
Proceedings of the 3rd international conference on High confidence networked systems: latest papers

User interface design and verification for semi-autonomous driving
Dorsa Sadigh, K. Driggs-Campbell, R. Bajcsy, S. Sastry, S. Seshia
This paper presents a project in its early stages of development, in which we propose a solution to the problem of human interaction with autonomous vehicles. We have devised a method for design of a user interface that displays sufficient and crucial information to the driver. Our contribution in this work is (i) identifying different modes of driving behavior, (ii) building an expectation model of a driver, and (iii) implementing an interface system.
DOI: https://doi.org/10.1145/2566468.2576851 (published 2014-04-15)
Citations: 7
A network interdiction model for analyzing the vulnerability of water distribution systems
L. Perelman, Saurabh Amin
This article presents a network interdiction model to assess the vulnerabilities of a class of physical flow networks. A flow network is modeled by a potential function defined over the nodes and a flow function defined over arcs (links). In particular, the difference in potential function between two nodes is characterized by a nonlinear flux function of the flow on the link between the two nodes. To assess the vulnerability of the network to adversarial attack, the problem is formulated as an attacker-defender network interdiction model. The attacker's objective is to interdict the most valuable links of the network given his resource constraints. The defender's objective is to minimize power loss and the unmet demand in the network. A bi-level approach is explored to identify the most critical links for network interdiction. The applicability of the proposed approach is demonstrated on a reference water distribution network, and its utility toward developing mitigation plans is discussed.
DOI: https://doi.org/10.1145/2566468.2566480 (published 2014-04-15)
Citations: 21
Cyber-insurance framework for large scale interdependent networks
G. Schwartz, S. Sastry
This article presents a framework for managing cyber-risks in large-scale interdependent networks where cyber insurers are strategic players. In our earlier work, we imposed that breach probability of each network node (which we view as a player) is a function of two variables: first, the player's own security action and second, average security of all players. In this article, we formally derive the expression of breach probability from the standard assumptions. For a homogeneous interdependent network (identical users), we provide a solution for optimal security choice of each node in environments without and with cyber insurers present. Then, we introduce a general heterogeneous network (many user types), and derive the expression for network security. Lastly, we consider the network with two user types (normal and malicious), in which we allow one user type (malicious users) to subvert monitoring of the insurers, even if these insurers are able to perfectly enforce security levels of normal users (at zero cost). Our analysis confirms a discrepancy between informal arguments that favor cyber-insurance as a tool to improve network security, and formal models, which tend to view insurance as an instrument of managing risks only. In particular, our results support the case against cyber-insurance as the means of improving security. Our framework helps to identify the crucial network parameters for improving incentives to provide secure networks.
DOI: https://doi.org/10.1145/2566468.2566481 (published 2014-04-15)
Citations: 38
A formal verification approach to revealing stealth attacks on networked control systems
N. Trcka, M. Moulin, S. D. Bopardikar, A. Speranzon
We develop methods to determine if networked control systems can be compromised by stealth attacks, and derive design strategies to secure these systems. A stealth attack is a form of a cyber-physical attack where the adversary compromises the information between the plant and the controller, with the intention to drive the system into a bad state and at the same time stay undetected. We define the discovery problem as a formal verification problem, where generated counterexamples (if any) correspond to actual attack vectors. The analysis is entirely performed in Simulink, using Simulink Design Verifier as the verification engine. A small case study is presented to illustrate the results, and a branch-and-bound algorithm is proposed to perform optimal system securing.
DOI: https://doi.org/10.1145/2566468.2566484 (published 2014-04-15)
Citations: 11
Multilateral trades in interconnected power systems: a local public goods approach
Erik Miehling, D. Teneketzis
We study the multilateral trade problem in interconnected power systems with asymmetric information and non-strategic regional transmission operators (RTOs). We consider a physical network with finite capacity lines connecting the buses within and between RTOs. Each RTO knows the network topology, bus angle constraints, and cost functions within its own region. Each RTO also knows the topology of the network connecting its own region to its neighboring regions and the bus angle constraints of the buses of neighboring RTOs that are immediately connected to its own region. The transmission system is modeled by a modified DC approximation where the power flow equations are represented as convex functions of the angle difference between buses; such an approximation considers lossy flows. The objective is to determine multilateral trades that satisfy the network's informational and physical constraints and minimize the sum of costs of all RTOs. We formulate the above multilateral trade problem as a local public goods problem. We propose a two-layer optimization algorithm that satisfies the problem's informational and physical constraints and results in a sequence of trades that converges to a trade which achieves a local minimum of the corresponding non-convex centralized information multilateral trade problem.
