Resilient Consensus Control for Multi-Agent Systems: A Comparative Survey

Due to the openness of communication network and the complexity of system structures, multi-agent systems are vulnerable to malicious network attacks, which can cause intense instability to these systems. This article provides a survey of state-of-the-art results of network attacks on multi-agent systems. Recent advances on three types of attacks, i.e., those on DoS attacks, spoofing attacks and Byzantine attacks, the three main network attacks, are reviewed. Their attack mechanisms are introduced, and the attack model and the resilient consensus control structure are discussed, respectively, in detail, in terms of the theoretical innovation, the critical limitations and the change of the application. Moreover, some of the existing results along this line are given in a tutorial-like fashion. In the end, some challenges and open issues are indicated to guide future development directions of the resilient consensus of multi-agent system under network attacks.


Introduction
An agent is an independent individual who can achieve control goals autonomously through environmental perception according to preset knowledge. Usually, an agent only has simple intelligence and basic structure. A multi-agent system (MAS) refers to a networking system composed of a number of intelligent agents who can coordinate and manage through information interaction, so as to achieve complex control objectives that cannot be reached by an agent itself [1]. The distributed consensus control of a MAS is generally to achieve synchronous behavior by constructing a fully distributed controller for each agent. Due to its potential application in broad areas, the consensus control problem has been extensively studied and a lot of significant results have been established in the literature.
In recent years, the coordination control of a MAS has become a hot research topic and has been widely applied in areas such as unmanned aerial vehicle systems, industrial internet of things and wireless sensor networks [2][3][4][5][6][7]. Its research directions mainly include consensus control, formation control and flocking/swarming behavior. As the most fundamental and important topic, consensus has been widely debated and discussed. Consensus requires that a partial state quantity or a full state quantity of agents in a MAS reach an agreement [8,9]. In the ideal case of no interference and attack, there are tremendous amounts of control strategies to enable a MAS to realize the consensus requirements and even to improve the consensus performance [10].
However, due to the openness of the communication environment and the complexity of the system structure, a MAS is very vulnerable to network attacks, which brings the risk of system instability. Fundamentally, a MAS benefits from the high efficiency of the system, but it is bound to lack a central integrated device to monitor and manage the activities of all nodes in the network. While high-intensity information exchange is required, it cannot verify the information flow in the system, making the system at risk of security problems. Therefore, it is necessary to study the resilient control structure of a MAS under fault and attack.
As for MASs, the cyber attacks that scholars have studied at present mainly include: denial of service (DoS) attacks [11], spoofing attacks [12], Byzantine attacks [13], replay attacks [14], covert attacks [15], actuator attacks [16], communication attacks [16], intelligent attacks [17], policy attacks [13] and so on. Among them, DoS and spoofing attacks are the two most typical and common network attacks in the field of MASs at present. In addition, the Byzantine attack has become an emerging and significant research topic in recent years. Thus, there are tremendous results concentrating on DoS attacks, spoofing attacks and Byzantine attacks. For this reason, this survey focuses on these three kinds of cyber attacks to illustrate the recent advances in these fields.
The motivations for the survey are twofold. Firstly, diverse control methods have been developed in the published literature throughout the last decade to explore the defense mechanisms for MASs under network attacks, which are not covered in the existing surveys [18][19][20][21][22]. Secondly, the related fields are mature enough to deserve a survey classifying the existing analytical approaches, the models used and the results achieved for the MASs under attacks from both systems and control perspectives. The contributions of this survey can be summarized as follows: • It develops a comprehensive classification of resilient consensus strategies. The attack types discussed are more basic and comprehensive and can cover many special attacks developed from these three main attacks. • It reviews an extensive set of more than 100 consensus algorithms and discerns the classes they are associated with. The attack mechanism and the corresponding security control protocol are described in terms of the formula definition and algorithm construct. The shortcomings of the control protocols are explained according to the specific parameters, so as to clearly analyze the corresponding security control framework. • The algorithms in the same class are compared regarding their attack types, centralization, scalability and so on. This survey summarizes the main elastic control schemes corresponding to each attack as much as possible, which can be applied to a variety of actual scenarios and attack situations and provide solutions to security control problems.
The remainder of this paper is as follows. Section 2 presents the preliminary on graph theory and the consensus problem of MASs. Section 3 is dedicated to reviewing the work on DoS attacks, spoofing attacks and Byzantine attacks. Some challenging issues are raised in Section 4 to guide the future research.

Preliminaries and Consensus Problem for MASs
This section recalls some preliminaries about graph theory and some fundamentals on the consensus problem of MASs.

Preliminaries about Graph Theory
The information connection among agents can be modeled by a graph G(V, E ), where V denotes the set of vertices {v 1 , v 2 , . . . , v N } which represents the set of agents in the system, and E ⊆ V × V gives the set of links which mimics the connection among agents. Given nodes i and j ∈ V, i can send information to j if there exists a directed edge from i to j, which is in the form of (j ← i). The adjacency matrix associated with graph G is denoted by A = [a ij ], where a ij = 1 if (j, i) ∈ E ; 0, otherwise. G(V, E ) is called an undirected graph if A is symmetric. The Laplacian matrix of G is defined by L = [l ij ], where l ij = −a ij if j = i; l ii = ∑ N j=1 a ij otherwise.
At time t, denote by G(t) the pair (V, E (t)), where the edge set E (t) varies with time. If there is a random process governing the change of G(t), one calls the communication graphs to be randomly switching.

Consensus Problem for MASs
The consensus control problem of MASs has attracted tremendous attention from researchers in the past decades. In general, suppose that the MAS consists of N agents with first-order integrator continuous-time dynamics described bẏ of which x i (t) ∈ R n and u i (t) ∈ R n denote, respectively, the state and control input of agent i at time t. The consensus problem for agents described by (1) can be divided into the leaderless consensus problem and the leader-following consensus problem, according to the theoretical frameworks.

