Almost k-Step Opacity Enforcement in Stochastic Discrete-Event Systems via Differential Privacy

Abstract

This paper delves into current-state opacity enforcement in partially observed discrete event systems through an innovative application of differential privacy, which is fundamental for security-critical cyber–physical systems. An opaque system implies that an external agent cannot infer the predefined system secret via its observational output, such that the important system information flow cannot be leaked out. Differential privacy emerges as a robust framework that is pivotal for the protection of individual data integrity within these systems. Motivated by the differential privacy mechanism for information protection, this research proposes the secret string adjacency relation as a novel concept, assessing the similarity between potentially compromised strings and system-generated alternatives, thereby shielding the system’s confidential data from external observation. The development of secret string differential privacy is achieved by substituting sensitive strings. These substitution strings are generated by a modified Levenshtein automaton, following exponentially distributed generation probabilities. The verification and illustrative examples of the proposed mechanism are provided.

1. Introduction

Opacity, an information flow property, has garnered significant attention in recent years on discrete-event systems (DESs) that are a mathematical generalization of various contemporary technological systems characterized by computer integration and critical safety [1,2,3]. Typical discrete-event systems include various cyber–physical systems, concurrent computing systems and programming, logistics, etc., where the state transition is triggered by the occurrences of events, i.e., system evolution is driven by events not time, in contrast to the conventional continuous-variable dynamic systems. Due to their inherent characteristics in structure, function, and organization of DESs, privacy and security are paramount concerns in system design and development. For example, current-state opacity characterizes an information flow, originally proposed in the community of computer science, which provides a guarantee that an external observer or intruder cannot decide or infer whether a system’s current state is a secret. Several types of opacity have been proposed, including, in addition to current-state opacity, language-based opacity, initial-and-final-state opacity, k-step opacity, and infinite-step opacity.

As a common DES model, finite state automata are instrumental in modeling, analyzing, and controlling contemporary cyber–physical systems, which are interconnected via computer or communication networks, thereby making them vulnerable to external malicious cyber-attacks [4,5]. External attackers can potentially uncover sensitive information, such as secrets, by observing the generated strings from a DES. Roughly speaking, opacity serves as a security property that assesses whether outside attackers can infer sensitive data or information from a system, assuming that they know the system’s structure.

As noted, k-step opacity [6] is introduced to determine whether an attacker is able to deduce that a system is in a secret state within a certain number of steps before a specific moment. As the parameter k increases, the attacker’s ability to discern the system’s secret within k observation steps becomes restricted. When k approaches infinity, k-step opacity transitions into infinite-step opacity [7,8], signifying that the system prevents the attacker from ever definitively ascertaining the occurrence of a secret state at any point of time, regardless of how far back they inspect the system’s behavior.

The enforcement of infinite-step opacity and k-step opacity in DESs by using an insertion function is proposed [9], which acts as a monitoring interface to insert fictitious events into the output as needed. Two new automata are developed to recognize safe languages for infinite-step and k-step opacity, ensuring that the output is secure. The insertion function leverages these automata to determine the appropriate points for event insertion. This method extends the insertion mechanism from current-state opacity [10] to infinite-step and k-step opacity.

Recent studies have explored weak and strong k-step opacity as extensions of both current-state opacity and infinite-step opacity [11]. An algorithm for verifying weak k-step opacity, independent of k, has been proposed. These works examine strong k-step opacity by reducing it to weak k-step opacity.

The traditional definitions of infinite-step opacity and k-step opacity offer a binary assessment, classifying systems as either opaque or non-opaque. However, in practical scenarios, a non-opaque system might still possess a low probability of violation, which could be acceptable in many real-world applications. Recognizing this case that is of practical value, recent research has shifted towards quantitatively evaluating opacity by leveraging probabilistic models [12,13], particularly in the context of stochastic DESs.

By incorporating probabilistic considerations, the related works aim to provide a more nuanced understanding of system opacity, allowing for a quantitative assessment of the likelihood of opacity breaches. This approach enables a finer-grained analysis, facilitating the identification of acceptable levels of opacity for different applications and system requirements. By accurately modeling the transition probabilities within the system, it becomes possible to assess the likelihood of security vulnerabilities in a more nuanced manner, rather than relying solely on binary classifications, thus providing a detailed evaluation of the system’s susceptibility to breaches.

Existing research on opacity analysis in a stochastic DES [13,14] primarily focuses on current-state-type opacity, neglecting the consideration of delayed information in evaluating infinite-step opacity and k-step opacity. While initial-state opacity can be considered a current-state-type property when incorporating initial states into the system’s state space, the evaluation of opacity becomes more complex when future information influences our understanding of the system’s current status.

To avoid privacy leakage to an attacker with full knowledge of a security-critical system that is usually networked, the notion of differential privacy has been proposed as a method to mathematically safeguard individual privacy [15,16,17]. Initially, differential privacy was used to solve pricing and auction problems [18]. Shortly, it was extended in a widespread way to protect sensitive data by adding random noise, thereby preventing user privacy from being leaked to attackers. The classic differential privacy mechanisms include the Laplace mechanism [19], the exponential mechanism [20], the Gauss mechanism [21], and the geometric mechanism [22]. These mechanisms achieve differential privacy by satisfying different distributions of query results. The probabilities of two datasets outputting the same results are approximate when an attacker conducts a differentiated attack by using two datasets that differ by only one record.

In traditional differential privacy, adding noise does not apply to non-numerical or symbolic data. In [23,24], differential privacy frameworks for symbolic systems are presented to protect trajectories generated by symbolic systems. The new differential privacy mechanisms in [23,24] approximate a sensitive word using a random word that is likely to be near it. However, in the framework of DESs, the approximate word generated in this way may not belong to the system language. An attacker who knows the structure of a system can detect the existence of the protection mechanism by discovering an output that does not belong to the language of the system.

In recent advancements, differential privacy has been increasingly applied to DESs to enhance state protection. One notable development is the introduction of state-protecting differential privacy [25,26], which primarily focuses on safeguarding state data, particularly the initial state privacy in systems with multiple starting states. For system architectures that do not inherently satisfy state differential privacy requirements, supervisory control can be implemented to enforce privacy protection.

Another method for achieving differential privacy in DESs is to design a mechanism that processes system observations [27]. It ensures that potentially sensitive observations and randomly generated ones are modified probabilistically, making their output probabilities nearly equal to obscure sensitive information.

This paper focuses on almost k-step opacity enforcement in stochastic DESs while considering data statistics and analysis. A potentially malicious attacker who monitors a system is modeled as a passive observer. A system is deemed opaque if the probability of strings that violate k-step opacity is smaller than a given threshold that is a real number less than one but greater than zero.

We aim to thwart external attackers from deducing the presence of a secret state within a system by reducing the probability of strings that breach k-step opacity. Simultaneously, we prioritize preserving the information utility of observed strings, ensuring that they adhere to a differential privacy mechanism. This dual objective allows us to enhance system opacity while maintaining the integrity of shared data for statistical analysis and other purposes. Our focus lies in elevating system opacity to meet stringent standards while safeguarding the statistical properties of strings and facilitating secure and efficient data-sharing practices. The main contributions of this work are summarized as follows:

• The almost k-step opacity enforcement problem in stochastic systems is formalized by leveraging differential privacy. This novel privacy mechanism addresses the need in the context of DESs to balance privacy preservation with utility in the context of a dynamic and uncertain environment.
• A probability mechanism is constructed to adhere to almost k-step differential privacy requirements. This mechanism utilizes a modified Levenshtein automaton, offering a practical approach to ensuring privacy while maintaining the integrity and usefulness of the data.
• A policy is reported for enforcing almost k-step opacity by reducing the occurrence probability of strings that violate k-step opacity, thus enhancing system security while preserving data utility.

The remaining sections of this paper are organized as follows. Section 2 introduces the basic notions of stochastic system models, the Levenshtein automata, and differential privacy. The notion of almost k-step opacity and problem formulation is given in Section 3. Section 4 formally defines a utility function and a sensitivity bound. In Section 5, a substitution string generation mechanism is proposed. Section 6 presents the construction of modified Levenshtein automaton and the policy of enforcing almost k-step opacity. Finally, Section 7 concludes this work.

2. Preliminaries

This section reviews the basic notions of finite state automata, Levenshtein automata, and differential privacy. The set of whole numbers (non-negative integers) is denoted by $\mathbb{N}=\{0,1,2,\dots \}$.

2.1. System Model

In this paper, a DES is modeled as a finite state automaton $A=(Q,\Sigma ,\eta ,q_0,Q_m)$, where Q is the set of finite states, $\Sigma$ is the set of events (called alphabet that is usually finite), $\eta :Q\times \Sigma \to Q$ is the (partial) transition function, $q_0$ is the initial state, and $Q_m$ is the set of marked states that is of no interest in this paper unless otherwise stated. The transition function can be extended from the domain $Q\times \Sigma$ to the domain $Q\times {\Sigma }^{\ast }$. For a string $s\in {\Sigma }^{\ast }$ and an event $\sigma \in \Sigma$, the extended transition function can be recursively defined as $\eta (q,\epsilon )=q$ and $\eta (q,s\sigma )=\eta \left(\eta \right(q,s),\sigma )$, where $\epsilon$ is the empty string containing no event. We write the transition function from the initial state to a certain state through a string $s\in {\Sigma }^{\ast }$ as $\eta \left(s\right)=\eta (q_0,s)$, where ${\Sigma }^{\ast }$, called the Kleene closure, is the collection of finite strings defined over $\Sigma$, including the empty string $\epsilon$. Note that $\eta \subseteq Q\times {\Sigma }^{\ast }\times Q$ admits a relation representation of the transition function.