DOI: https://doi.org/10.1145/2566468.2566479 (published 2014-04-15)
Citations: 1
Understanding the security of interoperable medical devices using attack graphs
Curtis R. Taylor, K. Venkatasubramanian, Craig A. Shue
Medical device interoperability is an increasingly prevalent example of how computing and information technology will revolutionize and streamline medical care. The overarching goal of interoperable medical devices (IMDs) is increased safety, usability, decision support, and a decrease in false alarms and clinician cognitive workload. One aspect that has not been considered thus far is ensuring IMDs do not inadvertently harm patients in the presence of malicious adversaries. Security for medical devices has gained some traction in the recent years following some well-publicized attacks on individual devices, such as pacemakers and insulin pumps. This has resulted in solutions being proposed for securing these devices, usually in stand-alone mode. However, the introduction of interoperability makes medical devices increasingly connected and dependent on each other. Therefore, security attacks on IMDs become easier to mount in a stealthy manner with potentially devastating consequences. This work outlines our effort in understanding the threats faced by IMDs, an important first step in eventually designing secure interoperability architectures. In this regard, we present: (1) a detailed attack graph-based analysis of threats on a specific interoperability environment based on providing a patient pain medication (PCA), under various levels of interoperability from simple data aggregation to fully closed-loop control; (2) a description of the mitigation approaches possible for each class of attack vectors identified; and (3) lessons learned from this experience which can be leveraged for improving existing IMD architectures from a security point-of-view. Our analysis demonstrates that even if we use provably safe medical systems in an interoperable setting with a safe interoperability engine, the presence of malicious behavior may render the entire setup unsafe for the patients, unless security is explicitly considered.
DOI: https://doi.org/10.1145/2566468.2566482 (published 2014-04-15)
Citations: 23
Graph-based verification and misbehavior detection in multi-agent networks
Phillip Lee, Omar S. Saleh, Basel Alomair, L. Bushnell, R. Poovendran
Multi-agent networks consist of autonomous nodes, where each node maintains and updates its state based on exchanged information with its neighboring nodes. Due to the collaborative nature of state updates, if one or more nodes were to misbehave by deviating from the pre-specified update rule, they can bias the states of other nodes and thus drive the network to an undesirable state. In this paper, we present a query-based mechanism for a third-party verifier to detect misbehaving nodes. The proposed mechanism consists of two components. The first component determines whether the state of the queried node is consistent with its ideal value. The second component identifies the set of misbehaving nodes that induced the inconsistency. We prove that our approach detects the set of misbehaving nodes, as well as the times of their misbehaviors, by establishing the equivalence of our approach to a tree-generation algorithm. We evaluate our approach through simulation study which corroborates the theoretical guarantees, and analyzes the performance of our scheme as a function of the number of queried nodes.
DOI: https://doi.org/10.1145/2566468.2566477 (published 2014-04-15)
Citations: 2
Passivity framework for modeling, mitigating, and composing attacks on networked systems
R. Poovendran
Cyber-physical systems (CPS) consist of a tight coupling between cyber (sensing and computation) and physical (actuation and control) components. As a result of this coupling, CPS are vulnerable to both known and emerging cyber attacks, which can degrade the safety, availability, and reliability of the system. A key step towards guaranteeing CPS operation in the presence of threats is developing quantitative models of attacks and their impact on the system and express them in the language of CPS. Traditionally, such models have been introduced within the framework of formal methods and verification. In this talk, we present a control-theoretic modeling framework. We demonstrate that the control-theoretic approach can capture the adaptive and time-varying strategic interaction between the adversary and the targeted system. Furthermore, control theory provides a common language in which to describe both the physical dynamics of the system, as well as the impact of the attack and defense. In particular, we provide a passivity-based approach for modeling and mitigating jamming and wormhole attacks. We demonstrate that passivity enables composition of multiple attack and defense mechanisms, allowing characterization of the overall performance of the system under attack. Our view is that the formal methods and the control-based approaches are complementary.