Definition 1.
The leaderless consensus problem is to construct a controller for a MAS given by (1) such that lim where z i (t) ∈ R m and z j (t) ∈ R m denote the state or output of agent i and j, respectively; N i represents the neighbor set of the i-th agent.

Definition 2.
The leader-following consensus problem is to construct a controller for a MAS given by (1) such that lim where z i (t) ∈ R m and z 0 (t) ∈ R m denote the state or output of agent i and the leader, respectively.
Moreover, the first-order discrete-time MAS is composed of N agents with dynamics given byẋ of which x i (k) ∈ R n and u i (k) ∈ R n denote, respectively, the state and control input of agent i at time point k ∈ N. The above definitions can be correspondingly extended to the MAS given by (4). Recently, the consensus problem for MAS with linearized or nonlinear dynamics have been studied in [23][24][25].

Resilient Control for MASs
This section reviews the results reported for the resilient consensus of MASs based on the limitations of the information interaction level and the constraints of the system level, respectively. Table 1 summarizes the classification of common cyber attacks of MASs. The information security problem of MASs is mainly carried out in three directions: information availability [26,27], confidentiality [28] and integrity [29]. It was gradually evolved into three specific research topics: attack detection, state observation and security control. Common network attacks mainly include denial of service attack that hinders information transmission [26,27,30,31], replay attack that repeatedly sends harmful information [32], deception attack (spoofing attack) that tampers with communication data [33], etc. From the limitations of information interaction, we focus on reviewing the following important and popular topics: the DoS attack, the spoofing attack and the Byzantine attack.