Given an automaton $A=(Q,\Sigma ,\eta ,q_0,Q_m)$, we denote the operation of deleting all the states that are not accessible from $q_0$ and not coaccessible to $Q_m$ by $Trim\left(A\right)$ [28]. For any string $s\in {\Sigma }^{\ast }$, let $\left|s\right|$ be the length of s and ${\sigma }_s^i$ be the i-th event in s. The language generated by an automaton A is defined as $L\left(A\right)=\{s\in {\Sigma }^{\ast }\mid \eta (q_0,s)\mathrm{is}\mathrm{defined}\}$. A language defined over $\Sigma$ is a subset of ${\Sigma }^{\ast }$, i.e., $L\subseteq {\Sigma }^{\ast }$. If there exists $v\in {\Sigma }^{\ast }$ and $uv=s$, $u\in {\Sigma }^{\ast }$ is said to be a prefix of s, denoted by $u⪯s$. The set of all prefixes of s is $\left[s\right]=\{u\in {\Sigma }^{\ast }|u⪯s\}$. Given a language $L\subseteq {\Sigma }^{\ast }$, the prefix of L is defined as $\overline{L}={\cup }_{s\in L}\left[s\right]$. Given a letter $t\in \Sigma$ and a string $s\in {\Sigma }^{\ast }$, write $t\in s$ if t appears in s at least once. We denote by $t\le s$ if $t\in s$ and $t<s$ if $t\in \left[s\right]\setminus \left\{s\right\}$. For any prefix $t\le s$ of s, we denote $s/t$ as the post string of t in s, i.e., $t(s/t)=s$, where $t(s/t)$ is the concatenation of t and $s/t$.

In general, a system is partially observable. The event set $\Sigma$ can be partitioned into an observable set ${\Sigma }_o$ and an unobservable set ${\Sigma }_{uo}$, i.e., $\Sigma ={\Sigma }_o\dot{\cup }{\Sigma }_{uo}$. The natural projection $P:{\Sigma }^{\ast }\to {\Sigma }_o^{\ast }$ is defined as follows:

(1)

$P\left(\epsilon \right)=\epsilon$;

(2)

For any event $\sigma \in \Sigma$, $P\left(\sigma \right)=\sigma$ if $\sigma \in {\Sigma }_o$, and $P\left(\sigma \right)=\epsilon$ if $\sigma \in {\Sigma }_{uo}$;

(3)

For any string $s\in {\Sigma }^{\ast }$ and any event $\sigma \in \Sigma$, $P\left(s\sigma \right)=P\left(s\right)P\left(\sigma \right)$. We also define the inverse projection $P^{-1}:{\Sigma }_o^{\ast }\to 2^{{\Sigma }^{\ast }}$ as $P^{-1}\left(t\right)=\{s\in {\Sigma }^{\ast }\mid P\left(s\right)=t\}$.

Definition 1. 

(Observer automaton): The standard observer automaton [28] of an automaton $A=(Q,\Sigma ,\eta ,q_0)$ that can be established by subset construction is defined as $O\left(A\right)=(Q_o,{\Sigma }_o,{\eta }_o,q_{0,o})$, where $Q_o\subseteq 2^Q$ is the set of states, ${\Sigma }_o$ is the set of observable events, ${\eta }_o:Q_o\times {\Sigma }_o^{\ast }\to Q_o$ is the transition function, and $q_{0,o}\in Q_o$ is the initial state.

In this paper, a stochastic discrete-event system is modeled as a probabilistic finite-state automaton (PFA) $(G,p)$, where $G=(Q,\Sigma ,\eta ,q_0,Q_m)$ is a finite state automaton and $p:Q\times \Sigma \to [0,1]$ is the transition probability function. For any $q\in Q,\sigma \in \Sigma$, we write $p\left(\sigma \right|q)$ as the probability that event $\sigma$ occurs in state q. For every state $q\in Q$, the sum of the probabilities of all possible events in this state ${\sum }_{\sigma \in \Sigma }p\left(\sigma \right|q)=1$. And for every state $q\in Q$, if $\sigma \in \Sigma$, then $p\left(\sigma \right|q)>0$ means that transition $\eta (q,\sigma )$ exists or $\eta (q,\sigma )$ is defined. Given a string $s\in {\Sigma }^{\ast }$, the probability of string s is denoted by $Pr\left(s\right)$, i.e., $Pr\left(s\sigma \right)=Pr\left(s\right)p\left(\sigma \right|\eta \left(s\right))$ where $\sigma \in \Sigma$.

2.2. Levenshtein Distance and Levenshtein Automaton

To compare two strings with the same length, we introduce the concept of the Levenshtein distance to measure the difference or edit distance between two strings [24]. The Levenshtein distance indicates the minimum number of single-character edits (insertions, deletions, or substitutions) required to transform one string into another.

Definition 2. 

(Levenshtein distance): Given two strings $s_1,s_2\in {\Sigma }^{\ast }$ with $|s_1|=|s_2|$, $s_1={\sigma }_{s_1}^1\dots {\sigma }_{s_1}^n$, and $s_2={\sigma }_{s_2}^1\dots {\sigma }_{s_2}^n$, the Levenshtein distance between the strings $s_1$ and $s_2$, denoted as $d(s_1,s_2)$, is the count of events ${\sigma }_{s_1}^j\ne {\sigma }_{s_2}^j$, where $j\in \{1,\dots ,n\}$.

In this paper, we consider a restricted version of the Levenshtein distance that only accounts for substitution operations on strings of the same length. Under this condition, it is equivalent to the Hamming distance [23]. In order to correspond to the Levenshtein automaton below, it is still called the Levenshtein distance. Based on this setting, given two strings $s_1,s_2\in {\Sigma }^{\ast }$, we conclude that $d(s_1,s_2)$ is the minimum number of changes that convert $s_1$ to $s_2$. Moreover, it is feasible to extend the Levenshtein distance for two strings with different lengths. For example, given two strings $s_1$ and $s_2$ with $|s_1|=n$, $|s_2|=m$, and $n>m$. Write $s_1=s_1^{\prime }{s}_1^{″}$ with $|s_1^{\prime }|=m$. Then, we can define $d(s_1,s_2)=d(s_1^{\prime },s_2)+(n-m)$.

Example 1. 

Given an alphabet $\Sigma =\{a,b,c,d,e\}$, the Levenshtein distance between the strings $abcdd$ and $abbae$ is 3, since the third event c is substituted to b, the fourth event d is substituted to a, and the fifth event d is substituted to e.

Given a string s and a specific Levenshtein distance $\omega$, a Levenshtein automaton can be used to determine whether the Levenshtein distance between the string s and another string is within $\omega$ [29]. Note that the Levenshtein automaton used in this work is a restricted version specifically tailored for substitution operations on equal-length strings.

Definition 3. 

(Levenshtein automaton): Given a string $s\in {\Sigma }^{\ast }$ and an integer $\omega \in \mathbb{N}$, a Levenshtein automaton (with respect to the string s and integer ω) is a finite state automaton $A_{s,\omega }=(Q_{\left|s\right|,d}$, $\Sigma ,{\eta }_{s,\omega },q_{0,0})$, where $L\left(A_{s,\omega }\right)=\{s^{\prime }\in {\Sigma }^{\ast }|d(s,s^{\prime })\le \omega \}$, $Q_{\left|s\right|,d}$ is the set of states, Σ is the set of events, ${\eta }_{s,\omega }$ is the transition function, and $q_{0,0}$ is the initial state.

Example 2. 

Consider $\Sigma =\{a,b,c\}$, a string $bbc$, and a distance $\omega =2$. The Levenshtein automaton $A_{bbc,2}$ is shown in Figure 1. The horizontal arrow at the bottom line represents the original events in the string, and the slanted arrow represents the events that can be used to substitute the original event. For the slanted arrow from the initial state $0^0$ to the state $1^1$, the events a and c can substitute the first event b in the string $bbc$. The path from the initial state to another state constitutes the possible output string of the Levenshtein automaton, i.e., the output string can be $ab$, $cb$, $ba$ or $bc$ in the state $2^1$.

2.3. Differential Privacy

Differential privacy provides a query method to protect records, maximizing the accuracy of the overall record while preventing the risk of leakage of single records. From its definition, differential privacy is enforced by a mechanism (i.e., a randomized function) that necessarily produces outputs with almost equal probabilities for adjacent sensitive data specified by an adjacency relation [30].

A randomized function M satisfies $ϵ$-differential privacy if for all $\mathcal{S}\subseteq range\left(M\right)$ and all adjacent sensitive data $D_1$ and $D_2$:

$$\begin{array}{c}\hfill Pr[M\left(D_1\right)\in \mathcal{S}]\le e^{ϵ}Pr[M\left(D_2\right)\in \mathcal{S}].\end{array}$$

(1)

where $rang\left(M\right)$ is the range of function M, $Pr[M\left(D_i\right)\in \mathcal{S}]$ is the probability that the output of algorithm M under the input $D_i$ ($i=1,2$) falls into $\mathcal{S}$, e is the natural constant, and the parameter $ϵ$, which is usually a real number, depends on a privacy policy and affects the degree of privacy protection. With the increase in $ϵ$, the data availability becomes higher, while the privacy becomes lower. Typically, $ϵ$ is set to a small constant, such as 0.1 to $ln\left(3\right)$.