DOI: https://doi.org/10.1145/2566468.2566470 (published 2014-04-15)
Citations: 0
Resilient distributed parameter estimation in heterogeneous time-varying networks
Heath J. LeBlanc, F. Hassan
In this paper, we study a lightweight algorithm for distributed parameter estimation in a heterogeneous network in the presence of adversary nodes. All nodes interact under a local broadcast model of communication in a time-varying network comprised of many inexpensive normal nodes, along with several more expensive, reliable nodes. Either the normal or reliable nodes may be tampered with and overtaken by an adversary, thus becoming an adversary node. The reliable nodes have an accurate estimate of their true parameters, whereas the inexpensive normal nodes communicate and take difference measurements with neighbors in the network in order to better estimate their parameters. The normal nodes are unsure, a priori, about which of their neighbors are normal, reliable, or adversary nodes. However, by sharing information on their local estimates with neighbors, we prove that the resilient iterative distributed estimation (RIDE) algorithm, which utilizes redundancy by removing extreme information, is able to drive the local estimates to their true parameters as long as each normal node is able to interact with a sufficient number of reliable nodes often enough and is not directly influenced by too many adversary nodes.
在本文中,我们研究了在存在敌对节点的异构网络中分布式参数估计的轻量级算法。在一个时变网络中,所有节点都在本地广播通信模型下进行交互,该网络由许多廉价的正常节点以及几个更昂贵、更可靠的节点组成。正常或可靠的节点都可能被对手篡改和超越,从而成为对手节点。可靠的节点对其真实参数有准确的估计,而便宜的正常节点为了更好地估计其参数,与网络中的邻居进行通信和差分测量。正常节点先验地不确定它们的邻居中哪个是正常的、可靠的或敌对的节点。然而,通过与邻居共享局部估计的信息,我们证明了弹性迭代分布式估计(RIDE)算法能够通过去除极端信息来利用冗余,只要每个正常节点能够与足够数量的可靠节点进行足够频繁的交互,并且不受太多敌对节点的直接影响,就能够将局部估计驱动到它们的真实参数。
DOI: https://doi.org/10.1145/2566468.2566476 | Published: 2014-04-15 | Proceedings of the 3rd international conference on High confidence networked systems
Citations: 26
Resilient distributed consensus for tree topology
M. Yampolskiy, Yevgeniy Vorobeychik, X. Koutsoukos, P. Horváth, Heath J. LeBlanc, J. Sztipanovits
Distributed consensus protocols are an important class of distributed algorithms. Recently, an Adversarial Resilient Consensus Protocol (ARC-P) has been proposed which is capable of achieving consensus despite false information provided by a limited number of malicious nodes. In order to withstand false information, this algorithm requires a mesh-like topology, so that multiple alternative information flow paths exist. However, these assumptions are not always valid. For instance, in Smart Grid, an emerging distributed CPS, the node connectivity is expected to resemble the scale-free network topology. Especially closer to the end customer, in home and building area networks, the connectivity graph resembles a tree structure. In this paper, we propose a Range-based Adversary Resilient Consensus Protocol (R.ARC-P). Three aspects distinguish R.ARC-P from its predecessor: This protocol operates on the tree topology, it distinguishes between trustworthiness of nodes in the immediate neighborhood, and it uses a valid value range in order to reduce the number of nodes considered as outliers. R.ARC-P is capable of reaching global consensus among all genuine nodes in the tree if assumptions about maximal number of malicious nodes in the neighborhood hold. In the case that this assumption is wrong, it is still possible to reach Strong Partial Consensus, i.e., consensus between leaves of at least two different parents.
DOI: https://doi.org/10.1145/2566468.2566485 | Published: 2014-04-15 | Proceedings of the 3rd international conference on High confidence networked systems
Citations: 4