1 Introduction

Cyber-physical systems (CPSs) exhibit a tight conjoining of computational and physical components. The fact that any breach in the cyberspace can have a tangible effect on the physical world has recently triggered attention toward cybersecurity also within the engineering community [1, 2]. In CPSs, attacks on the cyber-layer are mainly categorized as either denial-of-service (DoS) attacks or deception attacks. The latter affect the reliability of data by manipulating the packets transmitted over the network; see [3, 4]. On the other hand, DoS attacks are primarily intended to affect the timeliness of the information exchange, i.e., to cause packet losses; see for instance [5, 6] for an introduction to the topic. This chapter aims at considering the effect of DoS attacks.

In the literature, the issue of resilience against DoS has been mostly investigated in centralized settings [7,8,9,10,11,12,13,14]. Very recently, [15, 16] explored this problem in a distributed setting with emphasis on consensus-like networks. The main goal of this chapter is to address the issue of resilience against DoS for network coordination problems in which node dynamics are more general than simple integrators. Specifically, we study synchronization networks of the same type as in [17]. Inspired by [18] and [19], we consider a Self-Triggered coordination scheme, in which the information available to each agent is used to update local controls and to specify the next update time. We consider Self-Triggered coordination schemes since they are of major interest when synchronization has to be achieved in spite of possibly severe communication constraints. In this respect, a remarkable feature of Self-Triggered coordination lies in the possibility of ensuring coordination properties in the absence of any global information on the graph topology and with no need to resort to synchronous communication.

The primary step in the analysis of distributed coordination problems in the presence of DoS pertains to the modeling of DoS itself. In [12, 13], a general model is considered that only constrains DoS patterns in terms of their average frequency and duration. This makes it possible to describe a wide range of DoS-generating signals, e.g., trivial, periodic, random, and protocol-aware jamming [5, 6, 20, 21]. The occurrence of DoS has a different effect on the communication, depending on the network architecture. For networks operating through a single access point, in the so-called “infrastructure” mode, DoS may cause all the network links to fail simultaneously [15]. In this chapter, we consider instead a more general scenario in which the network links can fail independently of each other, thus extending the analysis to “ad-hoc” (peer-to-peer) network architectures. In this respect, a main contribution of this chapter is an explicit characterization of the frequency and duration of DoS at the various network links under which coordination can be preserved. In addition to extending the results of [19] to independent polling of neighbors, we also provide an explicit characterization of the effects of DoS on the coordination time. A preliminary and incomplete account of this work without the relevant proofs has appeared in [22].

The problem of network coordination under communication failures can be viewed as a coordination problem in the presence of switching topologies. For purely continuous-time systems, this problem has been thoroughly investigated under assumptions such as point-wise, period-wise, and joint connectivity [23,24,25]. In CPSs, however, due to the presence of a digital communication layer, the situation is drastically different. In fact, the presence of a digital communication layer implies that the time span between any two consecutive transmissions cannot be arbitrarily small. As a consequence, the classic connectivity notions developed for purely continuous-time systems are not directly applicable to a digital setting such as the one considered here. In this respect, we introduce a notion of persistency-of-communication (PoC), which requires graph (link) connectivity to be satisfied over periods of time that are consistent with the constraints imposed by the communication medium [15, 16].

The remainder of this chapter is organized as follows. In Sect. 11.2, we formulate the problem of interest and provide the results for Self-Triggered synchronization. In Sect. 11.3, we describe the considered class of DoS patterns. The main results are provided in Sect. 11.4. A numerical example is given in Sect. 11.5. Finally, Sect. 11.6 ends the chapter with concluding remarks.

Notation: The following notation is used throughout this chapter. The stacking of N column vectors \(x_1,\,x_2,\dots ,\,x_n\) is denoted by x, i.e., \(x=\begin{bmatrix} x_1^\top&x_2^\top&\dots&x_n^\top \end{bmatrix}^\top \). The N-dimensional identity matrix is denoted by \(I_N\). Vectors of all ones and zeros are denoted by \(\mathbf {1}\) and \(\mathbf 0\), respectively. The \(\ell \)th component of vector x is denoted by \(x_\ell \) or, interchangeably, by \([x]_{\ell }\).

2 Self-Triggered Synchronization

2.1 System Definition

We consider a connected and undirected graph \({\mathscr {G}} = ({\mathscr {I}}, {\mathscr {E}})\), where \({\mathscr {I}}:=\{1,2,\cdots ,N\}\) is the set of nodes and \({\mathscr {E}} \subseteq \mathscr {I}\times \mathscr {I}\) is the set of links (edges). Given a node \(i\in \mathscr {I}\), we shall denote by \({\mathscr {N}}_i = \{j\in {\mathscr {I}}:(i,j)\in {\mathscr {E}} \}\) the set of its neighbors, i.e., the set of nodes that exchange information with node i, and by \(d^i =|{\mathscr {N}}_{i}|\) the cardinality of \({\mathscr {N}}_{i}\). Notice that the order of the elements i and j in \((i,j)\) is irrelevant since the graph is assumed undirected. Throughout the chapter, we shall refer to \({\mathscr {G}}\) as the “nominal” network (the network configuration when communication is allowed for every link).

We assume that each network node is a dynamical system consisting of a linear oscillator with dynamics

$$\begin{aligned} \dot{x}^i=A{x}^i+Bu^i \end{aligned}$$
(11.1)

where \((A,B)\) is a stabilizable pair and all eigenvalues of A lie on the imaginary axis with unitary geometric multiplicity; \(x^i, u^{i}\in {\mathbb R}^n\) represent node state and control variables. The network nodes exchange information according to the configuration described by the links of \({\mathscr {G}}\). To achieve synchronization with constrained flow of information, we employ a hybrid controller with state variables \((x,\eta ,\xi ,\theta )\in \mathbb {R}^{n \times N}\times \mathbb {R}^{n \times N}\times \mathbb {R}^{n \times d} \times \mathbb {R}^{n \times d}\), where \(d:=\sum _{i=1}^N d^i\). The controller also makes use of a quantization function.

The specific quantizer of choice is \({\text {sign}}_\varepsilon : {\mathbb R} \rightarrow \{-1,0,1\}\), which is given by

$$\begin{aligned} {\text {sign}}_\varepsilon (z) :={\left\{ \begin{array}{ll} \text {sign}(z) &{} \text {if}\, |z|\ge \varepsilon \\ 0 &{} \text {otherwise} \end{array}\right. } \end{aligned}$$
(11.2)

where \(\varepsilon >0\) is a sensitivity parameter, which is selected at the design stage to trade-off between synchronization accuracy and communication frequency. The flow dynamics are given by

$$\begin{aligned}&\dot{\eta }^i=(A+BK){\eta }^i+\sum _{j\in {\mathscr {N}}_i }\xi ^{ij}\end{aligned}$$
(11.3a)
$$\begin{aligned}&\dot{\xi }^{ij}=A\xi ^{ij} \end{aligned}$$
(11.3b)
$$\begin{aligned}&\dot{\theta }^{ij}=-{\mathbf 1} \end{aligned}$$
(11.3c)
$$\begin{aligned}&u^i=K\eta ^i, \end{aligned}$$
(11.3d)

where \(A+BK\) is Hurwitz; \(\eta ^i \in {\mathbb R} ^{n}\) and \(\xi ^{ij} \in {\mathbb R} ^{n}\) are controller states, and \({\theta }^{ij}\in {\mathbb R}^{n}\) is the local clock over the link \((i,j) \in \mathscr {E}\), where \(\theta ^{ij}(0)=0\). As will become clear in the sequel, the superscript “ij” appearing in \(\xi \) and \(\theta \) indicates that these variables are common to nodes i and j. The continuous evolution of the edge-based controller dynamics holds as long as the set

$$\begin{aligned} {\mathscr {S}}(\theta ,t):=\{ (i,j,\ell ) \in {\mathscr {I}} \times {\mathscr {I}}\times {\mathscr {L}} : {\theta }^{ij}_{\ell }(t^-)=0 \} \end{aligned}$$
(11.4)

is nonempty, where \(s(t^-)\) denotes the limit from below of a signal s(t), i.e., \(s(t^-) = \lim _{\tau \nearrow t} s(\tau )\), and where \(\ell \in {\mathscr {L}}:=\{1,2,\dots ,n\}\). At these time instants, in the “nominal” operating mode, a discrete transition (jump) occurs, which is given by

(11.5)

for every \(i\in {\mathscr {I}}\), \(j\in {\mathscr {N}}_i\), and \(\ell \in {\mathscr {L}}\).

Here, \({\mathscr {D}}^{ij}(\alpha (t))=\alpha ^j(t)-\alpha ^i(t)\) and \(f^{ij}_{\ell }: \mathbb {R}^n \rightarrow \mathbb {R}_{>0}\) is given by

$$\begin{aligned} f_{\ell }^{ij}(x)= \max \left\{ \frac{\left| \left[ e^{-At}{\mathscr {D}}^{ij}(\eta (t)-x(t))\right] _{\ell }\right| }{2(d^i+d^j)}, \frac{\varepsilon }{2(d^i+d^j)}\right\} . \end{aligned}$$
(11.6)

Note that for all \((i,j) \in {\mathscr {E}}\) we have \(\theta ^{ij}(t)=\theta ^{ji}(t)\) and \(\xi ^{ij}(t)=-\xi ^{ji}(t)\) for all \(t \in \mathbb R_{\geqslant 0}\). As such, (11.1)–(11.5) can be regarded as an edge-based synchronization protocol. Here, the term “Self-Triggered”, first adopted in the context of real-time systems [26], expresses the property that the data exchange between nodes is driven by local clocks, which avoids the need for a common global clock.

A few comments are in order.

Remark 11.1

(Controller structure) The controller emulates the node dynamics (11.1), with an extra coupling term as done in [17]. The coupling is through the variable \(\xi ^{ij}\), which is updated at discrete times and emulates the open-loop behavior of (11.1) during the controller's continuous evolution [19]. Slightly different from [17], the coupling term \(\xi ^{ij}\) takes into account the discrepancy between node and controller states. This choice of coupling is due to the use of the quantizer (11.2), which triggers at discrete instants.        \(\blacksquare \)

Remark 11.2

(Clock variable \(\theta ^{ij}_\ell \)) Each clock variable \(\theta ^{ij}_\ell \) plans ahead the update time of component \(\ell \) of controller state \(\xi ^{ij}\). Whenever \(\theta ^{ij}_\ell \) reaches zero, the \(\ell \)th component of the controller state and clock variables is updated. In order to avoid arbitrarily fast sampling (Zeno phenomena), we use the threshold \(\varepsilon \) in the update of the function \(f^{ij}\) in (11.6). In particular, this implies that for every edge \((i,j) \in \mathscr {E}\) and for any time \({\mathscr {T}}\), no more than \(n \lfloor \frac{2(d^i+d^j){\mathscr {T}}}{\varepsilon } +1\rfloor \) updates can occur over an interval of length \(\mathscr {T}\).        \(\blacksquare \)

2.2 Practical Self-Triggered Synchronization

Inspired by [17], we analyze (11.1)–(11.5) using the change of coordinates

$$\begin{aligned} \begin{aligned}&x^i(t)=x^i(t)\\&\mathscr {X}^i(t)=e^{-At}(\eta ^i(t)-x^i(t))\\&{\mathscr {U}}^{ij}(t)=e^{-At}\xi ^{ij}(t)\\&\theta ^{ij}(t)=\theta ^{ij}(t).\\ \end{aligned} \end{aligned}$$
(11.7)

Accordingly, the network-state variables become \((x,\mathscr {X},\mathscr {U},\theta )\in \mathbb {R}^{n \times N}\times \mathbb {R}^{n \times N}\times \mathbb {R}^{n \times d} \times \mathbb {R}^{n \times d}\) with corresponding flow dynamics

$$\begin{aligned}&\dot{x}^i(t)=(A+BK)x^i(t)+BKe^{At}\mathscr {X}^i(t) \end{aligned}$$
(11.8a)
$$\begin{aligned}&\dot{\mathscr {X}}^i(t)=\sum _{j\in {\mathscr {N}}_i} \mathscr {U}^{ij} \\&\dot{\mathscr {U}}^{ij}(t)={\mathbf 0} \\&\dot{\theta }^{ij}(t)=-{\mathbf 1} \end{aligned}$$
(11.8b)

and discrete transitions (jumps)

$$\begin{aligned}&x^{i}_\ell (t)=x^{i}_\ell (t^-)\end{aligned}$$
(11.9a)
$$\begin{aligned}&{\mathscr {X}}^{i}_\ell (t)={\mathscr {X}}^{i}_\ell (t^-) \\&{\mathscr {U}}^{ij}_{\ell }(t)={\left\{ \begin{array}{ll} {\text {sign}}_\varepsilon ({\mathscr {D}}^{ij}_\ell (\mathscr {X}(t))) &{} \text {if} \,(i,j,\ell ) \in {\mathscr {S}}(\theta ,t) \\ {\mathscr {U}}^{ij}_{\ell }(t^-) &{} \text {otherwise} \end{array}\right. } \\&{\theta }^{ij}_{\ell }(t)={\left\{ \begin{array}{ll} g^{ij}_{\ell }(\mathscr {X}(t)) &{} \text {if} \,(i,j,\ell ) \in {\mathscr {S}}(\theta ,t) \\ {\theta }^{ij}_{\ell }(t^-) &{} \text {otherwise} \end{array}\right. } \end{aligned}$$
(11.9b)

where \((i,j,\ell ) \in {\mathscr {I}} \times {\mathscr {I}}\times {\mathscr {L}}\) and

$$\begin{aligned} g_{\ell }^{ij}(\mathscr {X}(t))= \max \left\{ \frac{\left| {\mathscr {D}}^{ij}_\ell ({\mathscr {X}}(t))\right| }{2(d^i+d^j)}, \frac{\varepsilon }{2(d^i+d^j)}\right\} . \end{aligned}$$
(11.10)

Notice that the notion of local time in both coordinates is the same. The reason for considering this change of coordinates is to transform the original synchronization problem into a consensus problem that involves integrator variables \({\mathscr {X}}^{i}\).

The result which follows is the main result of this section.

Theorem 11.1

(Practical Synchronization) Let all the eigenvalues of A lie on the imaginary axis with geometric multiplicity equal to one. Let \((x,\mathscr {X}, \mathscr {U}, \theta )\) be the solution to system (11.8) and (11.9). Then, there exists a finite time T such that \(\mathscr {X}\) converges within the time T to a point \({\mathscr {X}}_*=[{{\mathscr {X}}_*^1}^\top ,\dots ,{{\mathscr {X}}_*^N}^\top ]^\top \) in the set

$$\begin{aligned} \begin{aligned} \mathscr {E}:= \left\{ \mathscr {X}\in \mathbb {R}^{n N}:{|{\mathscr {D}}^{ij}_\ell ({\mathscr {X}})|< \delta \quad \forall \, (i,j,\ell ) \, \in \mathscr {I}\times \mathscr {I}\times {\mathscr {L}} } \right\} , \end{aligned} \end{aligned}$$
(11.11)

where \(\delta =\varepsilon (N-1)\), and \(\mathscr {U}(t)=\varvec{0}\) for all \(t\ge T\). Moreover, for any arbitrarily small \(\varepsilon _c \in \mathbb {R}_{>0}\) there exists a time \(T_c(\varepsilon _c) \geqslant T\) such that

$$\begin{aligned} \begin{aligned} \big |x^i_\ell (t)-x^j_\ell (t) \big |< 2\varepsilon _c+\sqrt{n}\, \delta \quad \forall (i,j,\ell ) \, \in \mathscr {I}\times \mathscr {I}\times {\mathscr {L}} \end{aligned} \end{aligned}$$
(11.12)

for all \(t \geqslant T_c(\varepsilon _c)\), where n is the dimension of the vector x.

Proof

See the appendix.        \(\blacksquare \)

Equations (11.11) and (11.12) involve a notion of “practical” synchronization. This amounts to saying that the solutions eventually synchronize up to an error, which can be made as small as desired by reducing \(\varepsilon \) (at the expense of an increase in the communication cost since, in view of (11.6), the minimum inter-transmission time decreases with \(\varepsilon \)). Theorem 11.1 will be used as a reference frame for the analysis of Sect. 11.4. The case of asymptotic synchronization can be pursued along the lines of [18].

3 Network Denial-of-Service

We shall refer to denial-of-service (DoS, in short) as the phenomenon by which communication between the network nodes is interrupted. We shall consider the very general scenario in which the network communication links can fail independently of each other. From the perspective of modeling, this amounts to considering multiple DoS signals, one for each network communication link.

3.1 DoS Characterization

Let \(\{h_n^{ij}\}_{n\in \mathbb {Z}_{\ge 0}}\) with \({h_0^{ij}} {\ge 0} \) denote the sequence of DoS off/on transitions affecting the link \((i,j)\), namely the sequence of time instants at which the DoS status on the link \((i,j)\) exhibits a transition from zero (communication is possible) to one (communication is interrupted). Then

(11.13)

represents the nth DoS time-interval, of a length \(\tau _n^{ij}\in {\mathbb {R}_{\geqslant 0}}\), during which communication on the link \((i,j)\) is not possible.

Given \({t,\tau }\in \mathbb {R}_{ \ge 0}\), with \(t \ge \tau \), let

$$\begin{aligned} \varXi ^{ij} (\tau ,t):=\mathop \bigcup \limits _{n\in {\mathbb {Z}_{\ge 0}}} H_n^{ij} \bigcap {[\tau ,t ]} \end{aligned}$$
(11.14)

and

$$\begin{aligned} \varTheta ^{ij} (\tau ,t):= [\tau ,t ] \; \backslash \; \varXi ^{ij} (\tau ,t) \end{aligned}$$
(11.15)

where \(\backslash \) denotes relative complement. In words, for each interval \([\tau ,t]\), \(\varXi ^{ij} (\tau ,t)\) and \(\varTheta ^{ij} (\tau ,t)\) represent the sets of time instants where communication on the link \((i,j)\) is denied and allowed, respectively.

The first question to be addressed is that of determining a suitable modeling framework for DoS. Following [13], we consider a general model that only constrains DoS attacks in terms of their average frequency and duration. Let \(n^{ij}(\tau ,t)\) denote the number of DoS off/on transitions on the link \((i,j)\) occurring on the interval \([\tau ,t ]\).

Assumption 11.2

(DoS frequency) For each \((i,j) \in {\mathscr {E}}\), there exist \(\eta ^{ij} \in \mathbb {R}_{ \ge 0}\) and \({\tau _f^{ij}} \in \mathbb {R}_{ > 0}\) such that

$$\begin{aligned} n^{ij} (\tau ,t) \le \eta ^{ij} + \frac{t - \tau }{\tau _f^{ij}} \end{aligned}$$
(11.16)

for all \({t,\tau }\in \mathbb {R}_{ \ge 0}\) with \(t \ge \tau \).        \(\blacksquare \)

Assumption 11.3

(DoS duration) For each \((i,j) \in {\mathscr {E}}\), there exist \(\kappa ^{ij} \in \mathbb {R}_{ \ge 0}\) and \({\tau _d^{ij}} \in \mathbb {R}_{ > 1}\) such that

$$\begin{aligned} |\varXi ^{ij} (\tau ,t) |\le \kappa ^{ij} + \frac{t - \tau }{\tau _d^{ij}} \end{aligned}$$
(11.17)

for all \({t,\tau }\in \mathbb {R}_{\ge 0}\) with \(t \ge \tau \).        \(\blacksquare \)

In Assumption 11.2, the term “frequency” stems from the fact that \(\tau _f^{ij}\) provides a measure of the “dwell time” between any two consecutive DoS intervals on the link \((i,j)\). The quantity \(\eta ^{ij}\) is needed to render (11.16) self-consistent when \(t=\tau =h_n^{ij}\) for some \(n \in \mathbb Z_{\geqslant 0}\), in which case \(n^{ij} (\tau ,t)=1\). Likewise, in Assumption 11.3, the term “duration” is motivated by the fact that \(\tau _d^{ij}\) provides a measure of the fraction of time (\({\tau _d^{ij}} > 1\)) the link \((i,j)\) is under DoS. Like \(\eta ^{ij}\), the constant \(\kappa ^{ij}\) plays the role of a regularization term. It is needed because during a DoS interval, one has \(|\varXi (h_n^{ij},h_n^{ij}+\tau _n^{ij})| = \tau _n^{ij} \geqslant \tau _n^{ij} /\tau _d^{ij}\) since \({\tau _d^{ij}}>1\), with \( \tau _n^{ij} = \tau _n^{ij} /\tau _d^{ij}\) if and only if \( \tau _n^{ij} =0\). Hence, \(\kappa ^{ij}\) serves to make (11.17) self-consistent. Thanks to the quantities \(\eta ^{ij}\) and \(\kappa ^{ij}\), DoS frequency and duration are both average quantities.

3.2 Discussion

The considered assumptions only pose limitations on the frequency of the DoS status and its duration. As such, this characterization can capture many different scenarios, including trivial, periodic, random and protocol-aware jamming [5, 6, 20, 21]. For the sake of simplicity, we limit our discussion to the case of radio frequency (RF) jammers, although similar considerations can be made with respect to spoofing-like threats [27].

Consider for instance the case of constant jamming, which is one of the most common threats that may occur in a wireless network [5, 28]. By continuously emitting RF signals on the wireless medium, this type of jamming can lower the packet send ratio (PSR) for transmitters employing carrier sensing as a medium access policy as well as lower the packet delivery ratio (PDR) by corrupting packets at the receiver. In general, the percentage of packet losses caused by this type of jammer depends on the jamming-to-signal ratio and can be difficult to quantify as it depends, among many things, on the type of anti-jamming devices, the possibility to adapt the signal strength threshold for carrier sensing, and the interference signal power, which may vary with time. In fact, there are several provisions that can be taken in order to mitigate DoS attacks, including spreading techniques, high-pass filtering, and encoding [21, 29]. These provisions decrease the chance that a DoS attack will be successful, and, as such, limit in practice the frequency and duration of the time intervals over which communication is effectively denied. This is nicely captured by the considered formulation.

As another example, consider the case of reactive jamming [5, 28]. By exploiting the knowledge of the 802.1i MAC layer protocols, a jammer may restrict the RF signal to the packet transmissions. The collision period need not be long since with many CRC error checks a single-bit error can corrupt an entire frame. Accordingly, jamming takes the form of a (high-power) burst of noise, whose duration is determined by the length of the symbols to corrupt [29, 30]. Also, this case can be nicely accounted for via the considered assumptions.

4 Main Result

4.1 Resilient Self-Triggered Synchronization

When DoS disrupts link communications, the former controller state \(\xi ^{ij}_\ell \) is not available any more. In order to compensate for the communication failures, the control action is suitably modified as follows during the controller discrete updates,

$$\begin{aligned} \begin{aligned}&x^{i}_\ell (t)=x^{i}_\ell (t^-) \\&{\mathscr {X}}^{i}_\ell (t)={\mathscr {X}}^{i}_\ell (t^-) \\&{\mathscr {U}}^{ij}_{\ell }(t)={\left\{ \begin{array}{ll} {\text {sign}}_\varepsilon {({\mathscr {D}}^{ij}_\ell (\mathscr {X}))} &{} \text {if} \, (i,j,\ell )\in {\mathscr {S}}(\theta ,t) \wedge t\in \varTheta ^{ij}(0,t) \\ 0 &{} \text {if} \, (i,j,\ell )\in {\mathscr {S}}(\theta ,t) \wedge t\in \varXi ^{ij}(0,t) \\ {\mathscr {U}}^{ij}_{\ell }(t^-) &{} \text {otherwise} \end{array}\right. } \\&{\theta }^{ij}_{\ell }(t)={\left\{ \begin{array}{ll} g^{ij}_{\ell }(t) &{} \text {if} \, (i,j,\ell )\in {\mathscr {S}}(\theta ,t) \wedge t\in \varTheta ^{ij}(0,t) \\ \displaystyle \frac{\varepsilon }{2(d^i+d^j)} &{} \text {if} \, (i,j,\ell )\in {\mathscr {S}}(\theta ,t) \wedge t\in \varXi ^{ij}(0,t) \\ {\theta }^{ij}_{\ell }(t^-) &{} \text {otherwise} \end{array}\right. } \end{aligned} \end{aligned}$$
(11.18)

In words, the control action \(\mathscr {U}^{ij}\) is reset to zero whenever the link \((i,j)\) is in DoS status. In addition to \(\mathscr {U}\), also the local clocks are modified upon DoS, yielding a two-mode sampling logic. Let \(\{t^{ij}_{\ell _k}\}_{\ell _k\in \mathbb {Z}_{\ge 0}}\) denote the sequence of transmission attempts for the \(\ell \)th component of \(\xi ^{ij}\) over the link \((i,j) \in \mathscr {E}\). Then, when a communication attempt is successful \(t^{ij}_{\ell _{k+1}}=t^{ij}_{\ell _k}+g_{\ell }^{ij}(t)\), and when it is unsuccessful \(t^{ij}_{\ell _{k+1}}=t^{ij}_{\ell _k}+\varepsilon /(2(d^i+d^j))\).

In order to characterize the overall network behavior in the presence of DoS, the analysis is subdivided into two main steps: (i) we first prove that all the edge-based controllers eventually stop updating their local controls; and (ii) we then provide conditions on the DoS frequency and duration such that synchronization, in the sense of (11.12), is preserved. This is achieved by resorting to a notion of persistency-of-communication (PoC), which naturally extends the PoE condition [25] to a digital networked setting by requiring graph connectivity over periods of time that are consistent with the constraints imposed by the communication medium.

As for (i), we have the following result.

Proposition 11.1

(Convergence of the solutions) Let \((x,\mathscr {X}, \mathscr {U}, \theta )\) be the solutions to (11.8) and (11.18). Then, there exists a finite time \(T_*\) such that, for any \((i,j) \in {\mathscr {E}} \), it holds that \(\mathscr {U}^{ij}_\ell (t)=0\) for all \(\ell \in {\mathscr {L}}\) and for all \(t \geqslant T_*\).

Proof

See the appendix.        \(\blacksquare \)

The above result does not allow one to conclude anything about the final disagreement vector in the sense that given a pair of nodes \((i,j)\), the asymptotic value of \(|\mathscr {X}_\ell ^j(t)-\mathscr {X}_\ell ^i(t) |\) and/or \(|x^j_\ell (t)-x^i_\ell (t) |\) can be arbitrarily large. As an example, if node i is never allowed to communicate then \(\mathscr {X}^i(t)=\mathscr {X}^i(0)\) and the oscillator state \(x^i(t)\) satisfies \(\dot{x}^i(t) =Ax^i(t)\) with initial condition \(-\mathscr {X}^i(0)\) for all \(t \in \mathbb R_{\geqslant 0}\). In order to recover the same conclusions as in Theorem 11.1, bounds on DoS frequency and duration have to be enforced. The result which follows provides one such characterization. Let \((i,j) \in {\mathscr {E}}\) be a generic network link, and consider a DoS sequence on \((i,j)\), which satisfies Assumptions 11.2 and 11.3. Define

$$\begin{aligned} \alpha ^{ij}:= \frac{1}{\tau ^{ij}_d}+\frac{\varDelta ^{ij}_*}{\tau ^{ij}_f} \end{aligned}$$
(11.19)

where

$$\begin{aligned} \varDelta ^{ij}_*:= \frac{\varepsilon }{2(d^i+d^j)}. \end{aligned}$$
(11.20)

As for (ii), we have the following result.

Proposition 11.2

(Persistency-of-communication (PoC)) Consider any link \((i,j) \in {\mathscr {E}}\) employing the transmission protocol (11.18). Also consider any DoS sequence on \((i,j)\), which satisfies Assumptions 11.2 and 11.3 with \(\eta ^{ij}\) and \(\kappa ^{ij}\) arbitrary, and \(\tau ^{ij}_d\) and \(\tau ^{ij}_f\) such that \(\alpha ^{ij} < 1\). Let

$$\begin{aligned} \varPhi ^{ij}:= \frac{\kappa ^{ij}+ (\eta ^{ij} +1)\varDelta _*^{ij}}{1-\alpha ^{ij}}. \end{aligned}$$
(11.21)

Then, for any given unsuccessful transmission attempt \(t^{ij}_{\ell _k}\), at least one successful transmission occurs over the link \((i,j)\) within the interval \([t^{ij}_{\ell _k},t^{ij}_{\ell _k}+\varPhi ^{ij}]\).

Proof

See the appendix.        \(\blacksquare \)

The following result extends the conclusions of Theorem 11.1 to the presence of DoS.

Theorem 11.4

Let \((x,\mathscr {X}, \mathscr {U}, \theta )\) be the solution to (11.8) and (11.18). For each \((i,j) \in \mathscr {E}\), consider any DoS sequence that satisfies Assumptions 11.2 and 11.3 with \(\eta ^{ij}\) and \(\kappa ^{ij}\) arbitrary, and \(\tau ^{ij}_d\) and \(\tau ^{ij}_f\) such that \(\alpha ^{ij} < 1\). Then, \(\mathscr {X}\) converges in a finite time \(T_*\) to a point \(\mathscr {X}^*\) in (11.11), and \(\mathscr {U}(t)=\varvec{0}\) for all \(t\ge T_*\). Moreover, for every \(\varepsilon _c \in \mathbb {R}_{>0}\) there exists a time \(T_c(\varepsilon _c) \geqslant T_*\) such that (11.12) is satisfied for all \(t \geqslant T_c(\varepsilon _c)\).

Proof

By Proposition 11.1, all the local controls become zero in a finite time \(T_*\). In turn, Proposition 11.2 excludes that this is due to the persistence of a DoS status. Then the result follows along the same lines as in Theorem 11.1.        \(\blacksquare \)

Remark 11.3

One main reason for considering DoS comes from studying network coordination problems in the presence of possibly malicious attacks. In fact, the proposed modeling framework allows one to consider DoS patterns that need not follow a given class of probability distribution, which is instead a common hypothesis when dealing with “genuine” DoS phenomena such as network congestion or communication errors due to low-quality channels. In this respect, [16] discusses how genuine DoS can be incorporated into this modeling framework.        \(\blacksquare \)

4.2 Effect of DoS on the Synchronization Time

By Theorem 11.4, \(\dot{\mathscr {X}}\) becomes zero in a finite time \(T_*\) after which the network states x exponentially synchronize. Thus, it is of interest to characterize \(T_*\), which amounts to characterizing the effect of DoS on the time needed to achieve synchronization.

Lemma 11.1

(Bound on the convergence time) Consider the same assumptions as in Theorem 11.4. Then,

$$\begin{aligned} T_* \leqslant \left[ \frac{1}{\varepsilon } + \frac{ d_\mathrm{{max} }}{\varepsilon d_\mathrm{{min} }} + \frac{4 d_\mathrm{{max} }}{\varepsilon ^2} \varPhi \right] \sum _{i \in \mathscr {I}} \sum _{\ell \in \mathscr {L}}(\eta _\ell ^i(0)-x_\ell ^i(0))^2, \end{aligned}$$
(11.22)

where \(d_\mathrm{{min} }:= \min _{i \in \mathscr {I}}d^i\) and \(\varPhi := \max _{(i,j) \in \mathscr {E}} \varPhi ^{ij}\).

Proof

Consider the same Lyapunov function V as in the proof of Theorem 11.1. Notice that, by construction of the control law and the scheduling policy, for every successful transmission \(t^{ij}_{\ell _k}\) characterized by \(|{\mathscr {D}}^{ij}_\ell (\mathscr {X}(t^{ij}_{\ell _k}))| \geqslant \varepsilon \), the function V decreases with rate not less than \(\varepsilon /2\) for at least \(\varepsilon /(4 d_\mathrm{{max} })\) units of time, in which case V decreases by at least \(\varepsilon ^2 / (8 d_\mathrm{{max} }) =: \varepsilon _*\). Considering all the network links, such transmissions are in total no more than \(\lfloor V(0)/\varepsilon _* \rfloor \) since, otherwise, the function V would become negative. Hence, it only remains to compute the time needed to have \(\lfloor V(0)/\varepsilon _* \rfloor \) of such transmissions. In this respect, pick any \(t^*_\ell \geqslant 0\) such that consensus has still not been reached on the \({\ell }\)th component of \(\mathscr {X}\). Note that we can have \(\mathscr {U}^{ij}_\ell (t^*_\ell )=0\) for all \((i,j) \in \mathscr {E}\). However, this condition can last only for a limited amount of time. In fact, if \(\mathscr {U}^{ij}_\ell (t^*_\ell )=0\) then the next transmission attempt, say \(l^{ij}_{\ell }\), over the link \((i,j)\) and component \(\ell \) will necessarily occur at a time less than or equal to \(t_\ell ^*+\varDelta ^{ij}_*\) with \(\varDelta ^{ij}_* \leqslant \varepsilon /(4 d_\mathrm{{min} })\). Let \(\mathscr {Q}:= [t^*_\ell ,t^*_\ell + \varDelta ^{ij}_*]\), and suppose that over \(\mathscr {Q}\) some of the controls \(\mathscr {U}_\ell ^{ij}\) have remained equal to zero. This implies that for some \((i,j) \in \mathscr {E}\) we necessarily have that \(l^{ij}_{\ell }\) is unsuccessful. This is because if \(\mathscr {U}^{ij}_\ell (t)=0\) for all \((i,j) \in \mathscr {E}\) and all \(t \in \mathscr {Q}\) then \(\mathscr {X}_\ell ^{i}(t)=\mathscr {X}_\ell ^{i}(t^*_\ell )\) for all \(i \in \mathscr {I}\) and all \(t \in \mathscr {Q}\). Hence, if all the \(l^{ij}_{\ell }\) were successful, we should also have \(\mathscr {U}^{ij}_\ell (l_{\ell }^{ij}) \ne 0\) for some \((i,j) \in \mathscr {E}\) since, by hypothesis, consensus is not reached at time \(t^*_\ell \). Hence, applying Proposition 11.2 we conclude that at least one of the controls \(\mathscr {U}_\ell ^{ij}\) will become nonzero before \(l^{ij}_\ell +\varPhi ^{ij}\). As each vector component \(\ell \) has the same \(\varDelta ^{ij}_*\), at least one of the control vectors \(\mathscr {U}^{ij}\) will become nonzero before the same amount of time. Overall, this implies that at least one control will become nonzero before \(\varepsilon /(4 d_\mathrm{{min} }) + \varPhi \) units of time have elapsed. Since \(t^*_\ell \) is generic, we conclude that V decreases by at least \(\varepsilon _*\) every \(\varepsilon /(4 d_\mathrm{{max} }) + \varepsilon /(4 d_\mathrm{{min} }) + \varPhi \) units of time, which implies that

$$\begin{aligned} T_* \leqslant \left[ \frac{\varepsilon }{4 d_\mathrm{{max} }} + \frac{\varepsilon }{4 d_\mathrm{{min} }} + \varPhi \right] \frac{V(0)}{\varepsilon _*}. \end{aligned}$$
(11.23)

The thesis follows by recalling that V(0) can be rewritten as

$$\begin{aligned} V(0)=\frac{1}{2} \sum _{i \in \mathscr {I}} \sum _{\ell \in \mathscr {L}}(\mathscr {X}_\ell ^i(0))^2. \end{aligned}$$
(11.24)

       \(\blacksquare \)

5 A Numerical Example

We consider a random (connected) undirected graph with \(N=6\) nodes and with \(d^i=2\) for all \(i \in \mathscr {I}\). Each node has harmonic oscillator dynamics of the form

$$\begin{aligned} \dot{x}^i(t)= \begin{bmatrix} 0&1\\ -1&0\end{bmatrix} x^i(t)+ \begin{bmatrix}0\\1 \end{bmatrix}u^i(t). \end{aligned}$$
(11.25)

The nodes' initial values are chosen randomly within the interval \([-2,2]\) and \((\eta (0),\xi (0),\theta (0))=({\mathbf 0},{\mathbf 0},{\mathbf 0})\).

In the simulations, we considered DoS attacks which affect each of the network links independently. For each link, the corresponding DoS pattern takes the form of a pulse-width-modulated signal with variable period and duty cycle (maximum period of 0.4 sec and maximum duty cycle equal to \(55\%\)), both generated randomly. These patterns are reported in Table 11.1 for each network link.

Table 11.1 DoS average duty cycle over links

Fig. 11.1 Evolution of x, corresponding to the solution to (11.1)–(11.3) and (11.18) for a random graph with \(N=6\) nodes in the presence of DoS

Fig. 11.2 Evolution of the controller state \(\eta \) in the absence of DoS

Fig. 11.3 Evolution of the controller state \(\eta \) in the presence of DoS

The evolution of x, corresponding to the solutions to (11.1)–(11.3) and (11.18) with \(\varepsilon =0.04\) is depicted in Fig. 11.1. One sees that x exhibits a quite smooth response. In fact, the impact of loss of information can be better appreciated by looking at the controller dynamics, which are reported in Figs. 11.2 and 11.3. This can be explained simply by noting that the controller state \(\xi \) is affected by DoS directly while x is affected by DoS indirectly since \(\xi \) enters the node dynamics after being filtered twice.
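The update rule (11.18) can be replayed directly in the \(\mathscr {X}\) coordinates, where each component \(\ell \) is an independent consensus problem. The following Python code is an added example, not the authors' simulation code: it runs one component event by event under independent per-link jamming. \(N\), \(d^i\), \(\varepsilon \) and the maximum period and duty cycle are taken from this section; the ring topology, the random seed, the minimum period and duty cycle and the pattern generator are assumptions.

```python
import bisect
import heapq
import random

N, EPS = 6, 0.04                                  # values from the numerical example
EDGES = [(i, (i + 1) % N) for i in range(N)]      # assumed ring topology, so d^i = 2
DEG_SUM = 2 + 2                                   # d^i + d^j on every link
DELTA = EPS / (2 * DEG_SUM)                       # Delta_* of (11.20)


def pwm_dos(rng, horizon, max_period=0.4, max_duty=0.55):
    """Constructed jamming pattern for one link: sorted DoS (starts, ends)."""
    t, starts, ends = 0.0, [], []
    while t < horizon:
        period = rng.uniform(0.1, max_period)
        starts.append(t)
        ends.append(t + period * rng.uniform(0.05, max_duty))
        t += period
    return starts, ends


def is_denied(pattern, t):
    """True if t falls in a DoS interval [start, end) of this link."""
    starts, ends = pattern
    k = bisect.bisect_right(starts, t) - 1
    return k >= 0 and t < ends[k]


def sign_eps(z, eps=EPS):
    """Quantizer (11.2)."""
    return 0 if abs(z) < eps else (1 if z > 0 else -1)


def simulate(x0, dos, horizon):
    """Event-driven run of (11.8)/(11.18) for one component.

    Returns (T, X(T), failed): T is the first time at which every control is
    zero and every neighbor disagreement is below EPS (None if not reached).
    """
    x, u, rate = list(x0), [0] * len(EDGES), [0] * N
    events = [(0.0, e) for e in range(len(EDGES))]   # theta(0) = 0 on every link
    heapq.heapify(events)
    now, failed = 0.0, 0
    while events:
        t, e = heapq.heappop(events)
        if t > horizon:
            break
        # X is piecewise linear between jumps: dX^i/dt = sum_j U^{ij}
        x = [xi + r * (t - now) for xi, r in zip(x, rate)]
        now = t
        i, j = EDGES[e]
        d = x[j] - x[i]                              # D^{ij}(X)
        if is_denied(dos[e], t):                     # DoS: reset control, retry soon
            new_u, wait = 0, DELTA
            failed += 1
        else:                                        # successful transmission
            new_u, wait = sign_eps(d), max(abs(d), EPS) / (2 * DEG_SUM)
        rate[i] += new_u - u[e]                      # U^{ij} enters node i ...
        rate[j] -= new_u - u[e]                      # ... and U^{ji} = -U^{ij} node j
        u[e] = new_u
        heapq.heappush(events, (t + wait, e))
        if not any(u) and all(abs(x[b] - x[a]) < EPS for a, b in EDGES):
            return t, x, failed
    return None, x, failed


def run_example(seed=7, horizon=300.0):
    """One constructed run: random X(0) in [-2, 2], independent DoS per link."""
    rng = random.Random(seed)
    x0 = [rng.uniform(-2.0, 2.0) for _ in range(N)]
    dos = [pwm_dos(rng, horizon) for _ in EDGES]
    t_star, x_final, failed = simulate(x0, dos, horizon)
    return t_star, x0, x_final, failed


if __name__ == "__main__":
    t_star, x0, x_final, failed = run_example()
    print("T_* =", t_star, "failed attempts =", failed)
    print("final spread =", max(x_final) - min(x_final), "delta =", EPS * (N - 1))
```

Because \(\mathscr {U}^{ij}=-\mathscr {U}^{ji}\), the average of \(\mathscr {X}\) is preserved along the run, which gives a convenient consistency check on any implementation of the protocol.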

As a final comment, note that for each DoS pattern one can compute corresponding values for \((\eta ^{ij},\kappa ^{ij},\tau _f^{ij},\tau _d^{ij})\). They can be determined by computing \(n^{ij} (\tau ,t)\) and \(|\varXi ^{ij} (\tau ,t)|\) of each DoS pattern (cf. Assumptions 11.2 and 11.3) over the considered simulation horizon. Figure 11.4 depicts the values obtained for \(\tau _f^{ij}\) and \(\tau _d^{ij}\) for each \((i,j) \in \mathscr {E}\). One sees that these values are consistent with the requirements imposed by the PoC condition.

Fig. 11.4 Locus of the points \(1/\tau _d+{\varDelta _*}/{\tau ^{ij}_f}=1\) as a function of \((\tau _d,\tau _f)\) with \(\varDelta _* = 0.05\) (blue solid line). The horizontal axis represents \(\tau _d\) and the vertical axis represents \(\tau _f\). Notice that \(\varDelta _* = \varDelta ^{ij}_*\) for all \((i,j) \in \mathscr {E}\), so that the locus of points does not vary with \((i,j)\). The various “\(*\)” represent the values of \((\tau ^{ij}_d,\tau ^{ij}_f)\) for the network links
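The computation described in the final comment above, together with the bound of Proposition 11.2, can be carried out for a single link as follows. This Python code is an added example, not the authors' code: the DoS pattern is constructed, DoS intervals are assumed half-open \([h_n, h_n+\tau _n)\), and \(\tau _f=0.3\), \(\tau _d=2\) are illustrative choices; \(\varepsilon =0.04\) and \(d^i=d^j=2\) are the values of this section.

```python
# Constructed DoS pattern for one link: (h_n, tau_n) = (start, length) pairs,
# sorted and non-overlapping; the link is treated as denied on [h_n, h_n + tau_n).
DOS = [(0.10, 0.15), (0.40, 0.05), (0.55, 0.20),
       (1.00, 0.10), (1.30, 0.22), (1.70, 0.08)]


def n_transitions(dos, tau, t):
    """n^{ij}(tau, t): number of off/on transitions h_n inside [tau, t]."""
    return sum(1 for h, _ in dos if tau <= h <= t)


def dos_measure(dos, tau, t):
    """|Xi^{ij}(tau, t)|: total time in [tau, t] during which the link is denied."""
    return sum(max(0.0, min(t, h + d) - max(tau, h)) for h, d in dos)


def smallest_eta_kappa(dos, tau_f, tau_d):
    """Smallest eta and kappa for which (11.16) and (11.17) hold for this pattern.

    The worst window for (11.16) starts and ends on transitions; the worst
    window for (11.17) starts where a DoS interval starts and ends where one
    ends (valid because tau_d > 1), so a scan over interval pairs is exact.
    """
    eta = kappa = 0.0
    for a, (h_a, _) in enumerate(dos):
        jammed = 0.0
        for b in range(a, len(dos)):
            h_b, d_b = dos[b]
            jammed += d_b
            eta = max(eta, (b - a + 1) - (h_b - h_a) / tau_f)
            kappa = max(kappa, jammed - (h_b + d_b - h_a) / tau_d)
    return eta, kappa


def poc_bound(eta, kappa, tau_f, tau_d, eps, d_i, d_j):
    """alpha^{ij}, Delta_*^{ij} and Phi^{ij} from (11.19)-(11.21)."""
    delta = eps / (2 * (d_i + d_j))
    alpha = 1 / tau_d + delta / tau_f
    if alpha >= 1:
        raise ValueError("alpha >= 1: Proposition 11.2 gives no guarantee")
    return alpha, delta, (kappa + (eta + 1) * delta) / (1 - alpha)


def is_denied(dos, t):
    """True if a transmission attempt at time t hits a DoS interval."""
    return any(h <= t < h + d for h, d in dos)


def worst_recovery(dos, delta, step=1e-3):
    """Longest wait from a failed attempt to the next successful one.

    A failed attempt at t0 is retried every Delta_* (second mode of (11.18)).
    Every t0 on a grid inside each DoS interval is tried as the first failure.
    """
    worst = 0.0
    for h, d in dos:
        for k in range(int(d / step) + 1):
            t0 = h + k * step
            if not is_denied(dos, t0):
                continue
            m = 1
            while is_denied(dos, t0 + m * delta):
                m += 1
            worst = max(worst, m * delta)
    return worst


if __name__ == "__main__":
    eta, kappa = smallest_eta_kappa(DOS, tau_f=0.3, tau_d=2.0)
    alpha, delta, phi = poc_bound(eta, kappa, 0.3, 2.0, eps=0.04, d_i=2, d_j=2)
    print(f"eta={eta:.3f} kappa={kappa:.3f} alpha={alpha:.3f} Phi={phi:.3f}")
    print(f"worst observed recovery time: {worst_recovery(DOS, delta):.3f}")
```

The pair \((\tau _f,\tau _d)\) is not unique: any choice with \(\alpha ^{ij}<1\) is admissible, and a smaller \(\alpha ^{ij}\) is paid for with larger \(\eta ^{ij}\) and \(\kappa ^{ij}\), hence with a different \(\varPhi ^{ij}\).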

6 Conclusions

In this chapter, we have investigated Self-Triggered synchronization of a group of harmonic oscillators in the presence of denial-of-service at communication links. In the considered framework, each of the network links fails independently, which is relevant for peer-to-peer network architectures. A characterization of DoS frequency and duration is provided under which network synchronization is preserved, along with an explicit estimate of the effect of DoS on the time required to achieve synchronization.