Resilient Consensus for Multi-Agent Systems in the Presence of Sybil Attacks

This paper investigates the problem of resilient consensus control for discrete-time linear multi-agent systems under Sybil attacks. We consider a node to be a Sybil node if it can generate a large number of false identities in the graph as a way of gaining disproportionate influence on the consensus performance of the network. Such attacks can easily invalidate existing resilient consensus algorithms that assume an upper bound on the number of malicious nodes in the network. To this end, we first built a new attack model based on the characteristics of the Sybil nodes. In addition, a quantized-data-based transmission scheme was developed for identifying and resisting Sybil nodes in the network. Then, an attack-resilient consensus algorithm was developed, in which each normal node sends its neighbors quantized data carrying a specific label generated by sampling from a truncated normal distribution. We give sufficient graphical conditions for attack models considering limited energy to ensure the consensus of linear multi-agent systems. Finally, numerical simulation examples are provided to validate the effectiveness of the proposed methods.


Introduction
In the last decade, cooperative control of multi-agent systems (MASs) has attracted significant attention from researchers and can be found in various fields [1][2][3], for instance, distributed computing, sensor networks, autonomous vehicles, and the Internet of Things. As one of the fundamental problems of MASs, consensus control is the combination of graph theory and control systems, which aims to make these distributed and locally cooperative agents reach an agreement in terms of some interests. However, as MASs are often in an open environment, some agents may become non-cooperative or crash when cyber attacks or network failures occur in the system, which will lead to the failure of consensus. Therefore, resilient consensus, the consensus in the face of some agents in the network subject to faults or attacks, has been investigated by many researchers in recent years.
Recently, many works have been dedicated to resilient consensus for MASs with different network situations or types of cyber-attacks [4][5][6][7]. Roughly speaking, the goal of resilient consensus is to prevent the malicious agents from influencing the system's consensus process by appropriate consensus strategy and designing sufficient redundancy in the underlying network [8][9][10]. For the case of a time-varying network, the authors in [11] provided sufficient and necessary conditions for the design of resilient consensus protocols. Furthermore, the author in [12] studied the resilient consensus problem for switched MASs. On the other hand, based on the impact of different cyber-attack characteristics on MASs, constructing corresponding control system attack models is also a research hotspot [13][14][15]. In MASs, the most commonly used attack strategy is data falsification (Byzantine) attack, where the attackers, in an adversarial manner, send inconsistent information to their neighboring nodes [16][17][18][19]. In [5], DoS attack models in multi-agent networks are discussed, and a resilient consensus control law is given based on the static output feedback mechanism.
Utilizing the information of the neighbors, a distributed event-triggered algorithm for resilient consensus is provided in [20] by considering the impact of deception attacks on the MASs. Moreover, crashed attack models are also one of the research fields that have recently been considered in the resilient consensus problem [21][22][23]. However, nearly all of the existing work designed the consensus protocol on the assumption that there is an upper bound on the number of malicious nodes in the multi-agent network.
A particularly challenging attack on this assumption is the so-called Sybil attack [24], in which a malicious agent can create multiple fake or captured identities to gain a disproportionate influence on the distributed networks. The Sybil attack was first studied by Douceur in the context of peer-to-peer networks [25]. Such an attack has a devastating effect on routing distributed networks such as voting, resource storage, and social networks. To date, there have been some works on MASs under Sybil attacks. Dong and Liu [26] considered the Sybil attack in sensor networks and proposed a robust and secure time-synchronization protocol with a graph-theoretical approach. Jamshidi et al. [27] recently introduced a precise and straightforward algorithm for detecting Sybil attacks in WSNs with the observer monitoring behavior of nodes. Huang et al. [28] introduced a so-called "ScatterID" system which attaches backscatter tags to single-antenna robots to defend against Sybil attacks in multi-robot networks. Wheeler et al. [29] proposed a secure consensus algorithm against Sybil attack by controlling the network communication topology through Wi-Fi signals. A proof-of-concept protocol called ReCon is presented in [30], where the nodes in the network achieve Sybil-resistant consensus by establishing blockchain technology.
It is important to note that the majority of the existing defensive methods against Sybil attacks rely on specific mechanisms, such as a central trust authority or reliable methods to distinguish the physical fingerprints of signals from neighboring nodes [14,31,32,33]. However, in practice, the central trust authority mechanism is not suitable for a large-scale distributed MAS network. In addition, fingerprint recognition and reputation mechanisms mean extra network components and computing expenditure, which may not be ideal for MASs, because each agent is resource-limited. Thus, a lightweight attack-tolerant consensus algorithm becomes promising for effectively resisting such scenarios, which are otherwise challenging to handle. To the best of our knowledge, the integration of an identity authentication mechanism with an agent update and lightweight Sybil defense algorithm is still a gap in the research of MASs.
Inspired by the above facts, the purpose of our paper is to investigate the resilient consensus problem for MASs under Sybil attacks, where the malicious agents attempt to multicast an excessive amount of state information with different fictitious identities so that the normal agents' state values cannot reach a consensus. To describe the characteristics induced by the Sybil attacks in the multi-agent networks, a novel attack model focusing on the internal relationships of nodes is introduced for the first time in this paper. Based on the attack model, necessary network topology conditions are obtained for the MASs under a directed graph. Inspired by [34,35], we propose a random label generation and verification mechanism that uses the truncated normal distribution. Such a mechanism can help us to identify the Sybil nodes in the distributed MASs. Then, as a natural extension to our previous work [36], and inspired by the work of Dibaji et al. [37], here, we employ a quantized version of the mean sub-sequence reduced (MSR) algorithm called the QW-MSR algorithm to reach a consensus on the state value of all nodes, which can also effectively reduce the calculation and communication burden of the system. Specifically, we set the state value of each agent to be composed of the integer part generated by the quantization process and the fractional part generated by the label sampling mechanism. It is worth noting that the values generated by the sampling mechanism are time-sensitive and independent and will not affect the integer state value. Some numerical examples are given to demonstrate the effectiveness of our methods.
So, focusing on the characteristics of the Sybil attack and in contrast to the existing literature, which uses detection and verification mechanisms with extra components against the Sybil attack, our contributions in this paper can be summarized as follows:
• Compared with [4,9,10], we give a novel network attack model to describe the behavioral characteristics of Sybil attack in MASs.
• Compared with [28][29][30], we propose a random label generation and verification mechanism incorporating the node information transmission process to detect and mitigate Sybil attacks in the network.
• Compared with [26,27], we propose a novel quantization mechanism during the computation and update of node state information, which makes the consensus algorithm more lightweight and consumes less energy.
The paper is organized as follows: In Section 2, we present some notions in graph theory and propose the Sybil attack model. The node label sampling and verification mechanism and the consensus algorithm are proposed in Section 3. The main results are given in Section 4. Simulation tests are performed to show the effectiveness of our results in Section 5, and the conclusions are presented in Section 6.

Graph Theory
We model the MAS with a directed graph defined as a triple $G = \{V, E, A\}$, where $V$ denotes the node set, $E \subseteq V \times V$ represents the directed link set, and $A \in \mathbb{R}^{n \times n}$ represents the adjacency matrix. In this paper, the node set is composed of the normal node set $V_n$ and the Sybil node set $V_S$, i.e., $V = V_n \cup V_S$, $V_n \cap V_S = \emptyset$. The directed edge $(j, i)$ is called an incoming edge of $i$, which means node $i$ can receive information from node $j$. For node $i$, the set of its neighbors is denoted by $N_i = \{j : (j, i) \in E\}$, and the number of neighbors is denoted by $|N_i|$. The element $a_{ij}$ of $A$ is defined by $a_{ij} \in [\mu, 1)$ if $(i, j) \in E$, where $\mu > 0$; otherwise $a_{ij} = 0$. Next, several concepts of the so-called robust graph are introduced below. Further details and examples can be found in [4].

Definition 1. r-reachable set: A nonempty set $S \subseteq V$ is said to be r-reachable if there exists at least one node $i \in S$ such that $|E_i| \geq r$, $r \in \mathbb{Z}_+$, where $E_i$ denotes the set of incoming edges of $i$ that come from outside the set $S$.

Definition 2. (r, s)-reachable set: A nonempty set $S \subseteq V$ is said to be (r, s)-reachable if there are at least $s$ nodes in $S$, each of which has at least $r$ neighbors outside of $S$, where $r, s \in \mathbb{Z}_+$.

Definition 3. r-robustness: A directed graph is said to be r-robust if for every pair of nonempty disjoint subsets of $V$, at least one of the subsets is r-reachable.
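Definitions 1 and 3 can be checked by brute force on small graphs, which is a practical way to confirm that a planned topology has the redundancy the later resilience conditions rely on. The Python below is an added example, not code from the paper; the two 7-node graphs are constructed samples, and the search is exponential in the number of nodes.

```python
from itertools import product

# Constructed sample topologies (not the paper's figures).
NODES = list(range(1, 8))
COMPLETE = [(j, i) for j in NODES for i in NODES if i != j]   # every j -> i
RING = [(j, j % 7 + 1) for j in NODES]                        # 1->2->...->7->1


def in_neighbors(nodes, edges):
    """Map each node i to the set {j : (j, i) in E} of nodes it hears from."""
    nbrs = {i: set() for i in nodes}
    for j, i in edges:
        nbrs[i].add(j)
    return nbrs


def is_r_reachable(subset, nbrs, r):
    """Definition 1: some node in the subset has >= r in-neighbors outside it."""
    return any(len(nbrs[i] - subset) >= r for i in subset)


def find_violation(nodes, edges, r):
    """Return a pair of disjoint nonempty subsets that breaks r-robustness,
    or None if the graph is r-robust (Definition 3)."""
    nbrs = in_neighbors(nodes, edges)
    # Assign every node to "neither" (0), S1 (1) or S2 (2): 3^n cases.
    for assignment in product((0, 1, 2), repeat=len(nodes)):
        s1 = {v for v, a in zip(nodes, assignment) if a == 1}
        s2 = {v for v, a in zip(nodes, assignment) if a == 2}
        if s1 and s2 and not (is_r_reachable(s1, nbrs, r)
                              or is_r_reachable(s2, nbrs, r)):
            return s1, s2
    return None


def max_robustness(nodes, edges):
    """Largest r for which the graph is r-robust (0 if not even 1-robust)."""
    r = 0
    while r < len(nodes) and find_violation(nodes, edges, r + 1) is None:
        r += 1
    return r


if __name__ == "__main__":
    print("complete graph:", max_robustness(NODES, COMPLETE))
    print("directed ring :", max_robustness(NODES, RING))
    print("ring, r=2 counterexample:", find_violation(NODES, RING, 2))
```
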

Sybil Attack Model
As discussed earlier in this paper, we focus on the case of having a small number of Sybil nodes in a MAS network. Each Sybil node can generate multiple fabricated (or fake) identities to gain a disproportionate advantage to control or affect a large number of legitimate nodes in the network. It is worth noting that although the network with Sybil nodes seems to add multiple nodes (fake identities), the number of physical nodes in the network has not increased. Multiple fabricated identities, which are called child nodes, generated by the first Sybil node, which is called parent node, simultaneously send malicious messages to their neighbors.
Next, we define two types of Sybil nodes in the MAS for Sybil attackers.
Definition 5. (Sybil parent node and Sybil child node) Consider a MAS under Sybil attacks, where each agent is regarded as a node in a directed graph, denoted by $G = \{V, E\}$. The first compromised or captured node is called the Sybil parent node, and the fabricated identities generated by the Sybil parent node are called the Sybil child nodes.
We denote by $V_{Sp}$ the set of Sybil parent nodes, and by $V_{Sc}$ the set of Sybil child nodes. The whole Sybil node set is composed of the Sybil parent nodes and the Sybil child nodes, which we denote by $V_S = V_{Sp} \cup V_{Sc}$.

Remark 1.
In previous research on Sybil or spoofing attacks [13,14,27,32], researchers usually identify Sybil nodes by their attack behavior and characteristics. Given that the nature of a Sybil attack is forged identities, we believe that the internal relationship and generation order of Sybil nodes can be used for Sybil node detection and exclusion. Thus, we divide Sybil nodes into parent nodes, which are reprogrammed physical entities, and child nodes, which are replica-forged identities.
In this paper, we assume the Sybil attack dimensions are direct, fabricated, and simultaneous, which means that Sybil nodes as well as fabricated identities can directly connect to their neighboring nodes and send malicious information simultaneously. An example of the type of Sybil nodes discussed in the above definition is shown in Figure 1.
Here, we consider a group of six agents with a directed communication topology. The attacker compromised agent 1 and turned it into a Sybil parent node, as shown in Figure 1a. Then, the Sybil parent node generated two Sybil child nodes, i.e., node 1a and node 1b. The entire communication network under Sybil attacks is shown in Figure 1b.

Considering the limited ability and spending, the attackers often cannot compromise all nodes in the network. A standard assumption model in the area of resilient consensus problems is the so-called F-local attack model or F-total attack model. In such a model, the scope of the malicious nodes is usually assumed to be bounded by a constant F in the neighborhood of each node (F-local attack model) or the total area of all nodes (F-total attack model) [4,12,15]. The above assumptions are invalid for Sybil attacks that can arbitrarily generate fabricated nodes. Therefore, it is necessary to redefine the scope model of Sybil attacks according to the different types of Sybil nodes. In this paper, we have the following definitions.

To achieve the purpose of destroying the system consensus process, both the Sybil parent node and the Sybil child nodes will behave as malicious nodes that do not obey the pre-designed control rules and update their state information arbitrarily. This paper assumes that the information generated and sent by a Sybil child node is the same as that of its own Sybil parent node.

Node Verification Mechanism and Consensus Algorithm
Here, we consider a MAS of N agents cooperating over a directed graph G = (V, E , A). All the agents take the following form: ∈ R is the state of node i at time step k, and u i [k] is the control input of node i to be designed.

Information Processing and Verification Framework
The information that the agent communicates in the network consists of two parts, namely, the status value in integer form and the validation value in decimal form. The status value in integer form is achieved by designing an appropriate quantizer, while the validation value in decimal form is realized by designing a reasonable random distribution function.

State Value Probabilistic Quantization
Inspired by the consensus problem for MASs with quantized communication, in this section we propose a distributed local quantizer q(·) : R → Z aiming to transform each agent's real-valued state to a quantized integer value.
Each agent adopts a uniform integer quantization function q(·) with quantization step ∆: where y ∈ R is the real-valued state input, and s is the quantization level. In this problem, we only set quantization step ∆ = 1, as we wanted each agent to have an integer state value.
Consider the deterministic quantization error e(y), which is defined as: According to Equation (2), it is easy to see that e(y) varies within the interval [−1/2, 1/2]. Then, the quantizer for the MAS (1) is presented as follows: where the quantizer uses the percentage of the quantization step size occupied by the quantization error as the probability to select the upper and lower bounds of the quantization result. Combining the control input with the quantizer q(·) yields where a ij [k] is the (i, j) entry of the adjacency matrix A of the graph at time k. We assume that the probabilistic quantizers in the nodes are independent but share the same quantization step at each time. Thus, the control law (5) can be implemented in a distributed fashion. Next, we will present an identity verification mechanism using random labels in the following subsection, aiming to tackle the identities fabricated by Sybil child nodes in the network.

Verification Using Random Labels
Using information labels to verify a node's identity is one of the typical methods in distributed networks against malicious attacks. It usually requires a specific label verification algorithm and storage space for label information. It should be noted that if a Sybil child node copies the legal label of its parent, a verification mechanism based on a fixed label will be invalid. Thus, we develop a random decimal label instead of a fixed one to ensure that the label can be uniquely generated, used, and thrown away, not taking up any extra memory space. With the quantizer transforming the real-valued input into an integer value, the decimal part is used to store the label information. Thus, the message sent by a normal node i to its neighbors is composed of the latest integer state value and its label value, i.e., x where x i [k] represents the message sent by node i, and L i [k] represents the decimal label generated by random sampling at time step k. Equation (7) below shows the messages sent by Sybil nodes in the network: where V p Sc denotes the set of Sybil child nodes generated by the Sybil parent node p. For the Sybil child nodes, due to the lack of a physical entity, we assume that all the child nodes in V p Sc use the same label, generated by their Sybil parent node.

Remark 2.
Each normal node will generate a random decimal label before it sends information to its neighbors each time. Then, the generated label is combined with the quantized state value to generate new information for transmission. The advantage of such processing is that no additional computing equipment is required and the computing consumption within the node itself is reduced.
Since sending the messages of agents uses the integer value plus decimal value label, . Combining Equation (6), it is easy to find that the following formula is established.
All Sybil parent nodes have a physical entity that is used for executing the corresponding label generation algorithm, while all Sybil child nodes have no exclusive labels for their spoof identities. This is the break-point that we use to distinguish the Sybil child nodes. We give the relevant label generation requirements of such a quantization network in the face of Sybil attacks below:
• To avoid affecting the status value during the process of quantization, the label value shall be strictly less than one quantization step;
• To avoid different nodes generating the same label, the random label range of one agent shall be an open interval;
• To make labels time-sensitive, one node generates a random label at each time step.
According to the above requirements for labels, we set the sample range of random labels within one quantization step, i.e., $\Delta = 1$. Then, according to the number of agents, we ensure that the random distribution ranges cannot coincide. When all agents generate labels by sampling from one normal distribution, the labels of different agents have a chance to be identical. Therefore, we use the sampling method based on a disjoint truncated normal distribution to generate labels to avoid being identified. Each agent generates a random label by sampling from the distribution to select one item from the range of legal values, using the probability density function as the probability of selection. Figure 2 is a schematic diagram of our sampling process. In the figure, the random label sample ranges of the $n$ agents sum to one quantization step $\Delta = 1$ in one time step, and those ranges have the same length on the axis, i.e., $r_{L_i} = \frac{1}{n}$, $\forall i \in V$, where $n = |V_n \cup V_{Sp}|$. As we know, the Sybil parent node is the first compromised agent. Thus, parameter $n$ is the number of agents in the original system. According to the total number of agents $n$ and the value of the quantization step $\Delta = 1$, we have the minimum and maximum of the label of each node at time step $k$ as $L_{i,\min} = \frac{i-1}{n}$ and $L_{i,\max} = \frac{i}{n}$, and $\sigma = \frac{|r_{L_i}|}{2}$, respectively. To eliminate the possibility of identical labels, the random label value distribution range of agent $i$ is modified to the open interval $(L_{i,\min}, L_{i,\max})$. Thus, the probability density function of the corresponding label value is given as where $\mu_i$ and $\sigma$ represent the mean of agent $i$'s label and the standard deviation, respectively. Parameter $c_i$ is used to make sure the cumulative probability of $f(L_i)$ is 1 in the interval $(L_{i,\min}, L_{i,\max})$.
According to the total number of agents and the quantization length, parameters in Equation (9) can be set as follows: The truncated normal distribution function $F$ can be calculated according to the following three situations: With label sampling from such a truncated normal distribution, each agent can generate the corresponding random label. The random label generation model complies with a truncated normal probability density function as

In Figure 3, we give an example of the probability distribution function of 10 agents in quantization step $\Delta = 1$, where different colors represent the label probability density curves of the 10 different nodes. The random label of each agent is distributed in the corresponding truncated range centered on the half of $r_{L_i}$.

The main idea of the label generation design is that the label value merges with the quantized status value and becomes a quantified part. Since each agent label is sampled from the corresponding truncated normal distribution range $L_i[k] \in (L_{i,\min}, L_{i,\max})$, one can identify each individual agent in the MAS. At the same time, since the child node and the parent node have the same label value, the redundant fake child nodes that have been generated can be easily distinguished and ignored by the normal nodes. After label verification and the removal of redundant individuals with the same label, the total number of nodes in the network is maintained at $n$.
In the following subsection, we provide the solution to the resilient consensus problem with Sybil nodes in the network.

Distributed Consensus Control Law Design
Recall that the malicious nodes in MAS shall be divided into a Sybil parent node and Sybil child node. Thus, V S = V Sp ∪ V Sc . Combined with the local quantification process, the updated rule for the nodes can be written in the following form: The existing typical methods against Sybil attacks are adopting a strict identity distribution mechanism or using physical fingerprints as authentication. Such methods always require extra modules and computing consumption. Before giving our distributed control protocol, we first need to introduce the notion of resilient consensus for the network of probabilistic quantized agents in the face of malicious attacks.

2. Agreement condition: There exists a finite time k c ≥ 0 such that Prob{x V n (k c ) ∈ C V n |x(0)} = 1, where the consensus C V n is defined as

Next, we give our distributed consensus algorithm, which is mainly inspired by the weighted mean subsequence reduced (QW-MSR) algorithm [37], and incorporates the previously designed label generation and verification mechanism, referred to as the QWL-MSR algorithm.

Description of QWL-MSR Algorithm
At each time step k, the normal node i will receive the messages of its neighbors. We assume that there are at most f Sybil parent nodes among node i's neighbors, and each Sybil parent node can generate up to n Sybil child nodes. Therefore, node i will receive at most nf + f malicious messages. The pseudocode of QWL-MSR can be seen in Algorithm 1.

Algorithm 1 QWL-MSR
In Algorithm 1, node i first generates a truncated normal distribution function based on the input values, and then generates label L i [k] by sampling from the generated function. Subsequently, node i merges the state value and the label value and sends the result to its neighbor nodes. When node i receives the message value MSG j [k] from its neighbor node j ∈ N i , the label value and state value are separated. The Sybil nodes are placed into the Sybil node set N S through label verification and state filtration. Under this mechanism, node i will update its own state value without interference from Sybil nodes. Specifically, the following five steps can be used to describe the whole process of node information processing.

1. Label Generation: At each time step k, each node i ∈ V (including Sybil nodes) calculates and generates an exclusive random label L i [k];
2. Message Exchange: Once node i updates its own state value, it will combine the message value with its newly generated status value and label value, i.e., . Then, it sends this message to its neighbors, and receives the message values from its neighbors j ∈ N i .
5. State Update: According to the set N S [k] obtained by the above operation, node i applies the following update:

Figure 4 shows the data flow model of QWL-MSR for normal agent i. In the figure, the state value x i [k] of node i is subtracted from each of the other states, including its own state in the memory. The resulting relative states are verified and filtered in order. Finally, the remaining elements are weighted, summed, and quantized to the next state.

Main Results
We now present our main theorems for quantized resilient consensus in the presence of Sybil attacks. The network underlying a robust graph that guarantees sufficient connectivity and information redundancy for agents strengthens the incoming counter attacks. Let us revisit the definition of security interval S by where min x V n [0] and max x V n [0] represent the minimum and maximum initial state values of all nodes in the MAS, respectively. Note that we assume that the initial value of each agent is an integer, i.e., x i [0] ∈ Z, i ∈ V.
Since we choose to run probability quantization during the node state value update process, the discussions of consensus under probabilistic conditions are inevitable. The following three conditions, which are argued in [37] for the probabilistic quantized consensus problem, are also adopted in our paper.

1.
C1. There is a finite state set S for each normal node i, such that, for any k ≥ 0, C2. There exists a finite time k x , such that, for state value

Theorem 1.
Under the f -parent total Sybil attack model, the MAS (1) for which each node updates its state according to the QWL-MSR algorithm with parameter f reaches quantized resilient consensus almost surely if, and only if, the system's network topology is ( f + 1, f + 1)-robust.
Proof of Theorem 1. (Necessity) Although all Sybil child nodes could be removed after the step of label verification, there are still f values of Sybil parent nodes retained in the network. Then, in the step of state filtration, if the underlying graph G is not (f + 1, f + 1)-robust, the node set includes two disjoint and nonempty subsets, V 1 and V 2 , that do not meet any of the conditions in Definition 4. Thus, the number of incoming edges of either disjoint and nonempty subset V 1 or V 2 is less than f + 1. With the QWL-MSR algorithm, the normal node will ignore all of its neighbors' values that are different from its state and will not update its state, which will cause the state value consensus process to fail to complete.
(Sufficiency) We first show that the state value of each normal node in the update process satisfies the safety condition. We denote the minimum and maximum values of normal nodes at time step k by Since we consider the f-parent total Sybil attack model, there are at most f Sybil parent nodes in the network. Each Sybil parent node will fabricate n Sybil child nodes. Therefore, it is equivalent to the existence of at most (n + 1) f malicious nodes in the entire network. At each time k, all the Sybil child nodes' values will be ignored in the step of label verification of the QWL-MSR algorithm. Then, in the step of state filtration of our algorithm, the normal node i will remove the first f and last f values in the sorted list of all its neighbors. This ensures that the information used in the update of node i is not According to the update rule (18) and the remaining neighbor set φ i [k] = {N i ∪ {i}}\N S [k], the value of normal node i at the next time step will be upper bounded by This implies that is a monotonically non-increasing function of time. Hence, node i's value at the next time step has a lower bound value function x[k], i.e., Consequently, node i's state value satisfies for all time steps, which implies that the safety condition of MAS (1) is ensured.
We next show that the state value of each normal node i ∈ V n in the update process (18) satisfies the agreement condition. Let the set S be a set of all normal nodes' state values at all times. Since x[k] and x[k] are both monotone functions, they will eventually converge to the values x * and x * with probability at a finite time k , respectively. We will show that x * and x * tend to be the same as the time becomes infinite. We prove this by contradiction. Assume that x * < x * . In this case, the shortest distance between x * and x * is one quantization step ∆, thus x[k] − x[k] = ∆. As the state values tend to remain unchanged, we denote the set of nodes (including Sybil nodes) for which state values are greater than or equal to x * and the set of nodes (including Sybil nodes) for which state values are less than or equal to x * by X 1 [k] and X 2 [k], respectively, i.e., Since the network of MAS (1) satisfies a ( f + 1, f + 1)-robust graph, we know that for any pair of nonempty disjoint subsets of V, at least one of the three conditions in Definition 4 is satisfied. We let X 1 [k] and X 2 [k] be such a pair of subsets. In this case, there always exists a normal node i, either in . We suppose node i in X 1 [k] has this property and its state value is x i [k] = x * . If there are any Sybil nodes around node i, in the step of label verification, node i will ignore at most n f incoming edges from them. Then, in the step of state filtration, node i will neglect at most f values from V \X 1 [k] and at most f values larger than x * which are sent from f Sybil nodes. That means node i will receive at least one node's value in X 2 [k], which is smaller than x * . Thus, by the update rule (18), we have where a < 1 is node i's self-weight. With random quantizer (4), we have q(x * − a) = x * − 1 with probability 1 − a. Thus, This indicates that there is at least one node in X 1 [k] that will update and decrease its state value at time step k.
We now show that there is a positive probability that none of the nodes in V \X 1 [k] will be placed into set X 1 [k + 1] at the next time step. According to (18) and (22), the normal node i will choose the value x * − 1 with probability a. In other words, node i will not be placed into X 1 [k + 1] with probability 1 − a. By applying the same argument, nodes in V \X 2 [k] will not be placed into X 2 [k + 1] according to their updated state values.
By the above analysis, we conclude that for any k ≥ k + |V n |, one of sets (X 1 [k] and X 2 [k]) will be empty with a positive probability. Clearly, it arrives at a contradiction with the definition of a ( f + 1, f + 1)-robust graph. Hence, we proved x * = x * .
According to the above discussion, one can clearly see that the safety condition of node i in MAS (1) also satisfies the C1 in the quantized consensus problem, while the agreement condition of node i in MAS (1) also satisfies the C2 and C3 in the quantized consensus problem. Thus, the proof is completed.

Theorem 2.
Under the f-parent local Sybil attack model, the MAS (1) in which each normal node updates its state value according to the QWL-MSR algorithm with parameter f reaches quantized resilient consensus almost surely if, and only if, the network's topology is (2 f + 1)-robust.
Proof of Theorem 2. (Necessity) We will prove by contradiction. Assume the network topology does not satisfy a (2 f + 1)-robust graph; each node in the nonempty disjoint subsets V 1 or V 2 will have at most f neighbors from the outside. Although the Sybil child nodes could be removed after the step of label verification, the normal nodes in V 1 and V 2 will ignore all of the neighbors that have different values. This will cause the normal nodes not to update their state values. This also means that consensus cannot be achieved.
(Sufficiency) The proof is similar to the proof of the sufficiency of Theorem 1 and hence is omitted here. Note that by the steps of label verification and state filtration of the QWL-MSR algorithm, the safety condition and agreement condition are guaranteed if the network is $(2f + 1)$-robust.

Numerical Simulation
In this section, a numerical simulation is presented to illustrate the effectiveness of the theoretical results for the MAS under the $f$-parent total and $f$-parent local Sybil attack models, respectively.
Consider the MAS with $n = 7$ agents. The connections among agents are represented in Figure 5a,b. According to Definition 4, one can verify that the graph in Figure 5a is (2, 2)-robust, and the graph in Figure 5b is 3-robust. Suppose node 4 is infected by a Sybil attack and becomes a malicious Sybil parent node. Then, node 4 generates two Sybil child nodes, 4a and 4b. The figure shows that the Sybil child and Sybil parent nodes share the same adjacency matrix. Hence, the normal nodes connected to the Sybil parent node will also receive malicious information from Sybil child nodes. The initial values of all nodes are $x[0] = [2, 3, 4, 10, 5, 6, 7]^T$. Thus, the safety interval is $[2, 7]$. Let all Sybil nodes maintain their values $x_4[k] = x_{4a}[k] = x_{4b}[k] = 10$ for all time steps $k$. In this scenario, the adversary aims to drive the system out of the safe set $[2, 7]$.

First, we check the state value trajectories of all nodes applying the existing QW-MSR algorithm in the (2, 2)-robust graph under the 1-parent total Sybil attack. It is observed in Figure 6 that all normal nodes are misguided by the malicious values and reach the consensus value $x^* = 10$, which is outside the safety interval $[2, 7]$. This means that the traditional QW-MSR algorithm is insufficient for such Sybil attacks.
Next, we examine the performance of the case with the same network communication topology, but each node runs our proposed QWL-MSR algorithm. First, each node generates its own label according to a truncated normal distribution in the value range of the corresponding label. With a total number of agents n = 7, the sampling of each agent's label conforms to the truncated normal distribution ). Figure 7a shows the probability distribution function curve of random label sampling for each agent. The scatter points in Figure 7b more intuitively indicate that the random labels of each agent generated at each time step k are distributed in the corresponding range and will not overlap with each other.
Under the one-parent total Sybil attack, with the QWL-MSR algorithm applied to the MAS of seven agents, the trajectory of each agent state value is shown in Figure 8. From the figure, we can see that all normal agents reach a consensus value x * = 6 after 38 steps. This simulation result verifies the validity of Theorem 1. Now, we consider the case when the MAS topology satisfies a 3-robust graph (see Figure 5b). The attack model, in this case, is a one-parent local Sybil attack model. The simulation results are shown in Figure 9. The figure shows that all normal agents acquire a consensus value x * = 6 after 19 time steps. This simulation result verifies the validity of Theorem 2.
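An added example, not code from the paper: the seven-agent scenario above (node 4 as Sybil parent with children 4a and 4b, all holding 10) run with and without a label-verification step ahead of the MSR filter with f = 1. The complete-graph topology, equal weights, the label ranges (agent j draws from (j, j + 1)), the quantizer form and the one-message-per-range verification rule are assumptions made for illustration; the graphs of Figure 5, update rule (18) and quantizer (4) are not reproduced here.

```python
import math
import random

NORMAL = [1, 2, 3, 5, 6, 7]                   # node 4 is the Sybil parent
X0 = {1: 2, 2: 3, 3: 4, 5: 5, 6: 6, 7: 7}     # x[0] from the page, normal nodes only
SYBIL_VALUE, F = 10, 1                        # Sybil identities hold 10; f = 1

def sample_label(agent, rng):
    """Truncated normal on (agent, agent + 1); the range layout is assumed."""
    while True:
        label = rng.gauss(agent + 0.5, 0.2)
        if agent < label < agent + 1:
            return label

def quantize(y, rng):
    """Assumed probabilistic quantizer: round up with probability frac(y)."""
    low = math.floor(y)
    return low + (1 if rng.random() < y - low else 0)

def verify_labels(messages, in_neighbors):
    """Assumed rule: keep at most one message per registered neighbor range."""
    kept = {}
    for label, value in messages:
        owner = math.floor(label)
        if owner in in_neighbors and owner not in kept:
            kept[owner] = value
    return list(kept.values())

def msr_filter(own, values, f):
    """Drop the f largest values above own and the f smallest below own."""
    larger = sorted(v for v in values if v > own)
    smaller = sorted(v for v in values if v < own)
    equal = [v for v in values if v == own]
    return smaller[f:] + equal + larger[:max(len(larger) - f, 0)]

def simulate(use_labels, steps=1000, seed=7):
    rng, x = random.Random(seed), dict(X0)
    for _ in range(steps):
        nxt = {}
        for i in NORMAL:
            msgs = [(sample_label(j, rng), x[j]) for j in NORMAL if j != i]
            # Parent 4 plus children 4a, 4b: three identities, one label range.
            msgs += [(sample_label(4, rng), SYBIL_VALUE) for _ in range(3)]
            vals = (verify_labels(msgs, set(range(1, 8)) - {i}) if use_labels
                    else [v for _, v in msgs])
            kept = msr_filter(x[i], vals, F) + [x[i]]
            nxt[i] = quantize(sum(kept) / len(kept), rng)   # equal weights
        x = nxt
    return x
```

Under these assumptions, `simulate(False)` lets two of the three value-10 messages survive the f = 1 filter, while `simulate(True)` leaves a single one, which the filter then removes.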
In order to verify the necessity of network robustness for our proposed algorithm, we design a (2,1)-robust graph by deleting links (1,3), (3,1), (5,7) and (7,5) from Figure 5b. The newly designed network communication topology is shown in Figure 5c. Likewise, by removing links, we design a graph (see Figure 5d) that is no longer 3-robust but is still strongly connected. Under the same network attack situation and running the same control algorithm, the state value trajectories of all normal agents are shown in Figures 10 and 11, respectively. It can be seen from the simulation results that the node state values cannot reach consensus, which further verifies the correctness of our theories.

Figure 11. Simulation results of proposed algorithm under strongly connected network.

Conclusions
In this paper, we considered the distributed resilient consensus problem of MASs under Sybil attacks. A consensus algorithm based on random label values was applied to each agent to determine valid neighbor agents and realize the state value convergence under Sybil attacks. The proposed algorithm is computationally lightweight and suitable for use in distributed MASs. Using graph theory and mathematical analysis, we have proved the effectiveness of the consensus algorithm under consideration. Numerical simulations are also provided to confirm our methods.