In some scenes, Markov Decision Processes (MDPs) [31] are useful for privacy–utility trade-offs in optimal control problems, as they model state transitions probabilistically and optimize decision-making based on predefined reward functions. However, MDPs require carefully designed reward structures tailored to specific systems, making them less adaptable across different applications. In contrast, differential privacy provides a formal and universal privacy guarantee without relying on system-specific rewards, ensuring protection through controlled randomness.

2.4. Word Differential Privacy

In the traditional supervisory control theory of discrete-event systems, system behavior is represented by formal languages. A language is a subset of the Kleene closure of the alphabet of a system, which is a set of finite strings or words composed of the event labels of the system. As stated previously, differential privacy is maintained by a mechanism that acts as a randomized function; for similar sensitive data, the mechanism produces roughly distinguishable outputs. The notion of “similarity” is defined by an adjacency relation, such as word adjacency in [23,24]. We recall the notions of word adjacency and word differential privacy in [24] as follows.

Definition 4. 

(Word adjacency): Given a length $n\in \mathbb{N}$ and a distance $\omega \in \mathbb{N}$, the word adjacency relation with two strings $s_1$ and $s_2$ on ${\Sigma }^n$ with respect to ω is defined as

$$\begin{array}{c}\hfill A{R}_{n,\omega }=\left\{(s_1,s_2)\in {\Sigma }^n\times {\Sigma }^n|d(s_1,s_2)\le \omega \right\}.\end{array}$$

(2)

where ${\Sigma }^n=\{s\in {\Sigma }^{\ast }\mid \left|s\right|=n\}$ is the set of strings with length n.

Given a parameter $\omega$, two strings that have the same length are similar (or adjacent) with respect to $\omega$ if the Levenshtein distance between them is less than or equal to $\omega$. Further, any pair $(s_1,s_2)$ in $A{R}_{n,\omega }$ contains two similar strings. It is obvious that $A{R}_{n,\omega }$ is a tolerance relation over ${\Sigma }^n$.

Definition 5. 

(Word differential privacy [24]): Consider a probability space $(\Omega ,\mathcal{F},Pr)$ that is a measure space such that the measure of the whole space is equal to one, where, as conventionally defined, Ω is a sample space, collecting all possible outcomes, $\mathcal{F}$ is a set of events, and $Pr$ is a probability function that assigns each event in the event space a probability, which is a number between 0 and 1. Given a length $n\in \mathbb{N}$, a distance $\omega \in \mathbb{N}$, and a privacy parameter $ϵ>0$, a mechanism $M:{\Sigma }^n\times \Omega \to {\Sigma }^n$ is word ϵ-differentially private if for all $L\subseteq {\Sigma }^n$ and all $(s_1,s_2)\in A{R}_{n,\omega }$:

$$\begin{array}{c}\hfill P{r}_{\Omega }[M\left(s_1\right)\in L]\le e^{ϵ}P{r}_{\Omega }[M\left(s_2\right)\in L].\end{array}$$

(3)

Note that the elements belonging to $\Omega$ in the mechanism M are omitted in the paper. As defined, if the mechanism M meets word $ϵ$-differential privacy, the mechanism M can approximate similar strings with randomized versions, i.e., M should ensure that the randomized outputs of two adjacent strings are approximately indistinguishable for any attacker such that the attacker is not able to identify or estimate the real output of a system. Such an idea will be formalized in the following sections of the paper.

3. Problem Formulation

3.1. Intruder Model

In this section, we consider the problem of achieving differential privacy in stochastic DESs under partial observation to enforce almost k-step opacity. To address this problem, we define string adjacency and differential privacy with respect to the secrets of a system. Denote a probabilistic finite automaton by $(G,p)=(Q,\Sigma ,\eta ,q_0,p,Q_s)$, where $Q_s\subseteq Q$ is the set of secret states, and $p:Q\times \Sigma \to [0,1]$, as defined before, is the transition probability function.

An attacker can infer from the observed strings at which state the system might be upon observation. Formally, let $\alpha \in P\left(L\right(G,p\left)\right)$ be an observed string (an observation). Then, the current state estimate upon the occurrence of $\alpha$ is defined by ${\widehat{Q}}_{G,p}\left(\alpha \right)=\{q\in Q\mid \exists s\in L\left(G\right):P\left(s\right)=\alpha ,q=\eta \left(s\right)\}$. The current state estimate can be computed by building an observer automaton (current state estimator) [28].

In some situations, an attacker is also interested in knowing which state the system could be in for some particular previous instant. Assume that an observation $\alpha \in P\left(L\right(G,p\left)\right)$ is obtained, and we are interested in the state estimate of the system for the instant when only $\beta ⪯\alpha$ is executed. We define the delayed state estimate at the time instant when $\beta ⪯\alpha$ is exactly observed by ${\widehat{Q}}_{G,p}\left(\beta \right|\alpha )=\{q\in Q\mid \exists s,t\in {\Sigma }^{\ast }:st\in L\left(A\right),P\left(s\right)=\beta ,P\left(st\right)=\alpha ,q=\eta \left(s\right)\}$. Intuitively, ${\widehat{Q}}_{G,p}\left(\beta \right|\alpha )$ estimates the state of the system $\left|\alpha \right|-\left|\beta \right|$ steps prior to the instant when $\alpha$ is observed. Write ${\widehat{Q}}_{G,p}\left(\beta \right|\alpha )$ as ${\widehat{Q}}_G\left(\beta \right|\alpha )$ if p is of no concern.

3.2. Almost k-Step Opacity

In the k-step opacity problem in the context of DESs, a secret refers to a set of states that need to be protected and kept hidden from external observers. In practical applications, some strings (i.e., observations) can be observed by controllers and external observers, which can facilitate the supervisory control of a system or meet the needs for information disclosure. However, sharing information with third parties can create some security issues. Once a secret state is visited, in the next k steps, strings generated by the system may lead attackers to infer that the system is or was in a secret state. For an automaton $G=(Q,\Sigma ,\eta ,q_0)$, the language as the set of strings that violate k-step opacity is defined as $L_k=\left\{s\in L\left(G\right)\mid \exists \alpha ⪯P\left(s\right):\left|P\left(s\right)\right|-\left|\alpha \right|\le k,{\widehat{Q}}_G\left(\alpha \right|P\left(s\right))\subseteq Q_s\right\}.$

Then, the k-step opacity requires $L_k=\varnothing$.

The definition of almost k-step opacity [14] is proposed to refine privacy protection for stochastic DESs based on the notion of almost current state opacity [13]. The concept of almost k-step opacity addresses the limitation that k-step opacity only offers binary classifications of system opacity without quantifying it, extending opacity evaluation to stochastic systems under partial observation. This extension provides a quantitative measure of the opacity, enhancing its applicability in various security-sensitive applications.

Note that once a string exposes the system’s secret, any subsequent continuation of that string will also divulge the secret. We define the language (a subset of $L_k$) $L_k^P=\left\{s\in L_k\mid \forall t\prec s:t\notin L_k\right\}$ as the set of strings that violate k-step opacity for the first time. In essence, almost k-step opacity necessitates that the combined probability of strings violating k-step opacity logic is below a specified threshold $\theta$. Almost k-step opacity introduces a probability threshold into k-step opacity, refining the concept for stochastic DESs.

Definition 6. 

(Almost k-step Opacity): Let $(G,p)$ be a PFA, ${\Sigma }_o\subseteq \Sigma$ be the set of observable events, $Q_s\subseteq Q$ be a set of secret states, $k\in \mathbb{N}$ be an integer, and $\theta <1$ be a threshold value. The PFA $(G,p)$ is said to be almost k-step opaque if ${\sum }_{s\in L_k^P}Pr\left(s\right)<\theta$.

In this paper, we mainly guard against attackers capable of inferring that a system is or was in a secret state by observing the output strings. In a logical DES, almost k-step opacity can be verified by building the observer of a system that is represented by $O\left(G\right)=(Q_o,{\Sigma }_o,{\eta }_o,q_{0,o})$ [28]. In the setting of this paper, an attacker can partially observe the system $(G,p)$, and all the observations belong to $P\left[L\right(G,p\left)\right]$, i.e., $L\left(O\right(G,p\left)\right)$, where $O(G,p)$ is the observer of $(G,p)$.

The strings observed after a secret state is reached within k steps, for which there exist no equivalent strings bypassing a secret state in k-steps, are called sensitive strings. We define $L_s=\left\{s\in L\left(G\right)\mid \exists \alpha ⪯P\left(s\right):\left|P\left(s\right)\right|-\left|\alpha \right|=k,{\widehat{Q}}_G\left(\alpha \right|P\left(s\right))\subseteq Q_s\right\}$ be the set of all the sensitive strings in $L\left(O\right(G,p\left)\right)$. To ensure that a system is almost k-step opaque, we need to protect the sensitive strings with a mechanism that satisfies differential privacy.

Note that in this paper, observations are divided into input observations (i.e., the projections of the strings generated by a system) and output observations (i.e., the strings observed by an external attacker). Let us abuse the terminology to say that these two types of observations correspond to the inputs and outputs of a system, respectively. A non-numerical query function f is proposed to describe the relation between the input and output of a system. If a system generates a string s, an observer will observe $f\left(P\right(s\left)\right)$ (i.e., an output observation) instead of $P\left(s\right)$ as shown in Figure 2. Generally, if no mechanism that can affect the output observations exists, we assume that $f\left(P\right(s\left)\right)=P\left(s\right)$.

