Consensus-based Distributed Intrusion Detection for Multi-Robot Systems
Adriano Fagiolini, Marco Pellinacci, Gianni Valenti, Gianluca Dini, and Antonio Bicchi

Abstract—This paper addresses a security problem in robotic multi-agent systems, where agents are supposed to cooperate according to a shared protocol. A distributed Intrusion Detection System (IDS) is proposed here, that detects possible non-cooperative agents. Previous work by the authors showed how single monitors embedded on-board the agents can detect non-cooperative behavior, using only locally available information. In this paper, we allow such monitors to share the collected information in order to overcome their sensing limitation. In this perspective, we show how an agreement on the type of behavior of a target robot may be reached by the monitors, through execution of a suitable consensus algorithm. After formulating a consensus problem over non-scalar quantities, and with a generic update function, we provide conditions for the consensus convergence and an upper bound to its transient duration. Effectiveness of the proposed solution is finally shown through simulation of a case study.
I. INTRODUCTION
In the last few years, there has been a great effort to define decentralized and cooperative control strategies for applications, such as intelligent transportation, surveillance, etc., requiring the employment of teams of robots (see e.g. [1], [2]). The development of such strategies is motivated by the so-called divide et impera principle, according to which the original problem is reduced to finding solutions for sub-problems of less complexity, and indeed the actions of each robot can be seen as a partial contribution to solving the complete problem.
Furthermore, the redundant number of robots allows a higher level of robustness against simple faults to be reached, e.g. by a possible task reallocation whenever a faulty robot is discovered within the system. However, in the absence of a centralized monitoring infrastructure, byzantine behaviors [3] of a robot, arbitrarily deviating from the nominal cooperation strategy, may remain undiscovered for a long time. As a matter of fact, a malicious robot may "play" with the model of cooperation and deceive any of its neighbors monitoring its behavior, by leveraging their partial knowledge of the system's state.
We focus on systems where cooperation is obtained by sharing a common set of decentralized rules $R$, i.e. we consider systems where each robot plans its motion based on rules that dictate actions depending on the configuration of the robot itself and of its neighbors (see e.g. [4]–[6]). The challenge in these systems is to find strategies to detect possible non-cooperative robots, without the use of any form of centralization. Bearing this in mind, our objective is to develop a synthesis technique that makes it possible to build a distributed Intrusion Detection System (IDS) [7], [8] for securing the considered class of robotic multi-agents. The proposed IDS consists of two main "ingredients": a decentralized monitoring mechanism, by which every robot assigns all its neighbors a direct reputation, a measure of their cooperativeness, and an agreement mechanism, by which all such monitors sharing locally collected information can "converge" to a unique network decision.
The concept of reputation is normally employed in Peer-To-Peer (P2P) systems, and in Mobile Ad-hoc NETworks (MANET), where a form of cooperation is required, e.g. for establishing a message routing service that enables the communication among all agents. In these systems (see e.g. the works of LeBoudec [9], [10]), each agent assigns its neighbors a reputation rate that depends on whether they display a collaborative behavior, e.g. with respect to message forwarding. Our problem is different and more difficult due to the fact that each robot has only partial knowledge of the system's state, and thus it cannot establish with certainty whether a given behavior of one of its neighbors is cooperative or not. The challenge of a robot acting as a decentralized monitor is indeed to distinguish a faulty or malicious robot in its neighborhood from a correctly cooperating robot whose actions may be influenced by other robots out of the monitor's range. Furthermore, the fact that the topology of interaction and exchange of information among mobile robots is changing and unknown should be taken into account. These reasons make the problem we deal with quite distinct from those tackled in the current Security and Fault Detection [11]–[16] literatures, and indeed a very challenging one.
Author affiliations: A. Fagiolini, G. Valenti, and A. Bicchi are with the Interdepartmental Research Center "E. Piaggio" of the Università di Pisa, Italy, {a.fagiolini, bicchi}@ing.unipi.it, posta@gianni.valenti.name. M. Pellinacci and G. Dini are with the Dipartimento dell'Informazione, Faculty of Engineering, Università of Pisa, Italy, marco.pellinacci@alice.it, gianluca.dini@ing.unipi.it.
In previous work [17], [18], we proposed a scheme by which each robot can independently establish a reputation of all its neighbors, using only locally available information. This paper addresses the problem of reaching an agreement on such reputations, and indeed the possibility that the monitors share locally collected information is considered. To achieve this, the flourishing literature on distributed consensus algorithms [19]–[21] represents a quite natural framework under which the problem should be treated. Indeed, the system-theoretic approach (used e.g. in Murray's works) to represent the dynamic behavior of such algorithms makes it possible to find useful results on the rate of convergence, and on the conditions under which an agreement can be established. However, such algorithms involve the exchange of scalar quantities and allow the use of very simple rules only, such as weighted average, to combine measures of different distributed sensors. In our application scenario, robots need to exchange locally reconstructed "evidences" of the reputation of their neighbors that are not scalars, as will be discussed afterward, and hence a more complex combination rule is required. In this vein, the works on set-membership [22] and the so-called Marzullo's algorithm [23] define rules to combine sets or intervals, respectively, estimated by different sensors. Such works may indeed provide useful hints to solve our problem. Due to this fact, we believe that the consensus literature can still be enriched, and we present a convergence result when more general functions are used to combine different measures, which may represent a first step in this direction.
II. HYBRID MODEL OF ROBOTIC AGENTS
The class of robotic systems of interest is represented by teams of robots that plan their motions according to a set of decentralized and cooperative rules $R$. In particular, we assume that the set $R$ defines $\kappa$ possible actions $\Sigma = \{\sigma_1, \sigma_2, \dots, \sigma_\kappa\}$ that robots can perform, and specifies $\nu$ logical conditions on the state of their neighborhoods requiring a change of maneuver. Let $E = \{e_1, e_2, \dots, e_\nu\}$ be the set of discrete events associated with such conditions. For the sake of clarity, consider as an example the case of $n$ cars moving on a multi-lane highway. Such cars are supposed to have the same dynamics, and pilots are supposed to decide the current maneuver based on their goal, the configuration of their own car and of other neighboring cars. In this example, the actions defined by $R$ are accelerate, decelerate, and change to the next left or right lane. The logical conditions for a change of maneuver are represented by e.g. a slower car in front, and a free lane on the left requiring the execution of an overtake.
Robotic systems composed of a physical plant and a control system implementing such a kind of cooperation rules $R$ can be modeled as hybrid systems. The components of such hybrid models $H$ are depicted in Fig. 1 and explained in the following. Let $q_i \in Q$ be a vector describing the physical state of the $i$-th robot and taking value in the configuration space $Q$, and let $\sigma_i \in \Sigma$ be the maneuver that the robot is currently performing. The $i$-th robot's configuration $q_i$ has a continuous dynamics
$$\dot q_i = f(q_i, u_i),$$
where $u_i \in U$ is a control input. In particular, $u_i$ is a feedback law generated by a low-level controller $g : Q \times \Sigma \to U$, i.e.
$$u_i = g(q_i, \sigma_i),$$
so that the robot's trajectory $q_i(t)$ corresponds to the desired current maneuver $\sigma_i$. The $i$-th robot's current maneuver has a discrete dynamics $\delta : \Sigma \times E \to \Sigma$, i.e.
$$\sigma_i^+ = \delta(\sigma_i, e),$$
where $e$ is an event requiring a change of maneuver from $\sigma_i$ to $\sigma_i^+$. Event activation is detected by a static map $D : Q \times Q^p \times Z \to E$, where $p$ is the maximum number of neighbors whose configurations may affect the robot, and $\zeta_i \in Z$ is a parameter that may be reset at any maneuver transition. Map $D$ encodes conditions such as the presence of a slower car in front, and a free lane on the left. The currently detected event is then
$$e = D(q_i, v_i, \zeta_i),$$
where $v_i = (q_{i_1}, \dots, q_{i_p})$ is a vector stacking the configurations of the $i$-th robot's neighbors. In conclusion, the hybrid dynamics of the $i$-th robot is
$$q_i = H(q_i, q_{i_1}, \dots, q_{i_p}),$$
where $H : Q \times Q^p \to Q$, and $i_1, \dots, i_p$ are the indices of its neighbors. Hence, $q_{i_1}, \dots, q_{i_p}$ represent $H$'s input and $q_i$ its output.
Fig. 1. Depiction of the hybrid model of robotic agents: the event detector $e_i = D(q_i, v_i, \zeta_i)$, the automaton producing the maneuver $\sigma_i$, the low-level controller $u_i = g(q_i, \sigma_i)$ and the plant $\dot q_i = f(q_i, u_i)$; inputs $v_i$, $\zeta_i$, output $q_i$.
III. CONSTRUCTION OF LOCAL MONITORS FOR INTRUSION DETECTION
We first give the following
Definition 1: A non-cooperative robot, or intruder, is a faulty or malicious robot whose behavior arbitrarily deviates from the one imposed by the cooperation rules $R$.
In practice, the $i$-th robot is deemed non-cooperative if its trajectory $\bar q_i(t)$ differs from the output $\tilde q_i(t)$ of the hybrid model $H$ derived from $R$ and excited by the configurations $q_{i_1}(t), \dots, q_{i_p}(t)$ of its neighbors. In formula, the condition is the following:
$$\bar q_i(t) \neq \tilde q_i(t) = H(q_i(t), q_{i_1}(t), \dots, q_{i_p}(t)).$$
The problem of a robot $h$ acting as a monitor of the behavior of robot $i$ is due to its partial knowledge of $i$'s neighborhood. In the example under study, some cars affecting the behavior of robot $i$ may be out of robot $h$'s sensing range since they remain hidden by other cars (see Fig. 2). To model this, we first partition the configuration space $Q$ according to the $h$-th monitor's visibility:
$$Q = O_h^{obs} \cup O_h^{unobs},$$
where $O_h^{obs}$ and $O_h^{unobs}$ are the observable and the unobservable regions, respectively, from the perspective of $h$. Then, we can partition the $i$-th robot's input space $Q_a(q_i)$ due to the $h$-th monitor's visibility:
$$Q_a(q_i) = Q_a(q_i) \cap \left(O_h^{obs} \cup O_h^{unobs}\right) = Q_h^{obs} \cup Q_h^{unobs}.$$
Fig. 2. Partition of the configuration space due to robot 0's visibility, and corresponding partition of the input space of robot 4.
The goal of the monitoring robot $h$ is to establish whether the trajectory $\bar q_i(t)$ of robot $i$ is compliant with its partial knowledge of $i$'s neighborhood and the cooperation rules $R$. From a mathematical point of view, we need to solve the following
Problem 1: Consider the hybrid model $H$ of a robot $i$, and a partition $Q_a(q_i) = Q_h^{obs} \cup Q_h^{unobs}$ of its input space due to monitor $h$. Given the trajectory $\bar q_i(t)$, and $n_o$ configurations $q_1(t), \dots, q_{n_o}(t)$ of known neighbors in $Q_h^{obs}$, determine, if it exists, a choice of $p - n_o$ configurations $q_{n_o+1}, \dots, q_p$ in $Q_h^{unobs}$ such that the expected behavior
$$\tilde q_i = H(\bar q_i, q_1, \dots, q_{n_o}, q_{n_o+1}, \dots, q_p)$$
equals the given one, i.e. $\tilde q_i(t) = \bar q_i(t)$.
Solving this problem can be hard due to non-linearities and differential equations of the hybrid model $H$, and it would require the construction of an "unknown input observer" (UIO) $H^\dagger$ of the hybrid model itself, as we have discussed in [17]. Furthermore, a direct approach for the computation of such a UIO leads to ad-hoc solutions for very specific cases. In contrast, we showed how this can be avoided and solutions can be found for the considered class of robotic multi-agent systems. The property that in our opinion makes our approach appealing is that all components of the proposed decentralized monitor can be automatically generated once the dynamics $f$ of the plant and the cooperation rules $R$ are given. The reader may refer to our work [17] for a complete description of the method and can assume the existence of a procedure to build a UIO, $H^\dagger$, such that
$$(\hat q_{n_o+1}, \dots, \hat q_p) = H^\dagger(\bar q_i, q_1, \dots, q_{n_o}),$$
where $\hat q_l$ for $l = n_o + 1, \dots, p$ are estimates of $p - n_o$ configurations of robots in $Q_h^{unobs}$ that can "explain" the behavior $\bar q_i$ of the monitored robot $i$.
In cases where the monitoring robot $h$ has complete knowledge of robot $i$'s neighborhood, it will be able to distinguish a cooperative from a non-cooperative robot, and accordingly decide on its reputation $r_{ih}$. Whenever this is not true, the monitor tries to reconstruct any information on $Q_h^{unobs}$ according to robot $i$'s behavior and the partial knowledge of its neighbors. In these cases, as long as a choice for $\hat q_l$ exists, the reputation of robot $i$ remains "uncertain" (indeed the robot may be correctly following the cooperation rules $R$ or not). Otherwise, the reputation becomes "noncooperative". In brief, the reputation $r_{ih}$ of robot $i$ according to robot $h$ is a discrete variable taking values in the set:
$$R = \{\text{cooperative}, \text{noncooperative}, \text{uncertain}, \text{unknown}\}.$$
The introduction of the value "unknown" is instrumental for the purpose of communication. Indeed, whenever a monitor robot $h$ does not see robot $i$, but has to participate in an agreement on the value of its reputation, it will initially exchange the value unknown.
We point out that the estimates $\hat q_l$, for all $l$, are evidences or unobservable explanations that the monitoring robot $h$ has derived from the behavior of robot $i$. Depending on the existence of such possible explanations, robot $h$ assigns a neighboring robot $i$ a suitable reputation value. Fig. 3 shows a simulation run with a non-cooperative robot, vehicle 0 in the figure, that keeps traveling on the second lane, even though the lane on the right is free. The behavior of vehicle 0 is monitored by its neighbors, which reconstruct different estimates $\hat q_{n_o+1}, \dots, \hat q_p$ of their unobservable regions. Such estimates are possibly non-convex regions where the presence of a robot is required (when reported in red) or is excluded (when reported in green).
IV. OVERCOMING LOCAL MONITORING LIMITATION THROUGH COMMUNICATION
The second "ingredient" of the proposed IDS is a distributed agreement mechanism by which monitors share locally collected information so as to reduce their uncertainty and eventually "converge" to a unique network decision. The communication among monitors is indeed necessary since they cannot verify the actual correctness of the reconstructed hypotheses or explanations $\hat q_{n_o+1}, \dots, \hat q_p$ on $Q_h^{unobs}$. Moreover, reaching an agreement is paramount before starting any emergency procedure whenever a non-cooperative robot is detected.
A. Consensus algorithms and centralized decision
Consider a piecewise-constant communication topology represented by the undirected graph $G_c(V, E_c)$, where $V$ is a set of nodes, and $E_c$ is a set of edges. The presence of an edge $e_{i,j}$ connecting $v_i$ with $v_j$ means that node $v_i$ is able to share its knowledge with node $v_j$. Now, we can recall from e.g. [20] the following
Definition 2 (Consensus Algorithm): Given a set $V = \{v_1, \dots, v_n\}$ of nodes, and a communication graph $G_c(V, E_c)$, a (distributed) consensus algorithm is an iterative interaction rule that specifies:
• which information $d \in D$ is shared among neighbors,
• and how each node $v_i$ updates its estimate $d_i$ based on any received value $d_j$, i.e. which update function $\Omega : D \times D \to D$ is used to compute
$$d_i^+ = \Omega(d_i, d_j), \quad \text{for } i = 1, \dots, n.$$
Let us also define a centralized decision $d^*$ as the value that would be chosen by a hypothetical monitor collecting all initial measures $d_1(0), \dots, d_n(0)$, and combining them according to $\Omega$. The quantity $d^*$ can be seen as a result limiting the performance of any distributed computation strategy as it represents the choice taken without any information loss. This motivates the effort that is often spent to design consensus algorithms converging to $d^*$ (these algorithms are said to achieve the so-called f-consensus), irrespective of the distributed nature of the computation.
Fig. 3. Simulation run where robot 0 is non-cooperative as it keeps traveling on the second lane, even though the lane on the right is free (first picture). Monitor robots' points of view are reported in the other three pictures, where red and green colors indicate regions where the presence of a robot is required or is excluded, respectively.
B. Which Information To Share
In our application scenario, nodes in $V$ are robots that are monitoring a common neighbor and that are supposed to communicate as in $E_c$ in order to reach an agreement on the reputation of such a neighbor. Consider the vector
$$r(k) = (r_1(k), \dots, r_n(k))$$
that is obtained by stacking all monitors' decisions after $k$ steps of a suitable consensus. Our objective here is to design a distributed consensus algorithm guaranteeing that, for any initial condition $r(0)$, we have $r(\infty) = \mathbf{1}\, r^*$, where $r^*$ is the centralized decision.
A simple solution where the $i$-th monitor shares the locally established reputation $r_i(k)$ is sufficient to reach an agreement. To achieve this, well-known consensus algorithms for scalar quantities can indeed be used (see e.g. [19]–[21]). However, in the majority of the cases, monitors are likely to have partial knowledge of the monitored robot's neighborhood and remain uncertain about its actual behavior. Then, the whole network of robots will remain uncertain, except at the occurrence of fortunate cases where manifest faulty behaviors [24] can trivially be detected.
For this reason, we propose a solution where monitors share any information that is directly measured or reconstructed by exploitation of $H^\dagger$. Namely, each monitor $h$ shares the following data related to a common neighbor $i$:
$$\xi_i^h = \{\bar q_i, q_1, \dots, q_{n_o}, H^\dagger(q_1, \dots, q_{n_o})\} = \{\bar q_i, q_1, \dots, q_{n_o}, \hat q_{n_o+1}, \dots, \hat q_p\}.$$
Theoretically, after having established the so-called "same context" for the value of such a neighborhood, they will use the same decision rule and hence decide for the same reputation value.
C. More General Consensus Algorithms
Well-known consensus algorithms are appealing since they are obtained through very simple combination rules, such as weighted average, or maximum occurrence value. However, they are applicable only with scalar quantities, whereas $\hat q_{n_o+1}, \dots, \hat q_p$ are possibly non-convex sets or intervals (recall the example of Fig. 3).
Motivated by this fact, we introduce a more general class of consensus algorithms, partially inspired by the Computer Science literature (see e.g. Lynch's works):
Definition 3 (General Consensus Algorithm): Given a set $V = \{v_1, \dots, v_n\}$ of nodes, and a communication graph $G_c(V, E_c)$, a (distributed) general consensus algorithm is an iterative interaction rule that specifies:
• which information $\xi \in \Xi$ is shared among neighbors,
• how each node $v_i$ updates its knowledge $\xi_i$ based on any received value $\xi_j$, i.e. which update function $\Omega : \Xi \times \Xi \to \Xi$ is used to compute
$$\xi_i^+ = \Omega(\xi_i, \xi_j), \quad \text{for } i = 1, \dots, n,$$
• and how each node $v_i$ decides on the value $d_i \in D$ of a common quantity of interest for which an agreement is desired, i.e. which decision function $\Theta : \Xi \to D$ is used to compute
$$d_i = \Theta(\xi_i), \quad \text{for } i = 1, \dots, n.$$
From a system theoretic point of view, the $i$-th node participating in the consensus is a discrete sub-system, where $\xi_i$ is the state (a.k.a. the context), all $\xi_j$s are inputs, and $d_i$ is the output (a.k.a. the decision) (see Fig. 4). Now the centralized decision $d^*$ is the value that would be chosen by a hypothetical monitor collecting all initial measures $\xi_1(0), \dots, \xi_n(0)$, combining them according to $\Omega$, and then applying $\Theta$.
Fig. 4. Depiction of the $i$-th node participating in the general consensus algorithm: inputs $\xi_j, \dots, \xi_k$, state update $\xi_i^+$ computed by $\Omega$ through a delay $\Delta$, and output $d_i$ computed by $\Theta$.
Fig. 5. A connected communication graph $G_c(V, E_c)$ with nodes 1 to 7.
V. ON THE ABSTRACT CONVERGENCE OF CONSENSUS ALGORITHMS WITH UNCERTAIN MEASURES
Let $\xi \in \mathbb{R}$ be a scalar quantity of interest for the network, and let $\xi_1, \dots, \xi_n$ be $n$ elements of a $\sigma$-algebra $\Sigma$ over $\mathbb{R}$, representing uncertain estimates of a particular value $\bar\xi$ of $\xi$. Consider a consensus algorithm as in Def. 3, and assume that neighbors of a given communication graph $G_c(V, E_c)$ (as the one of Fig. 5) exchange the estimates $\xi_1, \dots, \xi_n$, in order to reach an agreement on $\bar\xi$.
It is worth noting that, even though the update function $\Omega : \Sigma \times \Sigma \to \Sigma$ in Def. 3 may be general, some essential properties are required to make it a legitimate update function for the distributed algorithm. In particular, we require that, for any $\xi_1$, $\xi_2$, and $\xi_3$,
• $\Omega(\xi_1, \xi_2) = \Omega(\xi_2, \xi_1)$ (commutative);
• $\Omega(\xi_1, \Omega(\xi_2, \xi_3)) = \Omega(\Omega(\xi_1, \xi_2), \xi_3)$ (associative).
Indeed, without such assumptions, we have to specify further constraints concerning how each node updates its knowledge, and even how the centralized estimate is defined (the order by which the estimates $\xi_j$ are considered is important).
In the remainder of this section, we will make a change in the notation of the update function $\Omega$ to make the exposition clearer. In particular, in place of the functional notation $\xi_i^+ = \Omega(\xi_i, \xi_j)$, we will use an equivalent form involving a binary operator: $\xi_i^+ = \xi_i \star \xi_j$. Accordingly, the iterative rule of the (distributed) consensus algorithm in Def. 3 can be written as:
$$\xi_i(k+1) = \star_{j \in V_i(1)}\, \xi_j(k), \tag{1}$$
where $V_i(p) \triangleq \{ j \in V \mid d(i,j) \le p \}$ is the communication neighborhood of order $p$ of the $i$-th node in $V$, and $d(i,j)$ is the geodesic distance, i.e. the shortest path length, between $i$ and $j$ (recall that $d(i,i) = 0$, $\forall i \in V$).
First, we give the following
Definition 4: A binary operator $\star$ is said to be idempotent if, and only if, for any $\xi \in \Xi$, it holds
$$\xi \star \xi = \xi. \tag{2}$$
Lemma 1: Consider $n$ initial estimates $\xi_1(0), \dots, \xi_n(0)$ that are exchanged between neighbors of a given communication graph $G_c(V, E_c)$ according to a consensus algorithm as in Def. 3. If the binary operator $\star$ in Eq. 1 is commutative, associative, and idempotent, then it holds
$$\xi_i(k) = \star_{j \in V_i(k)}\, \xi_j(0), \tag{3}$$
for all $i$ and all $k$.
Proof: Lemma 1 can be proved by induction. Consider the evolution of the $i$-th agent estimate, starting from the initial value $\xi_i(0)$. After one consensus step, we have
$$\xi_i(1) = \star_{j \in V_i(1)}\, \xi_j(0), \quad \forall i \in V, \tag{4}$$
from Eq. 1. Furthermore, assume that Eq. 3 holds for a certain value of $k$. Then, from Eq. 1 and Eq. 2, we obtain:
$$\xi_i(k+1) = \star_{j \in V_i(1)} \left( \star_{m \in V_j(k)}\, \xi_m(0) \right) = \star_{m \in V_i(k+1)}\, \xi_m(0), \tag{5}$$
where the commutative, associative, and idempotency properties of $\star$ have been exploited. Observe that Eq. 3 holds also for $k = 1$, as shown in Eq. 4. Then, the general expression for $\xi_i(k)$ in Eq. 3 can be obtained by induction.
We are now ready to give the main result in the following
Theorem 1 (Abstract convergence): Consider $n$ initial estimates $\xi_1(0), \dots, \xi_n(0) \in \sigma(\mathbb{R})$ of a scalar $\xi \in \mathbb{R}$, a communication graph $G_c(V, E_c)$, and a legitimate update function $\Omega : \sigma(\mathbb{R}) \times \sigma(\mathbb{R}) \to \sigma(\mathbb{R})$ or the corresponding binary operator $\star$. The (distributed) general consensus algorithm
$$\xi_i(k+1) = \star_{j \in V_i(1)}\, \xi_j(k) \tag{6}$$
converges to a unique network decision on the centralized estimate
$$\xi^* = \star_{j \in V}\, \xi_j(0), \tag{7}$$
i.e. $\xi(\infty) \to \mathbf{1}\,\xi^*$, if
• $\star$ is idempotent, and
• $G_c$ is connected.
Furthermore, the convergence is guaranteed in a finite number of steps $\tilde n$ given by:
$$\tilde n \le \max_{i,j \in V} d(i,j) = \mathrm{diameter}(G_c). \tag{8}$$
Proof: Sufficiency of the conditions on $\star$ can be proved by observing that, if $n = \max_{i,j \in V} d(i,j)$, then, since graph $G_c$ is connected,
$$V_i(k) = V, \quad \forall k \ge n, \tag{9}$$
and, by Lemma 1 and Eq. 7, we have
$$\xi_i(k) = \star_{j \in V_i(n)}\, \xi_j(0) = \star_{j \in V}\, \xi_j(0) = \xi^*, \tag{10}$$
for all $i \in V$, and for all $k \ge n$. Thus, we obtain the thesis.
In the example under study, the update function $\Omega$, or equivalently the operator $\star$, involved in the agreement mechanism is the set intersection $\cap$, which satisfies the hypotheses of Theorem 1. Moreover, the decision function $\Theta$ is the decentralized monitoring mechanism based on the construction of the UIO $H^\dagger$.
Fig. 6. A 2-lane automated highway with a set of common individual driving rules.
VI. APPLICATION
A. An Automated Highway
The case study considers a scenario where $n$ mobile robots are traveling along a highway with different maximum speeds and may want to reach different desired positions. Robots are supposed to cooperate according to the common driving rules (the above set $R$) in order to avoid collisions. More precisely, any robot is allowed to perform at any instant one of the following maneuvers based on logical conditions on its neighborhood (the associated events are in Table I and II¹):
• proceed at the maximum speed along the rightmost free lane when possible (fast maneuver);
• if a slower vehicle proceeds in front on the same lane, then overtake the vehicle if the next lane on the left is free (left maneuver), or reduce the speed (slow maneuver) otherwise;
• as soon as the next lane on the right becomes free, change to that lane (right maneuver);
• overtaking any vehicle on the right is forbidden.
Our task is to detect misbehaving vehicles.
The physical state of the $i$-th robot is $q_i = (x_i, y_i, \theta_i, v_i)$ (refer to Fig. 6) and has the following continuous unicycle-like dynamics $f$:
$$\dot x_i = v_i \cos\theta_i, \quad \dot y_i = v_i \sin\theta_i, \quad \dot\theta_i = \omega_i, \quad \dot v_i = a_i,$$
where $a_i$ and $\omega_i$ are the linear acceleration and the angular velocity, respectively. According to the set $R$, the maneuver $\sigma_i$ of the $i$-th robot may take value in the set $\Sigma = \{\text{fast}, \text{left}, \text{right}, \text{slow}\}$ and has the discrete dynamics $\delta$ of the automaton in Fig. 7, where the low-level feedback controller $g$ ensures that the current maneuver $\sigma_i$ is performed.
¹ Observe that $x_j$ and $l_j$ are short-hands for $x_{i_j}$ and $l_{i_j}$, relating to the $j$-th neighbor of vehicle $i$.
Fig. 7. Discrete dynamics $\delta$ of the automaton, and low-level feedback control $g$ ensuring that the plant $f$ behaves according to the rule set $R$. The transitions are the events $e_i^{F\to L}$, $e_i^{F\to R}$, $e_i^{L\to F}$, $e_i^{R\to F}$, $e_i^{F\to S}$, $e_i^{S\to F}$, $e_i^{S\to L}$ of Table I; the feedback laws of the four modes (labels L, F, R, S as they appear in the figure) are:
$$L:\ \omega = \begin{cases} \Omega & \text{if } \theta < \theta_{MAX} \\ 0 & \text{otherwise} \end{cases}, \quad a = \begin{cases} A & \text{if } v < V_{MAX} \\ 0 & \text{otherwise} \end{cases}$$
$$F:\ \omega = -(y - y_f)\,\frac{\sin\theta}{\theta}\, v - k_v\,\theta, \quad a = \begin{cases} A & \text{if } v < V_{MAX} \\ 0 & \text{otherwise} \end{cases}$$
$$R:\ \omega = \begin{cases} -\Omega & \text{if } \theta > -\theta_{MAX} \\ 0 & \text{otherwise} \end{cases}, \quad a = \begin{cases} A & \text{if } v < V_{MAX} \\ 0 & \text{otherwise} \end{cases}$$
$$S:\ \omega = -(y - y_f)\,\frac{\sin\theta}{\theta}\, v - k_v\,\theta, \quad a = \begin{cases} -A & \text{if } v < V_{MAX} \\ 0 & \text{otherwise} \end{cases}$$
TABLE I
LIST OF EVENTS FOR VEHICLES MOVING ALONG A 2-LANE HIGHWAY
$$e_i^{F\to L} = (\exists j \in N_i\ l_1(q_i, q_j)) \wedge (\nexists k \ne j \in N_i\ l_2(q_i, q_k)) \wedge \neg l_4(q_i)$$
$$e_i^{F\to S} = e_{i,1}^{F\to S} \vee e_{i,2}^{F\to S}$$
$$e_{i,1}^{F\to S} = (\exists j \in N_i\ l_1(q_i, q_j)) \wedge (\exists k \ne j \in N_i\ l_2(q_i, q_k))$$
$$e_{i,2}^{F\to S} = (\exists j \in N_i\ l_1(q_i, q_j)) \wedge l_4(q_i)$$
$$e_i^{F\to R} = (\nexists j \in N_i\ l_5(q_i, q_j)) \wedge \neg l_3(q_i)$$
$$e_i^{L\to F} = l_4(q_i), \quad e_i^{R\to F} = l_3(q_i)$$
$$e_i^{S\to L} = e_i^{F\to L}, \quad e_i^{S\to F} = (\nexists j \in N_i\ l_1(q_i, q_j))$$
TABLE II
LIST OF LITERALS FOR VEHICLES MOVING ALONG A 2-LANE HIGHWAY
$$l_1(q_i, q_j) = (x_j - x_i \le d) \wedge (x_j \ge x_i) \wedge (\lfloor y_j \rfloor = \lfloor y_i \rfloor)$$
$$l_2(q_i, q_j) = (x_j - x_i \le d) \wedge (\lfloor y_j \rfloor > \lfloor y_i \rfloor)$$
$$l_3(q_i) = (\lfloor y_i \rfloor = 1)$$
$$l_4(q_i) = (\lfloor y_i \rfloor = 2)$$
$$l_5(q_i, q_j) = (x_j - x_i \le d) \wedge (\lfloor y_i \rfloor > \lfloor y_i \rfloor)$$
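The local monitor of Sec. III instantiated on the 2-lane rules of Tables I and II, as an added Python example (not the paper's code): it encodes the literals, the events, the automaton $\delta$ of Fig. 7 and the reputation rule, and replaces the UIO $H^\dagger$ of [17] with a brute-force search over candidate hidden configurations. Assumptions: the look-ahead $d$, the priority among simultaneous events, and reading the printed $l_5$ literal as "a vehicle within $d$ on the lane to the right of $i$".

```python
"""Local monitor for the 2-lane highway rules of Tables I and II (Sec. VI.A).

Added example: literals l1..l5, the events of Table I, the automaton delta of
Fig. 7 and the reputation rule of Sec. III. The UIO H-dagger of [17] is
replaced by a brute-force search over candidate hidden configurations (an
assumption of this example, not the paper's construction).
"""
import math
from dataclasses import dataclass

D = 10.0  # look-ahead distance d of Table II (assumed value)


@dataclass(frozen=True)
class Config:
    """Physical state q = (x, y, theta, v); lane index is floor(y), lane 1 is rightmost."""
    x: float
    y: float
    theta: float = 0.0
    v: float = 0.0


def lane(q):
    return math.floor(q.y)


# Literals of Table II.
def l1(qi, qj):  # j ahead of i within d, on the same lane
    return qj.x - qi.x <= D and qj.x >= qi.x and lane(qj) == lane(qi)


def l2(qi, qj):  # j within d on a lane to the left of i
    return qj.x - qi.x <= D and lane(qj) > lane(qi)


def l3(qi):  # i is on the rightmost lane
    return lane(qi) == 1


def l4(qi):  # i is on the leftmost lane of the 2-lane highway
    return lane(qi) == 2


def l5(qi, qj):  # j within d on a lane to the right of i (assumed reading of the printed literal)
    return qj.x - qi.x <= D and lane(qj) < lane(qi)


def events(qi, nbrs):
    """Events of Table I over the neighbours N_i that the monitor knows about."""
    ahead = [j for j, qj in enumerate(nbrs) if l1(qi, qj)]

    def left_busy(j):  # exists k != j with l2(q_i, q_k)
        return any(l2(qi, qk) for k, qk in enumerate(nbrs) if k != j)

    e_fl = any(not left_busy(j) for j in ahead) and not l4(qi)
    e_fs = any(left_busy(j) for j in ahead) or (bool(ahead) and l4(qi))
    return {
        "F->L": e_fl,
        "F->S": e_fs,
        "F->R": not any(l5(qi, qj) for qj in nbrs) and not l3(qi),
        "L->F": l4(qi),
        "R->F": l3(qi),
        "S->L": e_fl,
        "S->F": not ahead,
    }


# Transition order used when several events fire at once (assumed priority).
PRIORITY = {"F": ["L", "S", "R"], "L": ["F"], "R": ["F"], "S": ["L", "F"]}


def next_maneuver(sigma, qi, nbrs):
    """Discrete dynamics delta of Fig. 7: the maneuver the rules R prescribe next."""
    e = events(qi, nbrs)
    for target in PRIORITY[sigma]:
        if e[f"{sigma}->{target}"]:
            return target
    return sigma


def local_reputation(sigma, observed_next, qi, observed_nbrs, hidden_candidates):
    """Reputation r_ih assigned by monitor h to robot i (Sec. III).

    observed_nbrs are the neighbours in Q_h^obs; hidden_candidates are the
    configurations a hidden vehicle could occupy in Q_h^unobs. A choice that
    explains observed_next (including 'no hidden vehicle') leaves the
    reputation uncertain; no such choice means noncooperative.
    """
    explanations = [[]] + [[qc] for qc in hidden_candidates]
    explained = any(next_maneuver(sigma, qi, observed_nbrs + extra) == observed_next
                    for extra in explanations)
    if not explained:
        return "noncooperative"
    return "cooperative" if not hidden_candidates else "uncertain"
```

With robot 1 in lane 2 (y = 2.5), a free right lane and a monitor that sees the whole neighbourhood, staying in the fast maneuver yields "noncooperative"; the same observation with a hidden slot on the right lane inside $d$ yields "uncertain", which is exactly the gap the consensus of Sec. IV is meant to close.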
B. Consensus Simulation
Consider the following simulation run where robot 1 is non–cooperative since it remains in the second lane, whereas it should start a right maneuver as the next lane on its right is free (see Fig. 8–a). Furthermore, assume that the other robots, 2, 3, 4, and 5 in the figure, are acting as monitors of robot 1 and share their local estimates ξ_i of vehicle 1's neighborhood. Assume that communication occurs according to the following (undirected) graph Gc(V, Ec), where V = {2,3,4,5} and Ec = {e_{2,2}, e_{2,3}, e_{2,5}, e_{3,3}, e_{3,4}, e_{4,4}, e_{5,5}}. Then, for the given communication graph Gc, we obtain the following instance of the consensus algorithm:

$$\xi_2(k+1) = \xi_2(k) \cap \xi_3(k) \cap \xi_5(k),$$
$$\xi_3(k+1) = \xi_2(k) \cap \xi_3(k) \cap \xi_4(k),$$
$$\xi_4(k+1) = \xi_3(k) \cap \xi_4(k),$$
$$\xi_5(k+1) = \xi_2(k) \cap \xi_5(k).$$
Fig. 8. Simulation run with a non–cooperative robot, the faulty agent (a), and centralized decision d* where the non–cooperation is detected (b).

Fig. 9. Consensus run for the given communication graph Gc: the columns k = 0, 1, 2, 3 show the estimates ξ_2(k), ξ_3(k), ξ_4(k), ξ_5(k). Robot 1's non–cooperation is detected, and an agreement is reached on its reputation.

The first column of Fig. 9 is a graphical representation of the initial estimates $\hat q_{n_o+1}, \dots, \hat q_p$ of robot 1's neighborhood reconstructed by all the monitors. The corresponding centralized estimate ξ* = ξ_2(0) ∩ ξ_3(0) ∩ ξ_4(0) ∩ ξ_5(0) is illustrated in Fig. 8–b, where robot 1's non–cooperation is detected (the centralized decision is indeed d* = noncooperative). This observation, along with the fact that the communication graph Gc is connected, ensures that the same decision can be reached by the distributed computation (see Theorem 1). Simulation results are reported in Fig. 9, where the k–th column shows the monitors' reconstructed neighborhood of vehicle 1 after k steps of consensus. Moreover, we can define relative uncertainty measures of the monitors w.r.t. the desired centralized estimate ξ* reported in Fig. 8–b as

$$\mu_i(k) = \mu(\xi_i(k) \setminus \xi^*), \qquad i = 2,3,4,5,$$

where µ is a function that computes the area of the set received as argument. Such uncertainties converge to 0 during the consensus run (see Fig. 10). Finally, robot 1's non–cooperation is detected, and an agreement on d* is reached for its reputation in ñ = 3 steps, as expected from theory (see Fig. 11).
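The consensus run above, as an added example that is not the paper's own code: each ξ_i is a set of candidate configurations of robot 1's unobservable neighborhood (the constructed candidates are the x–offset of a possible vehicle in the lane to its right, None meaning no vehicle), the update is the set intersection over the graph Gc given above, µ_i(k) counts the candidates still outside ξ*, and the reputation rule, d and the initial estimates are assumed for illustration. With these data the monitors agree after 3 steps, the diameter of Gc.

```python
"""Added example, not the paper's own code: set-valued consensus over Gc.
xi_i is a frozenset of candidate configurations (x-offset of a possible
vehicle in the lane to robot 1's right; None = no vehicle). The candidate
sets, d and the reputation rule are constructed for illustration."""

D = 10.0  # look-ahead distance d (assumed)
# Communication graph Gc of the paper: V = {2,3,4,5}, Ec with self-loops.
EDGES = {(2, 2), (2, 3), (2, 5), (3, 3), (3, 4), (4, 4), (5, 5)}

def neighbours(i):
    return {b if a == i else a for a, b in EDGES if i in (a, b)}

def consensus_step(xi):
    """One synchronous update xi_i(k+1) = intersection of xi_j(k), j in N_i."""
    return {i: frozenset.intersection(*(xi[j] for j in neighbours(i))) for i in xi}

def run_consensus(xi0, max_steps=20):
    """Iterate until no estimate changes; returns the iterates xi(0), ..., xi(k)."""
    hist = [xi0]
    while len(hist) <= max_steps:
        nxt = consensus_step(hist[-1])
        if nxt == hist[-1]:
            break
        hist.append(nxt)
    return hist

def uncertainty(xi_i, xi_star):
    """mu_i(k) = area of xi_i(k) \\ xi_star; here each candidate is one unit."""
    return len(xi_i - xi_star)

def expected_maneuver(cand):
    # Event F->R of Table I: a vehicle within d on the right blocks the turn.
    return "F" if cand is not None and cand <= D else "R"

def decide(xi, observed="F"):
    """Reputation as in Fig. 11 (labels assumed): 'C' cooperative if every
    candidate explains the observed maneuver, 'F' faulty if none, else 'U'."""
    ok = {expected_maneuver(c) == observed for c in xi}
    return "C" if ok == {True} else "F" if ok == {False} else "U"

# Constructed initial estimates; the centralized one xi* is their intersection.
XI0 = {2: frozenset({None, 2.0, 8.0, 12.0}), 3: frozenset({None, 5.0, 8.0, 12.0, 20.0}),
       4: frozenset({None, 2.0, 5.0, 8.0}), 5: frozenset({None, 12.0, 20.0})}
XI_STAR = frozenset.intersection(*XI0.values())

if __name__ == "__main__":
    for k, xi in enumerate(run_consensus(XI0)):
        print(k, {i: (uncertainty(xi[i], XI_STAR), decide(xi[i])) for i in xi})
```

Monitor 5 already classifies robot 1 as faulty at k = 0, while monitor 4, the farthest from it in Gc, needs all three steps to shed its uncertainty.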
Similar consensus runs can be shown for cooperative robots, and the agreement on the centralized decision for the reputation is always achieved. Notwithstanding, there are configurations for which it is not possible to distinguish a cooperative from a non–cooperative robot (we omit examples for space reasons). However, this limitation is due to the instantaneous distribution of the sensors, and it is not due to the consensus algorithm.

Fig. 10. Convergence of the uncertainty measures µ_i(k) = µ(ξ_i(k) \ ξ*), for i = 2,3,4,5 (one panel per agent: uncertainty µ versus consensus steps for agents 2, 3, 4 and 5).

Fig. 11. Agreement on the centralized estimate d* for robot 1's reputation (one panel per agent: reputation F/U/C versus consensus steps for agents 2, 3, 4 and 5).

Fig. 12. Simulation run of a system of vehicles travelling along crossing paths. Vehicles are supposed to give way to vehicles coming from their right. In the figure, vehicle 0 is monitoring all vehicles that are in line–of–sight with it and reconstructs information about its unobservable regions.
Although results have been presented only for the same case study, the synthesis technique remains valid for other multi–robot systems as well. Indeed, Fig. 12 reports a snapshot from the simulation run of a system of vehicles travelling along crossing paths. Vehicles are supposed to give way to vehicles coming from their right. In the figure, vehicle 0 is monitoring all vehicles that are in line–of–sight with it and reconstructs information about its unobservable regions. The reader may refer to the site http://www.piaggio.ccii.unipi.it/~fagiolini/icra2008 for some relevant videos.
VII. CONCLUSION
In this paper, we presented work aimed at developing a synthesis technique that makes it possible to build a distributed Intrusion Detection System (IDS) for securing a class of robotic multi–agent systems. The proposed IDS consists of a decentralized monitoring mechanism, by which every robot assigns each of its neighbors a direct reputation of its cooperativeness, and an agreement mechanism, by which all such monitors, sharing locally collected information, can “converge” to a unique network decision. Many problems remain to be addressed, such as the presence of malicious monitors sharing false information and thus leading the system to incorrectly classify any monitored robot.
VIII. ACKNOWLEDGMENTS
The authors wish to thank Dr. L. Pallottino for useful discussions. The work was partially supported by the EC Network of Excellence HYCON (Contract IST2004511368) and by Cassa di Risparmio di Pisa, Lucca e Livorno.