized problem follows the same steps as Algorithm 4.6. The only change is in the final SMT call, where instead of solving the SMT formula (8) we solve (11).

 (11)

The soundness of this modified algorithm is independent of the choice of . That is, if it returns a satisfying assignment , then solves the problem.

###### Lemma 6.

If the modified algorithm returns , then solves linear generalized .

###### Proof.

Suppose satisfies (11). Since and are -covers of and , for any there exists an initial state such that

Let and be the precise adversary leverage and initialization factor as in Algorithm 4.6. From Lemmas 1 and 2, and are independent of the initial state and adversary input. Therefore,

Formula (11) implies that for any and . Since is a strengthening of , it follows from Definition 4 and (12) that for all and . That is, solves the generalized linear . ∎

We observe that if the approximate algorithm successfully synthesizes a control, the control solves the generalized linear problem, no matter what value takes. Moreover, as the parameter converges to 0, , and converge to the exact , and , respectively.

### 5.2 State-dependent Control

In this section, we keep the same definitions of , and as in Section 4.1; however, we consider a variant of that allows the choice of control to depend on the initial state of the system. That is, we have to decide if

$$ \forall\, x_0 \in Init : \exists\, u \in Ctr : \Big(\bigwedge_{t \in [T+1]} \mathrm{Reach}(x_0, u, t) \subseteq Safe\Big) \wedge \mathrm{Reach}(x_0, u, T) \subseteq Goal. \quad (13) $$

A solution to this generalized problem is a look-up table such that (i) the union covers the initial set, and (ii) for every , is an admissible input such that the constraints in (13) hold.

We present Algorithm 5.2 to solve this problem; it uses as a subroutine. If the algorithm succeeds, it returns a look-up table Tab which solves the above state-dependent variant of .

The parameters are invariant in the algorithm, so we omit them as arguments of . The variable is initialized as the diameter of the initial set (line 5.2). The subroutine Cover() in line  first computes an -cover of , and then pairs each with the parameter . The set stores all such pairs , such that the -ball around is yet to be examined by the algorithm for . For each ball in , the subroutine is possibly called twice, for both the ball and the single initial state , to decide whether the is successful, a failure, or whether further refinement is needed.

[Algorithm 5.2 (TableSynthesis): the pseudocode was lost in extraction. It initializes the diameter and the cover, loops while unexamined balls remain, calling on each; a successful call adds the ball and its control to Tab, a failed call on a single state returns (, Failed), and otherwise the ball is refined; on termination it returns (Tab, Success).]

###### Theorem 7.

If TableSynthesis returns (Tab, Success), then Tab solves the state-dependent . Otherwise, if TableSynthesis returns (, Failed), then there is no solution for the initial state .

###### Proof.

We first state an invariant of the while loop, which can be proved straightforwardly by induction. For any iteration, suppose Tab and are the valuations of and at the beginning of the iteration. Then we have .

Suppose returns (Tab, Success) with Tab. From line 5.2, . From the loop invariant, we have . Moreover, for any Tab, from line 5.2 and Theorem 5, for any , is an admissible input such that the constraints in (13) hold. Thus Tab solves the state-dependent .

Otherwise, suppose returns (, Failed). From line 5.2 and Theorem 5, there is no admissible that solves the from . ∎

Algorithm 5.2 is sound, that is, if the algorithm terminates, it always returns the right answer. For general sets and , the approach from Section 5.1 can be combined with Algorithm 5.2 to get state-dependent (but - and -oblivious) controllers.

## 6 Implementation and Experimental Evaluation

We have implemented the algorithm in a prototype tool in Python. The optimization problem presented in Lemma 3 is solved by the second-order cone programming solver provided by the package CVXOPT [9]. The quantifier-free SMT formula (8) is solved by the Z3 solver [10]. In Sections 6.1 and 6.2, we present the implementation of the basic algorithm , show an example in detail, present the experimental results and discuss the complexity of the algorithm. In Sections 6.3 and 6.4, we present several different applications of .

### 6.1 Synthesizing Adversary Resistant Controllers

We have solved several linear problems for a 16-dimensional helicopter system (as described in Section 3) and a 4-dimensional vehicle.

We illustrate an instance of the synthesis of the helicopter autopilot for time bound in Figure 2. The state variables, control input variables and the constraints of the system are listed in Table 1. We model an actuator intrusion attack in which the control input is tampered with by an amount of at each time . The total amount of tampering is bounded by a budget .

A control is synthesized by . We randomly sample adversary inputs with , and visualize the corresponding trajectories with control in Figure 2.

Besides the helicopter model, we studied a discrete variant of the navigation problem of a 4-dimensional vehicle, where the states are positions and velocities in Cartesian coordinates, and the controller and adversary compete to decide the accelerations in both directions.

The experimental results for different instances are listed in Table 2, where the columns represent (i) the model of the complete system, (ii) the dimensions of the state, control input and adversary input vectors, (iii) the time bound, (iv) the length of the formula representing and the number of obstacles, (v) the length of the formula representing and , (vi) the length of the quantifier-free formula in (2), (vii) the synthesis result, and (viii) the running time of the synthesis algorithm.

From the results, we observe that the algorithm can synthesize controllers for the lower-dimensional system over a relatively long horizon () in a reasonable amount of time. For the higher-dimensional (16-dimensional) system, the approach scales to a horizon of . The run time of the algorithm grows exponentially with the time bound . Comparing rows 2-4, we observe that the runtime grows linearly with the number of obstacles.

### 6.2 Discussion on Complexity of Safety Constraints

Let the quantifier-free constraints in (2) be specified by a CNF formula , where each atomic proposition is a linear constraint. We denote by the length of the CNF formula, which is the number of atomic propositions in . Notice that if we convert a CNF formula into a union of polytopes, the size of the formula can grow exponentially. Similarly, let the CNF formulas , and specify the constraints and . It can be derived from (2) that . If we fix the length of the projection of on the control for each , that is, we assume the controller constraints at different times are comparably complex, then grows linearly with the time bound . Supposing the lengths of are constant, the length of is linear in the time bound .

The length of is a function of the number and complexity of the obstacles. Suppose that the safe region is obtained by adding a polytopic obstacle to a safe region . One measure of the complexity of the obstacle is the number of rows of the matrix . Then the resulting safe region is , which implies

 ϕSafe′=ϕSafe∧¬(Ax

where is the row of . Therefore the length of increases linearly with the number of obstacles and with the number of faces of every obstacle.

In the experiments, we observe that the running time of Z3 on the SMT formula varies on a case-by-case basis. The size of the obstacles, the volume of the obstacle-free region and the number of significant digits in the entries of the constraint and dynamics matrices also affect the running time.

### 6.3 Vulnerability Analysis of Initial States

Using , we can examine the vulnerability of initial states to attackers. Fixing a controller constraint , a time bound , a safety condition and a winning condition , for each initial state there exists a maximum critical budget of the adversary such that beyond this budget the problem becomes infeasible. The lower is for an initial state, the weaker the adversary it is vulnerable to. The maximum budget can be found by a binary search on the adversary budget using Synthesis.

We examine the vulnerability of an instance of the 4-dimensional autonomous vehicle system. The result is illustrated in Figure 3, where the box at the bottom represents the , the red regions represent the obstacles whose complement is the , and the green-black region at the top is the . The black regions are the most vulnerable, with , and the lightest green regions are the least vulnerable, with . We see that the regions closer to an obstacle are darker, as an adversary with a relatively small budget () can make the vehicle run into an obstacle. We also observe that the dark regions are shifted towards the center, since the obstacles are aggregated at the center of the plane. Avoiding them may cause a controller to run out of the time bound.
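As an added end-to-end example, written for this page rather than taken from the paper's prototype, the pipeline of Algorithm 4.6 (leverage, initialization factor, strengthening, feasibility of (8)) and the binary search of this section on a constructed one-dimensional instance x_{t+1} = x_t + u_t + a_t. In one dimension with box constraints, every set in (8) is an interval, so the SMT call is replaced by exact forward interval propagation followed by backtracking of a concrete control (an assumption of the example: the paper uses Z3 for this step). All numbers below (initial ball, control bound, Safe, Goal, horizon) are constructed; the adversary sequence used to exercise the synthesized control is also constructed and has energy exactly equal to the budget.

```python
"""Added example (not the paper's tool): the linear ARAC pipeline of Section 4 in one
dimension, x_{t+1} = x_t + u_t + a_t, plus the critical-budget bisection of Section 6.3.
Interval propagation stands in for the SMT solver; this is exact in one dimension."""
import math

def leverage_radius(budget, t):
    # Lemma 1 with A_s = C_s = 1: W_t = sum_{s<t} 1 = t, so
    # R_t = {x : x^2 / t <= b} = [-sqrt(b t), sqrt(b t)].
    return math.sqrt(budget * t)

def strengthen(interval, radius):
    # Definition 4 / Lemma 3 for an interval: shrink both ends by the support of
    # the uncertainty set; None signals an empty strengthened set.
    lo, hi = interval[0] + radius, interval[1] - radius
    return (lo, hi) if lo <= hi else None

def synthesize(x0, delta, umax, safe, goal, T, budget):
    """Open-loop control u_0..u_{T-1} solving the 1-D ARAC from Init = B_delta(x0), or None."""
    # Safe'_t and Goal': strengthened by adversary leverage and by the initialization
    # factor, which here is [-delta, delta] since alpha(t, 0) = 1 (Lemma 2).
    safe_t = [strengthen(safe, leverage_radius(budget, t) + delta) for t in range(T + 1)]
    goal_T = strengthen(goal, leverage_radius(budget, T) + delta)
    if any(s is None for s in safe_t) or goal_T is None:
        return None
    if not (safe_t[0][0] <= x0 <= safe_t[0][1]):
        return None
    # Forward interval propagation of the adversary-free trajectory xi_t (formula (8)).
    reach = [(x0, x0)]
    for t in range(1, T + 1):
        lo, hi = reach[-1]
        nxt = (max(lo - umax, safe_t[t][0]), min(hi + umax, safe_t[t][1]))
        if nxt[0] > nxt[1]:
            return None
        reach.append(nxt)
    lo, hi = max(reach[T][0], goal_T[0]), min(reach[T][1], goal_T[1])
    if lo > hi:
        return None
    # Backtrack a concrete trajectory; clipping into reach[t] keeps |u_t| <= umax.
    xs = [0.0] * (T + 1)
    xs[T] = (lo + hi) / 2
    for t in range(T - 1, -1, -1):
        xs[t] = min(max(xs[t + 1], reach[t][0]), reach[t][1])
    return [xs[t + 1] - xs[t] for t in range(T)]

def run(x0, u, a):
    """Simulate the closed system under a control sequence u and adversary sequence a."""
    xs = [x0]
    for ut, at in zip(u, a):
        xs.append(xs[-1] + ut + at)
    return xs

def critical_budget(x0, delta, umax, safe, goal, T, b_hi=10.0, tol=1e-6):
    """Section 6.3: largest budget for which a solution exists, by bisection on b."""
    if synthesize(x0, delta, umax, safe, goal, T, 0.0) is None:
        return None
    lo, hi = 0.0, b_hi
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if synthesize(x0, delta, umax, safe, goal, T, mid) is None:
            hi = mid
        else:
            lo = mid
    return lo

# Constructed instance: Init = B_0.5(0), |u_t| <= 1, Safe = [-5, 5], Goal = [3, 5], T = 4.
PARAMS = dict(x0=0.0, delta=0.5, umax=1.0, safe=(-5.0, 5.0), goal=(3.0, 5.0), T=4)
```

On this instance the goal interval after strengthening is [3.5 + 2√b, 4.5 − 2√b], so the critical budget is b* = 1/16: a budget of 0.05 admits a control (three full-speed steps and a partial one), 0.1 does not, and the bisection recovers 0.0625. Running the synthesized control against the worst-case initial state and an adversary that spends its whole budget pushing backwards still lands in Goal, which is the guarantee Theorem 5 promises.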

### 6.4 Attack Synthesis

The subroutine can also be used to generate attacks by swapping the roles of the adversary and the controller. In this section, we synthesize adversarial attacks on the 4-dimensional vehicle such that the system is driven to unsafe states within a bounded time . That is, for a state , we decide whether

Notice that (14) is essentially the same as (2) with the roles of  and  switched and  negated to obtain .

We suppose that the set of adversarial inputs  is polytopic and that the control set is specified by a budget . For general convex compact sets  and , one can under-approximate  by a polytope and over-approximate  by a budget . As discussed in Section 5.1, this approximation is sound: an attack found against the smaller adversary set and the larger controller set remains an attack against the original sets.

We synthesize a look-up table as the strategy of the adversary, such that (i) , and (ii) for each state , the corresponding adversary input  satisfies (14). During the evolution of the plant under the controller, the adversary acts only when the system reaches a state  for some  in the look-up table; the corresponding attack is then triggered at , which breaks the safety of the system.

The synthesis of attacks uses the same idea of covering the state space as in , without refinement. Suppose the set of states  is compact. The adversary first creates a uniform cover of the state space and then searches for an attack for each cell of the cover. If the synthesis succeeds and returns an attack , then the cell  is vulnerable and is stored in the look-up table paired with the attack .

A result of the synthesis is illustrated in Figure 4, where the red boxes are obstacles. The vulnerable cells of the cover, each of which is a subset of , are projected onto the 2-D plane and drawn as blue regions; the white regions are not vulnerable to the attacker. The darkness of a region corresponds to the number of vulnerable cells whose projection lies in that region: if the vehicle is in a dark region, a large portion of its velocity space is vulnerable to attacks that make the system unsafe. A sample trajectory is drawn as the green curve. As it enters the lightly shaded region, its velocity does not fall into a vulnerable cell right away; as it proceeds further, it enters a vulnerable cell and an attack is triggered at the point marked with a cross.

## 7 Conclusion

We present a controller synthesis algorithm for a discrete time reach-avoid problem in the presence of adversaries. Specifically, we present a sound and complete algorithm for the case with linear time-varying dynamics and an adversary with a budget on the total L2-norm of its actions. The algorithm combines techniques from control theory with synthesis approaches from formal methods and programming languages research. Our approach first precisely decomposes the reach set of the complete system into the non-determinism contributed by the adversary input and the choice of initial state, and an adversary-free trajectory from a fixed initial state. It then tightens the  and  conditions by solving a sequence of quadratically constrained linear optimization problems (second-order cone programs), and finally derives a linear quantifier-free SMT formula over the adversary-free trajectories, which can be solved effectively by SMT solvers. The algorithm is then extended to problems with more general initial sets and more general constraints on the controller and the adversary. We present preliminary experimental results that show the effectiveness of this approach on several example problems: the algorithm synthesizes adversary-resilient controls for a 4-dimensional system over 320 rounds and for a 16-dimensional system over 15 rounds in minutes. The algorithm is further extended to analyze the vulnerability of states and to synthesize attacks.

### Future Direction

There are several interesting follow-up research topics. For example, the solution of the linear  can be used to solve adversary-free nonlinear reach-avoid problems: the dynamics are linearized along a nominal trajectory and the linearization error is modeled as the adversary.

We also plan to extend the approach to synthesize switched controllers over an infinite horizon, following an approach similar to the one suggested in [25].

Another interesting direction is to precisely define a dual of the linear . Since reachability is dual to detectability, we envision a detectability-type problem dual to , in which the adversary adds noise to the measurements. The question is then how well one can estimate, from the noisy measurements, whether the system is in an unsafe state.

### References

1. S. P. Bhattacharyya, H. Chapellat, and L. H. Keel, Robust Control: The Parametric Approach. Prentice Hall PTR, 1995.
2. T. Başar and G. J. Olsder, Dynamic Noncooperative Game Theory. SIAM, 1995, vol. 200.
3. P. Tabuada and G. J. Pappas, "Model checking LTL over controllable linear systems is decidable," in Hybrid Systems: Computation and Control. Springer, 2003, pp. 498–513.
4. A. Ulusoy, T. Wongpiromsarn, and C. Belta, "Incremental controller synthesis in probabilistic environments with temporal logic constraints," The International Journal of Robotics Research, p. 0278364913519000, 2014.
5. E. M. Wolff, U. Topcu, and R. M. Murray, "Optimization-based trajectory generation with linear temporal logic specifications," in 2014 IEEE International Conference on Robotics and Automation (ICRA 2014), Hong Kong, China, May 31–June 7, 2014, pp. 5319–5325. [Online]. Available: http://dx.doi.org/10.1109/ICRA.2014.6907641
6. Z. Zhou, R. Takei, H. Huang, and C. J. Tomlin, "A general, open-loop formulation for reach-avoid games," in CDC, 2012, pp. 6501–6506.
7. A. A. Cárdenas, S. Amin, and S. Sastry, "Research challenges for the security of control systems," in HotSec, 2008.
8. F. Pasqualetti, F. Dörfler, and F. Bullo, "Attack detection and identification in cyber-physical systems," IEEE Transactions on Automatic Control, vol. 58, no. 11, pp. 2715–2729, Nov. 2013.
9. J. Dahl and L. Vandenberghe, "CVXOPT: A Python package for convex optimization," in Proc. Eur. Conf. Op. Res., 2006.
10. L. De Moura and N. Bjørner, "Z3: An efficient SMT solver." Springer, 2008.
11. A. Cárdenas, S. Amin, B. Sinopoli, A. Giani, A. Perrig, and S. Sastry, "Challenges for securing cyber physical systems," in Workshop on Future Directions in Cyber-Physical Systems Security, 2009.
12. S. Amin, A. A. Cárdenas, and S. S. Sastry, "Safe and secure networked control systems under denial-of-service attacks," in Hybrid Systems: Computation and Control. Springer, 2009, pp. 31–45.
13. A. A. Cárdenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: risk assessment, detection, and response," in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011, pp. 355–366.
14. H. Fawzi, P. Tabuada, and S. Diggavi, "Secure estimation and control for cyber-physical systems under adversarial attacks," IEEE Transactions on Automatic Control, vol. 59, no. 6, pp. 1454–1467, June 2014.
15. Y. Shoukry, J. Araujo, P. Tabuada, M. Srivastava, and K. H. Johansson, "Minimax control for cyber-physical systems under network packet scheduling attacks," in Proceedings of the 2nd ACM International Conference on High Confidence Networked Systems. ACM, 2013, pp. 93–100.
16. S. Nedunuri, S. Prabhu, M. Moll, S. Chaudhuri, and L. E. Kavraki, "SMT-based synthesis of integrated task and motion plans from plan outlines."
17. T. Beyene, S. Chaudhuri, C. Popeea, and A. Rybalchenko, "A constraint-based approach to solving games on infinite graphs," in Proceedings of the 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM, 2014, pp. 221–234.
18. J. Ding, E. Li, H. Huang, and C. J. Tomlin, "Reachability-based synthesis of feedback policies for motion planning under bounded disturbances," in 2011 IEEE International Conference on Robotics and Automation (ICRA). IEEE, 2011, pp. 2160–2165.
19. B. Mettler, T. Kanade, and M. B. Tischler, System Identification Modeling of a Model-Scale Helicopter. Carnegie Mellon University, The Robotics Institute, 2000.
20. O. Botchkarev and S. Tripakis, "Verification of hybrid systems with linear differential inclusions using ellipsoidal approximations," in Hybrid Systems: Computation and Control. Springer, 2000, pp. 73–88.
21. T. A. Henzinger, B. Horowitz, R. Majumdar, and H. Wong-Toi, "Beyond HyTech: Hybrid systems analysis using interval numerical methods," pp. 130–144, 2000.
22. F. Alizadeh and D. Goldfarb, "Second-order cone programming," Mathematical Programming, vol. 95, no. 1, pp. 3–51, 2003.
23. L. Vandenberghe and S. Boyd, "Semidefinite programming," SIAM Review, vol. 38, no. 1, pp. 49–95, 1996.
24. B. Dutertre and L. De Moura, "A fast linear-arithmetic solver for DPLL(T)," in Computer Aided Verification. Springer, 2006, pp. 81–94.
25. J.-W. Lee, "Inequality-based properties of detectability and stabilizability of linear time-varying systems in discrete time," IEEE Transactions on Automatic Control, vol. 54, no. 3, pp. 634–641, Mar. 2009.