A Distributed Observer-Based Cyber-Attack Identification Scheme in Cooperative Networked Systems under Switching Communication Topologies

This paper studies an approach for detecting cyber attacks against networked cooperative systems (NCS) that are assumed to be working in a cyber-physical environment. NCS are prone to anomalies both due to cyber and physical attacks and faults. Cyber-attacks, being more hazardous given the cooperative nature of the NCS, may lead to disastrous consequences and thus need to be detected as soon as they occur by all systems in the network. Our approach deals with two types of malicious attacks aimed at compromising the stability of the NCS: intrusion attacks/local malfunctions on individual systems and deception/cyber-attacks on the communication between the systems. In order to detect and identify such attacks under switching communication topologies, this paper proposes a new distributed methodology that solves global state estimation of the NCS where the aim is identifying anomalies in the networked system using residuals generated by monitoring agents such that coverage of the entire network is assured. A cascade of predefined-time sliding mode switched observers is introduced for each agent to achieve a fast estimate of the global state whereby the settling time is an a priori defined parameter independently of the initial conditions. Then, using the conventional consensus algorithm, a set of residuals is generated by the agents that is capable of detecting and isolating local intrusion attacks and communication cyber-attacks in the network using only locally exchanged information. In order to prove the effectiveness of the proposed method, the framework is tested for a velocity synchronization seeking network of mobile robots.


Introduction
Networked Control Systems are control systems where the control loops are closed through a communication network whereby necessary signals for the control mission are exchanged among the system components through a network, namely wireless. Indeed, one of the main advantages of such systems is the capability of connecting their cyberspace to their physical space thus enabling the execution of several tasks from long distance. Figure 1 represents an example of an NCS, its environment and basic components. These systems, sometimes referred to as cyber-physical systems (CFS) [1,2] or multi-agent systems (MAS) in the literature [3], have attracted a lot of research interest in recent
(1) The design of a bank of distributed predefined-time sliding mode observers (SMO) for global state estimation for a multi-agent system with integrator dynamics whereby the convergence time is an a priori user defined parameter, in order to overcome the problem of attack detection under switching topologies.
(2) A residual based approach is proposed where the equivalent control concept is used to detect different faults and attacks that might occur anywhere in the system (i.e., an intrusion attack reflective of a local malfunction in agent or a cyber-attack affecting a communication link between two agents) in a distributed way based on the topological properties of the network. This allows detection and identification of multiple simultaneous attacks and intrusions.
The rest of the manuscript is organized as follows: Section 2 provides a brief background on graph theory. Section 3 introduces some important definitions, lemmas and the problem formulation of the global fault detection and identification issue. Section 4 presents the main results, namely the design of banks of distributed predefined-time sliding mode observers for state estimation and residual generation based on local information. Section 5 presents numerical simulation results, where our approach is applied in the context of a practical application to consensus seeking fleet of mobile robots, in order to show the efficacy of our approach. Finally, Section 6 draws the main conclusions of this work and presents future scopes for research on the considered topic.
Notations: The superscript $T$ stands for the matrix transpose and we denote by $I$ the identity matrix and by $\mathbf{1}$ the vector with all elements one, both with appropriate dimensions. The set of real-valued $m \times n$ matrices is given by $\mathbb{R}^{m \times n}$. $\lambda_{\min}(\cdot)$ represents the smallest non-zero eigenvalue of a square matrix $[\cdot]$. $\|\cdot\|_1$ and $\|\cdot\|_2$ denote the 1- and 2-norms, respectively. $(\cdot)_{eq}$ refers to the equivalent control value of $(\cdot)$ and $D^+(\cdot)$ refers to the upper right-hand Dini derivative of $(\cdot)$. For the sake of simplicity, the time argument is omitted when it is not required for clarity. Table 1 presents a list of the employed acronyms:

Graph Theory
In this paper, we are going to refer to networked systems as multi-agent systems and given that networked multi-agent systems need to exchange information amongst them, it is natural to model them using graph theory. In general, a communication topology composed of $N$ systems is represented by $Q = (\mathcal{N}, \mathcal{F})$ whereby $\mathcal{N} = \{1, ..., N\}$ is the node set consisting of $N$ nodes/vertices each representing an agent, and $\mathcal{F} \subseteq \mathcal{N} \times \mathcal{N}$ is the edge set representing the communication links between two agents. Here, we shall assume that $Q$ is connected, undirected and $\mathcal{N}_i \subset \{1, ..., N\} \setminus \{i\}$ is a non-empty subset of agents that agent $i$ can interact with. In this work, we shall further assume that the communication topology is time-varying. As a result, we denote by $\mathcal{T} = \{\tau_1, \tau_2, ..., \tau_M\}$ the set of all possible known topologies and by $\mathcal{M} := \{1, ..., M\}$ the set of indices corresponding to these topologies. More precisely, the communication topology is characterised by a switching graph $Q^{\sigma(t)} = Q(t)$ where $\sigma(t) : [0, \infty) \to \mathcal{M}$ is a piecewise constant switching signal and determines the communication topology with $0 = t_0 < t_1 < t_2 ...$ being the switching instants of $\sigma(t)$. Furthermore, it is assumed that $\sigma(t)$ satisfies the minimum dwell time condition [37], and $t_{w+1} - t_w = \tau_w < T_w$ with $T_w$ a known constant. Therefore, when $\sigma(t) = s \in \mathcal{M}$, the topology $Q(t) = Q^{\sigma(t)} = Q^s$ is activated. For the rest of this paper, we refer to the active mode using the superscript $s$. The adjacency matrix $A^s = [a^s_{ij}] \in \mathbb{R}^{N \times N}$ is defined by $a^s_{ij} > 0$ when the $i$th agent can receive information from the $j$th agent and $a^s_{ij} = 0$ otherwise. The diagonal of matrix $A^s$ is null since self-connections are not allowed. Let $D^s$ be the in-degree diagonal matrix with entries $d^s_i = \sum_{j=1}^{N} a^s_{ij}$.
Then, the Laplacian matrix L s is defined as: Let us denote by L s i ∈ IR (N−1)×(N−1) the Laplacian matrix L s defined without agent i, and by: the associated diagonal matrix defining the interconnections between agent i and the remaining agents under the active topology s, i,s k > 0 if information of agent i is accessible by the k th agent; otherwise i,s k = 0.

Preliminaries and Problem Statement
Before stating the main results, a brief overview of the techniques employed in our work is presented hereafter.

Definitions and Useful Lemmas
Consider the following nonlinear system: where $\xi(t) \in \mathbb{R}^n$ is the state and $\phi \in \mathbb{R}^g$, where $g \in \mathbb{N}$, is the system parameters considered to be constant ($\dot{\phi} = 0$). $\Phi : \mathbb{R}_+ \times \mathbb{R}^n$ is assumed to be a nonlinear function with its origin as an equilibrium point, i.e., $\Phi(t, 0; \phi) = 0$.

Definition 3 ([36]).
For the parameter vector $\phi$ of system (1) and a constant $T_p := T_p(\phi) > 0$, the origin of (1) is said to be predefined-time stable if it is fixed-time stable and the settling-time function $\Gamma : \mathbb{R}^n \to \mathbb{R}$ is such that for all $\xi_0 \in \mathbb{R}^n$, $\Gamma(\xi_0) \le T_p$ and $T_p = \sup_{\xi_0 \in \mathbb{R}^n} \Gamma(\xi_0)$.
Let us recall some lemmas concerning predefined-time stability.

Remark 1.
The concept of predefined-time stability is introduced where a settling time bound T p is set in advance as a function of system parameters φ, i.e., T p = T p (φ), and a strong notion of this class of stability is given when T p = T f , i.e., T p is the least upper bound of the settling time.

Lemma 2 ([40]).
Let us consider the nonlinear system (1) with ξ(0) as the initial condition, where ξ(t) ∈ IR n is the state and φ ∈ IR u with u ∈ IN, is the system parameters considered to be constant. Φ : IR + × IR n is assumed to be a nonlinear function with its origin as an equilibrium point. Suppose there exists a continuous radially unbounded candidate Lyapunov function V : IR n → IR such that and its derivative along the trajectories of (1) satisfies T p (αV p + ηV q ) r , ∀ξ ∈ IR n \{0}, with α, η, p, q, r > 0, rp < 1, rq > 1, γ(φ) is given in (2) and D + V is the upper right-hand Dini derivative of V(ξ). Then, the origin is predefined-time stable with predefined time T p .
Now, let us recall some complementary key lemmas that will be used throughout this paper.

Problem Statement
Consider a homogeneous multi-agent system composed of N agents labelled by i ∈ {1, ..., N}, and described by the following nth-order dynamics IR is a process fault affecting the dynamics of the agent which could be exogenous and might correspond to an internal malfunction, local intrusion attack, etc, u i (t) ∈ IR is the control input and z i (t) ∈ IR is agent i's internal measurement. Note that there is a multitude of practical applications of such systems, namely robotic systems, power systems, etc. Research on cyber-attack identification for such systems is of both practical and theoretical significance.
Furthermore, it is considered that agents have access to their control inputs, but they do not receive their neighbours' inputs. If needed, they have to reconstruct them using state estimates from exchanged information which are possibly corrupted. The exchanged information is expressed as where z ki (t) ∈ IR is agent i's output signal sent to agent k with z kk (t) = z k (t), andẑ kj i (t) ∈ IR is agent j's estimate of agent i's output which is sent to agent k, the termẑ j i (t) will be defined in the next Section. Both pieces of information are subject to an edge fault denotedf e ki (t) ∈ IR and f e kj (t) ∈ IR, respectively. Note that, these types of faults may affect all broadcasted information of an agent to another. This might include DoS, FDIA, deception attacks, cyber-attacks, etc. In this paper, a solution to the following questions is investigated:

• How can we detect a cyber-attack anywhere in the MAS while keeping a distributed approach of the detection scheme?
• How can we distinguish said attacks from local malfunctions/intrusions?
The conceptual idea in this work is that information locally produced by the sensors is considered to be secure, while the one sent over the communication network/cyber layer of the system is vulnerable to external attacks. The next section lays out our main results.

Proposed Methodology
The proposed distributed bank of predefined-time observers for output and state estimation and global cyber-attack detection scheme is laid out in this section.

Global Output and State Estimation
Let us define the 'monitored' agent i as the agent to be diagnosed by a 'monitoring' agent k. First, let us consider the case of a fixed communication topology, where no cyber-attack exists in the system (i.e.,f e ki = f e kj = 0). Denote byξ k i,l , agent k's estimate of the l th state variable of agent i and byẑ k i , agent k's estimate of agent i's output. The proposed distributed switched observer takes the following structure: The auxiliary state variablesξ k i,m , ∀m ∈ {2, ..., n} are defined as where the subscript eq denotes the equivalent value of sign function. In the following, it is assumed that the effect of the filter dynamics is negligible w.r.t. those of the observer. Let us define the errors as Differentiating them yields the following error dynamics: can be expressed in terms of the output estimation errors as Putting (8) in compact form, the following is obtained: where for each agent ∀i ∈ {1, ..., N} and ∀l ∈ {1, ..., n}, the estimation errors, the state estimates and the auxiliary variables are concatenated in the vectors: Theorem 1. Given Assumption 1, for a fixed communication topology and in the absence of cyber-attack, for each agent, the observation errors (9) converge towards zero in a predefined time T s = ∑ n−1 j=1 T j,s p independently of initial conditions, with the observer gains: (2), E s m represents the observer switches and T m,s p is the settling-time for each dynamic which is an user-defined parameter, considered to be the same for all of the m th dynamics of the agents for notational convenience.
Proof of Theorem 1. The proof is done step by step by taking advantage of the switching conditions. Indeed, due to this, at each step, only a one-dimensional, corresponding sub-dynamical system is studied.
Step 1: Initially, E s 1 = E s 2 = ... = 0, the error dynamics are expressed as Consider the following Lyapunov function associated with the concatenated first error dynamics of the agents Differentiating it results in By setting S 1 = [s 1 1 , . . . , Then, it follows that Considering Lemma 3, and taking into account the fact that Using Lemma 5, it can be shown that By expressing E i,1 as a linear combination of the eigenvectors of L s Thus, using Lemma 4, one has On the other hand, from the second term ∆ 2 (S 1 ), the following can be deduced By combining (16) and (17), the following is obtained from (13) Therefore, in accordance with Lemma 2, E i,1 converges towards the origin with the settling time T 1,s p (i.e., E i,1 =Ė i,1 = 0). As a result, at t = T 1,s p (E s 1 = 1), we have Hence, one getsX i,2 = X i,2 . At this point, one can go to the next step.
Step 2: At t = T 1,s p , the error dynamics become Selecting the Lyapunov function V i 2 = 1 N E T i,2 E i,2 and by following the same reasoning as before, Then, it is straightforward to show that Consequently, E i,2 converges towards the origin with the settling time T 1,s p + T 2,s p (i.e., E i,2 =Ė i,2 = 0). Therefore, at t = T 1,s p + T 2,s p and E s 2 = 1.
Step n: Now, fast forward to the nth step, at t = ∑ n−1 j=1 T j,s p , the error dynamics becomė Taking as the Lyapunov function V i n = 1 N (E i,n ) T (E i,n ) and by setting S n = [s 1 n , . . . , s N n ] T = E i,n , and following the same procedure as before, the following inequalities are obtained for the terms ∆ 1 (S n ) and ∆ 2 (S n ) The proof is thus concluded at the nth step. Now, let us consider the presence of a possible cyber-attack in the network. Due to the presence of these attacks, the output estimation errors is expressed as In this case, the following theorem can be stated. Proof of Theorem 2. When cyber-attacks are considered, (6) becomes Furthermore, the auxiliary variables (7) become and the concatenated errors are expressed as The rest of the proof straightforwardly follows the same reasoning as Theorem 1 and is thus omitted for brevity.
Note that the use of the predefined-time concept is very useful when dealing with switching topologies. Indeed, using our proposed scheme, one can immediately derive the following proposition: Proposition 1. Consider the switching topologies described in Section 2. Selecting T s such that T s < T w , ∀s ∈ M and observer parameters (25), the distributed switched observers guarantee the predefined-time stability of the estimation errors regardless of initial conditions at each switching instant.

Residual Definition and Cyber-Attack Identification
The idea is to compute the difference between the actual input of an agent and the estimated input effort. The difference should indeed be null in the case of no attacks or faults. The next step is to identify the source and type of faults, specifically deception attacks and thus trigger the appropriate alarms and further corrective measures. Note that, for Theorems 1 and 2, the upper bounds of the control inputs are used in Assumption 1 to design the predefined-time distributed observers. In this section, we will show through a residual based approach how one can detect process or communication faults/cyber-attacks with a global approach using input estimates if the control structure is known. In the following, let us consider the following typical linear higher-order consensus control algorithm [42,43], used with the available information where ∀l ∈ {1, ..., n} , ∀i ∈ {1, ..., N} , γ s l and µ s i are the consensus gains. It can be noticed that communication faults spread in the MAS through u i , and thus need to be detected as they occur. In the absence of edge faults, consensus is achieved provided a suitable selection of µ s i , γ s 1 and γ s m due to the fixed-time stability property of the proposed distributed observers [44].

Proposition 2.
Define agent k as the monitoring agent, agent i as the monitored agent, agents p ∈ N k as agent k's neighbours and agents j ∈ N i as agent i's neighbours, where agent i may or may not be a direct neighbour of k and j = i. Using protocol (29), an agent k can detect a deception attack on a communication link incident to agent k or i and local malfunctions/intrusions f a i anywhere in the fleet, given one type fault happens at a time, using the following residual signal: is agent i's reconstructed input by agent k withû k k = u k .

Proof of Proposition 2.
After the convergence of errors, the actual applied control input for each agent becomes Furthermore, the reconstructed input generated by the monitoring agent k is expressed aŝ kp Therefore, the residual signals (30) become where Θ k f e is Note that, when the control efforts u i are known to other agents in the network, the term (u i −û k i ) in Equation (31) disappears. In this case, the residual signals become where ki − ∑ p∈N k a s kp f e (n) kp . As a result, the defined residual signals (30) generated by the monitoring agent k are able to detect the presence of a cyber-attack or a local malfunction.
Residual evaluation: Once the residual signals are generated, it is important to be able to interpret them in order to find the root of the fault and thus take corrective measures accordingly. Indeed, from Equation (30), it can be noticed that, when a cyber-attack incident to agent $k$ or $i$ occurs while there is no local malfunction, agent $k$'s generated residual signal for itself is $r^k_k = 0$ and $r^k_i \neq 0$ for all $k \neq i$ regardless of whether or not agent $i$ is a neighbour of $k$. On the other hand, when there is no cyber-attack, the residuals provide explicit estimations of the local malfunctions/intrusions, with $r^k_k = f^a_k$ and $r^k_i = f^a_i$. $r^k_k$ is thus used to identify a cyber-attack in the system as it is only sensitive to local malfunctions/intrusions. The proposed cyber-attack identification scheme is thus summarized in the following Algorithm 1:

Algorithm 1: Observer Design and Decision Logic
Result: Distributed Cyber-attack Identification
while communication topology s is active do
    Choose observer convergence time $T^s$ in accordance with Proposition 1;
    Define Laplacian sub-matrices $L^s_i$ and $L^{i,s}$;
    Compute observer gains from Theorems 1-2;
    Define a monitoring agent k;
    for q ∈ {1, 2, ..., N} do
        Generate residual signals $r^k_q$ from Equation (30);
    end
    if $r^k_k = 0$ and $r^k_i = 0$ then
        No cyber-attack or local malfunctions/intrusions exist in the network;
    else if $r^k_k = 0$ and $r^k_i \neq 0$, $\forall i \neq k$ then
        A cyber-attack has occurred in the network;
    else if $r^k_k \neq 0$ and $r^k_i = 0$ then
        A local malfunction has occurred in agent k;
    else if $r^k_k = 0$ and $\exists! i \neq k$ such that $r^k_i \neq 0$ then
        A local malfunction has occurred in agent i;
    end
end

Remark 3.
Note that our approach does not present limitation with respect to the number of detectable attacks in the system, contrary to some existing works, for instance in [26]. Indeed, Proposition 2 can be used to detect simultaneous local malfunctions/intrusions and cyber-attacks, and discern them from each other thus achieving the cyber-attack identification objective. Moreover, the predefined-time stability principle is useful to design fast converging switched observers to solve the problem of switching communication topologies as pointed out in Proposition 1. This allows for avoiding false alarms and achieving fast convergence of the estimation errors before the next topology switching instant. Furthermore, it is worth mentioning that our proposed approach can also be used when sudden communication breaks occur or when communication attacks on the communication weights and sudden abnormal quality drops of the exchanged information (i.e., attacks on communication parameters $a^s_{ij}$ defined in Section 2) are considered. Indeed, these types of attacks manifest themselves in the generated residuals as exponentially decaying signals.
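The decision logic of Algorithm 1, combined with the settling-time condition of Proposition 1, is sketched below as an added Python example (it is not the authors' code). The threshold `eps`, the persistence count `hold`, the `AMBIGUOUS` verdict, the coefficients in `GAIN`, the onset and size of the local fault and all residual samples are assumptions constructed here; only $N = 5$, $T^s = 3$ s, $t_1 = 12$ s and the edge-fault function of the second scenario come from the text, and the residual generator of Equation (30) is not reproduced.

```python
import math

NO_EVENT = "no cyber-attack or local malfunction/intrusion"
CYBER_ATTACK = "cyber-attack on a communication link"
AMBIGUOUS = "pattern not covered by Algorithm 1"

def local_fault(agent):
    return f"local malfunction/intrusion in agent {agent}"

def classify(res, k, eps):
    """Decision logic of Algorithm 1 for monitoring agent k.
    res maps agent q -> r_q^k; 'non-zero' means |r| > eps (assumed threshold)."""
    own = abs(res[k]) > eps
    hit = [q for q in sorted(res) if q != k and abs(res[q]) > eps]
    if not own and not hit:
        return NO_EVENT
    if not own and len(hit) == len(res) - 1:
        return CYBER_ATTACK
    if own and not hit:
        return local_fault(k)
    if not own and len(hit) == 1:
        return local_fault(hit[0])
    return AMBIGUOUS

def monitor(samples, k, switch_times, T_s, eps=0.5, hold=3):
    """Return [(t, verdict)] whenever a new verdict has held for `hold`
    consecutive valid samples. Samples taken less than T_s after a switching
    instant are skipped because the observers have not settled yet."""
    for a, b in zip(switch_times, switch_times[1:]):
        if b - a <= T_s:  # observers must settle before the next switch
            raise ValueError("T_s must be shorter than every switching interval")
    events, candidate, streak, reported = [], None, 0, None
    for t, res in samples:
        if any(tw <= t < tw + T_s for tw in switch_times):
            continue
        verdict = classify(res, k, eps)
        streak = streak + 1 if verdict == candidate else 1
        candidate = verdict
        if streak >= hold and verdict != reported:
            reported = verdict
            events.append((t, verdict))
    return events

# ---- constructed sample data (not the paper's simulation output) ----
AGENTS, K = (1, 2, 3, 4, 5), 1
SWITCHES, T_S = [0.0, 12.0], 3.0          # t_0, t_1 and T^1 = T^2 = 3 s from the example
GAIN = {2: 1.0, 3: 0.6, 4: 0.6, 5: 0.3}   # assumed sensitivity of r_q^1 to the edge fault

def edge_fault(t):
    """Edge fault of the second scenario: 0 for t < 10 s, then 100(1 - e^(1 - 0.1 t))."""
    return 0.0 if t < 10.0 else 100.0 * (1.0 - math.exp(1.0 - 0.1 * t))

def make_samples(scenario):
    """Residuals r_q^1 on a 0.1 s grid over 20 s for scenario 'local' or 'edge'."""
    samples = []
    for n in range(201):
        t = n / 10
        tw = max(s for s in SWITCHES if s <= t)   # most recent switching instant
        res = {}
        for q in AGENTS:
            r = 0.05 * math.sin(7.0 * t + q)              # bounded noise
            if q != K:
                r += 5.0 * math.exp(-3.0 * (t - tw))      # estimation transient
                if scenario == "edge":
                    r += GAIN[q] * edge_fault(t)
            if scenario == "local" and q == 3 and t >= 8.0:
                r += 2.0                                  # assumed f^a_3 on robot 3
            res[q] = r
        samples.append((t, res))
    return samples

if __name__ == "__main__":
    for name in ("local", "edge"):
        print(name, monitor(make_samples(name), K, SWITCHES, T_S))
    print("unmasked", monitor(make_samples("local"), K, SWITCHES, 0.0)[:1])
```

With `T_s = 0.0` the estimation transient right after a switching instant is classified as a cyber-attack, which is the false alarm the settling-time mask removes.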

Cyber-Attack Identification in Cooperative Multi-Robot Systems
In this section, an illustrative numerical example is given for a practical application in order to show the effectiveness of the proposed global cyber-attack identification protocol. For this, let us consider a team of N = 5 omnidirectional wheeled mobile robots (WMR) that are labelled with numbers 1 through 5 and are moving in a two-dimensional plane (see Figure 2). In this example, the robots have to cooperate in order to render the steady state axial jerk null and thus achieve constant linear acceleration synchronization of the network of WMR. Here, we assume non-slipping and pure rolling conditions and since our aim is to achieve linear acceleration synchronization, only the dynamics along the x-direction are considered. In this case, each robot can be modelled with the following simplified triple integrator dynamics which is a special case of system (3): 3 (t) and f a i (t) are the x-position, the linear velocity on the x-axis, the linear acceleration on the x-axis and an internal fault affecting the local jerk of a robot. The proposed residual observer-based cyber-attack identification algorithm can be implemented on the on-board micro-controllers as depicted in Figure 2. Furthermore, the robots are assumed to be equipped with WiFi modules and broadcast their information through a wireless network described by the graph topologies illustrated in Figures 3 and 4 respectively, which are characterised by the Laplacian matrices: The communication topology is assumed to switch from L 1 to L 2 at t 1 = 12 s. In this example, in order to achieve acceleration consensus, the following cooperative control is used for each robot where ∀i ∈ {1, ..., N}, µ s i , γ s 1 , γ s 2 and γ s 3 are the consensus gains set to 5, 4, 3, and, 2.5, respectively, for both possible communication topology modes s ∈ {1, 2}, and a r i (t) = −µ s i 1 m s −2 is the reference acceleration. 
Hence, ∀s ∈ {1, 2}, the exchanged signals between agents are given as where ∆z ki (t) = 0.1 sin(z ki (t)), and ∆ẑ kj i (t) = 0.01 sin(ẑ kj i (t)) are noise due to some communication uncertainties. The initial positions of the five agents on the x-axis are given as ξ 1,1 (0) = 0 m, ξ 2,1 (0) = 1.5 m, ξ 3,1 (0) = 3 m, ξ 4,1 (0) = 4.5 m and ξ 5,1 (0) = 0.5 m respectively, while the initial velocities and acceleration are set to 0. For each of the mobile robots, the distributed observers are designed to estimate the global state in the desired predefined time T 1 = T 2 = 3 s with T 1,1 p = T 2,1 p = T 3,1 p = T 1,2 p = T 2,2 p = T 3,2 p = 1 s which satisfies the conditions of Proposition 1. The observer parameters are chosen as φ = [α, η, p, q, r] T = [1, 2, 1.5, 3, 0.5] T used for each corresponding topology. On the other hand, to obtain the equivalent values, first-order low pass filters are used with cut-off frequency of 100 s −1 for the first dynamics and 10 s −1 for the second and third dynamics. In order to verify the performance of the proposed scheme, the following two simulation scenarios are carried out on MATLAB.
First Scenario: In the 1st scenario, an intrusion occurs in robot 3 causing an out of control situation that affects its local jerk simulated by the following function $f^a_3(t)$: This fault only represents a local malfunction in the robot 3 and thus needs to be distinguished from a cyber-attack. It can be clearly seen from Figure 5 corresponding to the 1st scenario that the residuals generated by the monitoring agents for the monitored agent 3, i.e., $r^1_3$, $r^2_3$, $r^4_3$ and $r^4_3$ respectively, provide an explicit estimation of $f^a_3$.
Second Scenario: In the 2nd scenario, a communication fault occurs in exchanges flowing from robots 1 to 2 at $t = T_e = 10$ s, for the first topology such that
$$\check{f}^e_{12}(t) = f^e_{12}(t) = \begin{cases} 0, & t < 10\ \text{s} \\ 100\,(1 - e^{1 - 0.1t}), & t \ge 10\ \text{s} \end{cases}$$
Note that the topology switches at $t_1 = 13$ s and $\check{f}^e_{12}(t) = f^e_{12}(t)$ remains throughout the topology change (see Figure 4). Therefore, the gains are computed from Theorem 2 and Remark 2 as It should be recalled that these gains are valid for both scenarios. Figure 6 corresponding to the 2nd scenario shows that a cyber-attack in the form of the simulated functions $\check{f}^e_{12}(t)$ and $f^e_{12}(t)$, incident to agent 1 in both topologies, can be distinguished even in the presence of some reasonable communication noise. Indeed, the residual signals $r^1_1$, $r^2_2$, $r^3_3$, $r^4_4$ and $r^5_5$ stay around 0 after the cyber-attack appears in the system and throughout the topology change.
Consequently, according to Proposition 2, one can distinguish and identify a cyber-attack in the networked system.

Conclusions and Future Work
In this paper, a novel distributed cyber-attack identification scheme was proposed for NCS with switching topologies subject to cyber-attacks, where any agent/node can act as a monitor to the whole system behavior and can thus detect and identify intrusion and cyber attacks. This is done by employing a bank of distributed predefined-time observers to estimate the global system state through auxiliary states whereby the settling time is an a priori user defined parameter, independently of the initial conditions. Numerical simulation results have been carried out by implementing the proposed scheme on a synchronization seeking network of mobile robots. Future works will include the design of a control reconfiguration algorithm based on the estimated faults from our FDI scheme.

Conflicts of Interest:
The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.