Privacy-Preserving Co-synthesis Against Sensor-Actuator Eavesdropping Intruder

TL;DR

This paper presents a novel co-synthesis method for privacy-preserving supervisory control in cyber-physical systems, ensuring secrets remain hidden from passive intruders while maintaining safety and nonblockingness.

Contribution

It introduces an incremental synthesis heuristic for dynamic masks, edit functions, and supervisors to enforce opacity and covertness against sensor-actuator eavesdropping intruders.

Findings

Successfully enforces location privacy in autonomous vehicles.

Ensures system safety and nonblockingness.

Achieves opacity and covertness against passive intruders.

Abstract

In this work, we investigate the problem of privacy-preserving supervisory control against an external passive intruder via co-synthesis of dynamic mask, edit function, and supervisor for opacity enforcement and requirement satisfaction. We attempt to achieve the following goals: 1) the system secret cannot be inferred by the intruder, i.e., opacity of secrets against the intruder, and the existence of the dynamic mask and the edit function should not be discovered by the intruder, i.e., covertness of dynamic mask and edit function against the intruder; 2) the closed-loop system behaviors should satisfy some safety and nonblockingness requirement. We assume the intruder can eavesdrop both the sensing information generated by the sensors and the control commands issued to the actuators, and we refer to such an intruder as a sensor-actuator eavesdropping intruder. Our approach is to model the co-synthesis problem as a distributed supervisor synthesis problem in the Ramadge-Wonham supervisory control framework, and we propose an incremental synthesis heuristic to incrementally synthesize a dynamic mask, an edit function, and a supervisor, which consists of three steps: 1) we first synthesize an ensemble ME of dynamic mask and edit function to ensure the opacity and the covertness against a sensor eavesdropping but command non-eavesdropping intruder, and marker-reachability; 2) we then decompose ME into a dynamic mask and an edit function by using a constraint-based approach, with the help of a Boolean satisfiability (SAT) solver; 3) finally, we synthesize a supervisor such that opacity and covertness can be ensured against the sensor-actuator eavesdropping intruder, and at the same time safety and nonblockingness requirement can be ensured. The effectiveness of our approach is illustrated on an example about the enforcement of location privacy for an autonomous vehicle.