# Self-triggered Coordination over a Shared Network under Denial-of-Service

## Abstract

The issue of security has become ever more prevalent in the analysis and design of cyber-physical systems. In this paper, we analyze a consensus network in the presence of Denial-of-Service (DoS) attacks, namely attacks that prevent communication among the network agents. By introducing a notion of Persistency-of-Communication (PoC), we provide a characterization of DoS frequency and duration such that consensus is not destroyed. An example is given to substantiate the analysis.

## 1 Introduction

In recent years, the issue of security has become ever more prevalent in the analysis and design of cyber-physical systems (CPSs), namely systems that exhibit a tight conjoining of computational resources and physical resources.
As argued in [1, 2], security in CPSs drastically differs from security in general-purpose computing systems since attacks can cause disruptions that transcend the cyber realm and affect the physical world. In CPSs, attacks to the communication links can be classified as either deception attacks or Denial-of-Service (DoS) attacks. The former affect the trustworthiness of data by manipulating the packets transmitted over the network; see [3]-[5] and the references therein. DoS attacks are instead primarily intended to affect the timeliness of the information exchange, *i.e.*, to cause packet losses; see for instance [6, 7] for an introduction to the topic. This paper is concerned with DoS attacks.

In the literature, the problem of securing robustness of CPSs against DoS has been investigated by many research groups [8]-[13]. In these papers, however, the analysis is restricted to a *centralized* setting, namely to a classical (single-loop) plant-controller configuration. On the other hand, no quantitative results are available for *distributed* settings. The purpose of this paper is to explore this topic.

We investigate the issues of DoS with respect to *consensus* networks. Specifically, inspired by [14], we consider a *self-triggered* consensus network. At each sampling time, a certain subset of active agents poll their neighbors obtaining relative measurements of the consensus variable of interest: the available information is then used by the active agents to update their controls and compute their next update times.
The attacker objective is to prevent consensus by denying communication among the agents.
Consensus is a prototypical problem in distributed settings with a huge range of applications, spanning from formation and cooperative robotics to surveillance and distributed computing; see for instance [14]-[18].
On the other hand, self-triggered coordination turns out to be of major interest when consensus has to be achieved
in spite of possibly severe communication constraints. In this respect, a remarkable feature of self-triggered
coordination lies in the possibility of ensuring consensus properties in the absence of any
global information on the graph topology and with no need to synchronize the agentsÃ local clocks.

A basic question in the analysis of distributed coordination in the presence of DoS is concerned with the modeling of DoS attacks. In this paper, no assumption is made regarding the DoS attack underlying strategy. We consider a general attack model that only constrains the attacker action in time by posing limitations on the frequency of DoS attacks and their duration. This makes it possible to capture many different types of DoS attacks, including trivial, periodic, random and protocol-aware jamming attacks [19]-[22]. One contribution of this paper is an explicit characterization of the frequency and duration of DoS attacks under which consensus properties can be preserved. The result is intuitive as it relates consensus with the ratio between the on/off periods of jamming.

The analysis taken here reminds of stability problems for switching systems. More specifically, since DoS generates communications failures, the problem is naturally casted as a consensus problem for switching topology networks. This problem is certainly not new in the literature. For instance, [15] shows that agreement can be reached whenever the graph connectivity is preserved point-wise in time; [17] suggests a *Persistency of Excitation* (PoE) condition, which stipulates that graph connectivity be established over a period of time, rather than point-wise in time, which is similar to joint connectivity assumption in [16].
In CPSs, however, the situation turns out to be drastically different. In fact, one needs to deal with the fact that networked communication is inherently digital, which means that the rate at which the transmissions are scheduled cannot be arbitrarily large.
Under such circumstances, the aforementioned tools turn out be ineffective.

In order to cope with this situation, we introduce a notion of *Persistency of Communication* (PoC). This notion naturally extends the PoE condition to a digital networked setting by requiring that the graph connectivity
be established over periods of time that are consistent with the constraints imposed by the communication medium.
A characterization of DoS frequency and duration under which consensus properties can be preserved is then obtained by exploiting the PoC condition.

The remainder of this paper is organized as follows. In Section II we formulate the control problem along with a characterization of the considered class of DoS signals. The main results in Section III. A numerical example is given in Section IV. Finally, Section V ends the paper with concluding remarks.

*Notation*. The notation adopted in this paper is in the main standard.
We denote by , , the sets of real, positive, and nonnegative numbers, respectively. Also, we denote by the set of nonnegative integers.

