# Consensus-based distributed intrusion detection for multi-robot systems.

**ABSTRACT** This paper addresses a security problem in robotic multi-agent systems, where agents are supposed to cooperate according to a shared protocol. A distributed Intrusion Detection System (IDS) is proposed here, that detects possible non-cooperative agents. Previous work by the authors showed how single monitors embedded on-board the agents can detect non- cooperative behavior, using only locally available information. In this paper, we allow such monitors to share the collected information in order to overcome their sensing limitation. In this perspective, we show how an agreement on the type of behavior of a target-robot may be reached by the monitors, through execution of a suitable consensus algorithm. After formulating a consensus problem over non-scalar quantities, and with a generic update function, we provide conditions for the consensus convergence and an upper bound to its transient duration. Effectiveness of the proposed solution is finally shown through simulation of a case study.

**0**Bookmarks

**·**

**135**Views

- [Show abstract] [Hide abstract]

**ABSTRACT:**In this paper we describe a security suite for Underwater Acoustic Sensor Networks comprising both fixed and mobile nodes. The security suite is composed of a secure routing protocol and a set of cryptographic primitives aimed at protecting the confidentiality and the integrity of underwater communication while taking into account the unique characteristics and constraints of the acoustic channel. By means of experiments and simulations based on real data, we show that the suite is suitable for an underwater networking environment as it introduces limited, and sometimes negligible, communication and power consumption overhead.Sensors 01/2012; 12(11):15133-58. · 1.95 Impact Factor - SourceAvailable from: Alessandro Marino
##### Conference Paper: A decentralized observer for a general class of Lipschitz systems

[Show abstract] [Hide abstract]

**ABSTRACT:**The paper presents a decentralized observer for a class of multi-agent systems. The proposed observer allows each robot of the team to estimate the overall system state provided that the communication network is connected and that the motion control law is Lipschitz. In case of perfect measurements the observer error is proved to be exponentially convergent to zero, while global uniform ultimately boundeness is proved for the case of bounded non-vanishing noise on the state measurements. The approach is validated via numerical simulations considering, as a case study, the decentralized control of the centroid and the formation of a team of robots.IEEE International Conference on Information and Automation; 08/2013 -
##### Conference Paper: Distributed real-time fault detection and isolation for cooperative multi-agent systems

[Show abstract] [Hide abstract]

**ABSTRACT:**In this paper we propose a distributed real-time fault detection, isolation and mitigation framework for multiagent systems performing cooperative tasks. Various system models and detection schemes with respect to communication and sensing are considered. Two communication protocols for fault detection are introduced first and proved to be effective. Then a scheme based on limited relative state measurements is developed. Furthermore, we propose fault isolation and mitigation steps to guarantee the accomplishment of a global objective. All schemes are distributed in the sense that at each step of the fault detection, isolation and mitigation every agent only uses locally available information. One key feature of the framework is the significant reduction of required computational resource when compared with the fault detection and isolation schemes based on unknown input observers. Later we show that the proposed framework can be applied to the consensus and other cooperative formation problems. Several computer simulations are presented to demonstrate the efficiency of the framework.American Control Conference (ACC), 2012; 01/2012

Page 1

Consensus–based Distributed Intrusion Detection

for Multi–Robot Systems

Adriano Fagiolini, Marco Pellinacci, Gianni Valenti, Gianluca Dini, and Antonio Bicchi

Abstract—This paper addresses a security problem in robotic

multi–agent systems, where agents are supposed to cooperate

according to a shared protocol. A distributed Intrusion Detec-

tion System (IDS) is proposed here, that detects possible non–

cooperative agents. Previous work by the authors showed how

single monitors embedded on–board the agents can detect non–

cooperative behavior, using only locally available information.

In this paper, we allow such monitors to share the collected

information in order to overcome their sensing limitation. In

this perspective, we show how an agreement on the type of

behavior of a target–robot may be reached by the monitors,

through execution of a suitable consensus algorithm. After

formulating a consensus problem over non–scalar quantities,

and with a generic update function, we provide conditions for

the consensus convergence and an upper bound to its transient

duration. Effectiveness of the proposed solution is finally shown

through simulation of a case study.

I. INTRODUCTION

In the last few years, there has been a great effort to

define decentralized and cooperative control strategies for

applications, such as intelligent transportation, surveillance,

etc., requiring the employment of teams of robots (see e.g.

[1], [2]). The development of such strategies is motivated by

the so–called divide et impera principle, according to which

the original problem is reduced to find solutions for sub–

problems of less complexity, and indeed the actions of each

robot can be seen as a partial contribution to solving the

complete problem.

Furthermore, the redundant number of robots allows a

higher level of robustness against simple faults to be reached

e.g. by a possible task–reallocation whenever a faulty robot

is discovered within the system. However, in the absence of a

centralized monitoringinfrastructure, byzantine behaviors [3]

of a robot, arbitrarily deviating from the nominal cooperation

strategy, may remain undiscovered for a long time. As a

matter of fact, a malicious robot may “play” with the model

of cooperation and deceive any of its neighbors monitoring

its behavior, by leveraging on their partial knowledge of the

system’s state.

