
Shanghai Jiao Tong University Dissertation

Shanghai Jiao Tong University Dissertation Format Template

Name: Zhang San

Student ID: 520XXXXXXXX

Supervisor: Li Si

School: School of Mechanical Engineering

Major: Industrial Engineering

Degree applied for: Bachelor

Month XX, 20XX
A Dissertation Submitted to

Shanghai Jiao Tong University for Bachelor Degree

DISSERTATION TEMPLATE FOR BACHELOR


DEGREE OF ENGINEERING IN
SHANGHAI JIAO TONG UNIVERSITY

Author: Zhang San

Supervisor: Li Si

School of XXXXXXX
Shanghai Jiao Tong University
Shanghai, P.R.China
June, 20XX
Shanghai Jiao Tong University
Declaration of Originality

I solemnly declare that the submitted dissertation is the result of research work carried out independently by me under the guidance of my supervisor. Apart from content explicitly cited in the text, this dissertation contains no work previously published or written by any other individual or group. Individuals and groups that made important contributions to the research in this dissertation are clearly acknowledged in the text. I am fully aware that the legal consequences of this declaration are borne by me.

Signature of dissertation author:

Date: Year Month Day

Shanghai Jiao Tong University
Dissertation Use Authorization

I agree that the university may retain this dissertation, submit printed and electronic copies of it to the relevant national departments or institutions, and allow it to be consulted and borrowed.

This dissertation is:
□ Public
□ Internal; confidential for □1 year / □2 years / □3 years; this authorization applies after the confidentiality period.
□ Secret; confidential for ___ years (no more than 10); this authorization applies after the confidentiality period.
□ Top secret; confidential for ___ years (no more than 20); this authorization applies after the confidentiality period.
(Please tick "√" in the appropriate box above)

Signature of dissertation author: Signature of supervisor:

Date: Year Month Day Date: Year Month Day

ABSTRACT (Chinese)

As the scale and complexity of cyber-physical systems keep growing, formal methods have become an important means of addressing security problems during system design. One such problem, opacity, has become a focus of security research: it assumes an intruder outside the system who tries to infer the system's secret behaviour by eavesdropping on its information flow. Taking a single robot executing a task as the example scenario, and assuming an intruder who can listen in real time to the control commands that an online controller broadcasts to the robot, this thesis studies controller-design algorithms that satisfy a linear temporal logic task while guaranteeing opacity. We propose constructing a non-deterministic controller to strengthen the system's ability to protect its secrets. A non-deterministic controller is a decision mechanism that provides a set of control decisions at each instant; the robot then picks one decision from that set at random as the one it actually executes. Compared with a standard deterministic controller, a non-deterministic controller improves the system's resistance to eavesdropping.

We first give formal statements of labeled transition systems, deterministic controllers and the notion of opacity, built on the accepted foundations of formal language theory. We then give a formal definition of non-deterministic controllers and show, through an example, a case in which a non-deterministic controller enforces opacity where a deterministic one cannot. Synthesis of the non-deterministic controller is based on the construction of information states (IS) that simulate the intruder's estimate. Finally, we prove that our synthesis method is sound and complete.

Keywords: opacity, task verification, non-deterministic controller, labeled transition system

ABSTRACT

Formal methods have become an important tool for coping with the security issues that arise from the increasing scale and complexity of cyber-physical systems. In this paper we concentrate on an important security property called opacity. Opacity assumes that the system has secret behaviour, modeled by a set of secret states, and that an intruder tries to infer this secret behaviour by eavesdropping on the information flow. The problem studied here can be formulated as synthesizing an optimal controller for a single robot that achieves a linear temporal logic task (visiting a given state) with a security guarantee. We assume that the online control orders issued by an online controller and sent to the robot can be read by a passive intruder (an eavesdropper). The security constraint requires that the intruder can never infer with certainty that the robot is in a secret state. To achieve this we propose a method based on a non-deterministic controller: a decision mechanism that provides a set of control decisions at each instant, from which one decision is picked at random to control the robot. Compared with the standard deterministic controller, the non-deterministic controller improves the plausible deniability of the system, because the path followed by the robot is a random realization and is therefore not determined by the orders alone. First, we formally define the labeled transition system, the deterministic controller and the notion of opacity, building on the standard preliminaries of formal languages. Then we give a formal definition of the non-deterministic controller and show, by a motivating example, how a non-deterministic controller is more powerful than a deterministic one in enforcing opacity. The synthesis of such a non-deterministic controller is based on the construction of information states (IS) that simulate the intruder's estimate. To synthesize an IS-based controller we propose a structure called the Bipartite Non-deterministic Finite Transition System (BNFTS) and run a generic reachability-game procedure on it. Finally, we prove that our synthesis method is sound and complete.

Key words: Opacity, Task Verification, Non-deterministic controller, Labeled Transition System

CONTENTS

ABSTRACT (Chinese)
ABSTRACT
CHAPTER ONE INTRODUCTION
1.1 Foreword
1.2 The main content of this paper
1.3 The significance of this article
1.4 Summary
CHAPTER TWO GUIDE TO FORMATTING BODY TEXT
2.1 Basic text format requirements
2.2 Word count requirements
2.2.1 Undergraduate thesis requirements
2.3 Summary
CHAPTER THREE GUIDE TO FORMATTING FIGURE, TABLE AND FORMULA
3.1 Guide to formatting figure
3.2 Formula format
3.3 Summary
CHAPTER FOUR CONCLUSIONS
4.1 Main conclusions
4.2 Research outlook
REFERENCES
APPENDIX 1 SYMBOLS AND MARKS
RESEARCH PROJECTS AND PUBLICATIONS DURING UNDERGRADUATE PERIOD
ACKNOWLEDGEMENTS

Chapter One Introduction

1.1 Foreword

Hardware and software systems play important roles in industry and have reached significant scale and complexity over the last decades, which raises the risk of subtle errors during system design. Such errors can be hard to detect and avoid with the traditional control design process of repeated testing and redesign. One effective answer is to use formal methods to construct systems with built-in reliability despite their complexity [1]. Formal methods, that is, mathematically based languages, techniques and tools for specifying and verifying such systems, have proved their power notably in planning problems for dynamic systems. A dynamic system has a state space, possibly finite, and evolves under a dynamics function; it can be formally modeled as a Labeled Transition System (LTS), a Discrete Event System (DES), a Markov Decision Process (MDP), and so on. An example of formal-method planning is the path planning problem for a robot. A robot may be assigned a real-life task that can be formulated as a temporal logic specification, and the problem then consists of synthesizing a control policy that guarantees the specification is eventually accomplished. When the system is weighted or stochastic, an optimal control should be found that either minimizes a cost function or maximizes the probability of satisfying the task. In reference [2], S. Smith et al. first formulated the optimal linear temporal logic path planning problem for a single robot in a weighted transition system. The problem was extended to multi-robot path planning in reference [3] and solved with sampling-based control synthesis. In reference [4], X. C. Ding et al. studied the problem for a dynamic system modeled as a Markov Decision Process under temporal logic constraints, where the MDP captures the uncertainty in workspace properties, robot actions and task outcomes.

Another important objective in planning is the security constraint, which requires that critical information not be disclosed. In the realm of Cyber-Physical Systems (CPS), the emphasis on privacy and security has grown because of the increased interaction and information exchange among intelligent devices, which raises the risk of information leakage and threatens the system. Formal model-based methods provide systematic, algorithmic and correct-by-construction approaches for analyzing and designing safety-critical CPS, which is especially valuable as the security and privacy requirements of these systems keep expanding. The security properties of a system are generally classified into three categories [5]: availability (a user can always perform legal actions), integrity (a user can never perform illegal actions) and confidentiality (a user cannot discover or infer secret information). Take the example of an e-voting system in [4]. Guaranteeing that a third party cannot alter the votes is an issue of integrity; ensuring that each eligible voter can cast a vote is a matter of availability; and making certain that a third party cannot uncover an individual voter's choice is a matter of confidentiality.

A central notion in the confidentiality category, called opacity, was first introduced in [?] and quickly attracted strong attention. Opacity assumes that the system has secret behaviour, modeled by a set of secret states, and that an intruder tries to infer this secret behaviour by eavesdropping on the information flow. The verification and enforcement of this property have been intensely studied in Discrete Event Systems (DES). In reference [6], opacity was first formulated in the context of DES, and several notions of opacity have since been proposed, such as initial-state opacity [7], current-state opacity [8], K-step opacity [9] and infinite-step opacity [10], with the corresponding verification algorithms proposed by Saboori and Hadjicostis. In general, infinite-step opacity (respectively, K-step opacity) holds if the intruder can never determine for sure that the system was in a secret state at any instant within infinitely many steps (respectively, K steps) prior to the current instant, and current-state opacity (respectively, initial-state opacity) holds if the intruder can never determine for sure that the system is currently (respectively, was initially) in a secret state. In reference [11], Xiang Yin and Stéphane Lafortune proposed a new approach for verifying K-step and infinite-step opacity in DES using a two-way observer, which reduces the complexity of the verification algorithm. These notions have interesting application backgrounds, for instance in Location Based Services [12].
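As an added illustration of the observer-based verification of current-state opacity sketched above (example code written for this page, not part of the thesis or of the cited papers), the following Python builds the standard current-state estimator of a partially observed automaton and reports whether any reachable estimate lies entirely within the secret set. The automaton, its unobservable events and the secret set are constructed here for illustration; the other notions (initial-state, K-step, infinite-step) need different estimators and are not covered.

```python
from collections import deque

# Added example: observer-based verification of current-state opacity for a
# partially observed automaton. Constructed toy model, not from the thesis.
AUTOMATON = {
    "init": "q0",
    "delta": {                     # (state, event) -> next state
        ("q0", "a"): "q1",
        ("q0", "u"): "q2",
        ("q1", "b"): "q3",
        ("q2", "b"): "q4",
        ("q3", "c"): "q3",
        ("q4", "c"): "q4",
    },
}
SECRET = {"q3"}

def unobservable_reach(delta, states, observable):
    """States reachable from `states` through unobservable events only;
    the intruder cannot tell these apart from `states` themselves."""
    reach, stack = set(states), list(states)
    while stack:
        x = stack.pop()
        for (s, e), t in delta.items():
            if s == x and e not in observable and t not in reach:
                reach.add(t)
                stack.append(t)
    return frozenset(reach)

def build_observer(aut, observable):
    """Breadth-first construction of the current-state estimator (observer).

    Returns the initial estimate, the set of reachable estimates and the
    transition map between estimates on observable events.
    """
    delta = aut["delta"]
    init = unobservable_reach(delta, {aut["init"]}, observable)
    reachable, queue, edges = {init}, deque([init]), {}
    while queue:
        est = queue.popleft()
        for e in sorted(observable):
            step = {t for (s, ev), t in delta.items() if s in est and ev == e}
            if not step:
                continue
            nxt = unobservable_reach(delta, step, observable)
            edges[(est, e)] = nxt
            if nxt not in reachable:
                reachable.add(nxt)
                queue.append(nxt)
    return init, reachable, edges

def current_state_opaque(aut, observable, secret):
    """Current-state opacity: no reachable estimate is contained in `secret`.

    Returns (verdict, leaking_estimates); a leaking estimate is an
    observation after which the intruder is certain the system is in a
    secret state.
    """
    _, estimates, _ = build_observer(aut, observable)
    leaks = sorted((est for est in estimates if est <= secret), key=sorted)
    return not leaks, leaks

if __name__ == "__main__":
    print(current_state_opaque(AUTOMATON, {"a", "b", "c"}, SECRET))  # only u hidden: leaks
    print(current_state_opaque(AUTOMATON, {"b", "c"}, SECRET))       # a also hidden: opaque
```

With only u unobservable, the observation "a b" drives the estimate to {q3}, so the secret is revealed. Hiding a as well makes the estimate after b equal to {q3, q4}, which is what the intruder cannot resolve; this is the kind of ambiguity that an enforcement mechanism (masking, insertion, or supervision) must preserve.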

When a given system is not opaque, it is also of interest to enforce opacity. Opacity enforcement has been intensely studied under different enforcement mechanisms. For example, references [14] and [?] use dynamic masks that change the output information of the system to mislead the intruder. In reference [?], Yi-Chin Wu and Stéphane Lafortune proposed another mechanism, the insertion function, which changes the system's output by inserting additional observable events. Both mechanisms let the open-loop system evolve freely without restriction; opacity is enforced by feeding the intruder misleading information.

One widely explored opacity enforcement mechanism is the supervisory control theory for DES developed by P. J. Ramadge and W. M. Wonham in [13]. In this framework, the behaviour of the open-loop system is restricted by a supervisor that partially observes the system's behaviour and issues control orders enforcing opacity based on its observation history. Even if the intruder has full knowledge of the supervisor's observation history, it cannot infer the system's behaviour for sure, since multiple control choices may exist. For instance, [17] introduces a formula for a sublanguage that is both controllable and opaque. In [18], the opacity control problem is addressed under the assumption that all controllable events are observable and that the intruder's observation is part of the supervisor's observation. [19] proposed an algorithm to synthesize an opacity-enforcing supervisor without assumptions on the event sets, but it requires assuming that the control policy is not publicly known, which simplifies the problem to computing a maximal controllable and observable sublanguage of the supremal opaque sublanguage. In [?], a uniform approach to synthesizing opacity-enforcing supervisors for partially observed discrete-event systems is proposed; it uses suitably defined information states to construct a finite bipartite transition system in which all reachable information states and all admissible supervisory controls are embedded. All of these works, however, remain in the domain of deterministic control for DES, where a specific control decision is issued at each instant. More recently, Xie et al. presented in [?] a non-deterministic control mechanism to enforce opacity in DES using the same information-state method.

More recently, preserving information-flow security in task planning has become a new object of investigation, with opacity adopted in most cases to characterize information-flow security. In [?], C. Hadjicostis studied a trajectory planning problem under a current-state opacity constraint. In [?], Xinyi Yu et al. describe a scenario in which a multi-agent system, modeled as a global transition system, is assigned a high-level LTL task; besides the standard requirement on the correctness of the coordination plan, they also took into account the potential information leakage of each agent, and proposed a coordination algorithm that synthesizes an optimal global plan while guaranteeing the security of each agent. This problem aligns well with real-life scenarios, where security and privacy have become important concerns in agent networks, and it underscores the importance of incorporating security constraints into task planning algorithms.

1.2 The main content of this paper

This work is motivated by the notion of "opacity under decision-based transmission" proposed in [?]. Specifically, the system is controlled by an online controller that observes the system's behaviour through an observation channel and sends control orders through a decision channel. Assuming that the observation channel is secure while the decision channel is insecure and may be eavesdropped by an intruder creates a scenario quite different from the usual one, in which the observation channel is the insecure part. The scenario is realistic because the controller may be located far from the robot it controls and must send its orders over the Internet or by radio. The goal is to synthesize, with formal methods, a controller that secures the information flow over such an insecure control channel while still guaranteeing the given task specification.

This work consists of formulating and solving a synthesis problem with respect to LTL requirements that enforces decision-based transmission opacity on a given robotic system modeled as a transition system; it is closely related to the work of [?] and [?]. Specifically, we consider a single robot whose mobility is modeled as a deterministic labeled transition system (LTS) and which is assigned a task formulated as a linear temporal logic specification.
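To make the decision-channel scenario concrete, here is an added Python example written for this page; it is not the thesis's synthesis algorithm and does not model its micro-/macro-state information structure. It assumes an eavesdropper who knows the LTS, the initial state and the controller's policy, who sees every broadcast decision set but neither the robot's random choice nor the observation channel, and who keeps a set-valued estimate of the robot's current state. It then enumerates every realization of the closed loop and checks whether the estimate ever collapses into the secret set (an opacity violation) and whether every realization reaches an accepting state (a reachability-type LTL task). The LTS, the two policies, and the secret and accepting sets are constructed for illustration.

```python
# Added example: decision-channel eavesdropping against a deterministic
# versus a non-deterministic controller. Constructed toy LTS, not from the thesis.
SECRET = {"s1"}        # the robot passing through s1 must stay hidden
ACCEPT = {"g"}         # task: eventually reach g

# Deterministic LTS: (state, action) -> next state
LTS = {
    "init": "r0",
    "delta": {
        ("r0", "a"): "s1",   # route through the secret cell
        ("r0", "b"): "p1",   # alternative, non-secret route
        ("s1", "c"): "g",
        ("p1", "c"): "g",
        ("g", "c"): "g",
    },
}

# A controller is a state-feedback policy returning the set of allowed actions,
# i.e. the broadcast control order. Deterministic: singleton sets only.
def deterministic_policy(x):
    return {"r0": {"a"}, "s1": {"c"}, "p1": {"c"}, "g": {"c"}}.get(x, set())

# Non-deterministic: at r0 either route is allowed; the robot picks one at random.
def nondeterministic_policy(x):
    return {"r0": {"a", "b"}, "s1": {"c"}, "p1": {"c"}, "g": {"c"}}.get(x, set())

def intruder_update(lts, policy, estimate, decision):
    """Estimate of the next state, given the eavesdropped decision set.

    Assumed intruder model: knows the LTS, the initial state and the policy,
    so it keeps only the states at which the policy would have issued exactly
    this decision, then applies every action in the decision to them.
    """
    consistent = {x for x in estimate if policy(x) == decision}
    return frozenset(lts["delta"][(x, a)] for x in consistent for a in decision
                     if (x, a) in lts["delta"])

def analyse(lts, policy, secret, accept, horizon):
    """Enumerate every realization of the closed loop up to `horizon` steps.

    Reports whether the intruder's estimate was ever contained in `secret`
    (opacity violated) and whether every realization reached `accept`.
    """
    leaks, unfinished = [], []
    stack = [(lts["init"], frozenset({lts["init"]}), ())]
    while stack:
        x, est, trace = stack.pop()
        if est <= secret:              # intruder is certain the robot is in a secret state
            leaks.append(trace)
        if x in accept:
            continue                   # task done on this realization
        decision = policy(x)
        if len(trace) >= horizon or not decision:
            unfinished.append(trace)   # out of steps, or the controller blocks
            continue
        nxt_est = intruder_update(lts, policy, est, decision)
        for a in sorted(decision):     # every action the robot might pick
            if (x, a) in lts["delta"]:
                stack.append((lts["delta"][(x, a)], nxt_est, trace + (a,)))
    return {"opaque": not leaks, "task_ok": not unfinished, "leaks": leaks}

if __name__ == "__main__":
    for name, pol in [("deterministic", deterministic_policy),
                      ("non-deterministic", nondeterministic_policy)]:
        print(name, analyse(LTS, pol, SECRET, ACCEPT, horizon=5))
```

With the deterministic policy the single broadcast order {a} pins the robot to s1 and the estimate becomes {s1}, a leak; with the non-deterministic policy the order {a, b} leaves the estimate at {s1, p1}, and both realizations still reach g. The intruder here is deliberately strong (it knows the policy); dropping that assumption only makes its estimate coarser, so a controller that passes this check also passes against a weaker eavesdropper.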

This paper is organized in the following sections:

1. Preliminaries: we define the labeled transition system model, the deterministic controller in the context of an LTS following the supervisory control theory of [13], and decision-based transmission opacity for deterministic controllers.

2. Task Verification Under Security Constraint with Non-Deterministic Controller: we begin with a motivating example showing how a deterministic controller can fail to enforce opacity. We then formally define the non-deterministic controller in the context of an LTS, following [?], and restate the definitions of intruder and opacity for non-deterministic controllers. We then formulate the problem, denoted Problem 1: given a labeled transition system, a set of secret states, a set of accepting states and an LTL formula, synthesize a non-deterministic controller such that the closed-loop system satisfies the temporal logic specification and is current-state opaque.

3. Informational State and Its Flow: we attack the opacity-enforcement problem using the information-state idea proposed in [?] and [?]. First we propose an information structure for our scenario, consisting of micro-states and macro-states. Then we define the evolution rules of the information state under a given observation of the control order. We also define an IS-mapping that encodes an IS-based controller, which restricts Problem 1 to a more tractable and less complex form, denoted Problem 2.

4. Synthesis of IS-Based Controller: we discuss how to synthesize an IS-based controller over the information states that satisfies the temporal task and enforces opacity at the same time. We introduce the algorithm that synthesizes a bipartite non-deterministic finite state transition system and show by example how it is constructed recursively. We then show that this system can be narrowed down to the largest bipartite non-deterministic finite state transition system satisfying Problem 2 by an LTL-based reachability game, again illustrated by an example. Finally, we give the algorithm that encodes the IS-based controller associated with this system.

5. Properties of the Synthesis Procedure: we formally prove the correctness of the synthesis procedure, namely that the algorithm is sound and complete. We then prove that the restriction of Problem 1 to Problem 2 is without loss of generality, that is, Problem 1 is solvable if and only if Problem 2 is solvable.

1.3 The significance of this article

In contemporary applications, controllers are frequently deployed in interconnected environments where system components communicate over networks. Such control systems, characterized by a networked information structure, are commonly known as Networked Control Systems (NCSs). A networked supervisory control system typically involves two communication channels: (i) sensors transmit observable events to the supervisor through the observation channel, and (ii) the supervisor conveys control decisions to the actuators via the control channel. Compared with traditional supervisory control systems, networked ones offer several advantages; notably, the networked information structure allows external computational devices to control large-scale systems remotely.

While networked control systems offer many advantages over classical ones, security is a primary challenge in NCSs because of their extensive communication. In particular, the security of the control and observation channels is a significant concern, as information transmitted through these channels may be intercepted by intruders, with the risk of divulging sensitive system information to unauthorized parties. In [?], the security of networked supervisory control systems with an insecure control channel was studied systematically, and an approach to enforce opacity under event-based transmission was proposed.

However, this scenario has not been studied for Labeled Transition Systems, which exhibit different transition properties from discrete event systems and are more often used for the general control of robots. In this paper we formulate and model a scenario based on the plausible security problems faced by a military robot that receives orders from a controller over a network or by radio to carry out a confidential mission, for example passing by the arsenal and launching an attack on the enemy base. However much the controller wishes to keep the mission confidential, orders sent over the radio can easily be eavesdropped by the enemy, who can then deduce the robot's movements by combining the orders with the road map. Our intention is therefore to study this kind of problem systematically and design a safe-by-construction controller. This enriches the case studies in the realm of secured communication and extends previous studies in the domain of discrete event systems.

1.4 Summary

In this chapter we presented a brief review of existing work on path planning, opacity-enforcing control and security-aware planning. The integration of formal methods with security considerations, particularly in Cyber-Physical Systems (CPS), was discussed with an emphasis on the concept of opacity. We showed several typical approaches to opacity enforcement that inspired our study, and ended by highlighting the importance of incorporating security constraints into task planning algorithms. We then briefly presented our topic, followed by an outline of this paper in five sections: preliminaries; task verification under security constraint with non-deterministic controller; informational state and its flow; synthesis of IS-based controller; properties of the synthesis procedure. Finally, we explained the significance of our work by recalling previous work of our group, and further explained the connection between our model and the real-life scenario, thereby clarifying the intention of this study.

Chapter Two Guide to Formatting Body Text

2.1 Basic text format requirements

The thesis should generally consist of ten main parts, in this order: 1. cover, 2. Chinese abstract, 3. English abstract, 4. table of contents, 5. symbol description, 6. thesis body, 7. references, 8. appendices, 9. acknowledgements, 10. academic papers published during the degree study.

2.2 Word count requirements

2.2.1 Undergraduate thesis requirements

……

2.3 Summary

……

Chapter Three Guide to Formatting Figure, Table and Formula

3.1 Guide to formatting figure

Illustration 3-1 XXX



Illustration 3-2 XXX

Table 3-1 XXX

      A     B     C     D
A1
A2
A3
A4
A5
A6
A7
A8

3.2 Formula format

$$\frac{1}{\mu}\nabla^{2}\mathbf{A} - j\omega\sigma\mathbf{A} - \nabla\times\left(\frac{1}{\mu}\nabla\times\mathbf{A}\right) + \mathbf{J}_{0} = 0 \qquad (3\text{-}1)$$

3.3 Summary

……

Chapter Four Conclusions

4.1 Main conclusions

……

4.2 Research outlook

……

References

[1] Edmund M. Clarke, Jeannette M. Wing. Formal methods: state of the art and future directions. ACM Comput. Surv., 1996, 28(4): 626-643.
[2] S. Smith, J. Tumova, C. Belta, D. Rus. Optimal path planning for surveillance with temporal-logic constraints. The International Journal of Robotics Research, 2011, 30(14): 1695-1708.
[3] Yiannis Kantaros, Michael M. Zavlanos. Sampling-based control synthesis for multi-robot systems under global temporal specifications. ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS), 2017, 11 pages.
[4] X. C. Ding, S. L. Smith, C. Belta, D. Rus. MDP optimal control under temporal logic constraints. Proceedings of the IEEE Conference on Decision and Control, 2011, 3(1): 1-11.
[5] M. Bishop. Introduction to Computer Security. Reading, MA: Addison-Wesley Professional, 2004: 5-17.
[6] J. W. Bryans, M. Koutny, L. Mazaré, P. Ryan. Opacity generalised to transition systems. International Journal of Information Security, 2008, 7(6): 421-435.
[7] A. Saboori, C. N. Hadjicostis. Verification of initial-state opacity in security applications of discrete event systems. Information Sciences, 2014, 246: 115-132.
[8] A. Saboori, C. N. Hadjicostis. Current-state opacity formulations in probabilistic finite automata. IEEE Transactions on Automatic Control, 2014, 59(1): 120-133.
[9] A. Saboori, C. N. Hadjicostis. Verification of K-step opacity and analysis of its complexity. IEEE Transactions on Automation Science and Engineering, 2011, 8(3): 549-559.
[10] A. Saboori, C. N. Hadjicostis. Verification of infinite-step opacity and complexity considerations. IEEE Transactions on Automatic Control, 2012, 57(5): 1265-1269.
[11] Xiang Yin, Stéphane Lafortune. A new approach for the verification of infinite-step and K-step opacity using two-way observers. Automatica, 2017, 80: 162-171.
[12] M. Gruteser, D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. International Conference on Mobile Systems, Applications and Services, 2003: 31-42.
[13] P. J. Ramadge, W. M. Wonham. Supervisory control of a class of discrete event processes. SIAM J. Control Optim., 1987, 25(1): 206-230.
[14] B. Behinaein, F. Lin, K. Rudie. Optimal information release for mixed opacity in discrete-event systems. IEEE Transactions on Automation Science and Engineering, 2019, 16(4): 1960-1970.

(For the reference format, follow GB/T 7714-2015, Information and documentation: Rules for bibliographic references and citations.)



Appendix 1 Symbols and Marks



Research Projects and Publications during Undergraduate Period

[1] ……

Acknowledgements

……

NUMERICAL SIMULATION OF HOMOGENEOUS CHARGE COMPRESSION IGNITION COMBUSTION FUELED WITH DIMETHYL ETHER (Extended English Abstract)

HCCI (Homogeneous Charge Compression Ignition) combustion has advantages in efficiency and reduced emissions. HCCI combustion not only ensures both the high economy and the dynamic quality of the engine, but also efficiently reduces NOx and smoke emissions. Moreover, one of the remarkable characteristics of HCCI combustion is that the ignition and combustion process are controlled by chemical kinetics, so the HCCI ignition timing can vary significantly with changes in engine configuration parameters and operating conditions. ...... (body of the extended English abstract)

The extended English abstract is paginated separately.