## 2 Problem Formulation

### 2.1 Distributed Control System

We assume to have a set of nodes representing our agents and an undirected connected graph with a set of unordered pairs of nodes, called edges. We denote by and the Incidence and Laplacian matrix of , respectively, where the latter is a symmetric matrix. For each node , we denote by the set of its neighbors, and by its degree, that is, the cardinality of

We consider the following hybrid dynamics on a triplet of -dimensional variables involving the consensus variable , the controls , and the local clock variables . All these variables are defined for time . Controls are assumed to belong to . The specific quantizer of choice is , defined according to

(1) |

where is a sensitivity parameter, which can be used at the design stage for trading-off frequency of the control updates vs. accuracy of the consensus region.

The system in the *nominal operating
mode*, *i.e.*, in the absence of DoS,
satisfies the following continuous evolution

(2) |

except for every such that the set is non-empty. At such time instants, the system satisfies the following discrete evolution

(3) |

where for every the map is defined by

(4) |

where, for conciseness, we have defined

(5) |

Self-triggered coordination algorithms such as (2)-(4). turn out to be of major interest when consensus has to be achieved in spite of possibly severe communication constraints. In this respect, a remarkable feature of self-triggered coordination lies in the possibility of ensuring consensus properties in the absence of any global information on the graph topology and with no need to synchronize the agents local clocks [14].

### 2.2 Denial-of-Service

We shall refer to DoS as the phenomenon by which communication across the network is not possible. More specifically, we assume that the network nodes make use of a shared communication medium. Under DoS, none of network nodes can send or receive information. This scenario is representative of several possible DoS threats. In order to maintain continuity, a discussion on this point is deferred to Section II-C. Here, we proceed with the DoS modeling and introduce a number of assumption on its frequency and duration.

Let , where , denote the sequence of DoS off/on transitions, *i.e.*, the time instants at which DoS exhibits a transition from zero (communication is possible) to one (communication is interrupted). Then

(7) |

represents the -th DoS time-interval, of a length , over which communication is not possible. Here and in the sequel, it is understood that for all , otherwise could be regarded as a single DoS interval.

Given , with , let

(8) |

represent the sets of time instants where communication is denied and

(9) |

represent the sets of time instants where communication is allowed, where denote the relative complement and accounts for the set of all elements belonging to the time interval , but not to the set .

In connection with the definition of the DoS sequence in (7), the first question to be addressed is that of determining the amount of DoS that the network can tolerate before consensus, as defined in Theorem 1, is lost. In this respect, it is simple to see that such an amount is not arbitrary, and that suitable conditions must be imposed on both DoS frequency and duration.

Let us first consider the frequency at which DoS can occur. First notice that provides a lower bound on the inter-sampling rate of the -th node of the network, as imposed by the communication medium. Let now , with , denote the time elapsing between any two successive DoS triggering. By letting , one immediately sees that if

then consensus could be destroyed irrespective of the adopted communication strategy. This is because DoS would be allowed to occur at a rate faster than or equal to the sampling rate of some network node, which would clearly preclude the possibility to achieve consensus. It is intuitively clear that, in order to get stability, the frequency at which DoS can occur must be sufficiently small compared to sampling rate of the network nodes. A natural way to express this requirement is via the concept of average dwell-time, as introduced by [23]. Given with , let denote the number of DoS off/on transitions occurring on the interval .

###### Assumption 1 (DoS frequency)

There exist and such that

(10) |

for all and .

In addition to the DoS frequency, one also need to enforce constraints on the DoS duration, namely the length of the intervals over which communication is interrupted. To see this, consider for example a DoS sequence consisting of the singleton . Assumption 1 is clearly satisfied with . However, if (communication is never possible) then stability is lost regardless of the adopted control update policy. Recalling the definition of the set in (8), the assumption that follows provides a quite natural counterpart of Assumption 1 with respect to the DoS duration.

###### Assumption 2 (DoS Duration)

There exist and such that

(11) |

for all and .

### 2.3 Discussion

The considered assumptions only constrains the attacker action in time by posing limitations on the frequency of DoS and its duration. Such a characterization can capture many different scenarios, including trivial, periodic, random and protocol-aware jamming attacks [19]-[22]. For the sake of simplicity, we limit out discussion to the case of radio frequency (RF) jammers, although similar considerations can be made with respect to spoofing-like threats [24].