We focus on systems where cooperation is obtained by

sharing a common set of decentralized rules R, i.e. we

consider systems where each robot plans its motion based

on rules that dictate actions depending on the configuration

A.Fagiolini,G.Valenti,andA.Bicchiarewiththe

Interdepartmental Research Center “E. Piaggio” of the Universit` a di

Pisa,Italy,

{a.fagiolini, bicchi}@ing.unipi.it,

posta@gianni.valenti.name.

M.Pellinacci,andG.Dini

mentodell’Informazione,Faculty

sit` a ofPisa,Italy,

marco.pellinacci@alice.it,

gianluca.dini@ing.unipi.it.

are

of

with

Engineering,

theDiparti-

Univer-

of the robot itself and of its neighbors (see e.g. [4]–[6]).

The challenge in these systems is to find strategies to detect

possible non–cooperative robots, without the use of any form

of centralization. Bearing this in mind, our objective is to

develop a synthesis technique that makes it possible to build

a distributed Intrusion Detection System (IDS) [7], [8] for

securing the considered class of robotic multi–agents. The

proposed IDS consists of two main “ingredients”: a decen-

tralized monitoring mechanism, by which every robot assigns

all its neighbors with a direct reputation, a measure of their

cooperativeness, and an agreement mechanism, by which all

of such monitors sharing locally collected information can

“converge” to a unique network decision.

The concept of reputation is normally employed in Peer–

To–Peer (P2P) systems, and in Mobile Ad–hoc NETworks

(MANET), where a form of cooperation is required, e.g.

for establishing a message routing service that enables the

communication among all agents. In these systems — see

e.g. the works of LeBoudec [9], [10] —, each agent assigns

its neighbors with a reputation rate that depends on whether

they display a collaborative behavior, e.g. with respect to

message forwarding. Our problem is different and more

difficult due to the fact that each robot has only partial

knowledge of the system’s state, and thus it can not estab-

lish with certainty whether a given behavior of one of its

neighbors is cooperative or not. The challenge of a robot

acting as a decentralized monitor is indeed to distinguish a

faulty or malicious robot in its neighborhoodfrom a correctly

cooperating robot whose actions may be influenced by other

robots out of the monitor’s range. Furthermore, the fact that

the topology of interaction and exchange of information

among mobile robots is changing and unknown should be

taken into account. These reasons make the problem we deal

with quite distinct from those tackled in the current Security

and Fault Detection [11]–[16] literatures, and indeed a very

challenging one.

In previous work [17], [18], we proposed a scheme by

which each robot can independently establish a reputation

of all its neighbors, using only locally available information.

This paper addresses the problem of reaching an agreement

on such reputations, and indeed the possibility that the mon-

itors share locally collected information is considered. To

achieve this, the florishing literature on distributed consensus

algorithms [19]–[21] represents a quite natural framework

under which the problem should be treated. Indeed, the

system–theoretic approach (used e.g. in Murray’s works) to

represent the dynamic behavior of such algorithms makes it

possible to find useful results on the rate of convergence,

Page 2

and on the conditions under which an agreement can be

established. However, such algorithms involve the exchange

of scalar quantities and allows the use of very simple rules

only, such as weighted average, to combine measures of

different distributed sensors. In our application scenario,

robots need to exchange locally reconstructed “evidences”

of the reputation of their neighbors that are not scalars, as

it will be discussed afterward, and hence a more complex

combination rule is required. In this vein, the works on

set–membership [22] and the so–called Marzullo’s algorithm

[23] define rules to combine sets or intervals, respectively,

estimated by different sensors. Such works may indeed

provide useful hints to solve our problem. Due to this fact, we

believe that the consensus literature can still be enriched, and

we present a convergenceresult when more general functions

are used to combine different measures, which may represent

a first step in this direction.

II. HYBRID MODEL OF ROBOTIC AGENTS

The class of robotic systems of interest is represented

by teams of robots that plan their motions according to a

set of decentralized and cooperative rules R. In particu-

lar, we assume that the set R defines κ possible actions

Σ = {σ1,σ2,...,σκ} that robots can perform, and specifies

ν logical conditions on the state of their neighborhoods

requiring a change of maneuver. Let E = {e1,e2,...,eν}

be the set of discrete events associated with such conditions.

For the sake of clarity, consider as an example the case

of n cars moving on a multi–laned highway. Such cars

are supposed to have the same dynamics, and pilots are

supposed to decide the current maneuver based on its goal,

the configurations of the car and of other neighboring cars.

In this example, the actions defined by R are accelerate,

decelerate, and change to the next left or right lane. The

logical conditions for a change of maneuver are represented

by e.g. a slower car in the front, and a free lane on the left

requiring the execution of an overtake.

Robotic systems composed of a physical plant and a

control system implementing such a kind of cooperation rules

R can be modeled as hybrid systems. The components of

such hybrid models H are depicted in Fig. 1 and explained in

the following. Let qi∈ Q be a vector describing the physical

state of the i–th robot and taking value in the configuration

space Q, and let σi∈ Σ be the maneuver that the robot is

currently performing. The i–th robot’s configuration qi has

a continuous dynamics

˙ qi= f(qi,ui),

where ui ∈ U is a control input. In particular, ui is a

feedback law generated by a low–level controller g : Q ×

Σ → U, i.e.

ui= g(qi,σi),

so that the robot’s trajectory qi(t) corresponds to the desired

current maneuver σi. The i–th robot’s current maneuver has

a discrete dynamics δ : Σ × E → Σ, i.e.