Example 3. 

As shown in Figure 3a, there is a probabilistic automaton $(G,p)=(Q,\Sigma ,\eta ,q_0,p,Q_s)$ with two secret states marked in yellow, i.e., $Q_s=\{3,8\}$. The probability of an event occurring in a certain state is marked in red. Let $\Sigma =\{a,b,c,d\}$ and ${\Sigma }_o=\{a,b,d\}$. In the observer of $(G,p)$ as depicted in Figure 3b, there exists a secret state 3. In an almost k-step opacity problem, given ω = 1, we can obtain the sensitive string $s_s=abd$, i.e., an attacker will be sure that secret state 4 was reached in one step before the current state when $s_s\in L_k$ is observed. The string $ab\in L_k^P$ that leads the system to the secret state 3 is included in string $s_s=abd$ (as a prefix of $s_s=abd$). Therefore, there is no need to deal with it separately. For secret state 8, string $ba=P\left(bcac\right)$ is not a secret since string $bca$ with $P\left(bca\right)=ba$ exists such that non-secret state 7 is reached. The probability of occurrence of the string that violates k-step opacity is ${\sum }_{s\in L_k^P}Pr\left(s\right)={\displaystyle \frac{1}{2}}$, and the system is almost k-step opaque if the given threshold θ is greater than 0.5.

3.3. String Differential Privacy

For a symbolic system, word adjacency [23,24] explains the similarity of two words, and the word differential privacy mechanism ensures that the random outputs of two $\omega$-adjacent words are indistinguishable (with respect to the parameter $\omega$) for any recipient of their privatized forms. Based on word adjacency, we propose the sensitive string adjacency for partially observed stochastic systems to consider the similarity between sensitive strings and other available observations. Note that a “new” string that violates k-step opacity may appear; however, as long as the probability is small enough, the system can still be almost k-step opaque.

Definition 7. 

(Sensitive string adjacency): Let $(G,p)$ be a system containing secret states. Given a distance $\omega \in \mathbb{N}$ and a sensitive string $s_s\in L_s$ where $L_s$ is the set of all sensitive strings, for a string s, the sensitive string adjacency relation with $s_s$ is defined as

$$\begin{array}{c}\hfill A{R}_{s,\omega }=\{(s_s,s)\in L_s\times ({\Sigma }_o^{\ast }\setminus L_s)|d(s_s,s)\le \omega ,|s_s|=|s\left|\right\}.\end{array}$$

(4)

For an attacker with knowledge of a system’s structure, he/she may potentially infer that a secret state is or was reached by observing sensitive strings. Therefore, we devise a mechanism that adheres to differential privacy standards to generate similar output, thereby replacing the original sensitive strings. We propose a concept called string differential privacy to ensure that the random outputs of two $\omega$-adjacent strings (one of them is a sensitive string) are similar for observers. In certain cases, some of these random outputs can be strings that violate k-step opacity, i.e., the string $s\in L_k$, as long as their output probability is less than the preset threshold $\theta$.

Definition 8. 

(String differential privacy): Given a system $(G,p)=(Q,\Sigma ,\eta ,q_0,p,Q_s)$ with $Q_s\subseteq Q$, a probability space $(\Omega ,\mathcal{F},Pr)$, a distance $\omega \in \mathbb{N}$, and a privacy parameter $ϵ>0$, a mechanism $M_s:{\Sigma }^{\ast }\times \Omega \to {\Sigma }^{\ast }$ is string-ϵ-differentially private if for all $(s_1,s_2)\in A{R}_{s,\omega }$

$$\begin{array}{c}\hfill P{r}_{\Omega }[M_s\left(s_1\right)\in {\Sigma }_o^{\ast }]]\le e^{ϵ}P{r}_{\Omega }[M_s\left(s_2\right)\in {\Sigma }_o^{\ast }].\end{array}$$

(5)

Our primary goal is to provide privacy protection for the sensitive strings (i.e., input observations) by reducing the probability of strings that violate k-step opacity in output observations, and the length of the output observations remains unchanged after being substituted. We study the problem of designing a mechanism that satisfies string differential privacy to protect privacy and preserve the statistical value of the output for analysis.

Problem 1. 

Consider a probability space $(\Omega ,\mathcal{F},Pr)$. Given a system $(G,p)$ and a sensitive string $s_s$, design a policy for generating substitution strings to enforce the system to be almost k-step opaque with a generation mechanism $M_s:{\Sigma }^{\ast }\times \Omega \to {\Sigma }^{\ast }$ that satisfies string differential privacy.

To prevent sensitive strings from being exposed to attackers, we integrate a differential privacy mechanism into opacity enforcement and devise a protective policy. The differential privacy mechanism not only guarantees that the random output of a sensitive string is indistinguishable from that of another input observation but also ensures that the output maintains similarity to the sensitive string. Consequently, attackers are unable to discern the exact input observation (i.e., sensitive strings), and it becomes exceedingly improbable for them to determine whether the system has reached a secret state within k steps of the current state.

Example 4. 

As shown in Figure 4a, there is a PFA $(G,p)=(Q,\Sigma ,\eta ,q_0,p,Q_s)$ with a secret state 2 marked in yellow, i.e., $Q_s=\left\{2\right\}$. Let the set of observable events be ${\Sigma }_o=\{a,b,c\}$. The probability of an event occurring in each state is marked in red. The observer of $(G,p)$ is shown in Figure 4b. Since there exists the state $2\in Q_s$ in the observer, given $k=1$, string $s_s=aab$ is a sensitive string, and string $aa$ belongs to $L_k^P$. We then have ${\sum }_{s\in L_k^P}Pr\left(s\right)=Pr\left(aa\right)={\displaystyle \frac{1}{2}}·{\displaystyle \frac{2}{3}}={\displaystyle \frac{1}{3}}$. If the given θ is less than ${\displaystyle \frac{1}{3}}$, the system is not almost k-step opaque, and we need to enforce almost k-step opacity. Given the parameter $\omega =2$, the sensitive string $aab$ can be replaced with 12 substitution strings, and its generation probability mechanism satisfies string differential privacy. There are four substitution strings that belong to $P\left[L\right(G,p,s\left)\right]$, i.e., $acc$, $bac$, $bab$, and $bcc$, and other substitution strings belong to $L_k$. To enforce almost k-step opacity, we need to design a policy such that the mechanism for generating substitution strings satisfies string differential privacy, and the substitution strings satisfy ${\sum }_{s\in L_k^P}Pr\left(s\right)<\theta$.

4. Utility and Bound

Typically, a method leveraging differential privacy introduces random noise to a dataset, rendering it challenging or impossible for attackers to single out individual records. However, for non-numerical data like text or categorical data, preserving privacy while retaining data utility through noise addition may not be viable [32]. We adopt an exponential mechanism to uphold differential privacy for strings that fall under non-numerical data.

4.1. Information Utility

The exponential mechanism [20] selects outputs that balance privacy and utility in a principled manner, ensuring a trade-off between the privacy of the output and its utility. This approach utilizes the edit distance to quantify the deviation between two strings and privatizes the input string by randomly outputting a string close to the input. Generally, the information value of the output string is inversely proportional to its distance from the input string. A substitution string (i.e., output observations) that closely resembles the sensitive string (i.e., input observations) carries a higher information value. The utility function quantifies the information value of possible output strings generated by the exponential mechanism.

In a symbolic system, the utility of a private output string, as outlined in [23], is defined as the negative of the Hamming distance between the given input string and its corresponding output string. The utility function is defined as $u(s_i,s_o)=-d(s_i,s_o)$, where $s_i$ is the input string, and $s_o$ is the output string. However, a negative utility does not conform to general cognition. In this paper, we define a utility function based on two positive numbers and the Levenshtein distance between an input string and an output string as follows.

Definition 9. 

(Information utility): Given two positive numbers $\alpha >0$ and $\beta >0$ and an input string $s_i\in P\left[L(G,p)\right]$, the information utility of an output string $s_o\in P\left[L(G,p)\right]$ (with respect to α, β, and $s_i$) is

$$\begin{array}{c}\hfill u_{\alpha ,\beta }(s_i,s_o)={\displaystyle \frac{1}{d(s_i,s_o)+\beta }}+\alpha .\end{array}$$

(6)

From Equation (6), the utility $u_{\alpha ,\beta }(s_i,s_o)$ is a positive number due to $\alpha >0$ and $\beta >0$, and a larger value of $\alpha$ will give a larger value of $u_{\alpha ,\beta }(s_i,s_o)$ given $s_i$ and $s_o$. The value of $\alpha$ can be set to any positive number to act as an offset, affecting the overall utility of an output string $s_o$ regardless of the Levenshtein distance between $s_i$ and $s_o$. When the length of the string is not critical information, we can set $\beta$ to a smaller value close to 0.

For different systems, we can use the parameter $\beta$ to adjust the effect of the Levenshtein distance on utility. When $\alpha$ is a small value close to 0, the information utility is mainly affected by $\beta$. A larger value of $\beta$ makes the effect of the Levenshtein distance on utility smaller. When both $\alpha$ and $\beta$ are close to 0, as the disparity between the input and output strings widens, the information utility diminishes rapidly.

In terms of substitution operations, we inherently attribute higher utility to a substitution string (i.e., an output observation) that closely aligns with the sensitive string (i.e., an input observation). The information utility facilitates versatile comparisons and evaluations across various systems, ensuring equitable comparisons between strings.

