Verification of Approximate Initial-State Opacity for Control Systems via Neural Augmented Barrier Certificates

Abstract: In this paper, we propose an augmented barrier certificate-based method for formally verifying the approximate initial-state opacity property of discrete-time control systems. The opacity verification problem is formulated as the safety verification of an augmented system and is then addressed by searching for augmented barrier certificates. A set of well-defined verification conditions is a prerequisite for successfully identifying augmented barrier certificates of a specific type. We first suggest a new type of augmented barrier certificate which produces a weaker sufficient condition for approximate initial-state opacity. Furthermore, we develop an algorithmic framework where a learner and a verifier interact to synthesize augmented barrier certificates in the form of neural networks. The learner trains neural certificates via the deep learning method, and the verifier solves several mixed integer linear programs to either ensure the validity of the candidate certificates or yield counterexamples, which are passed back to further guide the learner. The experimental results demonstrate that our approach is more scalable and effective than the existing sum of squares programming method.


1. Introduction

1.1. Research Motivation
Cyber-physical systems (CPSs) consist of tightly coupled physical components and software systems and are deeply involved in safety-critical infrastructure, such as power plants, medical devices, and self-driving cars. In the last two decades, formal verification of the safety properties of cyber-physical systems has gained considerable attention [1,2]. However, the security properties of cyber-physical systems were not investigated thoroughly until very recently [3,4]. Cyber-physical systems are security-critical, since the tight interaction between physical components and software systems has the potential to release secret information and expose the system to malicious intruders. Therefore, ensuring the security of cyber-physical systems has become significantly important.
For cyber-physical systems, opacity verification is a vital requirement. Opacity is an information flow security property that captures whether or not the "secret" of the system can be revealed to an intruder that can infer the system's actual behavior based on the information flow [5,6]. Opacity has been widely investigated in the domain of discrete event systems [7-10]. For continuous state-space CPSs, opacity verification can be performed by abstraction-based techniques in which continuous-space models are approximated by discrete ones [11,12].
The approximate initial-state opacity property requires that outside intruders be unable to infer whether the initial state of the system is a secret one by observing the output trajectories of the system [8]. A discretization-free barrier certificate-based approach for verifying the approximate initial-state opacity of discrete-time control systems was developed in [11]. The barrier certificate-based method is quite popular for the safety verification of CPSs [13-15], and in [11,12], an augmented barrier certificate is defined for an augmented system constructed by augmenting a control system with itself, while the initial and unsafe sets are designed to capture the secret and initial sets of the original system. The existence of such barrier certificates then guarantees the approximate initial-state opacity of the original system. Moreover, a sum of squares (SOS) programming-based methodology is presented for the construction of the augmented barrier certificates. However, this methodology may suffer from scalability issues, since it requires discretization of the state and input sets of the original system.
Motivated by the limitation of [11], in this work, we present a novel barrier certificate-based method for formally verifying the approximate initial-state opacity of discrete-time control systems. First, we suggest a new type of augmented barrier certificate which can produce a weaker sufficient condition for approximate initial-state opacity. Intuitively, the augmented barrier certificates introduced in [11] guarantee that for any state run of the system starting from a secret state, all state runs starting from the non-secret state set have similar output trajectories. Therefore, the sufficient condition for approximate initial-state opacity yielded by the augmented barrier certificates introduced in [11] is more conservative. Usually, a weaker condition for the augmented barrier certificates means that more augmented barrier certificates can be synthesized, as the expressiveness of the augmented barrier certificates is stronger.
We then suggest an algorithmic framework for synthesizing augmented barrier certificates in the form of neural networks. Our framework draws insight from existing methods for learning barrier certificates of hybrid systems [16-18] and consists of two modules. The learner trains a neural augmented barrier certificate that satisfies the barrier certificate conditions over a set of sampled data, and the verifier solves a mixed integer linear program (MILP) to either ensure the validity of the candidate augmented barrier certificate or yield counterexamples, which are passed back to further guide the learner. The loop is repeated until a trained candidate augmented barrier certificate is successfully verified. The main contributions of this paper are summarized as follows:

• We define a new type of augmented barrier certificate, which can produce a weaker sufficient condition for approximate initial-state opacity.

• We present a framework for synthesizing neural augmented barrier certificates. In the framework, a counterexample-guided procedure is adopted to speed up the construction of the networks, and the verification of Rectified Linear Unit (ReLU) networks can be efficiently performed via an MILP.

• We carry out proof-of-concept case studies to empirically show the efficiency and practicability of the approach.
The structure of this paper is as follows. Section 1.2 introduces the related work. In Section 2, we give a less conservative sufficient condition with two relation functions to verify approximate initial-state opacity. We then train neural networks to synthesize the candidate neural barrier certificates and relation functions in Section 3.1 and convert the verification problem into a group of MILP optimization problems for validation in Section 3.2. In Section 3.3, we present the barrier certificate and relation function synthesis algorithm. Section 4 provides an experimental evaluation of our algorithm on three examples, including linear, three-dimensional, and non-polynomial ones. We conclude and discuss future work in Section 5.

1.2. Related Work
Opacity is an important information flow property that was initially introduced in [5]. Specifically, the concept of language-based opacity was proposed in [19]. Aside from that, several state-based notions of opacity were proposed, including initial-state opacity [20], K-step opacity [21], current-state opacity [22], and infinite-step opacity [23]. However, the conditions of exact opacity can be too strong for some systems; consequently, they need to be relaxed in some application scenarios. In [8], approximate opacity was introduced and verified via an approximate opacity-preserving simulation relation. In [24,25], the authors synthesized a supervisor such that the closed-loop system was opaque.
The verification of opacity has also been widely studied [26-28]. Four types of opacity properties have been verified: language-based opacity, initial-state opacity, current-state opacity, and initial-and-final-state opacity [7]. In [20], the verification problem of initial-state opacity was translated into an initial-state estimation problem, which was addressed by the construction of initial-state estimators. Moreover, current-state and initial-state opacity problems in bounded Petri nets can be efficiently solved by adopting a compact representation of the reachability graph [29]. In [30], initial-state opacity for networks of interconnected control systems was verified. In [31], the verification of opacity for recursive tile systems was presented. Note that in [32], a finite abstraction-based technique was presented for verifying the approximate opacity of the class of discrete-time stochastic systems, where the original control systems are approximated by discrete ones. For continuous state-space CPSs, barrier certificates were used to verify approximate initial-state opacity in [11,12]. However, this methodology may suffer from scalability issues, since it requires discretization of the state and input sets of the original system.
Synthesizing augmented barrier certificates via deep learning methods requires further verification, which is related to the formal verification of neural networks; much research has focused on this problem [33-35]. The problem of neural network verification is NP-hard [36]; in that work, a tool called Reluplex was implemented for validating neural networks with ReLU activation functions. In [37], a framework to verify deep neural networks based on Satisfiability Modulo Theories (SMT) was introduced. In [38], the verification of properties of deep neural networks was performed based on the simplex method. In [39], neural networks with ReLU activation functions were verified by exploiting the dependencies between the ReLU nodes. Furthermore, in [35], candidate ReLU networks were verified with the non-linear SMT solver iSAT3. In [17], candidate neural barrier certificates were synthesized with a specially structured network, which transformed the verification problems of neural networks into a group of mixed-integer linear programming problems and a mixed-integer quadratically constrained problem. Zhao et al. [40] provide an innovative method for synthesizing neural networks as barrier certificates, which can give safety guarantees for neural network-controlled systems.

2. An Augmented Barrier Certificate for Approximate Initial-State Opacity
We denote by ℝ, ℝ≥0, ℚ, and ℕ the sets of real numbers, non-negative real numbers, rational numbers, and natural numbers, respectively, and appropriate subscripts are used to restrict these sets. The empty set is represented by ∅. We use ℝⁿ to represent the n-dimensional Euclidean space and ‖x‖ to denote the Euclidean norm of a vector x. For a, b ∈ ℕ with a ≤ b, we use [a, b] to represent a closed interval. Given two sets A and B with A ⊂ B, we define the complement of A with respect to B as B\A = {a | a ∈ B, a ∉ A}. The Cartesian product of two sets A and B is defined as A × B = {(a, b) | a ∈ A, b ∈ B}.

2.1. Approximate Initial-State Opacity for Discrete-Time Control Systems
In this subsection, we introduce some preliminaries.

Definition 1 ([11]). A discrete-time control system (dt-cs) is defined by a tuple Π = (X, X_0, X_s, X_ns, U, f, Y, h), where the following are true:

• X, U, and Y are the state set, control input set, and output set, respectively;
• X_0, X_s, and X_ns are the initial state set, secret state set, and non-secret state set, respectively, where X_0, X_s, X_ns ⊆ X and X_s ∩ X_ns = ∅;
• f : X × U → X is the state transition function, and h : X → Y is the output function.

Intuitively, the discrete-time control system Π can be modeled by the following difference equations:

$$x(k+1) = f(x(k), u(k)), \qquad (1)$$
$$y(k) = h(x(k)), \qquad (2)$$

where x : ℕ → X, u : ℕ → U, and y : ℕ → Y are the state signal, control input signal, and output signal, respectively. We use x_{x_0,u}(k) to denote the state of Π reached at time k from the initial state x_0 ∈ X_0 under the input signal u and y_{x_0,u}(k) = h(x_{x_0,u}(k)) to denote the output corresponding to the state x_{x_0,u}(k).
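For concreteness, a dt-cs and its finite state and output runs can be represented as in the following minimal Python sketch; the class name DtCs and the helper run are ours and merely mirror Definition 1, with the designated state sets omitted for brevity:

```python
# A minimal sketch of Definition 1: a dt-cs is a transition function f and an
# output map h (the sets X, X0, Xs, Xns, U, Y are omitted here).
from dataclasses import dataclass
from typing import Callable
import numpy as np

@dataclass
class DtCs:
    f: Callable[[np.ndarray, float], np.ndarray]  # x(k+1) = f(x(k), u(k))
    h: Callable[[np.ndarray], np.ndarray]         # y(k) = h(x(k))

    def run(self, x0, us):
        """Return the state run x_{x0,u} and the output trajectory y_{x0,u}."""
        xs = [np.asarray(x0, dtype=float)]
        for u in us:
            xs.append(self.f(xs[-1], u))
        return np.stack(xs), np.stack([self.h(x) for x in xs])
```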
Given a discrete-time control system Π, we want to verify approximate initial-state opacity; that is, for each finite state run whose initial state is a secret state, there exists another finite state run starting from a non-secret state with a similar output trajectory. The following definition describes the approximate initial-state opacity of the system Π:

Definition 2 ([8]). Consider a discrete-time control system Π = (X, X_0, X_s, X_ns, U, f, Y, h) and a constant δ ∈ ℝ≥0. The system Π is δ-approximate initial-state opaque if for any x_0 ∈ X_0 ∩ X_s and any finite state run x_{x_0,u} = {x_0, x_1, …, x_n}, there exist x̂_0 ∈ X_0 ∩ X_ns and a finite state run x̂_{x̂_0,û} = {x̂_0, x̂_1, …, x̂_n} such that ‖h(x_i) − h(x̂_i)‖ ≤ δ for all i ∈ [0, n]. The threshold parameter δ can be interpreted as either the measurement imprecision of the intruder or the security level the system can guarantee.
It is assumed that the secret of the system is not revealed initially; otherwise, δ-approximate initial-state opacity would already be violated at time zero. Therefore, we assume that

$$\forall x_0 \in X_0 \cap X_s: \ \{x \in X_0 \cap X_{ns} \mid \|h(x) - h(x_0)\| \le \delta\} \neq \emptyset. \qquad (3)$$

To verify the approximate initial-state opacity of discrete-time control systems, the authors of [11,12] achieved this goal with the help of barrier certificates. In detail, for a discrete-time control system Π, the approximate initial-state opacity verification problem can be cast as checking a safety property of the associated augmented system Π × Π using barrier certificates. More concretely, the augmented system Π × Π can be regarded as the product of a dt-cs Π with itself. We denote a pair of states in Π × Π by (x, x̂) ∈ X × X and use Θ = X × X to represent the state space of the augmented system. Given an initial state (x_0, x̂_0) of the augmented system Π × Π and an input run (v, v̂), we denote the state trajectory of Π × Π by (x_{x_0,v}, x̂_{x̂_0,v̂}).
In order to leverage barrier certificates to verify the approximate initial-state opacity of a given discrete-time control system Π, the initial state set Θ_0 and the unsafe state set Θ_u are defined as follows:

$$\Theta_0 = \{(x, \hat{x}) \in X_0 \times X_0 \mid x \in X_s,\ \hat{x} \notin X_s,\ \|h(x) - h(\hat{x})\| \le \delta\},$$
$$\Theta_u = \{(x, \hat{x}) \in X \times X \mid \|h(x) - h(\hat{x})\| > \delta\}. \qquad (4)$$

The following theorem introduces a sufficient condition for verifying the approximate initial-state opacity of discrete-time control systems via the concept of augmented barrier certificates:

Theorem 1. Given a dt-cs Π, the associated augmented system Π × Π, and the sets Θ_0, Θ_u in Equation (4), if there exists a function B : X × X → ℝ such that

$$B(x, \hat{x}) \le \epsilon_1, \quad \forall (x, \hat{x}) \in \Theta_0, \qquad (5)$$
$$B(x, \hat{x}) \ge \epsilon_2, \quad \forall (x, \hat{x}) \in \Theta_u, \qquad (6)$$
$$\forall (x, \hat{x}) \in X \times X,\ \forall u \in U,\ \exists \hat{u} \in U: \ B(f(x, u), f(\hat{x}, \hat{u})) - B(x, \hat{x}) \le 0, \qquad (7)$$

where the constants ε_1, ε_2 ∈ ℝ≥0 and ε_2 > ε_1, then the δ-approximate initial-state opacity of the dt-cs Π is guaranteed.
The function B(x, x̂) in Theorem 1 is called an augmented barrier certificate of the augmented system Π × Π. Intuitively, the augmented barrier certificate B(x, x̂) ensures that all trajectories of the system Π × Π originating from the initial state set Θ_0 never reach the unsafe region Θ_u; this safety property of the augmented system in turn guarantees the δ-approximate initial-state opacity of the dt-cs Π.
In this paper, we focus on nonlinear discrete-time control systems in which the state transition function and the output function are represented by multivariate elementary functions and the sets X, U, Y, X_0, X_s, and X_ns are bounded polyhedra, each defined by linear inequalities over the state variables. Concretely, multivariate elementary functions are generated by a grammar whose atoms are rational constants and system variables, closed under the usual arithmetic operations and standard elementary functions (e.g., exp, ln, sin, and cos).
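As a concrete illustration of the construction in Equation (4), the following Python sketch (our own, not part of the paper's tool) encodes membership in the augmented sets; such predicates are all that is needed later for mesh-based sampling:

```python
# A minimal sketch of the sets in Equation (4), assuming an output map h and the
# Euclidean norm; in_X0_and_Xs and in_X0_not_Xs are membership tests supplied by
# the user for the secret and non-secret initial states.
import numpy as np

def in_Theta0(x, xh, h, in_X0_and_Xs, in_X0_not_Xs, delta):
    """(x, xh) in Theta_0: x is a secret initial state, xh is a non-secret
    initial state, and their outputs are delta-close."""
    return in_X0_and_Xs(x) and in_X0_not_Xs(xh) and \
        np.linalg.norm(h(x) - h(xh)) <= delta

def in_Theta_u(x, xh, h, delta):
    """(x, xh) in Theta_u: the outputs differ by more than delta."""
    return np.linalg.norm(h(x) - h(xh)) > delta
```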

2.2. A New Augmented Barrier Certificate for Approximate Initial-State Opacity
The augmented barrier certificates introduced in Theorem 1 guarantee that all trajectories of the augmented system Π × Π starting from the initial state set Θ_0 never reach the unsafe states in Θ_u. This means that for any state run of the discrete-time control system Π starting from a secret state x_0 ∈ X_0 ∩ X_s, all state runs starting from the non-secret state set X_0\X_s have similar output trajectories. However, according to Definition 2, δ-approximate initial-state opacity only requires that for each finite state run whose initial state is a secret state, there exists another finite state run starting from a non-secret state with a similar output trajectory. Clearly, the sufficient condition of the augmented barrier certificates introduced in Theorem 1 is more conservative, which may make the problem of δ-approximate initial-state opacity verification infeasible.
In the following, we introduce a less conservative augmented barrier certificate for the verification of approximate initial-state opacity:

Theorem 2. Consider a dt-cs Π and the associated augmented system Π × Π. If there exists a function B : X × X → ℝ that satisfies the conditions in Equations (6) and (7) in Theorem 1 and moreover

$$\forall x_0 \in X_0 \cap X_s,\ \exists \hat{x}_0 \in X_0 \setminus X_s: \ \|h(x_0) - h(\hat{x}_0)\| \le \delta \ \text{and} \ B(x_0, \hat{x}_0) \le \epsilon_1, \qquad (8)$$

then the δ-approximate initial-state opacity of the dt-cs Π is guaranteed.
Proof. Consider an arbitrary initial secret state x_0 ∈ X_0 ∩ X_s, an input sequence u, and the corresponding state sequence x_{x_0,u} in Π. First, note that by Equations (3) and (8), for every initial state x_0 ∈ X_0 ∩ X_s there exists an initial state x̂_0 ∈ X_0\X_s such that ‖h(x̂_0) − h(x_0)‖ ≤ δ and B(x_0, x̂_0) ≤ ε_1. Therefore, δ-approximate initial-state opacity is satisfied initially. The existence of an augmented barrier certificate B(x, x̂) satisfying the remaining conditions of Theorem 1 guarantees that for any x_0 ∈ X_0 ∩ X_s, there exist x̂_0 ∈ X_0\X_s and a control policy û such that any state sequence of Π × Π starting from (x_0, x̂_0) never reaches the unsafe region Θ_u under the input run (u, û). In other words, the following is true:

$$\|y_{x_0,u}(k) - \hat{y}_{\hat{x}_0,\hat{u}}(k)\| \le \delta, \quad \forall k \in \mathbb{N}. \qquad (9)$$

Since x_0 and x_{x_0,u} were chosen arbitrarily, we conclude that Π is δ-approximate initial-state opaque. □
Since the condition in Equation (8) is weaker than the initial condition in Theorem 1, Theorem 2 produces a less conservative sufficient condition for the δ-approximate initial-state opacity of the dt-cs Π. Usually, a weaker condition on augmented barrier certificates means that more augmented barrier certificates can be synthesized, as the associated expressiveness is stronger. Therefore, the problem of verifying the δ-approximate initial-state opacity of the dt-cs Π can be transformed into the problem of computing the relaxed augmented barrier certificates defined in Theorem 2.
However, the forall-exists quantifiers make the problem of computing the augmented barrier certificates given in Theorem 2 computationally difficult. From a computational point of view, the forall-exists statement in Equation (8) can be encoded as

$$B(x, p(x)) \le \epsilon_1, \quad \forall x \in X_0 \cap X_s, \qquad (10)$$

where the initial set Θ'_0 is defined as follows:

$$\Theta_0' = \{(x, p(x)) \mid x \in X_0 \cap X_s\} \subseteq \Theta_0, \qquad (11)$$

by introducing a function p over x to describe the relation between x and x̂; the requirement Θ'_0 ⊆ Θ_0 ensures that p(x) ∈ X_0\X_s and ‖h(x) − h(p(x))‖ ≤ δ for every x ∈ X_0 ∩ X_s. Similarly, we introduce another relation function q over x, x̂, and u to encode the forall-exists statement in Equation (7):

Theorem 3. Consider a dt-cs Π and the associated augmented system Π × Π. If there exist functions B : X × X → ℝ, p : X → ℝⁿ, and q : X × X × U → ℝ which satisfy the conditions in Equations (6), (10), and (11) and moreover

$$B(f(x, u), f(\hat{x}, q(x, \hat{x}, u))) - B(x, \hat{x}) \le 0, \quad \forall (x, \hat{x}) \in X \times X,\ \forall u \in U, \qquad (12)$$

then the δ-approximate initial-state opacity of the dt-cs Π is guaranteed.
Now, the problem of verifying the δ-approximate initial-state opacity of the dt-cs Π can be transformed into the problem of computing the relaxed augmented barrier certificate B(x, x̂) and the relation functions p(x) and q(x, x̂, u) defined in Theorem 3.

3. Synthesis of an Augmented Barrier Certificate via Learning and Verification
In this section, we introduce an iterative framework for synthesizing neural barrier certificates and relation functions to complete the verification of the approximate initial-state opacity of the dt-cs Π. As shown in Figure 1, the procedure is structured as an inductive loop between a learner and a verifier. Building on the less conservative augmented barrier certificate presented above, the learner trains the certificate functions simultaneously over data points sampled from the initial set, the unsafe set, and the state space. After that, the trained candidates are formally verified by the verifier according to the conditions in Theorem 3. Due to the structure of ReLU neural networks, the verification problem can be transformed into a set of efficiently solvable MILP problems.

3.1. Neural Certificate Training
In this subsection, we give the details for training the neural barrier certificates.

3.1.1. The Structure of Neural Networks
Consider a dt-cs Π as defined in Definition 1, where the state x and the control input u are of dimensions n and m, respectively. We now provide the specific structure of the neural networks for the certificate functions B(x, x̂), p(x), and q(x, x̂, u):

• One input layer, one output layer, and several hidden layers;
• The number of input neurons for B, p, and q is 2n, n, and 2n + m, respectively;
• Both B and q have one output neuron, while p has n output neurons;
• The ReLU function is the only activation function used.
For the above feedforward neural networks, the value of a neuron in a non-input layer is computed from the preceding layer's neuron values, the layer's weight matrix, and its bias vector. Let x_0 denote the given neuron values of the input layer; let z_k and x_k (1 ≤ k ≤ η − 1) denote the neuron values of the hidden layer L_k before and after the ReLU activation function, respectively; and let x_η denote the neuron values of the output layer. Then, the forward propagation of the neural network is as follows:

$$z_k = W_k x_{k-1} + b_k, \quad x_k = \mathrm{ReLU}(z_k), \quad 1 \le k \le \eta - 1, \qquad x_\eta = W_\eta x_{\eta - 1} + b_\eta, \qquad (13)$$

where η − 1 is the number of hidden layers of the neural network and W_k and b_k are the weight matrix and bias vector of layer L_k. Intuitively, the output layers of the neural networks B and q have only one neuron, and hence their outputs are real numbers; the output of p is a vector of the same form as the corresponding input vector.
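The following PyTorch sketch builds the three networks with this structure; the hidden widths are illustrative (the case studies use one or two hidden layers with 10-16 neurons each):

```python
# A sketch of the network structure above: affine layers with ReLU activations on
# the hidden layers and a purely affine output layer, matching Equation (13).
import torch.nn as nn

def relu_net(in_dim, out_dim, hidden):
    layers, prev = [], in_dim
    for width in hidden:
        layers += [nn.Linear(prev, width), nn.ReLU()]
        prev = width
    layers.append(nn.Linear(prev, out_dim))  # no activation on the output layer
    return nn.Sequential(*layers)

n, m = 2, 1                          # state and input dimensions (vehicle example)
B = relu_net(2 * n, 1, [16, 16])     # barrier certificate B(x, x_hat)
p = relu_net(n, n, [10])             # relation function p(x), n output neurons
q = relu_net(2 * n + m, 1, [10])     # relation function q(x, x_hat, u), one output
```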
According to the Universal Approximation Theorem, the above neural networks with ReLU activation functions can approximate any continuous function on a compact domain, which makes it possible for us to synthesize the barrier certificate and relation functions. By restricting the number of hidden layers and the type of activation function, the verification problems for Equations (6), (10), and (12) can be transformed into a set of MILP problems. The verification can then be accomplished with the help of the optimization tool Gurobi.

3.1.2. Training Dataset Generation
The procedure for synthesizing the neural networks takes a data-driven approach. Here, we discuss how to generate adequate datasets for training the candidate networks. The datasets are generated with the aim of making the networks fulfill the barrier certificate conditions given by Theorem 3. We sample points from the initial secret region X_0 ∩ X_s, the unsafe region Θ_u, and the domain Θ of the considered system Π × Π to obtain the datasets D_1, D_2, and D_3, respectively.
The method employed for sampling is mesh generation. First, we mesh hyperrectangles bounding the sampling regions with a fixed mesh size. Then, we filter out the points that do not belong to the respective regions appearing in the conditions of Equations (6), (10), and (12). As for the dataset D_4 for the neural network q, it is essentially a vector splicing of D_3 with sampled control inputs u ∈ U. Finally, we obtain four finite datasets: D_1, D_2, D_3, and D_4.
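A minimal sketch of this mesh-generation step, assuming box bounds and user-supplied membership predicates for the regions (the helper names are ours):

```python
# Mesh a bounding hyperrectangle with a fixed step, keep only points in the target
# region, and splice the domain samples with meshed control inputs to form D4.
import itertools
import numpy as np

def mesh(lo, hi, step):
    axes = [np.arange(l, h + 1e-9, step) for l, h in zip(lo, hi)]
    return np.array(list(itertools.product(*axes)))

def sample_region(lo, hi, step, member):
    pts = mesh(lo, hi, step)
    return pts[[member(p) for p in pts]]   # filter out points outside the region

# Example: D3 over Theta = X x X for X = [0, 1]^2, and D4 = D3 spliced with U.
D3 = sample_region([0, 0, 0, 0], [1, 1, 1, 1], 0.25, lambda p: True)
U_mesh = mesh([0.03], [0.05], 0.005)
D4 = np.array([np.concatenate([s, u]) for s in D3 for u in U_mesh])
```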

3.1.3. Loss Function Encoding
Given the datasets D_1, D_2, D_3, and D_4, according to Equations (6), (10), and (12) given by Theorem 3, the neural networks are trained to satisfy the following conditions:

$$B(x, p(x)) \le 0, \quad \forall x \in D_1, \qquad (14)$$
$$B(x, \hat{x}) > 0, \quad \forall (x, \hat{x}) \in D_2, \qquad (15)$$
$$B(f(x, u), f(\hat{x}, q(x, \hat{x}, u))) - B(x, \hat{x}) \le 0, \quad \forall (x, \hat{x}, u) \in D_4. \qquad (16)$$

According to Equations (14)-(16), together with the output bounds on the relation functions q and p induced by the control input set and the initial set, we construct sub-loss functions that lead the optimizer to build the networks by minimizing the loss.
For satisfying Equation (14), with input from the dataset D_1, the output of B should satisfy B(x, p(x)) ≤ 0; otherwise, a non-zero loss is incurred. Let c_1 be a small non-negative tolerance. The first sub-loss function is defined as follows:

$$L_1 = \frac{1}{|D_1|} \sum_{x \in D_1} \max(B(x, p(x)) + c_1,\ 0). \qquad (17)$$

Similarly, for Equation (15), the output of the neural network is supposed to conform with B(x, x̂) > 0, and a non-zero loss is also incurred if the condition is violated. Given a small positive constant c_2, the second sub-loss function is defined as follows:

$$L_2 = \frac{1}{|D_2|} \sum_{(x, \hat{x}) \in D_2} \max(c_2 - B(x, \hat{x}),\ 0). \qquad (18)$$

To meet Equation (16), with a small positive number c_3, the third sub-loss function is defined as follows:

$$L_3 = \frac{1}{|D_4|} \sum_{(x, \hat{x}, u) \in D_4} \max\big(B(f(x, u), f(\hat{x}, q(x, \hat{x}, u))) - B(x, \hat{x}) + c_3,\ 0\big). \qquad (19)$$

Aside from this, the output of the control policy q has upper and lower bounds, since the value of the control input lies within a given closed interval. Let l_q and u_q be the lower and upper bounds of the control input, respectively; the output of q should satisfy q(x, x̂, u) ∈ [l_q, u_q]. The fourth sub-loss function, which guides the training of q, is defined as follows:

$$L_4 = \frac{1}{|D_4|} \sum_{(x, \hat{x}, u) \in D_4} \big[\max(q(x, \hat{x}, u) - u_q,\ 0) + \max(l_q - q(x, \hat{x}, u),\ 0)\big]. \qquad (20)$$

According to Equation (11), we know that p(x) ∈ X_0\X_s when the input x ∈ X_0 ∩ X_s; furthermore, each unit of the output of p must lie in [l_p, u_p]. We thus obtain the sub-loss function L_5 as

$$L_5 = \frac{1}{|D_1|} \sum_{x \in D_1} \sum_{i=1}^{n} \big[\max(p_i(x) - u_p + c_4,\ 0) + \max(l_p - p_i(x) + c_4,\ 0)\big], \qquad (21)$$

where c_4 is a small positive constant. The role of the four tolerances c_1, c_2, c_3, and c_4 is to ensure that non-sampled points in a neighborhood of the sampled data also attain zero loss. Finally, let α_1, α_2, α_3, α_4, α_5 > 0 denote the weights of the sub-losses. The total loss function for training B, p, and q can be expressed as

$$L = \alpha_1 L_1 + \alpha_2 L_2 + \alpha_3 L_3 + \alpha_4 L_4 + \alpha_5 L_5. \qquad (22)$$

Notably, the sub-loss L_3 is related to the training of both networks B and q; hence, we can make α_3 slightly larger to promote effective training. We minimize the total loss L to train the three neural networks and adopt an Adam optimizer, which achieves quick training. When L decreases to zero, we obtain the candidate networks B, p, and q at the same time.
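For illustration, the total loss of Equation (22) can be assembled in PyTorch as below; the batching scheme and argument names are ours, and the hinge forms follow the sub-losses above:

```python
# A sketch of the total loss in Equation (22). B, p, q are the networks of
# Section 3.1, f is the known transition function applied batch-wise, c are the
# tolerances c1-c4, a are the weights a1-a5, and lq, uq, lp, up are the bounds.
import torch

def total_loss(B, p, q, f, d1, d2, d3, u3, c, a, lq, uq, lp, up):
    l1 = torch.relu(B(torch.cat([d1, p(d1)], dim=1)) + c[0]).mean()      # Eq. (17)
    l2 = torch.relu(c[1] - B(d2)).mean()                                  # Eq. (18)
    half = d3.shape[1] // 2
    x, xh = d3[:, :half], d3[:, half:]
    uh = q(torch.cat([x, xh, u3], dim=1))
    nxt = torch.cat([f(x, u3), f(xh, uh)], dim=1)
    l3 = torch.relu(B(nxt) - B(d3) + c[2]).mean()                         # Eq. (19)
    l4 = (torch.relu(uh - uq) + torch.relu(lq - uh)).mean()               # Eq. (20)
    l5 = (torch.relu(p(d1) - up + c[3])
          + torch.relu(lp - p(d1) + c[3])).mean()                         # Eq. (21)
    return a[0]*l1 + a[1]*l2 + a[2]*l3 + a[3]*l4 + a[4]*l5                # Eq. (22)
```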

3.2. Certificate Function Verification
Since the candidate neural certificate functions B, p, and q are trained over the sampled datasets, the convergence of the empirical loss L to zero only guarantees that the candidates satisfy the barrier certificate conditions of Theorem 3 over those sampled datasets. Thus, the candidate neural certificate functions require further verification. In this section, we present an approach to formally check whether the candidate neural certificate functions B, p, and q precisely satisfy the following barrier certificate conditions of Theorem 3:

$$B(x, \hat{x}) \le 0, \quad \forall (x, \hat{x}) \in \Theta_0', \qquad (23)$$
$$B(x, \hat{x}) > 0, \quad \forall (x, \hat{x}) \in \Theta_u, \qquad (24)$$
$$B(f(x, u), f(\hat{x}, q(x, \hat{x}, u))) - B(x, \hat{x}) \le 0, \quad \forall (x, \hat{x}) \in \Theta,\ \forall u \in U. \qquad (25)$$

By utilizing the special structure of ReLU networks, the problem of verifying the candidate neural certificate functions B, p, and q can be encoded as several optimization problems whose globally optimal objective values can be computed efficiently via the optimizer Gurobi. In the following, we verify the neural certificate functions via an MILP-based encoding.

Verifying the condition in Equation (23). According to Equation (23), the neural augmented barrier certificate B(x, x̂) should be nonpositive over the initial set Θ'_0. To ease the presentation, we use y_0 and y_η to denote the input and output of the neural certificate B(x, x̂), respectively, where y_0 = (x_0, x̂_0) and y_η = B(y_0). Based on the forward propagation of the neural networks in Equation (13), the problem of verifying the condition in Equation (23) can be transformed into the following optimization problem:

$$\rho^*_{Init} = \max\ y_\eta \quad \text{s.t.}\ y_0 \in \Theta_0' \ \text{and the forward propagation constraints in Equation (13)}, \qquad (26)$$

where η indexes the output layer of the neural certificate B (which has η − 1 hidden layers) and ρ*_Init is the globally optimal objective value. Clearly, if the globally optimal value satisfies ρ*_Init ≤ 0, then the condition in Equation (23) is verified to be satisfied.
The application of ReLU activation functions improves the approximation capability of the neural networks, but the nonlinearity of the ReLU function makes the problem in Equation (26) difficult to solve directly. Fortunately, an exact MILP-based encoding of ReLU functions was introduced in [33]. More concretely, the ReLU function y = max(z, 0) defined over z ∈ [l_z, u_z] can be encoded by the following linear and binary constraints:

$$y \ge z, \quad y \ge 0, \quad y \le z - l(1 - t), \quad y \le u\, t, \quad t \in \{0, 1\}, \qquad (27)$$

where t is a binary variable and l and u are constants satisfying l ≤ l_z and u ≥ u_z, respectively. Now, by utilizing the above MILP-based encoding, the optimization problem in Equation (26) can be rewritten as the following MILP problem:

$$\rho^*_{Init} = \max\ y_\eta \quad \text{s.t.}\ y_0 \in \Theta_0',\ z_k = W_k y_{k-1} + b_k,\ (z_k, y_k)\ \text{satisfying Equation (27) with constants } l_k, u_k,\ 1 \le k \le \eta - 1,\ y_\eta = W_\eta y_{\eta-1} + b_\eta. \qquad (28)$$

For simplicity, we set l_k = −10⁹ and u_k = 10⁹. The MILP problem in Equation (28) can be solved via the optimizer Gurobi. Indeed, Gurobi returns an optimum ρ̂_Init and the corresponding optimal solution x̂_Init, together with the maximum relative error ξ_Init between ρ̂_Init and the global optimum ρ*_Init, formally expressed as ξ_Init = |ρ̂_Init − ρ*_Init| / |ρ̂_Init|. As stated in [17], if ξ_Init < 1, then ρ̂_Init and ρ*_Init have the same sign. Therefore, if ρ̂_Init ≤ 0 while the maximum relative error satisfies ξ_Init < 1, then ρ*_Init ≤ 0, which means that the condition in Equation (23) is verified to be satisfied. Otherwise, we randomly sample a set of points in a neighborhood of the optimal solution x̂_Init and add those points that violate the condition in Equation (23) to the training dataset D_1 in the next iteration to refine the networks.

Verifying the condition in Equation (24). According to Equation (24), the neural augmented barrier certificate B(x, x̂) should be positive over the unsafe set Θ_u, and the verification takes the same form. Based on the forward propagation of the neural networks in Equation (13) and the MILP-based encoding of ReLU functions, the problem of verifying the condition in Equation (24) can be transformed into the following MILP problem:

$$\rho^*_{Unsafe} = \min\ y_\eta \quad \text{s.t.}\ y_0 \in \Theta_u \ \text{and the constraints of Equations (13) and (27)}. \qquad (29)$$

By solving the above MILP problem via the optimizer Gurobi, we obtain an optimum ρ̂_Unsafe and the corresponding optimal solution x̂_Unsafe, together with the maximum relative error ξ_Unsafe. If ρ̂_Unsafe ≥ 0 while ξ_Unsafe < 1, then the global optimum ρ*_Unsafe ≥ 0, and the condition in Equation (24) is verified to be satisfied. Otherwise, we randomly sample a set of points in a neighborhood of the optimal solution x̂_Unsafe and add those points that violate the condition in Equation (24) to the training dataset D_2 in the next iteration to refine the networks.

Verifying the condition in Equation (25). For the condition in Equation (25), the difference between B(f(x, u), f(x̂, û)) and B(x, x̂) should be nonpositive over the state set Θ and the input set U × U, where û = q(x, x̂, u). Note that the condition in Equation (25) involves the value of y_0 after the transition function; in other words, y'_0 = (x'_0, x̂'_0) = (f(x_0, u), f(x̂_0, û)). Therefore, the problem of checking B(f(x, u), f(x̂, û)) − B(x, x̂) ≤ 0 can be transformed into determining whether the maximum value of B(y'_0) − B(y_0) is nonpositive.
Based on the forward propagation of the neural networks in Equation (13) and the MILP-based encoding of ReLU functions, the problem of verifying the condition in Equation (25) can be transformed into the following optimization problem:

$$\rho^*_{Evol} = \max\ B(y_0') - B(y_0) \quad \text{s.t.}\ y_0 = (x, \hat{x}) \in \Theta,\ u \in U,\ \hat{u} = q(x, \hat{x}, u),\ y_0' = (f(x, u), f(\hat{x}, \hat{u})),\ \text{and the constraints of Equations (13) and (27) for the networks } B \text{ and } q. \qquad (30)$$

However, the transition function f involved in the condition in Equation (25) may contain nonlinear terms. To handle the nonlinearity, a piecewise linear approximation method is utilized. A nonlinear function g(x) with x ∈ [l_x, u_x] can be approximated by two piecewise linear functions g_l(x) and g_u(x) with a controlled approximation error ζ, defined as

$$g_l(x) \le g(x) \le g_u(x) \quad \text{and} \quad g_u(x) - g_l(x) \le \zeta, \quad \forall x \in [l_x, u_x].$$

Consider the condition in Equation (25) again. By utilizing the piecewise linear approximation method, the optimization problem in Equation (30) can be transformed into an MILP problem and solved via the optimizer Gurobi. Thus, we obtain an optimum ρ̂_Evol and the corresponding optimal solution x̂_Evol, together with the maximum relative error ξ_Evol. If ρ̂_Evol ≤ 0 while ξ_Evol < 1, then the global optimum ρ*_Evol ≤ 0, and the condition in Equation (25) is verified to be satisfied. Otherwise, we randomly sample a set of points in a neighborhood of the optimal solution x̂_Evol and add those points that violate the condition in Equation (25) to the training dataset D_3 in the next iteration to refine the networks.
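As an illustration of the encoding in Equations (27) and (28), the following gurobipy sketch maximizes a small ReLU network's output over a box; the box is an illustrative stand-in for Θ'_0, and composing the networks p and B, as well as the piecewise linear bounds on f, follows the same pattern:

```python
# Big-M MILP encoding of a ReLU network, per Equation (27), and maximization of
# its output, per Equation (28). weights/biases are numpy arrays of the trained
# network; [lo, hi] is an illustrative stand-in for the initial set.
import gurobipy as gp
from gurobipy import GRB

def max_relu_net(weights, biases, lo, hi, big=1e9):
    m = gp.Model("verify-init")
    m.Params.OutputFlag = 0
    layer = [m.addVar(lb=lo[i], ub=hi[i]) for i in range(len(lo))]
    for W, b in zip(weights[:-1], biases[:-1]):          # hidden layers
        nxt = []
        for j in range(W.shape[0]):
            z = gp.quicksum(W[j, i] * v for i, v in enumerate(layer)) + b[j]
            y = m.addVar(lb=0.0, ub=big)                 # y >= 0 via the lower bound
            t = m.addVar(vtype=GRB.BINARY)
            m.addConstr(y >= z)                          # y >= z
            m.addConstr(y <= z + big * (1 - t))          # y <= z - l(1 - t), l = -big
            m.addConstr(y <= big * t)                    # y <= u * t,        u =  big
            nxt.append(y)
        layer = nxt
    W, b = weights[-1], biases[-1]                       # affine output layer
    m.setObjective(gp.quicksum(W[0, i] * v for i, v in enumerate(layer)) + b[0],
                   GRB.MAXIMIZE)
    m.optimize()
    return m.ObjVal, m.MIPGap    # incumbent rho_hat and the relative gap xi
```

If the returned incumbent is nonpositive and the gap is below one, the condition in Equation (23) holds by the sign argument above; otherwise, the optimal solution serves as a counterexample to sample around.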

3.3. Algorithm
In the previous subsections, we introduced the complete synthesis process for the candidates B, p, and q and the MILP-based verification method. The overall procedure for synthesizing the barrier certificate and relation functions is given in Algorithm 1.

Algorithm 1 Synthesis of the neural barrier certificate and relation functions

Require: dt-cs Π, control input set U, maximum epoch number n_epoch, number of data batches n_batch, loss function parameters α_1-α_5 and c_1-c_4, learning rate lr.
Ensure: B, p, q
1: Initialize the parameters of the neural networks B, p, and q;
2: Generate the training datasets D_1, D_2, D_3, D_4 and split them into n_batch batches;
3: for i = 1 to n_epoch do:
4:   for each batch do:
5:     Compute the loss L in Equation (22) over the batch;
6:     Update the weights and biases of B, p, and q by backpropagation with the Adam optimizer;
7:   end for
8:   if L = 0 then break;
9: end for
10: return candidate B, p, q;
11: Validate the candidates B, p, and q by solving the MILP problems in Equations (28)-(30);
12: The optimizer returns the optima ρ̂_Init, ρ̂_Unsafe, ρ̂_Evol and the corresponding inputs x̂_Init, x̂_Unsafe, x̂_Evol;
13: If ρ̂_Init, ρ̂_Unsafe, ρ̂_Evol have the expected signs and ξ_Init, ξ_Unsafe, ξ_Evol < 1:
14:   Return success and B, p, q;
15: Else:
16:   For the violations x̂_Init, x̂_Unsafe, x̂_Evol, sample around them and add the violating points to the corresponding training datasets;
17:   Go to line 3.

First, the respective weights and biases of the neural networks B, p, and q are stochastically initialized from a standard Gaussian distribution, and the training datasets are generated (lines 1-2). In each epoch, the weights and biases of the networks are updated by backpropagation using the loss function in Equation (22) and the Adam optimizer [41]; by minimizing L to zero, we obtain the candidates B, p, and q (lines 3-10). With the help of the optimization tool Gurobi, the verification of the candidates B, p, and q is transformed into the optimization problems in Equations (28)-(30), and we obtain the current optima ρ̂_Init, ρ̂_Unsafe, ρ̂_Evol and the corresponding inputs x̂_Init, x̂_Unsafe, x̂_Evol. If these optima have the expected signs and ξ_Init, ξ_Unsafe, ξ_Evol < 1, then the candidates B, p, and q are globally consistent with the constraints in Equations (23)-(25), and we return success together with B, p, and q (line 14). Otherwise, data points sampled around the counterexamples are added to the corresponding training datasets to refine the networks (lines 16-17). This training method, based on Counterexample-Guided Inductive Synthesis (CEGIS), trains the neural networks quickly and accurately. The candidates are trained and refined continuously until valid B, p, and q are found or the maximum epoch number is reached. Figure 2 shows the flowchart of Algorithm 1.
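Schematically, Algorithm 1 is the following CEGIS loop, where train, verify, and sample_near abstract the learner, the MILP verifier, and the counterexample-neighborhood sampler (all names are ours):

```python
# A high-level sketch of the CEGIS loop of Algorithm 1.
import numpy as np

def cegis(nets, datasets, n_epoch, train, verify, sample_near):
    for _ in range(n_epoch):
        train(nets, datasets)                 # minimize L of Equation (22) with Adam
        ok, violations = verify(nets)         # solve the MILPs of Equations (28)-(30)
        if ok:                                # expected signs and all gaps below one
            return nets
        for region, cex in violations:        # refine D1/D2/D3 around counterexamples
            datasets[region] = np.vstack([datasets[region], sample_near(cex)])
    raise RuntimeError("reached the maximum epoch number without a valid certificate")
```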

4. Experimental Results and Analysis
We have implemented an augmented barrier certificate synthesis tool based on Algorithm 1 using the PyTorch 1.7 platform and Gurobi 9.5. We apply our tool to verify a number of benchmark examples from the literature, comprising both polynomial and non-polynomial dynamics, and compare it with the SOS programming method proposed in [11].

4.1. Examples
Vehicle Model. Consider the following vehicle model [11]:

$$x_1(k+1) = x_1(k) + \Delta\tau\, x_2(k), \qquad x_2(k+1) = x_2(k) + \Delta\tau\, u(k),$$

where x_1 and x_2 denote the absolute position and velocity of the vehicle, respectively, u is the control input (acceleration), and Δτ is the sampling time. The output is assumed to be the position of the vehicle on the road (i.e., h(x(t)) = x_1(t)). Suppose that the initial positions of the vehicle contain critical information which needs to be kept secret, and there is a malicious intruder who can observe the behavior of the vehicle and intends to carry out an attack. Thus, we aim to verify the δ-approximate initial-state opacity property of this system, where δ captures the security guarantee level in terms of the measurement precision of the intruder.
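As a quick sanity check of the intuition behind opacity for this model, the toy sketch below compares the outputs of two runs, one from a secret and one from a non-secret initial position, under the same inputs (all numeric values are illustrative):

```python
# Simulate the vehicle model (Euler form reconstructed above; dt stands for the
# sampling time) and report the largest output gap an intruder could observe.
import numpy as np

def step(x, u, dt=0.1):
    return np.array([x[0] + dt * x[1], x[1] + dt * u])

def output_gap(x0, xh0, us):
    x, xh = np.asarray(x0, float), np.asarray(xh0, float)
    gap = abs(x[0] - xh[0])                   # output h(x) = x1 (position)
    for u in us:
        x, xh = step(x, u), step(xh, u)
        gap = max(gap, abs(x[0] - xh[0]))
    return gap

print(output_gap([0.0, 0.0], [0.2, 0.0], [0.04] * 20))  # 0.2: opaque if delta >= 0.2
```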
Figure 3 (left) depicts a phase portrait of the augmented system Π × Π with x_2 = x̂_2 = 0. It can be seen that in the projection onto the position plane, the zero sub-level set of the barrier certificate B(x, x̂) (the yellow surface) separates Θ_u (the red region) from all trajectories starting from Θ'_0 (the pink line). Note that the initial set Θ'_0 (the pink line), described by the neural relation function p, is a subset of the initial set Θ_0 (the green triangle) defined in [11]. This means that our relaxed augmented barrier certificate yields a weaker sufficient condition for the δ-approximate initial-state opacity. Figure 3 (right) shows the projection onto the position plane of a number of state trajectories of the augmented system Π × Π starting from random initial states in Θ'_0 under the control input û = q(x, x̂, u), with u taking values in U. It can be seen that no trajectory starting from Θ'_0 reaches the unsafe set Θ_u (the blue region) as time increases.

Three-dimensional model. In this example, we consider a three-dimensional system with the control input set U = [0.03, 0.05]. For the augmented system Π × Π, the initial set is Θ'_0 = {(x, p(x)) | x ∈ X_0 ∩ X_s}, where p(x) is a relation function as in Equation (11), and the unsafe set is Θ_u as in Equation (4). We aim to verify the δ-approximate initial-state opacity property of the system, where δ = 2.2 captures the security guarantee level in terms of the measurement precision of the intruder.
It suffices to synthesize certificate functions B, p, and q satisfying the conditions in Theorem 3. By applying our approach, we successfully obtain the neural augmented barrier certificate B, represented as a ReLU-activated neural network with two hidden layers of 16 neurons each, and the neural relation functions p and q, represented as ReLU-activated neural networks with one hidden layer of 10 neurons. Therefore, the δ-approximate initial-state opacity of the given system Π is guaranteed.
Figure 4 (left) depicts a phase portrait of the augmented system Π × Π with x_2 = x̂_2 = 0.05 and x_3 = x̂_3 = 0.1. It can be seen that in the projection space, the zero sub-level set of the barrier certificate B(x, x̂) (the yellow surface) separates Θ_u (the red region) from all trajectories starting from Θ'_0 (the pink line). Compared with the initial set Θ_0 (the green triangle) defined in [11], the initial set Θ'_0 (the pink line) is much smaller, which means that our relaxed augmented barrier certificate yields a weaker sufficient condition for the δ-approximate initial-state opacity. Figure 4 (right) shows the projection of a number of state trajectories of the augmented system Π × Π starting from random initial states in Θ'_0 under the control input û = q(x, x̂, u), with u taking values in U. It can be seen that none of these trajectories reaches the unsafe set Θ_u (the blue region).

Non-polynomial model. Consider a non-polynomial system Π with the non-secret set X_ns = X\X_s and the control input set U = [0.03, 0.05]. We aim to verify the δ-approximate initial-state opacity property of the system, where δ = 0.95 captures the security guarantee level in terms of the measurement precision of the intruder.
For the augmented system Π × Π, the initial set is Θ'_0 = {(x, p(x)) | x ∈ X_0 ∩ X_s}, where p(x) is a relation function as in Equation (11), and the unsafe set is Θ_u as in Equation (4). It suffices to synthesize certificate functions B, p, and q satisfying the conditions in Theorem 3. By applying our approach, we successfully obtain the neural augmented barrier certificate B, represented as a ReLU-activated neural network with two hidden layers of 16 neurons each, and the neural relation functions p and q, represented as ReLU-activated neural networks with one hidden layer of 16 neurons. Therefore, the δ-approximate initial-state opacity of the given system Π is guaranteed.
Figure 5 (left) depicts a phase portrait of the augmented system Π × Π with x_2 = x̂_2 = 0. It can be seen that in the projection onto the position plane, the zero sub-level set of the barrier certificate B(x, x̂) (the yellow surface) separates Θ_u (the red region) from all trajectories starting from Θ'_0 (the pink line). Clearly, the initial set Θ'_0 (the pink line) is much smaller than the initial set Θ_0 (the green triangle) defined in [11]. Figure 5 (right) shows the projection of a number of state trajectories of the augmented system Π × Π starting from random initial states in Θ'_0 under the control input û = q(x, x̂, u), with u taking values in U. None of these trajectories reaches the unsafe set Θ_u (the blue region) as time increases.

4.2. Performance Evaluation
The statistics of our case studies are summarized in Table 1. |x| denotes the number of augmented system variables; B, p, and q denote the structures of the neural barrier certificate and relation functions; and lr denotes the learning rate. α_1, α_2, α_3, α_4, and α_5 denote the weights of the sub-losses, and the tolerances c_1, c_2, c_3, and c_4 are those used for training the neural barrier certificates and relation functions. For the vehicle model, note that the SOS programming method presented in [11] computes the augmented barrier certificates but lacks soundness due to numerical errors. More concretely, for the augmented barrier certificate B(x, x̂) and the corresponding control policy û(x, x̂, u) given in [11], there exist counterexamples, such as (x_1, x̂_1, x_2, x̂_2) = (0.5, 1.25, 0, 0), (0, 1.0312, 0.0625, 0.0625), and (0.25, 0.0625, 0.0625, 0.0977, −0.0488), which violate the three conditions of the augmented barrier certificates defined in Theorem 1.
For the three-dimensional model, we also applied the SOS programming method presented in [11] to search for the augmented barrier certificate and the relation functions. However, the SOS programming method cannot yield such certificate functions with a degree of less than six within one hour. The reason is that the size of the optimization problem derived from opacity verification grows exponentially with the number of state variables and the degree of the polynomials involved in the system, which imposes a serious size limitation on the system to be verified. For the augmented system Π × Π, the number of state variables is six, and the degree of the involved polynomials is three. Therefore, due to the large size, the bilinear SOS program associated with opacity verification cannot be solved efficiently.
For the non-polynomial model, note that the SOS programming method in [11] cannot deal with non-polynomial dynamics directly; one must first apply a recasting procedure to transform the system into an equivalent polynomial model of much higher dimension.
It is interesting to investigate the impact of a less conservative sufficient condition on the synthesis of neural networks as barrier certificates and relation functions for verifying approximate initial-state opacity. For the three examples above, counterexamples remain after multiple iterations when the neural barrier certificates and relation functions are synthesized based on the conditions in [11], and counterexamples also arise with the SOS programming approach. This is because the conditions in [11] are too strict on the initial region. Based on Theorem 3, we can successfully synthesize valid neural barrier certificates and relation functions with no counterexamples. As shown in the left parts of Figures 3-5, the initial region becomes much smaller while the approximate initial-state opacity is still satisfied.

5. Conclusions
In this paper, a method for synthesizing neural augmented barrier certificates to verify the approximate initial-state opacity of discrete-time control systems is presented. The existence of augmented barrier certificates can serve as a guarantee of approximate initial-state opacity. We propose a novel form of augmented barrier certificates that generates a weaker sufficient condition for approximate initial-state opacity. We then employ an algorithmic framework in which a learner trains neural certificates via deep learning, alternating with a verifier that checks the candidate certificates by solving several mixed-integer linear programs. The verifier either ensures the validity of the candidate certificates or yields counterexamples for further training. The effectiveness of the proposed approach is illustrated via several numerical examples.

Figure 1. The framework for verifying approximate initial-state opacity.


Figure 3. (Left) Phase portrait of Example 1 with x_2 = x̂_2 = 0. The pink line and the green, red, and yellow regions are the initial sets Θ'_0 and Θ_0, the unsafe set Θ_u, and the sub-level set of B(x, x̂), respectively. (Right) State runs of Π × Π on the projection of the position plane starting from Θ'_0. The blue region represents the unsafe set Θ_u.

Figure 4. (Left) Phase portrait of Example 2 with x_2 = x̂_2 = 0.05 and x_3 = x̂_3 = 0.05. The pink line and the green, red, and yellow regions are the initial sets Θ'_0 and Θ_0, the unsafe set Θ_u, and the sub-level set of B(x, x̂), respectively. (Right) State runs of Π × Π on the projection of the x_1 plane starting from Θ'_0. The blue region represents the unsafe set Θ_u.

Figure 5. (Left) Phase portrait of Example 3 with x_2 = x̂_2 = 0.05. The pink line and the green, red, and yellow regions are the initial sets Θ'_0 and Θ_0, the unsafe set Θ_u, and the sub-level set of B(x, x̂), respectively. (Right) State runs of Π × Π on the projection of the x_1 plane starting from Θ'_0. The blue region represents the unsafe set Θ_u.