Consider for instance the case of
*constant jamming*. Constant jamming is one of the most common threats that may occur in a wireless network
[26, 25]. By continuously emitting RF signals on the wireless medium,
this type of jammer can lower the Packet Send Ratio (PSR)
for transmitters employing carrier sensing as medium access policy
as well as lower the Packet Delivery Ratio (PDR) by corrupting packets at the receiver.
In general, the percentage of packet losses caused by this type of jammer
depends on the Jamming-to-Signal Ratio and can be difficult to quantify
as it depends, among many things, on the type
of anti-jamming devices, the possibility to adapt the signal strength threshold
for carrier sensing, and the interference signal power, which may vary with time.
In fact, there are several provisions that can be taken
in order to *mitigate* DoS attacks, including spreading techniques, high-pass filtering
and encoding [21, 22]. These provisions
decrease the chance that a DoS attack will be successful,
and, as such, limit in practice the frequency and duration of the time intervals
over which communication is effectively denied. This is nicely
captured by the considered assumptions.

As another example, consider the case of *reactive jamming* [26, 25].
By exploiting the knowledge of the 802.1i MAC layer protocols, a jammer may
restrict the RF signal to the packet transmissions. The collision period need not be long since
with many CRC error checks a single bit error can corrupt an entire frame.
Accordingly, jamming takes the form of a (high-power) burst of noise,
whose duration is determined by the length of the symbols to corrupt [21, 27].
Also this case can be nicely accounted for via the considered assumptions.

## 3 Main Results

### 3.1 Modified Consensus Protocol

The consensus protocol in (3) needs to be modified in order to achieve robustness against DoS. In this respect, for every such that the set is not nonempty, the nominal discrete evolution is modified as follows:

(12) |

In words, when a network node attempts to communicate
and communication is denied, the control signal is set to zero
until the subsequent attempt
^{1}

It is worth noting that, although an absolute time variable is used in the description of the system dynamics, the various nodes implementing the consensus protocol need not to be aware of such an absolute time. Instead, they rely on their local clocks . As the nodes rely on their local clocks the jump times of each variable naturally define a sequence of local switching times, which we denote by . In particular, we have

(13) |

The modified algorithm basically consists of a two-mode sampling logic, where the sampling times in presence of DoS are chosen different, possibly much smaller, than in the nominal situation where DoS is absent. As it will become clear later on, this is in order to maximize the robustness of the consensus protocol against DoS. By (13), it is an easy matter to see that the sequences of local switching times satisfy a “dwell time” property since

(14) |

for every and , where .

For the sake of clarity, the modified consensus protocol is summarized below.

Modified Consensus Protocol (for each )

We are now in position to characterize the overall network behavior
in the presence of DoS. In this respect, the analysis is subdivided
into two main steps: i) we first prove that
all the network nodes eventually stop to update their
local controls; and ii) we then provide conditions on the DoS frequency
and duration such that consensus, in the sense of (6), is preserved.
This is achieved by resorting to a notion of
*Persistency-of-Communication* (PoC), which
stipulates that disruptions of the graph connectivity
cannot exceed a prescribed threshold.
For convenience the proofs are reported in
Section III-B.

As for ii), the following result holds true.

###### Proposition 1

Clearly, the above result does not allows one to conclude anything about the final disagreement vector in the sense that given a pair of nodes the asymptotic value of can be arbitrarily large. In order to recover the same conclusions as in Theorem 1, bounds on the parameters and in Assumption 1 and 2 have to be enforced.

Consider a sequence of sampling times, along with a DoS sequence . Let

(15) |

denote the set of integers related to a control update attempt occurring under DoS. Notice that, due to the finite sampling rate, a time interval will necessarily elapse from the time at which DoS ceases, to the time at which the nodes successfully sample and transmit. By construction, this interval can be upper bounded as

(16) |

Notice now that the last transmission attempt (if any) of node over the -th DoS interval necessarily falls within . This means that the next sampling falls by construction within . Hence, we conclude that a DoS free interval of a length greater than guarantees that all nodes are able to sample and transmit. Accordingly, define the following sets that account for the DoS-induced actuation delay,

(17) | |||

(18) |

where

By the previous arguments, a sufficient condition under which all the network nodes are able to communicate at least once within is that has positive measure.

The following result then holds.

###### Proposition 2

Combining Proposition 1 and 2, the main result of this paper follows at once.

###### Theorem 2

A few remarks are in order.