4.2. Sensitivity Bound

In an exponential mechanism, the sensitivity bound of a utility function offers a framework to set boundaries that delineate the acceptable level of dissimilarity between two input strings [16]. By defining sensitivity bounds, we can efficiently restrict the potential disclosure of private data while holding the information utility.

The utility of two adjacent strings can be calculated by the utility function $u_{\alpha ,\beta }(·,·)$. For the sake of simplicity, write $u_{\alpha ,\beta }(·,·)$ as $u_{\beta }(·,·)$ or simply $u_{\beta }$. Given two adjacent input strings $s_1,s_2\in P\left[L(G,p)\right]$ and an output string $s_o\in P\left[L(G,p)\right]$, the sensitivity bound [24] of $u_{\beta }$ is defined as

$$\begin{array}{c}\hfill \Delta u_{\beta }=\underset{s_o\in P\left[L(G,p)\right]}{max}\underset{(s_1,s_2)\in A{R}_{s,\omega }}{max}|u_{\beta }(s_1,s_o)-u_{\beta }(s_2,s_o)|.\end{array}$$

(7)

Given $\beta >0$ and $\omega \in \mathbb{N}$, the sensitivity bound of $u_{\beta }$ satisfies

$$\begin{array}{c}\hfill \Delta u_{\beta }\le {\displaystyle \frac{\omega }{\beta (\omega +\beta )}}.\end{array}$$

(8)

The proof is similar to that in [24].

Proof. 

Let $s_1,s_2\in P\left[L(G,p)\right]$ be two adjacent input strings. Assume $d(s_2,s_o)=d(s_1,s_o)+c$. Since $d(s_1,s_2)\le k$, we conclude $0\le c\le k$. By this assumption, $s_1$ is closer to $s_o$ than $s_2$, i.e., the utility of $s_1$ is higher than the utility of $s_2$. By removing the absolute value signs in Equation (7), it gives

$$\begin{array}{c}\hfill \Delta u_{\beta }=\underset{s_o\in P\left[L(G,p)\right]}{max}\underset{(s_1,s_2)\in A{R}_{s,k}}{max}{u}_{\beta }(s_1,s_o)-u_{\beta }(s_2,s_o).\end{array}$$

(9)

Combining this with Equation (8), we have

$$\begin{array}{cc}\hfill \Delta u_{\beta }& =\underset{s_o\in P\left[L(G,p)\right]}{max}\underset{(s_1,s_2)\in A{R}_{s,k}}{max}{\displaystyle \frac{1}{d(s_1,s_o)+\beta }}+\alpha \hfill \\ \hfill & -({\displaystyle \frac{1}{d(s_2,s_o)+\beta }}+\alpha )\hfill \\ \hfill & =\underset{s_o\in P\left[L(G,p)\right]}{max}\underset{s_1\in P\left[L(G,p)\right]}{max}{\displaystyle \frac{1}{d(s_1,s_o)+\beta }}\hfill \\ \hfill & -{\displaystyle \frac{1}{d(s_1,s_o)+c+\beta }}\hfill \end{array}$$

(10)

where $c\in \{0,1,\dots ,k\}$. For any $s_o\in P\left[L(G,p)\right]$, $\Delta u_{\beta }$ is maximized as

$$\begin{array}{c}\hfill \Delta u_{\beta }=\underset{c\in \left\{0,1,...,k\right\}}{max}{\displaystyle \frac{c}{\beta (c+\beta )}}\end{array}$$

(11)

where $s_1=s_o$ holds. If $c=k$, the right-hand side can be maximized, and we can obtain Inequality (8).    □

Sensitivity bounds are pivotal in highlighting potential discrepancies in utility between two adjacent input strings. A broader sensitivity bound suggests a greater probability of generating a substitution string that significantly diverges from the sensitive string. This increased deviation reduces the useful information accessible to attackers, thereby bolstering system security.

The exponential mechanism determines the probability distribution of possible output strings by leveraging the sensitivity bound. A sensitivity bound ensures that the generated output strings fall within an acceptable deviation range. It is crucial to strike a balance, as an excessive deviation in the substitution string may lead to a misinterpretation by all observers.

Example 5. 

Consider again the system in Figure 4a. Given the parameter $\omega =2$, string $acc$ is adjacent to the sensitive string $aab$ with the Levenshtein distance of 2 ($\omega =2$). We set $\alpha ={\displaystyle \frac{1}{2}}$ and $\beta =1$ and let $aab$ and $acc$ be two input observations $s_1$ and $s_2$, respectively. If the string $acc$ is selected as an output substitution string, we find $u_{\beta }(aab,acc)={\displaystyle \frac{5}{6}}$ and $u_{\beta }(acc,acc)={\displaystyle \frac{3}{2}}$. Then, the sensitivity bound is $\Delta u_{\beta }={\displaystyle \frac{3}{2}}-{\displaystyle \frac{5}{6}}={\displaystyle \frac{2}{3}}$, which is equal to ${\displaystyle \frac{\omega }{\beta (\omega +\beta )}}$. Supposing we choose a substitution string with a Levenshtein distance of 1 from the sensitive string as the output string, the utility difference will be less than the sensitivity bound $\Delta u_{\beta }$.

5. Substitution String Generation Mechanism

5.1. String Exponential Mechanism

Leveraging both the utility function and the sensitivity bound, we will propose a string exponential mechanism to obtain the probability of each possible output string. This mechanism ensures that the output probability of strings is proportional to the utility.

Theorem 1. 

Given a sensitive string $s_s\in P\left[L(G,p)\right]$, a string exponential mechanism $M_s$ satisfies sensitive string-ϵ-differential privacy if the system $(G,p)$ under the mechanism $M_s$ outputs a substitution string $s\in {\Sigma }_o^{\ast }$ with probability proportional to $\exp \left({\displaystyle \frac{ϵu_{\beta }(s_s,s)}{2\Delta u_{\beta }}}\right)$.

Proof. 

Consider a probability space $(\Omega ,\mathcal{F},Pr)$. Given two adjacent strings $s_1,s_2\in {\Sigma }_o^{\ast }$ with $(s_1,s_2)\in A{R}_{s,\omega }$, we consider the ratio of the probability that the exponential mechanism outputs $s\in {\Sigma }_o^{\ast }$. By

$$\begin{array}{cc}\hfill {\displaystyle \frac{P{r}_{\Omega }[M_s\left(s_1\right)=s]}{P{r}_{\Omega }[M_s\left(s_2\right)=s]}}& ={\displaystyle \frac{\left(\frac{\exp \left(\frac{ϵu_{\beta }(s_1,s)}{2\Delta u_{\beta }}\right)}{{\sum }_{s^{\prime }\in {\Sigma }_o^{\ast }}\exp \left(\frac{ϵu_{\beta }(s_1,s^{\prime })}{2\Delta u_{\beta }}\right)}\right)}{\left(\frac{\exp \left(\frac{ϵu_{\beta }(s_2,s)}{2\Delta u_{\beta }}\right)}{{\sum }_{s^{\prime }\in {\Sigma }_o^{\ast }}\exp \left(\frac{ϵu_{\beta }(s_2,s^{\prime })}{2\Delta u_{\beta }}\right)}\right)}}\hfill \\ \hfill & =\exp \left({\displaystyle \frac{ϵ(u_{\beta }(s_1,s^{\prime })-u_{\beta }(s_2,s^{\prime }))}{2\Delta u_{\beta }}}\right)·\left({\displaystyle \frac{{\sum }_{s^{\prime }\in {\Sigma }_o^{\ast }}\exp \left(\frac{ϵu_{\beta }(s_2,s^{\prime })}{2\Delta u_{\beta }}\right)}{{\sum }_{s^{\prime }\in {\Sigma }_o^{\ast }}\exp \left(\frac{ϵu_{\beta }(s_1,s^{\prime })}{2\Delta u_{\beta }}\right)}}\right)\hfill \\ \hfill & \le \exp \left({\displaystyle \frac{ϵ}{2}}\right)·\exp \left({\displaystyle \frac{ϵ}{2}}\right)·\left({\displaystyle \frac{{\sum }_{s^{\prime }\in {\Sigma }_o^{\ast }}\exp \left(\frac{ϵu_{\beta }(s_1,s^{\prime })}{2\Delta u_{\beta }}\right)}{{\sum }_{s^{\prime }\in {\Sigma }_o^{\ast }}\exp \left(\frac{ϵu_{\beta }(s_1,s^{\prime })}{2\Delta u_{\beta }}\right)}}\right)\hfill \\ \hfill & =\exp \left(ϵ\right),\hfill \end{array}$$

(12)

we have

$$P{r}_{\Omega }[M_s\left(s_1\right)=s]=\exp \left(ϵ\right)P{r}_{\Omega }[M_s\left(s_2\right)=s].$$

The inequality is proved by substituting the inequality $u_{\beta }(s_1,s^{\prime })\le u_{\beta }(s_2,s^{\prime })+\Delta u_{\beta }$ into the equation. Thus, the string exponential mechanism satisfies string differential privacy, which completes the proof.    □

5.2. Probability Distribution of Output

The observed strings are the output under the string exponential mechanism for an output observer. A system under the proposed protection mechanism generates a privatized output observation with the same length as the input. Given a sensitive string $s_s$ and a distance $\omega$, a Levenshtein automaton derived from $s_s$, and $\omega$ is represented as $A_{s_s,\omega }=(Q_{s_s,\omega },{\Sigma }_o,{\eta }_{s_s,\omega },q_{0,s_s,\omega })$ based on Definition 3. For convenience, the set of states is written as $Q_{s_s,\omega }=\{q_{i,d}|0\le i\le |s_s|,0\le d\le k\}$, where the first subscript (index i) of a state $q_{i,d}$ denotes the length i of a substitution string, and the second indicates the distance (index d) between the output string and the input string with the length i.