DoS Attack
Network attacks can be divided into point attacks (agent dynamic behavior) and edge attacks (topology communication behavior) according to the attacked object. The former can be seen as the attacked agent being "moved out" of the topology [34], while the DoS attack belongs to the latter. That is, the control/measurement transmission channel is truncated by the attack, so that the target agent cannot obtain the signal, thereby damaging the availability of information, as shown in Figure 1. The DoS attack can be implemented by the attackers in several ways: filling buffers in a user or the kernal domain, blocking or jamming the communication among key components, and altering a routing protocol. Refs. [26,27,30,35], respectively, analyze the DoS attack in the form of centralized control and distributed control. Due to the excellent robustness of the latter, it has a broader theoretical exploration prospect than the former, but there is less relevant research at present. Researchers usually simulate the impact of the attack on the system through packet loss, serious delay or communication interruption. With the gradual progress of research, the hypothetical limitation of DoS attack model has been issued from the period known in advance [36] and gradually relaxed to the random occurrence mechanism of [30,31]. Generally speaking, the attack energy is always limited; that is, there is a period of energy accumulation time between adjacent attacks, which is called sleep time. During this period, communication can be carried out normally. If the sleep time is too short, the system will not be able to complete the transmission of control signals and the update of state values in time when the input information is lost for a long time, which may cause the irreparable loss of consensus. In existing studies, in order to avoid the above extreme attacks, the attack frequency F a and attack duration T a of DoS attacks are generally limited according to the designed control structure parameters [30][31][32][33]37,38]. Their definitions in the time period [T 1 , T 2 ) are as follows: where N a denotes the attack number in the time period [T 1 , T 2 ), T 2 ≥ T 1 ≥ t 0 ; T 0 > 0 and τ 0 > 1 are scalars. DoS attacks can paralyze the communication between agents, making the target agent unable to obtain the state information of the neighbor agents, thus, increasing the state error of the system. The trigger function of the event-triggered control mechanism is generally related to the state error, which can effectively judge the divergence of the system state error under the DoS attack, and can timely suppress the error divergence behavior. Therefore, the security control under DoS attack is mostly associated with the event-triggered mechanism [39]. While realizing flexible control, compared with periodic sampling control, it is more conducive to saving communication resources and avoiding network congestion. The event-triggered mechanism was proposed in [40,41] and then widely used in [31,[42][43][44]. Event-triggered mechanism means that when the state deviates from the balance and exceeds the set threshold, the system stops feedback and triggers events to perform preset tasks, such as transferring information between neighbors or updating the controller. Compared with continuous-time control, an event-triggered mechanism requires additional consideration of the avoidance of Zeno behavior: that is, the situation of infinite triggering in an instant. This can be done by agreeing on the lower bound of the interval between two adjacent triggered instants [30,31] or introducing a bounded attenuation function into the event-triggered condition [44]. It can also be proved from the stability analysis that Zeno behavior does not exist [45].
According to the control structure, there are several schemes to achieve security consensus. The simplest attack model is given in [31]; that is, the attack cycle and maximum duration are known in advance and constant, and a control scheme based on event-triggered mechanism under the leader-following topology is designed. It only allows events to be triggered during the communicable time period of the system. Under the condition that the attack parameters meet some system structural constraints, when the most serious imbalance occurs-that is, the time when the longest continuous attack ends-through the intervention of the control signal, the state quantity that deviates from the equilibrium can still be corrected, proving the feasibility of the elastic structure.
In the attack environment of random mechanism, an open-loop observer is designed in [30], as shown in Figure 2. t i k i denotes the time series updated for the controller. x l and x i represent the state quantity of the leader and the observed state quantity of followers, respectively. When the communication of the system is interrupted due to the attack, the observer is used to estimate the control signal and transmit it to the controller. The observer is as follows:˙x x j (t where the matrix A denotes the system matrix; N defines the set of integers. The control protocol for the multi-agent system is given by: where K is the control gain matrix, and It follows from (10), thatξ i (t) depends solely on the observed state, instead of the true state. The event-triggered condition is: where e i (t) =x i (t) − x i (t) denotes the observed error. When MASs suffer from DoS attacks, the control protocol proposed by [46,47] may collapse because the control signal cannot be updated as expected (e.g., set to zero). Then, the system cannot reset the e i and gradually loses consensus. The above event-trigger strategy (11) and observer structure (7) and (8) can achieve resilient consensus under DoS attack. Setting the threshold depends on the state difference of the agent, which is the simplest form of the state-dependent triggered mechanism. The parameter β i needs to be selected from the compromise between the performance measurement of system convergence speed and communication frequency.  (7) and (8), respectively. x j (t j k j ) is the state value at the triggering time t i k i , where t i k i is determined by the trigger function (11). Under the influence of DoS attack, (11) can be triggered by the system, so as to update the state estimated value according to (8) and adjust the control signal on the basis of (9).
Since this estimate is designed based on the model, it means that the system can be unstable. The update process of the system can be summarized as follows: the observer calculates and estimates the state value of the neighbor according to the dynamic equation until the next triggered time t j k j comes.x j (t) is updated to the state value passed by the neighbor at this time, and its own state value x i (t) is read and updated at the same time. The significance of signal separation is that if continuous communication cannot be achieved, it will not affect the triggering of events. When the system is attacked by DoS, the control signal will not be set to zero for a long time due to the failure to reset e i (t), thereby losing consensus [40,47].
The scheme in [40,47] can achieve exponential consensus in the two cases of leaderless and leader-following under DoS attacks, but the corresponding topology requirements are different: the former requires that the topology graph should be connected, while the latter requires that a directed spanning tree should be included. At the same time, both schemes can only be achieved when the attack frequency and duration have upper bounds. Additionally, both control schemes are not completely distributed. They use global information, namely the eigenvalues of the Laplace matrix, to design the matrix parameters of the controller, which is not conducive to the application of large-scale agent systems. The core of this scheme is to solve the problem of control interruption caused by failure to communicate by observing the state of neighbors. In addition, additional error variables can be introduced into the triggering function, where t m is the starting time of the attack, which can effectively reduce the number of unnecessary triggers of events [44].