###### Remark 1

Condition (19) in Proposition 2 amounts to
requiring that the DoS signal does not destroy communication in a
persistent way. This requirement is indeed reminiscent of
*Persistency-of-Excitation* (PoE) conditions that are found in
the literature on consensus under switching topologies, *e.g.*, [17].
There are, however, noticeable differences. In the present
case, the incidence matrix of the graph is a time-varying
matrix satisfying: i) in the presence of DoS; and ii)
in the absence of DoS, where represents
the incidence matrix related to the nominal graph configuration.
Consider now a DoS pattern consisting of countable number of singletons, namely , with . It is trivial to conclude that there exist
constant and
such that (*cf*. [17])

for all , where is a suitable projection matrix. However, in accordance with the previous discussion, consensus can be destroyed. The subtle, yet important, difference is due to the constraint on the frequency of the information exchange that is imposed by the network. In this sense, the notion of PoC naturally extends the PoE condition to digital networked settings by requiring that the graph connectivity be established over periods of time that are consistent with the constraints imposed by the communication medium.

### 3.2 Convergence Analysis

This section is devoted to the proof of Proposition 1, Proposition 2 and Theorem 2.

Proof of Proposition 1. Let

where . Consider the evolution of along the solutions to (2). Following the same steps as in [14], it is easy to verify that

(21) |

In words, the derivative of decreases whenever, for some node , two conditions are met: i) , which means that node has not reached the consensus set; and ii) communication is possible.

From (21) we deduce that there must exist a finite time such that, for every node and every with , either or . This is because, otherwise, the function would become negative contradicting the fact that is non-negative definite since is the Laplacian graph. Thus the proof follows simply by recalling that in both the cases and the control is set to zero.

Proof of Proposition 2 By definition of and in view of Assumption 1 and 2, the following bounds on is readily obtained:

(22) | |||||

Finally notice that

(23) |

Combining the two equations above, one sees that a sufficient condition for PoC is that , which, in turn, is implied by

(24) |

This is equivalent to

(25) |

which concludes the proof.

*Proof of Theorem 2*.
The proof follows immediately by combining
Proposition 1 and 2. In fact, by Proposition 1,
all the local controls converge to zero in a finite time.
In turn, Proposition 2 excludes the possibility
that this is due to a persistence of the DoS status.
This means that converge to the set
is necessarily achieved.

## 4 Numerical Example

In what follows we see a numerical example of the proposed consensus protocol in presence of DoS. A sustained DoS attack with variable period and duty cycle, generated randomly. The resulting DoS signal has an average duty cycle of .

We assume completely connected undirected graph with nodes. During times over which communication is possible each agent is connected to the other agents, namely , while in presence of DoS graph becomes edgeless. A sample evolution of (2) and (12) starting from the same initial condition and on the same graph is depicted in Fig. 1 and Fig. 2. Initial conditions are generated randomly between and . The vertical gray stripes in Fig. 1 represent the time-intervals over which DoS is active.

Consistent with the results in [14, 18], system (2),(12) converges in finite time to values close to average-maxâmin-consensus, namely . Presence of DoS bring about latency in coordination of the agents, this is due to controls remaining constantly to zero during this period. Consensus time in Fig. 1 is almost twice the consensus time in Fig. 2.

## 5 Conclusion

We investigated coordination of distributed networked systems in the presence of DoS attacks. We argued persistency of excitation condition is not enough to achieve consensus. An explicit characterization of the frequency and duration of DoS attacks under prsistency-of-communication is found. Condition under which agents can transmit information and update their control value frequently enough in sequence of time.

As an additional future research topic, we can compute the required consensus time taking into account DoS attack. Beside the time cost in [14], this clarifies the consensus time gap in presence and absence of DoS. Furthermore, partial communication failure can also be investigated separately. This problem is motivated by using a point to point communication medium.

### Footnotes

- It is worth noting that this implicitly requires that the nodes be able to detect the DoS status. This is the case, for instance, when jamming causes the channel to be busy. Then, transmitters employing carrier sensing as medium access policy can detect the DoS status. Another example is when transceivers employ TCP acknowledgment.