Note that when a sensitive string $s_s\in P\left[L(G,p)\right]$ is treated as an input observation, we may abuse the symbols $s_i$ and $s_s$. Given a sensitive string $s_i\in {\Sigma }_o^{\ast }$ (i.e., an input string) and a Levenshtein automaton $A_{s_s,\omega }=(Q_{s_s,\omega },{\Sigma }_o,{\eta }_{s_s,\omega },q_{0,s_s,\omega })$, we implement a randomized policy to the output string and make its probability satisfy $P{r}_o\left(s_o\right):Q_{s_s,\omega }\times {\Sigma }_o\to [0,P{r}_i\left(s_i\right)]$. Moreover, the probability of an input string is equal to the product of the probabilities of each original event in the passing state, i.e.,

$$\begin{array}{c}\hfill P{r}_i\left(s_i\right)=\prod _{n=1}^{|s_i|}p\left({\sigma }_{s_i}^n\right|\eta ({\sigma }_{s_i}^1{\sigma }_{s_i}^2\dots {\sigma }_{s_i}^{n-1})).\end{array}$$

(13)

In this way, we privatize the string while $\Delta u_{\beta }$ achieves maximum value ${\displaystyle \frac{\omega }{\beta (\omega +\beta )}}$ if $\omega \le |s_i|$. The Levenshtein automaton assists in bypassing the computation of the proportionality constant for the string exponential mechanism. This means that we can circumvent the distance calculation between a sensitive string and every potential output string. Instead, we establish the sensitivity bounds as the utility difference between the sensitive strings and the string $s_i$ that has the distance ℓ from the sensitive strings.

According to the string exponential mechanism, the output strings with the same distance from $s_i$ have the same output probability. The probability of outputting a string with the distance ℓ from $s_i$ is equal to the ratio of its output probability to the probability of outputting all the strings with distance ℓ from $s_i$. A Levenshtein automaton ensures that a substitution string $s_o$ (i.e., the output string) is within Levenshtein distance $\omega$ from the original string $s_i$ (i.e., the input string). Under the condition that the distance between the substitution string and the input string is ℓ, we can compute the probability of selecting an output string $s_o$ with the given distance ℓ from $s_i$ as

$$\begin{array}{c}\hfill Pr(s_o,s_i)[d(s_o,s_i)=\ell ]={\displaystyle \frac{\exp (\frac{ϵ\beta (\omega +\beta )}{2\omega }·(\frac{1}{\ell +\beta }+\alpha ))}{{\sum }_{\lambda =0}^{\ell }\exp (\frac{ϵ\beta (\omega +\beta )}{2\omega }·(\frac{1}{\lambda +\beta }+\alpha ))}},\end{array}$$

(14)

derived from Theorem 1.

For a Levenshtein automaton, given a distance ℓ, we prune the states and transitions that do not correspond to this Levenshtein distance and only retain the paths from the initial state to the state that makes the Levenshtein distance of the output string from the input string equal to ℓ. A distance-limited Levenshtein automaton is defined as follows. For the algorithm to construct this automaton, one can refer to [24].

Definition 10. 

(Distance-limited Levenshtein automaton): Given a Levenshtein automaton $A_{s,\omega }=(Q_{\left|s\right|,d},\Sigma ,{\eta }_{s,\omega },q_{0,0})$ and a distance ℓ, a distance-limited Levenshtein automaton is a five-tuple ${\mathcal{A}}^{\ell }=(Q^{\ell },{\Sigma }_o,{\eta }^{\ell },q_{0,0},q_{\ell })$, where $Q^{\ell }$ is the set of states, ${\Sigma }_o$ is the set of observable events, ${\eta }^{\ell }:Q^{\ell }\times {\Sigma }_o\to Q^{\ell }$ is the transition function, $q_{0,0}$ is the initial state, and $q_{\ell }$ is the state corresponding to the length $|s_s|$ and the distance ℓ.

Example 6. 

Consider the Levenshtein automaton $A_{bbc,2}$ shown in Figure 1. By limiting the distance to be $\ell =2$, we prune the states and transitions that cannot reach the state $3^2$. After this operation, the distance-limited Levenshtein automaton with distance $\ell =2$ is shown in Figure 5.

Based on the distance-limited Levenshtein automaton, we can obtain all possible output strings, and the sum of their probabilities is equal to the probability of the input string. According to Equation (14), we can obtain the output probabilities of strings sharing the same Levenshtein distance from an input string. The output probabilities of these strings can be calculated through the string exponential mechanism as

$$\begin{array}{cc}\hfill P{r}_o\left(s_o\right)& ={\displaystyle \frac{\exp (\frac{ϵ\beta (\omega +\beta )}{2\omega }·(\frac{1}{\ell +\beta }+\alpha ))}{{\sum }_{\lambda =0}^{\ell }\exp (\frac{ϵ\beta (\omega +\beta )}{2\omega }·(\frac{1}{\lambda +\beta }+\alpha ))}}·P{r}_i\left(s_i\right)\hfill \\ \hfill & ={\displaystyle \frac{\exp (\frac{ϵ\beta (\omega +\beta )}{2\omega }·(\frac{1}{\ell +\beta }+\alpha ))}{{\sum }_{i=0}^n\left(\genfrac{}{}{0pt}{}{n}{i}\right){(m-1)}^i\exp (\frac{ϵ\beta (\omega +\beta )}{2\omega }·(\frac{1}{i+\beta }+\alpha ))}}·P{r}_i\left(s_i\right),\hfill \end{array}$$

(15)

where $P{r}_i\left(s_i\right)$ is the probability of the input string and m is the number of the substitution strings permitted by the string exponential mechanism with the distance i from the input string. The number of all possible output strings is $\left({\displaystyle \genfrac{}{}{0pt}{}{n}{i}}\right){(m-1)}^i$.

Based on the string exponential mechanism, we propose a substitution string generation mechanism in stochastic systems. The substitution string generation mechanism constructs a probabilistic control policy in the distance-limited Levenshtein automaton to achieve probability control of the output string to satisfy string-$ϵ$-differential privacy.

To determine the probability of outputting every observable event at a state $q\in Q^{\ell }$, we calculate the number of unique paths from this state to the state $q_{\ell }$ and denote this number by $V\left(q\right)$. Given a distance-limited Levenshtein automaton ${\mathcal{A}}^{\ell }=(Q^{\ell },{\Sigma }_o,{\eta }^{\ell },q_{0,0},q_{\ell })$, let $V\left(q_{\ell }\right)=1$, and $q,q^{\prime }\in Q^{\ell }$ be two states with $(q,\sigma ,q^{\prime })\in {\eta }^{\ell }$. For any $\sigma \in {\Sigma }_o$ such that $(q,\sigma ,q^{\prime })\in {\eta }^{\ell }$, we write the number of events that lead the state q to the state $q^{\prime }$ in ${\mathcal{A}}^{\ell }$ as $C_{\sigma }(q,q^{\prime })$. Note that a distance-limited Levenshtein automaton is a deterministic automaton. For convenience, we sometime write ${\eta }^{\ell }(q,\sigma )=q^{\prime }$ as $(q,\sigma ,q^{\prime })\in {\eta }^{\ell }$ for $q,q^{\prime }\in Q^{\ell }$ and $\sigma \in {\Sigma }_o$, as a function can be represented by a relation. Given a distance-limited Levenshtein automaton ${\mathcal{A}}^{\ell }=(Q^{\ell },{\Sigma }_o,{\eta }^{\ell },q_{0,0},q_{\ell })$, we construct the probabilistic-control policy by using Algorithm 1 as follows.

Algorithm 1: Construction of a probabilistic control policy.

In steps 1–10, for any state $q\in Q^{\ell }$ that is coaccessible to state $q_{\ell }$, we find the number of unique paths from it to $q_{\ell }$ by searching backward. Let $V\left(q_{\ell }\right)=1$ for any $q_{\ell }$ and $Q^{\prime }=Q^{\ell }$. Iteratively, $V\left(q\right)$ is obtained by considering a one-step transition at a time, and the states that have been reached at each iteration are collected in $Q_c$. Then, the probability of outputting any event $\sigma \in {\Sigma }_o$ at q can be calculated in steps 11–13. Finally, we reset $Q^{\prime }$ to $Q_c$ and proceed to the next iteration until the initial state is reached. The computational complexity of constructing the policy is $\mathcal{O}\left(\right|\ell \left|\right|{\Sigma }_o\left|\right|Q^{\ell }{|}^2)$.

Note that the values of $V\left(q\right)$ and $p\left({\sigma }_{s_o}^n\right|q)$ are derived from Theorem 2 as follows.

Theorem 2. 