Different from [30] and using the state measurement error e i (t) as the triggered condition, ref. [38] designs a control scheme based on the topology input triggered mechanism and gives the corresponding state observer: Given i, j = i = 1, . . . , N, and i = j, define the state corresponding to edge (i, j) as which satisfiesω where B is the input matrix. After the control is triggered, the variables ω ij cannot be measured until the next triggered time comes. Considering this fact, use an observer for estimation:ω When the triggered time of the sleep time comes, assign the value directly as follows: Define topology state prediction error as: When the triggered time t i ijk i comes, the real value ω ij is assigned to the estimated valueω ij . Before the time t i ijk i+1 comes, the estimated value is provided as an input to the controller for adjustment: where the scalar α denotes the coupling gain. The triggered instant and the triggering function corresponding to edge (i, j) is where When the topological edge is attacked by DoS, ω ij (t) will break through the normal upper bound and the above triggered conditions will be met. β ij is the parameter of triggering function corresponding to the edge (i, j). Thus, the triggering threshold and the lower bound of adjacent triggered time can be flexibly set according to different edges, which reflects the distributed characteristics of event-triggered control. f ij just depends on u i and x i , which are the state values of an agent itself. Unlike [30], which uses the neighbor's state difference as the triggered condition, ref. [38] does not require each agent to continuously broadcast its own control input and state quantity, which well maintains their own information privacy. In addition, the communication and the update of the state value can only be carried out when the state of the topological edge meets the triggering function, compared with the continuous information transmission and reception required in [30] to calculate the state observation value of the neighbor and its own real state value.
Thus, the former obviously reduces the communication cost and calculation complexity, but the corresponding parameter design is much more difficult. Moreover, compared to the general state consensus realized in [30], ref. [38] can achieve more accurate consensus results as exponential consensus.
Based on the information of the Laplace matrix eigenvalues of the communication topology, the control scheme designs the trigger parameter β ij in the normal communication scenario, and then, achieves the state consensus of the system. In the case that the communication situation is under DoS attack, it can be shown that when the DoS attack frequency and the attack duration satisfy the inequality condition (related to the sleep time of DoS attack), the controller (17) can mitigate the communication anomaly caused by the DoS attack and achieve the security consensus of the system. Meanwhile, the design of parameters in both the controller (17) and the trigger function (18) relies on global information such as the non-zero minimum eigenvalue of the Laplace matrix. Thus, it is not a fully distributed control structure.
Considering the periodic DoS attack, ref. [48] models the error dynamics of the MASs as a switched time-varying delay system and proposes an event-triggered mechanism control protocol using the input time delay method, finally achieving the exponential consensus of the system. Its highlight is that, based on the existing theoretical research of time delay MASs, it converts the sampled-data term into a time delay term in the system. In addition, according to the sleep time of different DoS attacks, ref. [48] also puts forward an optimization algorithm to select the control parameters of the distributed event-triggered protocol. However, the attack is required to occur periodically. Meanwhile, the exact value of attack cycles and sleep time need to be known in advance, which makes [48] less applicable.
To sum up, for the resilient consensus problem under DoS attack, the current control scheme with high feasibility is to use the observer to simulate the evolution of normal state values during the communication paralysis period and combine the asynchronous triggered scheme to achieve consensus under the premise of limiting the attack frequency and duration. According to the accuracy and complexity of the observer and the sensitivity of the triggered mechanism, the conservatism and practicality of the corresponding consensus conclusions are different. To improve the practicability of the conclusion, the key lies in whether the attack model can fully ensure the accuracy of the prediction of the attacked object and the reduction of the actual damage.
In order to give a clear survey, we summarize the relevant work in Table 2 according to DoS type, centralized, scalability, results and references. Ref. [47] studies the problem of fault detection and consensus control under DoS attack and proposes an attack model based on the hidden semi Markov process for the first time. It can effectively meet the conditions of stealth of attack strategy and complexity of behavior. When a DoS attack comes, the zero-order holder will maintain the amplitude of the last normal input signal. At this time, the system will change from the original uniform sampling system to the non-uniform sampling system, and the sampling period will also change. Using this property, we can define a working mode set φ(k) k∈N ∈ R {1, 2, . . . , R} when the system is attacked, so that we can obtain the emission probability of the system by using a semi Markov kernel and probability density function of modedependent dwell time τ only through sample data: where η δ k k ∈ M denotes the set of attack models observed by the system, and δ k ≤ τ defines the running time of current mode. Let l(δ k ) be the δ k -th observer mode, when the real attack mode is a ∈ R. Through hidden Markov theory [50], a finite set of observation patternsM a can be obtained: where g |M a |, R a=1M a = M and It follows from (23) that in the observation pattern set, there will always be patterns that match the real attack situation. According to the observation mode obtained by the system, the detection and control structure solely depend on the sampled data without knowing the attack statistics.
In addition, ref. [43] discusses the secure synchronization of MAS with linear dynamics under DoS attack with Markov model, but the communication resources are required to be infinite. Refs. [50,51] study the robust tracking problem when the system encounters two kinds of network attacks: communication hold and communication interruption. The switching state of the system under intermittent communication is described by the stochastic Markov process, and the control goal is achieved by using the periodic sampling control scheme based on time series. Ref. [44] discusses the situation that different topological edges of the system are attacked by different DoS at the same time: according to the number of attacked edges, it defines different limiting conditions for the attack and different triggering conditions for the controller. However, it essentially designs different schemes for all subsets of topological edges that are attacked by the same kind of DoS at the same time. Recent studies have also shown a new trend that combines DoS attacks with other system constraints such as failures, interference, saturation, etc. For example, ref. [37] combines DoS attacks with input saturation. On the premise that the system can be stabilized, it uses the small gain theory to linearize, realizing the semi-global security consensus of the system. Ref. [52] designs an observer to solve the synchronization problem of a discrete MAS when the lossy sensor with state threshold exists simultaneously with the network attack. According to whether the communication topology is directed or not, whether the leader exists or not, as well as the system order and isomorphism, the attack model will also be adjusted accordingly, and different theoretical results will be obtained: for example, ref. [10] studies the exponential consensus problem under the directed topology, and [45,53] achieve the ultimate bounded consensus under the undirected topology. Ref. [54] explores a robust output consensus scheme for heterogeneous multi-agent systems under random DoS attacks. Refs. [55,56] design a control scheme based on self triggering, bypassing the disadvantage that event triggering requires continuous monitoring. As long as the current state value of the agent is known, the next triggering time can be calculated. In the case of maximizing the limitation of attack frequency and duration, a pulse controller with observer structure is proposed in [49] and a state reset method based on measurement error is given. In [57], considering the saturation of the system state and the gain disturbance of the control protocol caused by the network attack and communication congestion of the MAS, combined with the polling method, a robust optimal controller is given to achieve the security consensus of the MAS in the infinite time domain. Ref. [58] points out the challenges that network security brings to MAS in terms of autonomy and information interdependence. They provide a set of basic principles of network security science. The detection algorithm and mitigation algorithm of MAS for network attack are studied in [59], and a practical application example is given based on the distribution automation system. We addressed the robust secure consensus problem in [3] and the antiwindup secure control consensus issue in [35]. It is worth mentioning that the secure consensus protocols proposed in [3,35] are fully distributed secure consensus protocols without using any global information of the communication topologies.