σi+= δ(σi,e),

A

ei= D?qi,vi,ζi

?

ui= g(qi,σi)

qi

qi

qi

ei

σi

ui

˙ qi= f(qi,ui)

vi

ζi

H

Fig. 1.Depiction of the hybrid model of robotic agents.

where e is an event requiring a change of maneuver from

σi to σi+. Event activation is detected by a static map D :

Q × Qp× Z → E, where p is the maximum number of

neighbors whose configurations may affect the robot, and

ζi ∈ Z is a parameter that may be reset at any maneuver

transition. Map D encodes conditions such as the presence

of a slower car in the front, and a free lane on the left. The

currently detected event is then

e = D(qi,vi,ζi),

where vi= (qi1,...,qip) is a vector impiling the configura-

tions of the i–th robot’s neighbors. In conclusion, the hybrid

dynamics of the i–th robot is

qi= H(qi,qi1,...,qip),

where H : Q × Qp→ Q, and i1,...,ipare the indices of

its neighbors. Hence, qi1,...,qiprepresents H’s input and

qiits output.

III. CONSTRUCTION OF LOCAL MONITORS FOR

INTRUSION DETECTION

We first give the following

Definition 1: A non–cooperative robot, or intruder, is a

faulty or malicous robot whose behavior arbitrarily deviates

from the one imposed by the cooperation rules R.

In practice, the i–th robot is deemed non–cooperative if

its trajectory ¯ qi(t) differs from the output ˜ qi(t) of the hybrid

model H derived from R and excited by the configurations

qi1(t),...,qip(t) of its neighbors. In formula, the condition

is the following:

¯ qi(t) ?= ˜ qi(t) = H(qi(t),qi1(t),...,qip(t)).

The problem of a robot h acting as a monitor of the

behavior of robot i is due to its partial knowledge of i’s

neighborhood. In the example in study, some cars affecting

Page 3

Ounobs

0

Oobs

0

Qa(q4)

Fig. 2.

corresponding partition of the input space of robot 4.

Partition of the configuration space due to robot 0’s visibility, and

the behavior of robot i may be out of robot h’s sensing range

since they remain hidden by other cars (see Fig. 2). To model

this, we first partition the configuration space Q according

to the h–th monitor’s visibility:

Q = Oobs

h

∪ Ounobs

h

,

where Oobs

able regions, respectively, from the perspective of h. Then,

we can partition the i–th robot’s input space Qa(qi) due to

the h–th monitor’s visibility:

h

and Ounobs

h

are the observable and the unobserv-

Qa(qi)=

=

Qa(qi) ∩?Oobs

Qobs

h

∪ Qunobs

h

∪ Ounobs

h

?=

h

.

The goal of the monitoring robot h is to establish whether

the trajectory ¯ qi(t) of robot i is compliant with its partial

knowledge of i’s neighborhood and the cooperation rules R.

From a mathematical point of view, we need to solve the

following

Problem 1: Consider the hybrid model H of a robot i, and

a partition Qa(qi) = Qobs

monitor h. Given the trajectory ¯ qi(t), and noconfigurations

q1(t),...,qno(t) of known neighbors in Qobs

it exists, a choice of p − noconfigurations qno+1,...,qpin

Qunobs

h

such that the expected behavior

h∪Qunobs

h

of its input space due to

h, determine, if

˜ qi= H(¯ qi,q1,...,qno,qno+1,...,qp)

equals the given one, i.e. ˜ qi(t) = ¯ qi(t).

Solving this problem can be hard due to non–linearities

and differential equations of the hybrid model H, and it

would require the construction of an “unknown input ob-

server” (UIO) H†of the hybrid model itself, as we have

discussed in [17]. Furthermore, a direct approach for the

computation of such a UIO leads to find ad–hoc solutions

for very specific cases. In contrast, we showed how this can

be avoided and solutions can be found for the considered

class of robotic multi–agent systems. The property that

in our opinion makes our approach appealing is that all

components of the proposed decentralized monitor can be

automatically generated once the dynamics f of the plant,

and the cooperation rules R are given. The reader may refer

to our work [17] for a complete description of the method

and can assume the existence of a procedure to build a UIO,

H†, such that

(ˆ qno+1,..., ˆ qp) = H†(¯ qi,q1,...,qno),

where ˆ ql for l = no+ 1,...,p are estimates of p − no

configurations of robots in Qunobs

behavior ¯ qiof the monitored robot i.

In cases where the monitoring robot h has complete

knowledge of robot i’s neighborhood, it will be able to

distinguish a cooperative from a non–cooperative robot, and

accordingly decide on its reputation rih. Whenever this is

not true, the monitor tries to reconstruct any information

on Qunobs

h

according to robot i’s behavior and the partial

knowledge of its neighbors. In these cases, as long as

a choice for ˆ ql exists, the reputation of robot i remains

“uncertain” (indeed the robot may be correctly following

the cooperation rules R or not). Otherwise, the reputation

becomes “noncooperative”. In brief, the reputation rihof

robot i according to robot h is a discrete variable taking

values in the set:

h

that can “explain” the

R = {cooperative,noncooperative,uncertain,unknown}.

The introduction of the value “unknown” is instrumental for

the purpose of communication. Indeed, whenever a monitor

robot h does not see robot i, but has to participate in

an agreement on the value of its reputation, will initially

exchange the value unknown.