Given a distance-limited Levenshtein automaton ${\mathcal{A}}^{\ell }=(Q^{\ell },{\Sigma }_o,{\eta }^{\ell },q_{0,0},q_{\ell })$, the number of unique paths from a state $q\in Q^{\ell }$ to the state $q_{\ell }$$V\left(q\right)$ is the product of $V\left(q^{\prime }\right)$ and $C_{\sigma }(q,q^{\prime })$, i.e.,

$$\begin{array}{c}\hfill V\left(q\right)=\sum _{(q,\sigma ,q^{\prime })\in {\eta }^{\ell }}{C}_{\sigma }(q,q^{\prime })·V\left(q^{\prime }\right),\end{array}$$

(16)

and the probability of outputting the event ${\sigma }_{s_o}^n\in {\Sigma }_o$ at the state $q=\eta ({\sigma }_{s_o}^1{\sigma }_{s_o}^2\dots {\sigma }_{s_o}^{n-1})\in Q^{\ell }$ is product of $p\left({\sigma }_{s_i}^n\right|\eta ({\sigma }_{s_i}^1{\sigma }_{s_i}^2\dots {\sigma }_{s_i}^{n-1}))$ and the ratio of $V\left(q^{\prime }\right)$ to $V\left(q\right)$, i.e.,

$$\begin{array}{c}\hfill p\left({\sigma }_{s_o}^n\right|q)={\displaystyle \frac{V\left(q^{\prime }\right)}{V\left(q\right)}}·p\left({\sigma }_{s_i}^n\right|\eta ({\sigma }_{s_i}^1{\sigma }_{s_i}^2\dots {\sigma }_{s_i}^{n-1}))\end{array}$$

(17)

where $(q,{\sigma }_{s_o}^n,q^{\prime })\in {\eta }^{\ell }$, and $s_i\in {\Sigma }_o^{\ast }$ is an input string.

Proof. 

For any possible output string $s_o={\sigma }_{s_o}^1\dots {\sigma }_{s_o}^n\in {\Sigma }_o^{\ast }$, the probability of outputting $s_o$ is equal to the product of the probabilities of each event occurrence. According to Equation (17), we have

$$\begin{array}{cc}\hfill P{r}_o\left(s_o\right)& =p\left({\sigma }_{s_o}^1\right|q^0)·p\left({\sigma }_{s_o}^2\right|q^1)·\dots p\left({\sigma }_{s_o}^n\right|q^n)\hfill \\ \hfill & =Pr(s_o,s_i)[d(s_o,s_i)=\ell ]·{\displaystyle \frac{1}{\left(\genfrac{}{}{0pt}{}{n}{\ell }\right){(m-1)}^{\ell }}}·P{r}_i\left(s_i\right)\hfill \\ \hfill & ={\displaystyle \frac{\exp (\frac{ϵ\beta (\omega +\beta )}{2\omega }·(\frac{1}{\ell +\beta }+\alpha ))}{{\sum }_{i=0}^n\left(\genfrac{}{}{0pt}{}{n}{i}\right){(m-1)}^i\exp (\frac{ϵ\beta (\omega +\beta )}{2\omega }·(\frac{1}{i+\beta }+\alpha ))}}·P{r}_i\left(s_i\right).\hfill \end{array}$$

(18)

This equation holds since each possible output string with the same distance from $s_i$ has the same probability. The probability of outputting substitution strings with the same distance from an input string can by calculated by Equation (18), consistent with Equation (15), which completes the proof.    □

Example 7. 

Given a Levenshtein distance $\ell =2$, the distance-limited Levenshtein automaton for all strings of length three with a distance 2 from a string $aab$ is obtained by the method as shown in Figure 6. We remove the generated strings whose Levenshtein distance is not 2 to $aab$. For state $2^1$, events a and b can lead the system from state $2^1$ to reach state $3^2$, and we have $C_{\sigma }(2^1,3^2)=2$ and $V\left(2^1\right)=C_{\sigma }(2^1,3^2)·V\left(3^2\right)=2·1=2$. For the state $1^1$, two reachable states need to be computed separately, i.e., $C_{\sigma }(1^1,2^2)=2$ and $C_{\sigma }(1^1,2^1)=1$. Then, we have $V\left(1^1\right)=C_{\sigma }((1^1,2^2)·V\left(2^2\right)+C_{\sigma }((1^1,2^1)·V\left(2^1\right)=2·1+1·2=4$. In state $1^1$, the output probability of event b is $p\left(b\right|1^1)={\displaystyle \frac{V\left(2^2\right)}{V\left(1^1\right)}}·p\left(a_{s_i}\right|\eta \left(a_{s_i}\right))={\displaystyle \frac{1}{4}}·{\displaystyle \frac{2}{3}}={\displaystyle \frac{1}{6}}$. Similarly, the output probability of every event in every state can be computed, which is marked in red in Figure 6.

This example applies Theorem 2 to compute the probability of each event occurring in each state of the distance-limited Levenshtein automaton shown in Figure 6. By analyzing these event probabilities, we can derive the probability of the output string generated through the substitution string generation mechanism. In many cases, the probability of outputting strings that violate k-step opacity is lower than that of the original system output, demonstrating the effectiveness of the proposed mechanism in enhancing privacy protection.

6. Almost k-Step Opacity Enforcement

6.1. Modified Levenshtein Automaton

Utilizing a substitution string generation mechanism for a system can reduce the probability of strings that violate k-step opacity being output since some strings produced by the substitution string generation mechanism conform to the system language, i.e., they do not breach k-step opacity. However, at some point, this reduction in probability is not enough to make ${\sum }_{s\in L_k^P}Pr\left(s\right)<\theta$. Therefore, a modified Levenshtein automaton is constructed to address this limitation.

Given the observer of a system $O(G,p)=(Q_o,{\Sigma }_o,{\eta }_o,q_{0,o})$ and a distance-limited Levenshtein automaton ${\mathcal{A}}^{\ell }=(Q^{\ell },{\Sigma }_o,{\eta }^{\ell },q_{0,0},q_{\ell })$, a modified Levenshtein automaton is defined as ${\mathcal{A}}_{a,o}=(Q_{a,o},{\Sigma }_o,{\eta }_{a,o},q_{0,a,o},Q_m)$, where $Q_{a,o}=Q^{\ell }\times Q_o$ is the set of states, ${\Sigma }_o$ is the set of observable events, ${\eta }_{a,o}:Q_{a,o}\times {\Sigma }_o\to Q_{a,o}$ is the (partial) transition function, $q_{0,a,o}=(q_{0,0},q_{0,o})$ is the initial state, and $Q_m=\{q_m\in Q_{a,o}|q_m=(q_{\ell },q_o)\}$ is a set of marked states with $q_o\in Q_o$.

We construct a modified Levenshtein automaton ${\mathcal{A}}_{a,o}$ by using Algorithm 2 as follows. Based on the transition function construction method of the product composition in [28], we obtain the transition function of ${\mathcal{A}}_{a,o}$ in steps 3–9. By using the trim operation [28] in step 10, the automaton ${\mathcal{A}}_{a,o}$ is constructed such that all the strings generated by ${\mathcal{A}}_{a,o}$ belong to $L\left(O\left(A_s\right)\right)$, i.e., $P\left[L\left(A_s\right)\right]$. For a string $s_s$ and a distance $\omega$, given ${\mathcal{A}}^{\ell }$ with $\omega |s_s|$ states and $O\left(A_s\right)$ with $2^{\left|Q\right|}$ states, the automaton ${\mathcal{A}}_{a,o}$ has at most $\omega |s_s\left|\right|{\Sigma }_o|2^{\left|Q\right|}$ transitions. Hence, the computational complexity of Algorithm 2 is $\mathcal{O}\left(\omega \right|s_s\left|\right|{\Sigma }_o\left|2^{\left|Q\right|}\right)$.

After obtaining the modified Levenshtein automaton, we use the probabilistic control policy in Algorithm 1 to ensure that the probabilities of outputting substitution strings meet the requirements of differential privacy. Note that there may be multiple states corresponding to the length $|s_s|$. For each $q_{\ell }\in Q^m$, we have $V\left(q_{\ell }\right)=1$.

Algorithm 2: Construction of a modified Levenshtein automaton.

Theorem 3. 

A system $(G,p)$ using a modified Levenshtein automaton ${\mathcal{A}}_{a,o}=(Q_{a,o}$, ${\Sigma }_o$, ${\eta }_{a,o}$, $q_{0,a,o}$, $Q_m)$ to generate output strings is almost k-step opaque.

Proof. 

Since the set of states $Q_{a,o}$ in the modified Levenshtein automaton is constructed by $Q^{\ell }\times Q_o$, $Q_{a,o}\subseteq Q\setminus Q_s$, all output strings s generated by the modified Levenshtein automaton belong to the language of the system, i.e., $s\in L(G,p)$. For all prefixes $\alpha$ of s, ${\widehat{Q}}_G\left(\alpha \right|P\left(s\right))\subseteq Q\setminus Q_s$, i.e., no outputs generated by the modified Levenshtein automaton violate k-step opacity. Therefore, we can obtain the probability of strings violating k-step opacity ${\sum }_{s\in L_k^P}Pr\left(s\right)=0$, which must be less than the given threshold. According to Definition 6, the system can be determined to be almost k-step opaque. □

Example 8. 

Consider system $A_{s_2}$ in Figure 4a. Given the distance $\omega =2$, we use Algorithm 2 to find a modified Levenshtein automaton ${\mathcal{A}}_{a,o}$ and apply a probabilistic control policy in Algorithm 1.