Spoofing Attack
A MAS can be regarded as a special cyber-physical system. Its controller not only needs to obtain data from sensors, but also needs to send control information to actuators. Network attacks may occur on the channels from a sensor to a controller and from a controller to a actuator-even the controller itself may be attacked. For attackers, in addition to interrupting the information loop, tampering with the data being used for communication can also achieve destructive effects, which is a deception attack.
A spoofing attack refers to an attack in which an attacker can obtain system information and perform arbitrary operations on measurement data and control instructions. It can bypass the detection device and make the agent adopt an error value. Common false data injection (FDI) [60] attacks also fall into the scope of spoofing attacks, as well as data replay [61], data change [12] and other types of attacks. Compared with DoS attacks, deception attacks are more difficult to detect. They exist in power networks [62], smart grids [63] and other fields, which greatly threaten the integrity of data [64].
Refs. [64,65], respectively, consider the spoofing attack on the sensor-controller channel and the controller-actuator channel. Ref. [66] uses the indicator vector to model the deception attack and discusses the situation that the attack occurs on the sensor and actuator at the same time. Generally speaking, the establishment of attack model always revolves around the change of data. Similar to DoS attacks, the research of deception attacks is generally carried out in discrete-time systems, and the control methods adopted include periodic control, event-triggered control, pulse control, etc. Among them, pulse control is more commonly used because it allows discontinuous input and has the characteristics of instantaneous jump, which is very appropriate to deal with some deceptive attacks that implement state mutation.
In [67], for a Lipschitz-type nonlinear MAS under deception attack, a mean-square bounded synchronization control scheme based on distributed impulse control is proposed. Given i = 1, . . . , N, the Bernoulli distribution with parameter β is used to model the displacement type spoofing attack behavior on the controller-actuator channel, as shown in Figure 3. When the attack succeeds, replace the control input signal u i with an error signal ψ i : where Prob{β i (t) = 1} =β; Prob{β i (t) = 0} = 1 −β; δ denotes the Dirac pulse; d i is the corresponding element value of the i-th degree matrix; c is the coupling strength, and it is assumed that β i is independent and the attack signal is bounded: For the MASs with the following nonlinear dynamics: x l (t) = Ax l (t) + B f (x l (t)), where x i is the state of the i-th follower, x l is the state of the leader and f (·) is a Lipschitz type nonlinear function. The protocol defines a parameter µ, which corresponds to the Laplace matrix, degree matrix, coupling strength and attack strength. By limiting the value range of µ, the communication topology can be appropriately designed according to the attack situation. At the same time, when µ satisfies the linear matrix inequality condition of the pulse interval parameter h 2 -that is, when the pulse interval as well as the topological coupling coefficient match the strength of the deception attack and the attack probability-the control protocols (24) and (25) can successfully defend the deception attack and the followers (26) track the leader (27) in the mean square sense. The selection of coupling strength c and pulse interval parameter h 2 are related to the global information of communication topology, so the control protocol is not completely distributed. In addition, the system dynamics contains random variables about deception attack as β i . Thus, it can only realize the target of bounded synchronous tracking in the mean square sense. Compared with the case of no attack,β increases the upper bound of the synchronization error and narrows the pulse spacing, which also puts forward corresponding requirements for c. That is whyβ is always restricted.
Compared with [67], ref. [68] studies the overlay spoofing attack on the sensor-controller channel, as shown in Figure 3. The attack causes the normal state value to be superimposed with the error value q i (t): Ref. [68] also achieves mean square bounded synchronization, but only the size of the upper bound of the error is affected byβ. Regardless of the attack mode, the synchronization performance is mainly affected by the coupling strength, degree matrix, attack probability and pulse spacing. In particular, the first two terms play a decisive role in reducing synchronization error when the probability of each side being attacked is the same.
Most of the above research fail to effectively eliminate the impact of spoofing attacks on MASs, resulting in the boundedness of their final consensus. As for that, ref. [69] proposes a distributed filter with adaptive compensator as follows: where ψ i (t) andε i (t) are the states of the observer and filter, respectively. ε a q,i (t) is the relative observation, and ρ a, is the estimate of the spoofing attack signal.
Under the function of the filter, the system can compensate the offset of consensus error variables caused by spoofing attacks and achieve accurate consensus result without error. The distributed controller only uses the local information of the agent itself and does not need to use the random characteristic and upper bound of the attack signal, which is more conducive to distributed applications. However, the design complexity of the controller is related to the dimension of the system state, which makes it extremely difficult to design its control parameters for complex systems.
The assumption that the attack is bounded and obeys Bernoulli distribution made in [67,68] is very conservative. It also stipulates that the error values received by the attacked agents are the same and will not vary as the topology changes, resulting in low practicability of the conclusion. Ref. [70] studies the substitution spoofing attack on the transmission channel of the neighbor node, as shown in Figure 3. It only borrows the concept of the "F-local" to limit the maximum number of simultaneous attacks: where E A (k) is the topological edge set that is attacked at time point k. Let E T (k) be the trust edge set that is known to not be attacked: where x i j (k) denotes the information received by node i through the edge (j, i) at time point k, and d i j (k) represents the error value. It can be proved that as long as the agent has a trust entry edge, all of its state values will always fall under a trust state value on the interval. Suppose that H(k) and h(k), respectively, represent the largest and minimum state values. When the deception attack occurs on the entry edge of agent i, one has x ij / ∈ [h(k), H(k)]. If x ij is used to update the controller, the agent i may output an abnormal state value, which can lead to the extension of adjustment time, or even system instability. Then, one can design a weighted average sub-sequence reduction algorithm with trust edge set based on [71], so as to complete the screening of problematic state values. The algorithm can be summarized as the following: when there is no trust edge, from the sequence of state values sorted according to size obtained at each time, taking its own state value as the boundary, the first F and the last F state values are screened out; However, if there are trust edges, only the trust values will be sorted and directly used for updating, and other state values will not be processed: where R i (k) is the set of state values for updating after screening. If updated according to the above method, x i (k + 1) ∈ [h(k), H(k)] will always be satisfied and extreme deviation due to attack will not occur. When there is no trust edge set in the system, if the topology has 2F + 1 robustness [71], the system can achieve elastic consensus under F-local deception attacks. Compared with [67,68], (32) does not introduce random variables of spoofing attacks, so it can achieve more accurate consensus. When the system topology is timevarying G(k) = (V, E (k)), the robustness condition needs to be satisfied in a sufficiently long continuous time series to ensure that each node is sufficient to screen the sequence and broadcast the state values accurately. When the system has a trust edge set, the situation is similar, except that the condition of robustness should be consistent with the trust edge set: that is, it should have 2F + 1 generalized robustness with respect to E T [70]. In order to further improve the practicability of the conclusion, ref. [70] also considers the situation that the topology does not meet the robustness. If the topology G(k) = (V, E (k)) has a spanning tree in a sufficiently long continuous time-that is, the consensus topology has a spanning tree-it can also achieve elastic consensus in a time-varying topology. Further, when G T (k) = (V, E T (k)) contains a spanning tree, the goal can also be achieved. When the F-local hypothesis is no longer satisfied-that is, when the number of attacks is uncertainas long as G T (k) = (V, E T (k)) has a spanning tree and the root node only has a trust entry edge, consensus can also be achieved. Since spoofing attacks involve the operation of communication data, they are generally more difficult to deal with than DoS attacks that truncate channels. On the one hand, according to the constraint conditions of the attack, the transmission frequency of the control signal and the coupling strength of the communication topology can be designed, and the distributed pulse control can be used to achieve the certain state synchronization. However, the restrictions on the attack situation are generally strong and conservative; On the other hand, a filtering algorithm can be designed to exclude data values suspected of tampering. After this, a secure state update can be carried out, but the corresponding topology needs to be specially constructed. At the same time, since the algorithm can only screen out problematic extreme values, it may be difficult to deal with more complex attacks.
In addition, there are also methods performing security control through state observation [72]. Ref. [60] establishes an observer based on the Kalman filter and realizes the system mean square consensus under the influence of Gaussian white noise and FDI attack. Different from the former, while observing, it also proposes a threshold comparison scheme to decide whether to use the observed value as the input of the next time step, as shown in Figure 4: Figure 4. The schematic diagram of the screening mechanism. x j (k) represents the state value of agent j obtained by the sensor, and v ij (k) is the sensor noise in agent i.x i j (k) is the state value estimated by agent i, andx j (k) is the state value that may be tampered by the deception attack. Through the screening mechanism of the protector, the system can finally obtain the secure state value x sec j (k).
When the difference between the actual value of the statex j (k) and the observed valuê x i j (k) does not meet the preset threshold, observation will be enabled for control. That is, However, the observer embedded in each agent contains the information of system dynamics structure and communication topology. The control structure is thus not completely distributed.
Ref. [73] studies the detection and identification of physical faults and FDI attacks and designs an exception handling mechanism with independent detector and cooperative detector through a H ∞ multi-objective optimization method. The former is used to judge whether faults and attacks exist, and the latter is used to distinguish the two kinds of anomalies. At the same time, it puts forward the concept of intermediary centrality, which well describes the possibility of different topological edges being attacked so that detection resources can be reasonably allocated. Then, sensitivity and accuracy can be improved. However, there is a compromise between the accuracy and the robustness of the system to disturbances.
Ref. [74] obtains the necessary and sufficient conditions for the system under FDI attack to lose security consensus, according to which the prediction error can be set to an arbitrary value by bypassing the detection mechanism. Ref. [75] constructs a distributed filter against spoofing attacks by using a network composed of sensors of itself and of neighbors. Starting from the characteristic that both belong to opposite side attacks, ref. [76] studies the discrete-time stochastic system under DOS attack and deception attack and achieves consensus through event-triggered control. Ref. [77] gives a detection structure based on a neural network to judge whether the system is attacked by FDI. Ref. [78] proposes the concept of "competitive interaction" to design a flexible and cooperative control mechanism to achieve consensus under FDI attacks.
In order to give a clear survey, we summarize the recent work in Table 3 according to methodologies, attack location, spoofing attack type, centralized, scalability and references.