We point out that the estimates ˆ ql, for all l, are evidences

or unobservable explanations that the monitoring robot h

has derived from the behavior of robot i. Depending on the

existence of such possible explanations, robot h assigns a

neighboring robot i with a suitable reputation value. Fig. 3

shows a simulation run with a non–cooperativerobot, vehicle

0 in the figure, that keeps traveling on the second lane,

even though the lane on the right is free. The behavior of

vehicle 0 is monitored by its neighbors that reconstruct dif-

ferent estimates ˆ qno+1,..., ˆ qpof their unobservable regions.

Such estimates are possibly non–convex regions where the

presence of a robot is required (when reported in red) or is

excluded (when reported in green).

IV. OVERCOMING LOCAL MONITORING LIMITATION

THROUGH COMMUNICATION

The second “ingredient” of the proposed IDS is a dis-

tributed agreement mechanism by which monitors share

locally collected information so as to reduce their uncertainty

and eventually “converge” to a unique network decision. The

communication among monitors is indeed necessary since

they can not verify the actual correctness of the reconstructed

hypotheses or explanations ˆ qno+1,..., ˆ qpon Qunobs

over, reaching an agreement is paramount before starting any

emergency procedure whenever a non–cooperative robot is

detected.

h

. More-

A. Consensus algorithms and centralized decision

Consider a piecewise–constant communication topology

represented by the undirected graph Gc(V,Ec), where V is

a set of nodes, and Ecis a set of edges. The presence of an

edge ei,jconnecting viwith vjmeans that node viis able to

share its knowledge with node vj. Now, we can recall from

e.g. [20] the following

Page 4

Fig. 3.

traveling on the second lane, even though the lane on the right is free

(first picture). Monitor robots’ point of views are reported in the other three

pictures, where red and green colors indicate regions where the presence of

a robot is required or is excluded, respectively.

Simulation run where robot 0 is non–cooperative as it keeps

Definition 2 (Consensus Algorithm): Given a set V

{v1,...,vn}

of nodes,and

Gc(V,Ec), a (distributed) consensus algorithm is an iterative

interaction rule that specifies:

• which information d ∈ D is shared among neighbors,

• and how each node vi updates its estimate di based

on any received value dj, i.e. which update function

Ω : D × D → D is used to compute

=

a communication graph

di+= Ω(di,dj), for i = 1,...,n.

Let us also define a centralized decision d∗as the value

that would be chosen by a hypothetical monitor collecting

all initial measures d1(0),...,dn(0), and combining them

according to Ω. The quantity d∗can be seen as a result limit-

ing the performance of any distributed computation strategy

as it represents the choice taken without any information

loss. This motivates the effort that is often spent to design

consensus algorithms converging to d∗(these algorithms are

said to achieve the so–called f–consensus), irrespectively of

the distributed nature of the computation.

B. Which Information To Share

In our application scenario, nodes in V are robots that

are monitoring a common neighbor and that are supposed to

communicate as in Ecin order to reach an agreement on the

reputation of such neighbor. Consider vector

r(k) = (r1(k),...,rn(k))

that is obtained by impiling all monitors’ decisions after k

steps of a suitable consensus. Our objective here is to design

a distributed consensus algorithm guaranteeing that, for any

initial condition r(0), we have r(∞) = 1r∗, where r∗is the

centralized decision.

A simple solution where the i–th monitor shares the

locally established reputation ri(k) is sufficient to reach

an agreement. To achieve this, well–known consensus al-

gorithms for scalar quantities can indeed be used (see e.g.

[19]–[21]). However, in the majority of the cases, monitors

are likely to have partial knowledge of the monitored robot’s

neighborhood and remain uncertain about its actual behavior.

Then, the whole network of robots will remain uncertain,

except at the occurrence of fortunate cases where manifest

faulty behaviors [24] that can trivially be detected.

For this reason, we propose a solution where monitors

share any information that is directly measured or recon-

structed by exploitation of H†. Namely, each monitor h

shares the following data related to a common neighbor i:

ξh

i

=

=

{¯ qi,q1,...,qno,H†(q1,...,qno)} =

{¯ qi,q1,...,qno, ˆ qno+1,..., ˆ qp}.

Theoretically, after having established the so–called “same

context” for the value of such a neighborhood, they will

use the same decision rule and hence decide for the same

reputation value.

C. More General Consensus Algorithms

Well–known consensus algorithms are appealing since

they are obtained through very simple combination rules,

such as weighted average, or maximum occurrence value.

However, they are applicable only with scalar quantities,

whereas ˆ qno+1,..., ˆ qp are possibly non–convex sets or in-

tervals (recall the example of Fig. 3).

Motivated by this fact, we introduce a more general

class of consensus algorithms, partially inspired from the

Computer Science literature (see e.g. Lynch’s works):

Definition 3 (General Consensus Algorithm): Given a set

V = {v1,...,vn} of nodes, and a communication graph

Gc(V,Ec), a (distributed) general consensus algorithm is an

iterative interaction rule that specifies:

• which information ξ ∈ Ξ is shared among neighbors,

• how each node vi updates its knowledge ξi based

on any received value ξj, i.e. which update function

Ω : Ξ × Ξ → Ξ is used to compute

ξi+= Ω(ξi,ξj), for i = 1,...,n,

• and how each node videcides on the value di∈ D of

a common quantity of interest for which an agreement

is desired, i.e. which decision function Θ : Ξ → D is

used to compute

di= Θ(ξi), for i = 1,...,n.