### References

- A. Cardenas, S. Amin, and S. Sastry, ”Secure control: towards survivable cyber-physical systems”, Proc. of The 28-th International Conference on Distributed Computing Systems Workshops, 2008.
- Y. Mo, T. Hyun-Jin Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig, and B. Sinopoli, ”Cyber-physical security of a smart grid infrastructure”, Proceedings of the IEEE, vol. 100, pp. 195-209, 2012.
- H. Fawzi, P. Tabuada, and S. Diggavi, ”Secure state-estimation for dynamical systems under active adversaries”, Annual Allerton Conference on Communication, Control, and Computing, 2011.
- A.Teixeira, K. Sou, H. Sandberg, and K. Johansson. ”Secure Control Systems: A Quantitative Risk Management Approach”, Control Systems, IEEE 35, no. 1 (2015): 24-45.
- F. Pasqualetti, F. Dorfler, and F. Bullo, ”Control-Theoretic Methods for Cyberphysical Security: Geometric Principles for Optimal Cross-Layer Resilient Control Systems”, Control Systems, IEEE 35.1 (2015): 110-127.
- W. Xu, K. Ma, W. Trappe, and Y. Zhang, ”Jamming sensor networks: Attack and defense strategies”, IEEE Network, vol. 20, pp. 41â47, 2006.
- D. Thuente and M. Acharya, ”Intelligent jamming in wireless networks with applications to 802.11b and other networks”, Proc. 25th IEEE Communications Society Military Communications Conference, Washington, DC, USA, 2006.
- A. Teixeira, I. Shames, H. Sandberg, and K.H. Johansson. ”A secure control framework for resource-limited adversaries”, Automatica 51 (2015): 135-148.
- C. De Persis and P. Tesi. ”Input-to-state stabilizing control under denial-of-service”, IEEE Trans. on Automatic Control, in press, 2015. DOI: 10.1109/TAC.2015.2416924
- C. De Persis and P. Tesi, ”Resilient control under denial-of-service”, in Proceedings of the IFAC World Congress, Cape Town, South Africa, 2014.
- S. Amin, A. Cardenas, and S. Sastry, ”Safe and secure networked control systems under denial of-service attacks”, In Hybrid systems: Computation and Control, pp. 31-45, 2009.
- A. Gupta, C. Langbort, and T. Basar, ”Optimal control in the presence of an intelligent jammer with limited actions”, Proc. of the 49th IEEE Conference on Decision and Control, Atlanta, GA, USA, 2010.
- H. Shisheh Foroush and S. Martinez, ”On event-triggered control of linear systems under periodic denial of service attacks”, Proc. of the IEEE Conf. on Decision and Control, Maui, HI, USA, 2012.
- C. De Persis and P. Frasca, ”Robust self-triggered coordination with ternary controllers”, IEEE Trans. on Automatic Control, vol. 58, pp. 3024-3038, 2013.
- R. Olfati-Saber, R M. Murray. ”Consensus problems in networks of agents with switching topology and time-delays”, Automatic Control, IEEE Transactions on 49, no. 9 (2004): 1520-1533.
- A. Jadbabaie, J. Lin, A. Morse. ”Coordination of groups of mobile autonomous agents using nearest neighbor rules”, Automatic Control, IEEE Transactions on 48, no. 6 (2003): 988-1001.
- M. Arcak. ”Passivity as a design tool for group coordination”, Automatic Control, IEEE Transactions on 52, no. 8 (2007): 1380-1390.
- J. CortÃ©s. ”Finite-time convergent gradient flows with applications to network consensus”, Automatica 42, no. 11 (2006): 1993-2000.
- D. Thuente and M. Acharya, ”Intelligent jamming in wireless networks with applications to 802.11b and other networks”, Proc. 25th IEEE Communications Society Military Communications Conference, Washington, DC, USA, 2006.
- W. Xu, W. Trappe, Y. Zhang, and T. Wood, ”The feasibility of launching and detecting jamming attacks in wireless networks”, ACM International Symposium on Mobile Ad-Hoc Networking & Computing, 2005.
- B. De Bruhl and P. Tague, ”Digital filter design for jamming mitigation in 802.15.4 communication”, in Int. Conf. on Computer Communications and Networks, Maui, Hawaii, 2011.
- P. Tague, M. Li, and R. Poovendran, ”Mitigation of control channel jamming under node capture attacks”, IEEE Transactions on Mobile Computing, vol. 8, pp. 1221â1234, 2009.
- J. Hespanha and A. Morse, ”Stability of switched systems with average dwell-time”, Proc. of the 38th IEEE CDC, Orlando, Florida USA, 1999.
- J. Bellardo and S. Savage. ”802.11 denial-of-service attacks: Real vulnerabilities and practical solutions”, Proc. of USENIX Security Symposium, 2003.
- M. Iliofotou K. Pelechrinis and S.V. Krishnamurthy. ”Denial of service attacks in wireless networks: The case of jammers”, IEEE Communications Surveys & Tutorials, 13:245-257, 2010.
- W. Xu, K. Ma, W. Trappe, and Y. Zhang. ”Jamming sensor networks: Attack and defense strategies”, IEEE Network, 20:41-47, 2006.
- A.D. Wood and J.A. Stankovic. ”Denial-of-service in sensor networks”, EEE Computer, 10:54Ð62, 2002.