Byzantine Attack
Imagine a group of unmanned aerial vehicles (UAVs). If the attacker knows several UAVs in the group in advance and continuously sends wrong navigation data to nearby aircraft groups through them, it is obvious that this will cause the group to deviate from the pre-orientation as a whole. It can even cause the group to crash due to the lack of coordination between the air frames. We call these UAVs that continuously launch attacks "abnormal agents". We call the problem that the system must achieve consensus to a variety of state variables in this environment "elastic consensus".
Abnormal agents are generally divided into two types: fault agents and malicious agents. The former is caused by changes in the environment, without human subjective factors, and may cause abnormal updates of the agent's state; The latter is a malicious agent designed by human beings to damage the testability of the system, which may block the operation of the system.
Byzantine attacks describe the attack situation when there are malicious agents in the agent network. Specifically, a malicious agent is an agent that satisfies one of the following three conditions: The state value will not be updated as set.

2.
Do not transmit its real state value to at least one outgoing neighbor.

3.
The state values transmitted to different outgoing neighbors at the same time are inconsistent.
The focus of their attacks is to send malicious state values to normal agents to make the system disordered. That is, the agent group mistakenly regards the malicious agent as the leader of the system, so that the system state value is guided to a harmful range, as shown in Figure 5. The malicious state value refers to a value that does not conform to the change direction of the normal state value of the system. The key to the problem is to screen out the malicious state value or shield its impact to the maximum extent. Figure 5. The diagram of a Byzantine attack. When the communication topology of agent i meets certain conditions, each follower x i can not only directly receive the data of neighbor agent x j (a ij = 0), but also directly receive data from leaders x l (l ij = 0) and adversarial agents x k (h ik = 0). It is worth noting that the abnormal state information sent by x k may lead the system to an unexpected direction or even cause the system to crash. Different from the error state value of the above substitution type spoofing attack, the malicious state value of the Byzantine attack is sent by an agent that originally exists in the system topology, while the former is sent by an external attacker. In terms of detection and security control, there will be differences between the two.
To achieve security consensus under the Byzantine attack, there are three main solutions: scheme one is to detect and screen malicious agents in advance, scheme two is to set up trusted decision-making agents, and scheme three is to propose an elastic control structure to maintain the system state or output within a tolerable range. Among them, scheme one is based on the robust structure of the graph, while scheme two generally sets up "trust nodes" to relax the robustness conditions of the graph. The two principles are similar. If the research object of scheme three is a heterogeneous system, it needs to use adaptive control structure or output feedback control structure to adjust under the premise of considering sensor error. The introduction of the concept of topology robustness gradually extends the deployment conditions of attack coping strategies to the communication structure, which can be achieved by modifying on the original topology [79] or constructing a special k-cycle graph [80].
Most of the existing research refers to the mean subsequence reduction (MSR) algorithm under the branch of distributed fault-tolerant control algorithm in the computer field to screen out the state values. However, it can only screen out the state variables with extreme values and has no ability to detect abnormal state values. In order to ensure that the screened state sequence still retains enough state quantity to maintain normal operation, the MSR algorithm generally needs to be applied in combination with graph robustness theory. At the same time, the concept of "F-total" and "F-local" should be used to limit the maximum number of malicious agents in the system [71]. In fact, the F-local type Byzantine model can be transformed into the above F-local type deception attack model as long as the outgoing edge of the Byzantine node is regarded as suffering from a substitution type deception attack. Otherwise, it is not true.
In the absence of external input, the final state value of the consensus achieved by this method always falls in a convex hull composed of the initial state value of the normal agents [81]; this final value will be affected by the behavior of the malicious agent. For the leadership system, the ideal situation is to track the leader's state reference value by followers while shielding the impact of attacks. However, since the reference value may not fall into the above convex hull, further improvement is required.
Ref. [82] uses the modified sliding window MSR algorithm to solve the problem of elastic inclusion control in multi-leader systems and successfully makes followers track leaders whose state values are outside the convex hull. The parameter F in the algorithm is the corresponding parameter F in the F-local model to limit the maximum number of malicious agents. The time window loosens the robustness requirements of the topology map and no longer requires robustness to be maintained at every time step. It can be proved that, under the condition that graph G(T) has strong (T, t 0 , 2F + 1) robustness to the leader set L, the system can track the leader state values outside the upper convex hull. This is because the robustness of the topology ensures that there is at least one state value of a normal leader in the filtered state value sequence. Since the design of MSR algorithm needs to obtain the maximum number F of malicious agents in advance, the control protocol is not completely distributed. At the same time, the controller puts forward robustness requirements for communication topology, which makes the controller unsuitable for large-scale MASs.
In the context of the security consensus of MAS on network attacks, in [83] for Byzantine attacks, two improved schemes based on MSR algorithm which relax the strict restrictions of the algorithm on network topology, improve the convergence speed of the system and solve the compatibility problem with clock synchronization are proposed.