From a system theoretic point of view, the i–th node

participarting in the consensus is a discrete sub–system,

where ξiis the state (a.k.a. the context), all ξjs are inputs, and

di is the output (a.k.a. the decision) (see Fig. 4). Now the

Page 5

∆

ΘΩ

ξ+

i

ξi

ξj,...,ξk

di

Fig. 4.

algorithm.

Depiction of i–th node participating in the general consensus

12

3

6

4

5

7

Fig. 5.A connected communication graph Gc(V,Ec).

centralized decision d∗is the value that would be chosen

by a hypothetical monitor collecting all initial measures

ξ1(0),...,ξn(0), combining them according to Ω, and then

applying Θ.

V. ON THE ABSTRACT CONVERGENCE OF CONSENSUS

ALGORITHMS WITH UNCERTAIN MEASURES

Let ξ ∈ IR be a scalar quantity of interest for the network,

and let ξ1,...,ξnbe n elements on a σ–algebra Σ over IR,

representing uncertain estimates of a particular value¯ξ of

ξ. Consider a consensus algorithm as in Def. 3, and assume

that neighbors of a given communication graph Gc(V,Ec)

(as the one of Fig. 5) exchange the estimates ξ1,...,ξn, in

order to reach an agreement on¯ξ.

It is worth noting that, even though the update function

Ω : Σ × Σ → Σ in Def. 3 may be general, some essential

properties are required to make it a legittimate update func-

tion for the distributed algorithm. In particular, we require

that, for any ξ1, ξ2, and ξ3,

• Ω(ξ1,ξ2) = Ω(ξ2,ξ1) (commutative);

• Ω(ξ1,Ω(ξ2,ξ3)) = Ω(Ω(ξ1,ξ2),ξ3) (associative).

Indeed, without such assumptions, we have to specify further

constraints concerning how each node updates its knowledge,

and even how the centralized estimate is defined (the order

by which estimates ξjs are considered is important).

In the remainder of this section, we will make a change in

the notation of the update function Ω to make the exposition

clearer. In particular, in place of the functional notation ξ+

Ω(ξi,ξj), we will use an equivalent form involving a binary

operator: ξ+

(distributed) consensus algorithm in Def. 3 can be written

as:

ξi(k + 1) = ?j∈Vi(1)ξj(k),

i=

i= ξi?ξj. Accordingly, the iterative rule of the

(1)

where Vi(p)

neighborhood of order p of the i–th node in V , and d(i,j) is

the geodesic distance, i.e. the shortest path length, between

i and j (recall that d(i,i) = 0, ∀i ∈ V ).

First, we give the following

△

=?j ∈ V | d(i,j) ≤ p?is the communication

Definition 4: A binary operator ? is said to be idempotent

if, and only if, for any ξ ∈ Ξ, it holds

ξ ? ξ = ξ .

(2)

Lemma 1: Consider n initial estimates ξ1(0),...,ξn(0)

that are exchanged between neighbors of a given communi-

cation graph Gc(V,Ec) according to a consensus algorithm

as in Def. 3. If the binary operator ? in Eq. 1 is commutative,

associative, and idempotent, then it holds

ξi(k) = ?j∈Vi(k)ξj(0),

(3)

for all i and all k.

Proof: Lemma 1 can be proved by logical induction.

Consider the evolution of the i–th agent estimate, starting

from the initial value ξi(0). After one consensus step, we

have

ξi(1) = ?j∈Vi(1)ξj(0), ∀i ∈ V ,

(4)

from Eq. 1.

Furthermore, assume that Eq. 3 holds for a certain value

of k. Then, from Eq. 1 and Eq. 2, we obtain:

ξi(k + 1)=

=

?j∈Vi(1)

?m∈Vi(k+1)ξm(0) ,

??m∈Vj(k)ξm(0)?=

(5)

where the commutative, associative, and idempotency prop-

erties of ? have been exploited.

Observe that Eq. 3 holds also for k = 1, as it is shown in

Eq. 4. Then, the general expression for ξi(k) in Eq. 3 can

be obtained by induction.

We are now ready to give the main result in the following

Theorem 1 (Abstract convergence): Consider n initial es-

timates ξ1(0),...,ξn(0) ∈ σ(IR) of a scalar ξ ∈ IR, a

communication graph Gc(V,Ec), and a legittimate update

function Ω : σ(IR) × σ(IR) → σ(IR) or the corresponding

bynary operator ?. The (distributed) general consensus al-

gorithm

ξi(k + 1) = ?j∈Vi(1)ξj(k)

(6)

converges to a unique network decision on the centralized

estimate

ξ∗= ?j∈Vξj(0),

(7)

i.e. ξ(∞) → 1ξ∗, if

• ? is idempotent, and

• Gcis connected.

Furthermore, the convergence is guaranteed in a finite num-

ber of steps ˜ n given by:

˜ n ≤ max

i,j∈Vd(i,j) = diameter(Gc).

Proof: Sufficiency of the conditions on ? can be proved

by observing that, if n = maxi,j∈Vd(i,j), then, since graph

Gcis connected,

(8)

Vi(k) = V , ∀k ≥ n ,

(9)

and, for Lemma 1 and Eq. 7, we have

ξi(k) = ?j∈Vi(n)ξj(0) = ?j∈Vξj(0) = ξ∗,

(10)

for all i ∈ V , and for all k ≥ n. Thus, we obtain the thesis.

