Shanghai Jiao Tong University Thesis Format Template
Name: Zhang San
Student ID: 520XXXXXXXX
Supervisor: Li Si
School: School of Mechanical and Power Engineering
Major: Industrial Engineering
Degree Applied For: Bachelor
Month XX, 20XX
A Dissertation Submitted to
Supervisor: Li Si
School of XXXXXXX
Shanghai Jiao Tong University
Shanghai, P.R. China
June, 20XX
Shanghai Jiao Tong University
Declaration of Originality
I solemnly declare that the thesis submitted is the result of research work that I carried out independently under the guidance of my supervisor. Except where citations are explicitly noted in the text, this thesis does not contain any work or results previously published or written by any other individual or group. Individuals and groups that made important contributions to the research in this thesis have all been clearly acknowledged in the text. I fully understand that the legal consequences of this declaration are borne by me.
Signature of thesis author:
Date: (year) (month) (day)
Shanghai Jiao Tong University
Authorization for Use of the Thesis
I agree that the university may retain copies and electronic versions of the thesis and submit them to relevant national departments or institutions, and may allow the thesis to be consulted and borrowed.
This thesis is:
□ a public thesis
□ an internal thesis, confidential for □1 year / □2 years / □3 years; this authorization applies after the confidentiality period.
□ a secret-level (秘密) thesis, confidential for ___ years (no more than 10 years); this authorization applies after the confidentiality period.
□ a confidential-level (机密) thesis, confidential for ___ years (no more than 20 years); this authorization applies after the confidentiality period.
(Please tick "√" in the boxes above.)
Signature of thesis author:          Signature of supervisor:
Date: (year) (month) (day)           Date: (year) (month) (day)
Shanghai Jiao Tong University Thesis
Abstract
With the continuously increasing scale and complexity of cyber-physical systems, formal methods have become an important approach for addressing security problems during the system design process. One such security property, "opacity", has become a focus of security research: it assumes that an intruder outside the system tries to infer the system's secret behavior by eavesdropping on its information flow. Taking a single robot executing a task as the scenario, this thesis assumes that an intruder can monitor in real time the control commands broadcast to the robot by an online controller, and studies controller design algorithms that satisfy a linear temporal logic task while guaranteeing opacity. In this thesis we propose constructing non-deterministic controllers to strengthen the system's ability to protect its secrets. A non-deterministic controller is a decision mechanism that provides a set of control decisions at each instant; the robot randomly selects one control decision from the received decision set as the strategy it actually executes. Compared with a standard deterministic controller, a non-deterministic controller can strengthen the system's resistance to eavesdropping.
In the thesis we first give formal descriptions of labeled transition systems, deterministic controllers and the concept of "opacity", based on the accepted foundations of formal languages. We then give the formal definition of a non-deterministic controller and show, through an example, a case in which a non-deterministic controller is more powerful than a deterministic controller at enforcing opacity. The synthesis of non-deterministic controllers is based on the construction of information states (IS) that simulate the intruder's estimate. Finally, we prove that our synthesis method is sound and complete.
Keywords: opacity, task verification, non-deterministic controller, labeled transition system
ABSTRACT
CONTENTS
ABSTRACT (Chinese)
ABSTRACT
1.1 FOREWORD
1.2 THE MAIN CONTENT OF THIS PAPER
1.3 THE SIGNIFICANCE OF THIS ARTICLE
1.4 SUMMARY
2.3 SUMMARY
FORMULA
REFERENCES
UNDERGRADUATE PERIOD
ACKNOWLEDGEMENTS
Chapter One Introduction
1.1 Foreword
Hardware and software systems have played important roles in industry and have reached significant scale and complexity in the last decades, causing an increasing risk of subtle errors during the system design process. Such errors may be hard to detect and avoid with the traditional control design process, which consists of numerous tests and redesigns. One effective solution to this problem is to use formal methods to construct systems with built-in reliability despite their complexity [1]. Formal methods, i.e. mathematically based languages, techniques, and tools for specifying and verifying such systems, have proved their power notably in solving planning problems in dynamic systems. A dynamic system has a state space containing a possibly finite set of states and evolves under a dynamic function. It can be formally modeled as a Labeled Transition System (LTS), a Discrete Event System (DES), a Markov Decision Process (MDP), etc. An example of formal-method planning is the path planning problem for a robot. In real life a robot may be assigned specific tasks that can be formulated as temporal logic specifications, and the problem then consists of synthesizing a control policy that guarantees the eventual accomplishment of this specification. When the system is weighted or stochastic, an optimal control should be found that either minimizes the cost function or maximizes the probability of task verification. In reference [2], S. Smith et al. first formulated the optimal linear temporal logic single-robot path planning problem in weighted transition systems. The problem was extended to multi-robot path planning in reference [3] and solved using sampling-based control synthesis. In reference [4], X. C. Ding et al. studied this problem for a dynamic system modeled as a Markov Decision Process under temporal logic constraints, where the MDP captures the uncertainty in the workspace properties, robot actions and task outcomes.
designing safety-critical CPS. This is particularly vital as the security and privacy requirements of these systems persistently expand. The security properties of a system can generally be classified into three categories [5]: availability (a user can always perform legal actions), integrity (a user can never perform illegal actions) and confidentiality (a user cannot discover or infer secret information). Take the example of an e-voting system in [4]. Guaranteeing that a third party cannot alter the votes is an issue of integrity. Ensuring that each eligible voter can cast their vote is a matter of availability. Making certain that it is impossible for a third party to uncover an individual voter's choice is a matter of confidentiality.
When a given system does not satisfy opacity, it is also of interest to enforce opacity. The problem of opacity enforcement has been intensively studied under different enforcement mechanisms. For example, reference [14] uses dynamic masks that change the output information of the system to mislead intruders. In [citation missing], Yi-Chin Wu and Stéphane Lafortune proposed another mechanism using insertion functions, which change the system's output information by inserting additional observable events. Both of these mechanisms allow the open-loop system to evolve freely without restriction; opacity is enforced instead by feeding the intruder wrong information.
One of the widely explored opacity enforcement mechanisms is the supervisory control theory for DES developed by P. J. Ramadge and W. M. Wonham in [13]. In this framework, the behavior of the given open-loop system is restricted by a supervisor who partially observes the system's behavior and issues control orders that enforce opacity based on its observation history. In this way, even if the intruder has full knowledge of the supervisor's observation history, it cannot infer the system's behavior with certainty, since there may be multiple control choices. For instance, [17] introduces a formula for a sublanguage that is both controllable and opaque. In [18], the opacity control problem is addressed by assuming that all controllable events are observable and that the intruder's observation is part of the supervisor's observation. [19] proposed an algorithm to synthesize an opacity-enforcing supervisor without making assumptions about the event sets. However, it requires assuming that the control policy is not publicly known, thereby simplifying the problem to computing a maximal controllable and observable sublanguage of the supremal opaque sublanguage. In [citation missing], a uniform approach to synthesize opacity-enforcing supervisors for partially observed discrete-event systems is proposed. This method mainly consists of using suitably defined information states to construct a finite bipartite transition system in which all reachable information states and all admissible supervisory control decisions are embedded. But all of these works remain in the domain of deterministic control for DES, which issues a specific control decision at each instant. More recently, Xie et al. presented in [citation missing] a non-deterministic control mechanism to enforce opacity in DES using the same information-state method.
This work consists of formulating and solving a synthesis problem with respect to LTL requirements in order to enforce decision-based transmission opacity on a given robotic system modeled as a transition system, closely related to the work of [citations missing]. Specifically, we consider a single robot whose mobility is modeled as a deterministic labeled transition system (LTS) and which is assigned a task formulated as linear temporal logic specifications.
controller could fail in enforcing opacity on the system. Following this example, we formally give the definition of a non-deterministic controller in the context of LTS, following the examples in [citation missing]. Then the respective definitions of intruders and opacity are reformulated in the context of non-deterministic controllers. We then formulate the problem, denoted Problem 1, as: given a labeled transition system, a set of secret states, a set of accepting states and an LTL formula, synthesize a non-deterministic controller such that the closed-loop system satisfies the temporal logic specification and is current-state opaque.
3. Informational State and Its Flow: In this section, we begin to address the opacity-enforcement problem using the idea of information state space proposed in [citations missing]. Firstly, we propose an information structure for our scenario, including micro-states and macro-states. Then we define the information state evolution rules based on a given observation of the control order. We also define an IS-mapping that can encode an IS-based controller, in order to restrict Problem 1 to a more accessible and less complex form, denoted Problem 2.
5. Properties of the Synthesis Procedure: In this section, we formally prove the correctness of our synthesis procedure, that is, that the algorithm is sound and complete. Then we prove that the restriction of Problem 1 to Problem 2 is without loss of generality, that is, Problem 1 is solvable if and only if Problem 2 is solvable.
While networked control systems offer numerous advantages over classical control systems, security emerges as a primary challenge in Networked Control Systems (NCSs) because of their extensive communication. Specifically, the security of the control and observation channels is a significant concern, as information transmitted through these channels may be intercepted by intruders. Consequently, there is a risk of divulging sensitive system information to unauthorized parties. In [citation missing], the security of networked supervisory control systems with an insecure control channel has been systematically studied, and an approach to enforce opacity under event-based transmission has been proposed.
However, such a scenario has not been studied for Labeled Transition Systems, which have different transition properties from discrete event systems and are more applicable to the general control of robots. In this paper, we formulate and model a scenario based on the plausible security problems faced by a military robot that receives orders from a controller via a network or radio to carry out a confidential mission, for example passing by the arsenal and launching an attack on the enemy base. Despite the controller's strong wish to keep this mission confidential, orders passing over the radio can easily be eavesdropped by the enemy, who can then deduce the movement of the robot by combining the orders with the road map. Our intention is thus to study this kind of problem systematically and design a safe-by-construction controller. This would enrich the case studies in the realm of secure communication and extend previous studies in the domain of discrete event systems.
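As an added illustration of the scenario above (not code from the thesis), the following Python model simulates the eavesdropper's current-state estimate on a constructed toy road map, for a deterministic controller that broadcasts one command per instant and a non-deterministic controller that broadcasts a decision set, and checks both current-state opacity (the estimate never lies entirely inside the secret states) and that every run the robot can take still reaches the accepting state. The state names, the secret set and the decision sets are assumptions made up for this example.

```python
from itertools import product

# Constructed toy road map (not from the thesis): a deterministic LTS, state -> {command: successor}.
ROAD_MAP = {
    "depot": {"n": "crossroad", "e": "field"},
    "crossroad": {"n": "arsenal"},
    "field": {"n": "village"},
    "arsenal": {"n": "base"},
    "village": {"n": "base"},
    "base": {"stay": "base"},
}
SECRET = {"arsenal"}  # states the controller wants to hide from the eavesdropper
ACCEPT = {"base"}     # task: every run must eventually reach base

def intruder_estimates(road_map, initial, broadcasts):
    """Intruder's current-state estimate after each broadcast decision set. The intruder
    knows the map and the initial state but not the robot's random choice, so the estimate
    is every successor of the previous estimate under any command in the set."""
    estimate, history = {initial}, [frozenset({initial})]
    for decision_set in broadcasts:
        estimate = {road_map[s][c] for s in estimate for c in decision_set if c in road_map[s]}
        history.append(frozenset(estimate))
    return history

def is_current_state_opaque(road_map, initial, secret, broadcasts):
    """Current-state opacity: a non-empty estimate is never contained in the secret set."""
    return all(not (est and est <= secret) for est in intruder_estimates(road_map, initial, broadcasts))

def all_runs(road_map, initial, broadcasts):
    """Every path the robot can follow by picking one enabled command per broadcast."""
    runs = []
    for choice in product(*broadcasts):
        path = [initial]
        for c in choice:
            if c not in road_map[path[-1]]:
                break  # this command is not enabled here; the robot would not pick it
            path.append(road_map[path[-1]][c])
        else:
            runs.append(path)
    return runs

def task_satisfied(road_map, initial, accept, broadcasts):
    """Reachability task ('eventually base'): all possible runs must end in an accepting state."""
    runs = all_runs(road_map, initial, broadcasts)
    return bool(runs) and all(r[-1] in accept for r in runs)

DETERMINISTIC = [{"n"}, {"n"}, {"n"}]          # one command per instant: the whole path is revealed
NON_DETERMINISTIC = [{"n", "e"}, {"n"}, {"n"}]  # a decision set at the first instant hides the branch
```

Running `is_current_state_opaque(ROAD_MAP, "depot", SECRET, ctrl)` for the two controllers shows the deterministic one exposing the visit to `arsenal` while the non-deterministic one keeps `village` in the intruder's estimate, and `task_satisfied` confirms that both still drive every run to `base`.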
1.4 Summary
In this chapter, we present a brief review of existing works on path planning problems, opacity-enforcing control, and security-aware planning. The integration of formal methods with security considerations, particularly in Cyber-Physical Systems (CPS), is discussed, with an emphasis on the concept of opacity. We show several typical approaches studied for opacity-enforcing problems that inspired our study, ending by highlighting the importance of incorporating security constraints into task planning algorithms. Then we briefly present our topic, followed by an outline of this paper, composed of five sections: preliminaries; task verification under security constraints with a non-deterministic controller; informational state and its flow; synthesis of the IS-based controller; properties of the synthesis procedure. Finally, we explain the significance of our work by recalling a previous work of our group. The connection between our model and a real-life scenario is further explained, thereby clarifying the intention of this study.
Chapter Two Guide to Formatting Body Text
The content of the thesis should generally consist of ten main parts, in order: 1. cover, 2. Chinese abstract, 3. English abstract, 4. table of contents, 5. symbol description, 6. thesis body, 7. references, 8. appendices, 9. acknowledgements, 10. academic papers published during degree study.
……
2.3 Summary
……
Chapter Three Guide to Formatting Figure, Table and Formula
[Sample table: columns A, B, C, D; rows A1 to A8 (only column A is filled in the template)]
$$\frac{1}{\mu}\nabla^{2}\mathbf{A} - j\omega\sigma\mathbf{A} - \nabla\times\left(\frac{1}{\mu}\nabla\times\mathbf{A}\right) + \mathbf{J}_0 = 0 \qquad (3\text{-}1)$$
3.3 Summary
……
Chapter Four Conclusions
……
……
References
[1]. Edmund M. Clarke and Jeannette M. Wing. Formal methods: state of the art and future directions. ACM Comput. Surv., 1996, 28(4): 626–643.
[2]. S. Smith, J. Tumova, C. Belta, and D. Rus. Optimal path planning for surveillance with temporal-logic constraints. The International Journal of Robotics Research, 2011, 30(14): 1695–1708.
[3]. Yiannis Kantaros and Michael M. Zavlanos. Sampling-based control synthesis for multi-robot systems under global temporal specifications. ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS), 2017, 11 pages.
[4]. X. C. Ding, S. L. Smith, C. Belta, and D. Rus. MDP optimal control under temporal logic constraints. Proceedings of the IEEE Conference on Decision and Control, 2011, 3(1): 1–11.
[5]. M. Bishop. Introduction to Computer Security. Reading, MA: Addison-Wesley Professional, 2004, 5–17.
[6]. Bryans, J. W., Koutny, M., Mazaré, L., and Ryan, P. Opacity generalised to transition systems. International Journal of Information Security, 2008, 7(6): 421–435.
[7]. Saboori, A. and Hadjicostis, C. N. Verification of initial-state opacity in security applications of discrete event systems. Information Sciences, 2014, 246: 115–132.
[8]. Saboori, A. and Hadjicostis, C. N. Current-state opacity formulations in probabilistic finite automata. IEEE Transactions on Automatic Control, 2014, 59(1): 120–133.
[9]. Saboori, A. and Hadjicostis, C. N. Verification of K-step opacity and analysis of its complexity. IEEE Transactions on Automation Science and Engineering, 2011, 8(3): 549–559.
[10]. Saboori, A. and Hadjicostis, C. N. Verification of infinite-step opacity and complexity considerations. IEEE Transactions on Automatic Control, 2012, 57(5): 1265–1269.
[11]. Xiang Yin and Stéphane Lafortune. A new approach for the verification of infinite-step and K-step opacity using two-way observers. Automatica, 2017, 80: 162–171.
[12]. Gruteser, M. and Grunwald, D. Anonymous usage of location-based services through spatial and temporal cloaking. International Conference on Mobile Systems, Applications and Services, 2003, 31–42.
[13]. P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete event processes. SIAM J. Control Optim., 1987, 25(1): 206–230.
[14]. B. Behinaein, F. Lin, and K. Rudie. Optimal information release for mixed opacity in discrete-event systems. IEEE Transactions on Automation Science and Engineering, 2019, 16(4): 1960–1970.
[15].
Academic Papers Published During the Undergraduate Period
[1] ……
Acknowledgements
……
The extended English abstract is paginated separately.