Ref. [82] proposes using the sliding window approach to transform the elastic consensus problem in the continuous domain into the discrete domain, making it possible to further improve the scheme through the event-triggered mechanism [84]. The main difficulty in applying event-triggered control to MSR is the processing of the difference between the current state value and the last passed state value. Ref. [84] regards the difference of the above state variables as non-attenuated noise and uses it as the basis for triggering. They give two control schemes to achieve elastic consensus of the system. However, the consensus still has bounded error. At each discrete time, the state value of the agent will be updated. Whether to broadcast it will be decided according to whether the triggered conditions are met: save the last broadcast value as an auxiliary state value; compare it with the updated state value; and trigger if the difference is greater than the threshold value. The author used the modified MSR algorithm and event-triggered mechanism to achieve consensus with bounded error, under the condition that the robustness of relevant topology is satisfied.
Under the event-triggered mechanism, the system cannot achieve accurate consensus and must leave an upper bound of error c that grows exponentially with the number of normal agents. One can set the triggering parameter c 0 by 0 to achieve error free consensus, but the number of triggers will increase. When t → ∞, the event-triggered mechanism will lose its effect due to attenuation. The final conclusion is almost the same as that in [82]. Consider reducing the conservatism of the conclusion by adjusting the update structure. Since the update structure reduces unnecessary state updates, under the same error c, the number of system triggers will be less, but the convergence speed will be slower. In short, the accuracy of event-triggered mechanism and consensus cannot be reconciled well in the context of MSR algorithm. Compared with periodic sampling control, event triggering reduces the number of information exchanges. However, due to the existence of triggering parameters, there is always an error in the consensus state value. At the same time, for the threshold-triggered mechanism, it is also necessary to consider the balance between the convergence performance and the communication frequency caused by the threshold value. Ref. [85] proposes a sliding-mode control method, which only makes periodic judgment when the state is measurable, does not need continuous triggering condition detection and has better economic benefits, which also belongs to a feasible improvement direction.
Ref. [86] focuses on the observation of the state rather than screening. They achieve the uniform ultimate boundedness of the system ouput. In consideration of malicious agent attacks and bounded sensor errors, it designs an observer so that the outputs of all followers in a heterogeneous system converge successfully to a dynamic convex hull composed of the outputs of complex leaders. For a heterogeneous system with leaders and attackers: where F ,L,Ā are respectively a collection of followers, leaders and attackers. The controller is whereē yi = ∑ j∈F a ij (ȳ j −ȳ i ) + ∑ l∈L a il (y l −ȳ i ) + ∑ k∈Ā a ik (y k −ȳ i ).x i = x i + δ i is the measurable state value considering the sensor error δ i ,z i is the corresponding state compensation value, andd i is the compensation signal given by the observer. Matrices K i , H i , F i and G i are control gains to be designed. By establishing a judgment mechanism to set a ij or a ik to zero, malicious output signals outside the preset range can be effectively excluded from the update calculation. For malicious values within the range, good fault-tolerant control can be achieved through real-time compensation ofd i . Based on the internal model principle and output-feedback control, the following observer scheme can obtain the compensation signald i :x where The introduction of term B i H i ω i in Equation (39) makes the real-time feedback adjustment of the observer more flexible, Since ω i is only related toē yi , this term can change dramatically with the change of sensor error and attacker's behavior.d i is mainly affected by ω i and θ i . The former can be considered as an elastic index to measure the propagation of errorē yi in the communication network, while the latter can reflect the observation accuracy of state variables and sensor errors. The introduction of the above parameters makes it have better compensation effects than the traditional observer [87].
One can get the closed-loop error equation of the system by defining x i = x T i ,ẑ T i T and combining the augmented output regulation equation. Then, by proving the stability of the error system, it can be proved that the output feedback control protocol can make the followers' output values converge to a dynamic convex hull composed of the leader's output value. In addition, the design of the parameters requires the spectral information of the adjacency matrix, so the protocol is not fully distributed. At present, there are two main coping strategies for Byzantine attacks: identify malicious agents and move out of the topology [88,89] or design an elastic control structure to maintain the system feature quantity within a tolerable range in the presence of malicious nodes. Ref. [82,84] belong to the latter because the MSR algorithm does not have a detection function. In addition, since the state values are directly screened out, it is equivalent to malicious nodes being invisibly moved out of the topology, which will adversely affect the overall connectivity of the network. For small-scale network topology, the scheme of repairing by real-time compensation is more ideal.
Refs. [90,91] try to improve the algorithm by embedding an input observer. However, this method needs to know the total number of agents attacked and global information such as topology in advance. Ref. [92] breaks through the above limitations and gives a fully distributed observer based on local information for isomorphic systems. The breakthrough of the research still lies in proposing more efficient detection schemes, writing more intelligent screening algorithms and designing more versatile distributed observers.
In addition, refs. [93,94] study the high-order discrete-and continuous-time systems under attack, respectively, by using the robustness of topology. Ref. [95] adopts a robust control scheme based on game theory to achieve elastic consensus. Refs. [96,97] select the weighted MSR algorithm to complete the tracking control of any reference value. Ref. [98] then discusses the security consensus of Byzantine attacks through trusted nodes and also considers setting up decision nodes to avoid malicious values while making specific quantities that tend to be leaders outside the convex hull. Ref. [99] studies the left reversibility of the structure by using the concept of topology node separation, which makes it possible to design communication topology and then realize accurate attack detection. Ref. [90] regards a linear network with abnormal agents as a linear system with sparse actuator anomalies and observes the state with a decoder. Ref. [100] explains the observability of the state of the problem system by using the orthogonal complement matrix, successfully distinguishing the fault agent from the malicious agent, and applying the switched gradient descent algorithm to reduce the computational complexity of the traditional state observation method.
In order to give a clear survey, we summarize the above work in Table 4 according to methodologies, Byzantine attack type, centralized, scalability and references.