Page 6

Fig. 6.

driving rules.

A 2–lane automated highway with a set of common individual

In the example in study, the update function Ω, or equiva-

lently the operator ?, involved in the agreement mechanism

is the set–intersection?, which satisfies the hypotheses of

Theorem 1. Moreover, the decision function Θ is the decen-

tralized monitoring mechanism based on the construction of

the UIO H†.

VI. APPLICATION

A. An Automated Highway

The case study considers a scenario where n mobile robots

are traveling along a highway with different maximum speed

and may want to reach different desired positions. Robots

are supposed to cooperate according to the common driving

rules (the above set R) in order to avoid collisions. More

precisely, any robot is allowed to perform at any instant one

of the following maneuvers based on logical conditions on its

neighborhood (the associated events are in Table I and II1):

• proceed at the maximum speed along the rightmost free

lane when possible (fast maneuver);

• if a slower vehicle proceeds in front on the same

lane, then overtake the vehicle if the next lane on the

left is free (left maneuver), or reduce the speed (slow

maneuver) otherwise;

• as soon as the next lane on the right becomes free,

change to that lane (right maneuver);

• overtaking any vehicle on the right is forbidden.

Our task is to detect misbehaving vehicles.

The physical state of the i–th robot is qi= (xi,yi,θi,vi)

(refer to Fig. 6) and has the following continuous unicycle–

like dynamics f:

˙ xi= vicos θi,

˙ yi= visin θi,

˙θi= ωi,

˙ vi= ai,

where ai and ωi are linear acceleration and angular veloc-

ities, respectively. According to the set R, the maneuver

σi of the i–th robot may take value on the set Σ =

{fast,left,right,slow} and has the discrete dynamics δ of

the automaton in Fig. 7, where the low–level feedback con-

troller g ensures that the current maneuver σiis performed.

1Observe that xj and lj are short–hands for xijand lij, being relating

to the j–th neighbor of vehicle i.

ω =

?

Ω

0

if θ < θMAX

otherwise

a =

?

A

0

if v < VMAX

otherwise

L

ω = −(y − yf)sin(θ)

θ

v − kv θ

a =

?

A

0

if v < VMAX

otherwise

F

ω =

?

−Ω

0

if θ > −θMAX

otherwise

a =

?

A

0

if v < VMAX

otherwise

R

ω = −(y − yf)sin(θ)

θ

v − kv θ

a =

?

−A

0

if v < VMAX

otherwise

S

eF→L

i

eF→R

i

eL→F

i

eR→F

i

eF→S

i

eS→F

i

eS→L

i

Fig. 7.

control g ensuring that the plant f behaves according to the rule set R.

Discrete dynamics δ of the automaton, and low–level feedback

TABLE I

LIST OF EVENTS FOR VEHICLES MOVING ALONG A 2–LANE HIGHWAY

eF→L

i

=

∧

(∃j ∈ Ni|l1(qi,qj)) ∧

(∄k ?= j ∈ Ni|l2(qi,qk)) ∧ ¬l4(qi)

eF→S

i

eF→S

i,1

eF→S

i,2

=

=

=

eF→S

i,1

(∃j ∈ Ni|l1(qi,qj)) ∧ (∃k ?= j ∈ Ni|l2(qi,qk))

(∃j ∈ Ni|l1(qi,qj)) ∧ l4(qi)

∨ eF→S

i,2

eF→R

i

=

(∄j ∈ Ni| l5(qi,qj) ∧ ¬l3(qi)

eL→F

i

=

l4(qi),eR→F

i

= l3(qi)

eS→L

i

=

eF→L

i

,eS→F

i

= (∄j ∈ Ni| l1(qi,qj))

TABLE II

LIST OF LITERALS FOR VEHICLES MOVING ALONG A 2–LANE HIGHWAY

l1(qi,qj)

l2(qi,qj)

l3(qi)

l4(qi)

l5(qi,qj)

=

=

=

=

=

(xj− xi≤ d) ∧ (xj≥ xi) ∧ (⌊yj⌋ = ⌊yi⌋)

(|xj− xi| ≤ d) ∧ (⌊yj⌋ > ⌊yi⌋)

⌊yi⌋ = 1

⌊yi⌋ = 2

(|xj− xi| ≤ d) ∧ (⌊yi⌋ > ⌊yi⌋)

B. Consensus Simulation

Consider the following simulation run where robot 1 is

non–cooperative since it remains in the second lane, whereas

it should start a right maneuver as the next lane on its right

is free (see Fig. 8–a). Furthermore, assume that the other

robots, 2, 3, 4, and 5 in the figure, are acting as monitors

of robot 1 and share their local estimates ξis of vehicle 1’s

neighborhood.Assume that communication occurs according

to the following (undirected) graph Gc(V,Ec), where is V =

{2,3,4,5}, and Ec = {e2,2,e2,3,e2,5,e3,3,e3,4,e4,4,e5,5}.

