Supervisory Control of Discrete-event Systems under Attacks
For cyber defense systems, this provides a formal framework to design supervisors robust to sensor tampering, with efficient algorithms for specific attack types.
The paper addresses supervisory control of discrete-event systems under attacks where an adversary corrupts sensor observations. It shows that a solution exists iff the desired language is controllable and observable in a new sense, and for insertion/removal attacks, supervisor synthesis avoids exponential complexity.
We consider a multi-adversary version of the supervisory control problem for discrete-event systems, in which an adversary corrupts the observations available to the supervisor. The supervisor's goal is to enforce a specific language in spite of the opponent's actions and without knowing which adversary it is playing against. This problem is motivated by applications to computer security in which a cyber defense system must make decisions based on reports from sensors that may have been tampered with by an attacker. We start by showing that the problem has a solution if and only if the desired language is controllable (in the Discrete event system classical sense) and observable in a (novel) sense that takes the adversaries into account. For the particular case of attacks that insert symbols into or remove symbols from the sequence of sensor outputs, we show that testing the existence of a supervisor and building the supervisor can be done using tools developed for the classical DES supervisory control problem, by considering a family of automata with modified output maps, but without expanding the size of the state space and without incurring on exponential complexity on the number of attacks considered., we construct observers that are robust against attacks and lead to an automaton representation of the supervisor. We also develop a test for observability under such replacement-removal attacks by using the so-called product automata.