Relevant Application Scenarios
In some fields closely related to MASs, the above resilient control algorithms are gradually deployed. For example, in the field of intelligent transportation systems, ref. [101] develops a distributed control strategy based on event-triggered mechanism to deal with deception attacks on the sensor-controller channel and achieves the stability of the vehicle platoon system. Ref. [102] designs a resilient controller composed of observers using sliding mode and adaptive estimation theory, focusing on the detection of the vehicle platoon system under DoS attack. In the field of smart grid, ref. [103] establishes a distributed observer structure based on the principle of consensus control, so as to detect FDI attacks in Distributed Generation Units and isolate infected information channels in DC microgrids. Ref. [104] explores the security control of modern power generation systems under DoS attack and proposes an adaptive resilient control protocol based on event-triggered communication scheme. It applies Lyapunov-Krasovskii functional theory to prove the exponential stability of the smart grid system. More relevant studies can be found in [105]. In the field of sensor networks, ref. [106] discusses the H ∞ observation problem under the two-channel FDI attacks. It constructs a distributed observation model against the attack on the basis of the sensor's own information and neighbors' information. In the field of multi-robot systems, ref. [107] provides a distributed switching control protocol based on the consensus control theory for DoS attacks and deception attacks. On the one hand, it gives a coordination-free consensus protocol to adjust the weight of each robot under deception attack. On the other hand, based on the control theory of the leader-following system, it converts the robot compromised by DoS attack into a sub-robot following the specific leader.

Remark 1.
It is worth mentioning that all the works reviewed in this survey are gathered in a systematic way: first connecting keywords such as DoS attacks and Byzantine attacks on Google scholar. Then, the reference list of the relevant articles were obtained, followed by narrowing and refining the searching results by year, authors and, finally, source type.

Conclusions and Future Directions
In conclusion, we have provided a survey regarding some recent developments on resilient consensus control of MASs. To sum up, for the security consensus of MAS under network attack, there are two main solutions: designing elastic control structure or anomaly observer. It involves a wide range of research fields, such as adaptive control, feedback control, robust control for controller design, stochastic process theory and probability statistics knowledge for attack modeling, and H ∞ -control theory and optimization methods for system optimization. Some screening algorithms and judgment algorithms in the computer field can even be applied. The main thinking directions for different cyber attacks can be summarized as the following: for DoS attacks with communication interruption, the key is how to intervene in the control of MASs during the period of network paralysis, so that it will not have irreparable consensus deviation. For example, building a tighter topology or a more accurate state observer is a good method. Since deception attacks that tamper information involve data operations, we can choose from schemes such as detecting and moving out of topology or constructing observers and compensators to compensate the error value in real time; For the Byzantine attack that implements induced confusion, it is necessary to design a better malicious agent screening algorithm or repair scheme.
However, the survey is by no means complete. Note that there are still many interesting and yet critical issues concerning MASs under cyber attacks that deserve further study, even though a variety of efficient tools have been successfully developed to solve various challenging problems in this active research field. Some interesting yet important future research issues are provided as follows.

1.
Since the effectiveness of network attacks is often accompanied by the appearance of physical faults, an interesting problem is to study network security issues together with fault detection, removal and isolation or integrating other abnormal work issues to improve the practicability of the conclusions, such as saturation problems, measurement noise, communication delay, quantization errors and parameter uncertainty. Especially when complex situations such as mismatched disturbances and multiple time delays are involved, some of the elastic control structures obtained for specific models need to be converted into data-driven ones. Otherwise, it is difficult to play its role. When the detection mechanism confuses faults and attacks, the system may crash. Therefore, the screening methods of the two also belong to the feasible scope of discussion.

2.
In the consideration of improving the existing research, another interesting topic is to optimize the control structure, improve the attack stochastic model, achieve more accurate consensus conclusions, relax the theoretical assumptions of the original system and improve the performance of the trigger structure. The further relaxation of the assumptions on the topology network and communication environment is beneficial to the compatibility of the elastic control technology.

3.
In the case of actual application, an elastic control scheme need to be designed and modified based on the site situation, so as to boost the feasibility of the excellent theory. For example, in reality, the event-triggered mechanism is often less reliable than the periodic sampling control within the allowable range of communication costs due to noise interference, data clutter, processor performance, sensor sensing abnormalities caused by external factors and actuator failures. Compared with information systems, the control parameter requirements applied to industrial systems are often more stringent because of their high risks.