Then, for the given communication graph Gc, we obtain the

following instance of consensus algorithm:

ξ2+(k + 1) = ξ2(k) ∩ ξ3(k) ∩ ξ5(k),

ξ3+(k + 1) = ξ2(k) ∩ ξ3(k) ∩ ξ4(k),

ξ4+(k + 1) = ξ3(k) ∩ ξ4(k),

ξ5+(k + 1) = ξ2(k) ∩ ξ5(k).

The first column of Fig. 9 is a graphical representation of

the initial estimates ˆ qno+1,..., ˆ qpof robot 1’s neighborhood

Page 7

(k = 0)(k = 1)(k = 2)(k = 3)

ξ4(1)

ξ3(1)

ξ2(1)

ξ5(1)

ξ4(2)

ξ3(2)

ξ2(2)

ξ5(2)

ξ4(3)

ξ3(3)

ξ2(3)

ξ5(3)

Fig. 9.Consensus run for the given communication graph Gc. Robot 1’s non–cooperation is detected, and an agreement is reached on its reputation.

faulty agent

(a)(b)

Fig. 8.

decision d∗where the non–cooperation is detected (b).

Simulation run with a non–cooperative robot (a), and centralized

reconstructed by all the monitors. The corresponding central-

ized estimate ξ∗= ξ2(0)∩ξ3(0)∩ξ4(0)∩ξ5(0) is illustrated

in Fig. 8–b, where robot 1’s non–cooperation is detected

(the centralized decision is indeed d∗= noncooperative).

This observation along with the fact that the communication

graph Gc is connected ensure that the same decision can

be reached by the distributed computation (see Theorem 1).

Simulation results are reported in Fig. 9, where the k–th

column shows the monitors’ reconstructed neighborhood of

vehicle 1, after k steps of consensus.

define relative uncertainty measures of the monitors w.r.t.

the desired centralized estimate ξ∗reported in Fig. 8–b as

Moreover, we can

µi(k) = µ(ξi(k) \ ξ∗), for i = 2,3,4,5,

where µ is a function that computes the area of the set

received as argument. Such uncertainties converge to 0

during the consensus run (see Fig. 10). Finally, robot 1’s

non–cooperation is detected, and an agreement on d∗is

reached for its reputation in ˜ n = 3 steps as expected from

theory (see Fig. 11).

Similar consensus runs can be shown for cooperative

robots, and the agreement on the centralized decision for

the reputation is always achieved. Notwithstanding, there are

configurations for which it is not possible to distinguish a

0123456

−1

0

1

2

3

4

5

6

Consensus steps

Uncertainty (µ)

Agent 2

0123456

−1

0

1

2

3

4

5

6

Consensus steps

Uncertainty (µ)

Agent 3

0123456

−1

0

1

2

3

4

5

6

Consensus steps

Uncertainty (µ)

Agent 4

0123456

−1

0

1

2

3

4

5

6

Consensus steps

Uncertainty (µ)

Agent 5

Fig. 10.

for i = 2,3,4,5.

Convergence of the uncertainty measures µi(k) = µ(ξi(k)\ξ∗),

0123456

F

U

C

Consensus steps

Reputation

Agent 2

0123456

F

U

C

Consensus steps

Reputation

Agent 3

0123456

F

U

C

Consensus steps

Reputation

Agent 4

0123456

F

U

C

Consensus steps

Reputation

Agent 5

Fig. 11. Agreement on the centralized estimate d∗for robot 1’s reputation.

Page 8

Fig. 12.

paths. Vehicles are supposed to give way to vehicles coming from their right.

In the figure, vehicle 0 is monitoring all vehicles that are in line–of–sight

with it and reconstructs information about its unobservable regions.

Simulation run of a system of vehicles travelling along crossing

cooperative from a non–cooperativerobot (we omit examples

for space reasons). However, this limitation is due to the

instantaneous distribution of the sensors, and it is not due to

the consensus algorithm.

Although results have been presented only from the same

case study, the synthesis technique remains valid also for

other multi–robot systems. Indeed, in Fig. 12, a snapshot

from the simulation run of a system of vehicles travelling

along crossing paths is reported. Vehicles are supposed

to give way to vehicles coming from their right. In the

figure, vehicle 0 is monitoring all vehicles that are in

line–of–sight with it and reconstructs information about

its unobservable regions. The reader may refer to the site

http : //www.piaggio.ccii.unipi.it/˜fagiolini/icra2008 for

some relevant videos.

VII. CONCLUSION

In this paper, we presented work aimed at developing

a synthesis technique that makes it possible to build a

distributed Intrusion Detection System (IDS) for securing

a class of robotic multi–agents. The proposed IDS consists

of a decentralized monitoring mechanism, by which every

robot assigns all its neighbors with a direct reputation of their

cooperativeness, and an agreement mechanism, by which all

of such monitors sharing locally collected information can

“converge” to a unique network decision. Many problems

remain to be addressed, such as the presence of malicious

monitors sharing false information and thus leading the

system to incorrectly classify any monitored robot.

VIII. ACKNOWLEDGMENTS

Authors wish to thank Dr. L. Pallottino for useful dis-

cussions. The work was partially supported by EC Network

of Excellence HYCON (Contract IST-2004-511368), and by

Cassa di Risparmio di Pisa, Lucca e Livorno.

REFERENCES

[1] R. Olfati-Saber, “Flocking for multi-agent dynamic systems: algo-

rithms and theory,” Automatic Control, IEEE Transactions on, vol. 51,

no. 3, pp. 401–420, 2006.