The states $(3,2,\left\{7\right\}),(3,2,\left\{11\right\})\in Q^{\ell }$ have $V\left(q_{\ell }\right)=1$. For the state $(2,1,\{5,6\left\}\right)$, only event c can drive the state to state $(3,2,\{7\left\}\right)$, i.e., $C_{\sigma }((2,1,\{5,6\}),(3,2,\left\{7\right\}))=1$, and we calculate $V\left((2,1,\{5,6\})\right)=C_{\sigma }((2,1,\{5,6\}),(3,2,\left\{7\right\}))·V\left((3,2,\left\{7\right\})\right)=1·1=1$. For the initial state, there are two reachable states, and we have $V\left((0,0,\left\{0\right\})\right)=C_{\sigma }((0,0,\left\{0\right\}),(1,0,\left\{1\right\}))·V\left((1,0,\left\{1\right\})\right)+C_{\sigma }((0,0,\left\{0\right\})$, $(1,1,\{8\left\}\right))·V((1,1,\{8\left\}\right))=1·1+1·1=2$. For event b that occurs at state $(0,0,\{0\left\}\right)$, we obtain $p\left(b\right|(0,0,\left\{0\right\}))={\displaystyle \frac{V\left(\right(1,1,\left\{8\right\}\left)\right)}{V\left(\right(0,0,\left\{0\right\}\left)\right)}}·p\left(a_{s_i}\right|q_0)={\displaystyle \frac{1}{4}}$. Similarly, the output probability of any possible event at all states can be calculated (marked in red) in Figure 7.

The probability of outputting $acc$ as the substitution is

$$P{r}_o\left(acc\right)=p\left(a\right|(0,0,\left\{0\right\}))·p\left(c\right|(1,0,\left\{1\right\}))·p\left(c\right|(2,1,\{5,6\}))·P{r}_i\left(abb\right)={\displaystyle \frac{1}{2}}·1·1·{\displaystyle \frac{1}{3}}={\displaystyle \frac{1}{6}}$$

which is equal to the probability of outputting $bac$ as the substitution $P{r}_o\left(bac\right)$.

In this example, a probabilistic control policy from Algorithm 1 is applied to the distance-limited modified Levenshtein automaton in Figure 4a. Through this example, we can derive the probability distribution of the output strings under the given conditions, ensuring that no strings violating k-step opacity are included. Compared to the output string probabilities in Example 7 and Example 8, the proposed method provides stronger privacy protection, further enhancing the security of the distance-limited modified Levenshtein automaton.

6.2. Enforcement Policies

For some stochastic systems, the substitution string generation mechanism can be used to replace observable sensitive strings and enforce almost k-step opacity. Since a portion of the strings output by the substitution string generation mechanism belongs to the system language, they do not violate k-step opacity, i.e., the probability of outputting the strings that violate k-step opacity decreases.

Example 9. 

As shown in Figure 6, the substitution strings that do not belong to the system language include the prefix-closure of $ab$, $aca$, $bb$, $bb$, $bc$, c, i.e., $ab,aca,bb,baa,c\in L_k^P$. we can calculate ${\sum }_{s\in L_k^P}Pr\left(s\right)=Pr\left(ab\right)+Pr\left(aca\right)+Pr\left(bb\right)+Pr\left(bc\right)+Pr\left(baa\right)+Pr\left(c\right)={\displaystyle \frac{1}{18}}+{\displaystyle \frac{1}{36}}+{\displaystyle \frac{1}{36}}+{\displaystyle \frac{1}{36}}+{\displaystyle \frac{1}{36}}+{\displaystyle \frac{1}{9}}={\displaystyle \frac{5}{18}}$. If the given threshold θ is less than ${\displaystyle \frac{1}{3}}$ and greater than ${\displaystyle \frac{5}{18}}$, then using the substitution string generation mechanism output can make the system satisfy almost k-step opacity.

However, for some systems, the output generated by a substitution string generation mechanism still does not meet the almost k-step opacity. For these systems, we introduce a modified Levenshtein automaton to ensure that all possible output strings belong to the system language and are not sensitive strings.

For a system, the method used depends on the value of $\theta$. When the system requires higher privacy protection (corresponding to the situation where the given $\theta$ is very small), we use a modified Levenshtein automaton to ensure that an attacker will not observe any string that should not be generated.

In Example 9, when the given threshold $\theta$ is less than ${\displaystyle \frac{5}{18}}$, the substitution string generation mechanism will not work. Then, we need to use a modified Levenshtein automaton to determine the output to enforce almost k-step opacity on the system under the differential privacy mechanism.

In some cases, a system that fails to satisfy almost k-step opacity cannot achieve this standard because there may not always exist a safe observation that belongs to the system language and a sensitive string similar to the sensitive string for a given distance, i.e., there is no substitution string that does not violate k-step opacity. For example, consider the following scenario.

Example 10. 

Consider again the automaton $A_{s_1}$ in Figure 3. When the given threshold $\theta =0.2$ is less than ${\sum }_{s\in L_k^P}Pr\left(s\right)$, the system does not satisfy almost k-step opacity. Given the parameter $\omega =2$, all the strings that are adjacent to the sensitive string $abd$ are not in $P\left[L\left(A_{s_1}\right)\right]$, i.e., there does not exist any substitution string that allows the system to achieve almost k-step opacity.

We enforce almost k-step opacity to systems that do not meet this criterion if there are substitution strings that do not violate k-step opacity. For systems with moderate security requirements or a substantial number of substitution strings that do not violate k-step opacity, we employ a substitution string generation mechanism to generate the output. In other cases, a modified Levenshtein automaton is utilized for systems with high privacy protection requirements or fewer substitution strings that do not violate k-step opacity.

Compared with the enforcement of infinite-step opacity and k-step opacity via the insertion mechanism [9], the proposed differential privacy mechanism protects system privacy while retaining the information value of the output. The degree of this retention can be adjusted as needed. The insertion function requires inserting fictitious events into the system output, whereas the differential privacy mechanism developed in this research keeps the length of the output string unchanged. We extend the scope of k-step opacity enforcement to stochastic systems, achieving refined system privacy protection through almost k-step opacity enforcement. Depending on the protection scenario, we use the substitution string generation mechanism for lightweight protection and the modified Levenshtein automaton for higher levels of privacy protection.

6.3. Application

In medical systems, patients’ health data are continuously monitored to provide real-time insights to healthcare providers, enabling timely medical interventions. The health status of patients is modeled as a set of discrete states. Changes in physiological indicators and external events have a probabilistic chance of triggering state transitions, thus modeling the system as a probabilistic automaton. The medical system must allow managers to access data for analysis and count events such as examinations. The disease status of patients is highly sensitive, and external observers should not be able to identify whether a patient is or has been in a specific disease state. Directly altering the strings that lead to secret states or using insertion functions can result in data distortion. A differential privacy mechanism is more suitable for this type of stochastic system, as it preserves the privacy of patients’ health data while maintaining the statistical integrity of the information.

Here is a medical system of monitoring and treating the patient’s condition; it has three possible developments modeled as shown in Figure 8a. State 7 marked in yellow, for which there is a one-third probability of being reached, is related to patients’ privacy, i.e., this state is a secret state. The set of observable events is presented as ${\Sigma }_o=\{a,b,c,d,e\}$ and the event f is unobservable in the system. For outside observers, the observation of the modeling is shown in Figure 8b. In all figures of this section, the probability of an event occurring in each state is marked in red.

By setting parameter $k=2$, the string $adea$ is the sensitive string that must be replaced. Given the distance $\omega =1$, based on the substitution string generation mechanism, we can obtain 16 substitution strings as shown in Figure 9, among which strings $abea$ and $acea$ belong to the system language. It can be calculated that ${\sum }_{s\in L_k^P}Pr\left(s\right)={\displaystyle \frac{7}{24}}$, i.e., an observer who knows all possible output languages of the system has this chance of finding that the system is in the secret state within two steps. The manager of the medical system will set the threshold according to the observer’s situation. When the threshold $\theta$ is set to be less than 7/24, a modified Levenshtein automaton will be used to output strings. We can obtain the modified Levenshtein automaton as shown in Figure 10 according to Algorithm 2. In this case, only stings $abea$ and $acea$ can be output.

In practical applications, the reported strategy in this paper optimizes privacy protection by tailoring enforcement methods to the specific security needs of a system. It provides a balanced approach between security and utility, providing customized measures for systems with varying security requirements. This fine-grained approach enhances system security and resilience.

7. Conclusions

In this paper, we tackle the challenge of enforcing almost k-step opacity in a stochastic partially observed discrete-event system, whose behavior is characterized by a language that is a collection of strings (along with the generation probability) defined over the alphabet of the system. The opacity enforcement is achieved by replacing the sensitive strings with substitution strings. We aim to reduce the likelihood that an attacker can deduce that the system has reached a secret state within k steps from an observed string. A differential privacy mechanism is introduced to enforce almost k-step opacity while maintaining the statistical significance of the output.

We devise a utility function and establish sensitivity bonds to evaluate the information value of substitution strings. A probabilistic control policy based on an exponential mechanism is proposed to ensure that the probabilities of substitution strings meet the requirements of differential privacy. We use a substitution string generation mechanism for lightweight protection and a modified Levenshtein automaton for higher levels. We enforce almost k-step opacity by reducing the probability of strings that violate k-step opacity and realize the refined protection of the system. To move forward, we will explore the use of this tailored differential privacy mechanism to enforce opacity in a decentralized architecture of a discrete event system, where different observational sites may have different substitution string generation mechanisms. Further, it is interesting to explore a system with multiple agents (observers) who may want to disclose each other’s secrets while keeping their own concealed.