[2] L. Figueiredo, I. Jesus, J. Machado, J. Ferreira, and J. Martins de

Carvalho, “Towards the development of intelligent transportation sys-

tems,” Intelligent Transportation Systems, 2001. Proceedings. 2001

IEEE, pp. 1206–1211, 2001.

[3] L. Lamport, R. Shostak, and M. Pease, “The Byzantine Generals Prob-

lem,” ACM Transactions on Programming Languages and Systems

(TOPLAS), vol. 4, no. 3, pp. 382–401, 1982.

[4] C. Tomlin, G. J. Pappas, and S. Sastry, “Conflict resolution for air

traffic management: A case study in multi-agent hybrid systems,”

vol. 43, pp. 509–521, 1998.

[5] R. Ghosh and C. J. Tomlin, “Maneuver design for multiple aircraft

conflict resolution,” Chicago, IL, 2000.

[6] L. Pallottino, V. Scordio, and A. Bicchi, “Decentralized cooperative

conflict resolution among multiple autonomous mobile agents,” in

Proceedings of the Conference on Decision and Control, vol. 5, Dec.

2004, pp. 4758–4763.

[7] T. Bass, “Intrusion detection systems and multisensor data fusion,”

Commun. ACM, vol. 43, no. 4, pp. 99–105, 2000.

[8] S. Snapp, J. Brentano, G. Dias, T. Goan, L. Heberlein, C. Ho,

K. Levitt, B. Mukherjee, S. Smaha, T. Grance et al., “DIDS (Dis-

tributed Intrusion Detection System)-Motivation, Architecture, and an

Early Prototype,” Proceedings of the 14th National Computer Security

Conference, pp. 167–176, 1991.

[9] S. Buchegger and J. Le Boudec, “Performance Analysis of the

CONFIDANT Protocol: Cooperation Of NodesFairness In Dynamic

Ad-hoc NeTworks,” Proceedings of IEEE/ACM Symposium on Mobile

Ad Hoc Networking and Computing (MobiHOC), pp. 226–236, 2002.

[10] ——, “A Robust Reputation System for Mobile Ad-hoc Networks,”

Proceedings of P2PEcon, June, 2004.

[11] T. Yoo and S. Lafortune, “Polynomial-time verification of diagnosabil-

ity of partially observed discrete-event systems,” Automatic Control,

IEEE Transactions on, vol. 47, no. 9, pp. 1491–1495, 2002.

[12] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and

D. Teneketzis, “Failure diagnosis using discrete-event models,” Con-

trol Systems Technology, IEEE Transactions on, vol. 4, no. 2, pp. 105–

124, 1996.

[13] ——, “Diagnosability of discrete-event systems,” Automatic Control,

IEEE Transactions on, vol. 40, no. 9, pp. 1555–1575, 1995.

[14] C.¨Ozveren and A. Willsky, “Invertibility of Discrete-Event Dynamic

Systems,” Mathematics of Control, Signals, and Systems (MCSS),

vol. 5, no. 4, pp. 365–390, 1992.

[15] G. Fourlas, K. Kyriakopoulos, and N. Krikelis, “Diagnosability of

Hybrid Systems,” Proceedings of the 10th IEEE Mediterranean Con-

ference on Control and Automation, 2002.

[16] ——, “A Framework for Fault Detection of Hybrid Systems,” Pro-

ceedings of the 9th IEEE Mediterranean Conference on Control and

Automation, 2001.

[17] A. Fagiolini, G. Valenti, L. Pallottino, G. Dini, and A. Bicchi, “De-

centralized Intrusion Detection For Secure Cooperative Multi–Agent

Systems,” IEEE International Conference on Decision and Control,

2007.

[18] ——, “Local Monitor Implementation for Decentralized Intrusion

Detection in Secure Multi–Agent Systems,” IEEE Conference on

Automation, Science, and Engineering, 2007.

[19] R. Olfati-Saber, J. A. Fax, and R. N. Murray, “Consensus and

Cooperation in Networked Multi–Agent Systems,” Proceedings of the

IEEE, 2007.

[20] R. Olfati-Saber, , and R. N. Murray, “Consensus Problems in Net-

works of Agents with Switching Topology and Time–Delays,” IEEE

Transactions on Automation and Control, 2004.

[21] N. Lynch, Distributed Algorithms.

San Mateo, CA, 1996.

[22] M. Di Marco, A. Garulli, A. Giannitrapani, and A. Vicino, “Simul-

taneous localization and map building for a team of cooperating

robots: a set membership approach,” Robotics and Automation, IEEE

Transactions on, vol. 19, no. 2, pp. 238–249, 2003.

[23] K. Marzullo, “Maintaining the time in a distributed system: An exam-

ple of a loosely-coupled distributed service.” Dissertation Abstracts

International Part B: Science and Engineering[DISS. ABST. INT. PT.

B- SCI. & ENG.],, vol. 46, no. 1, 1985.

[24] P. Lincoln and J. Rushby, “A Formally Verified Algorithm for In-

teractive Consistency Under a Hybrid Fault Model,” Fault-Tolerant

Computing, 1995,’Highlights from Twenty-Five Years’., Twenty-Fifth

International Symposium on, 1995.

Morgan Kaufmann Publishers,

#### View other sources

#### Hide other sources

- Available from Gianluca Dini · Jun 4, 2014
- Available from unipi.it