Current-state opacity verification in discrete event systems using an observer net

Due to the proliferation of contemporary computer-integrated systems and communication networks, there is more concern than ever regarding privacy, given the potential for sensitive data exploitation. A recent cyber-security research trend is to focus on security principles and develop the foundations for designing safety-critical systems. In this work, we investigated the problem of verifying current-state opacity in discrete event systems using labeled Petri nets. A system is current-state opaque provided that the current-state estimate cannot be revealed as a subset of secret states. We introduced a new sub-model of the system, named an observer net. The observer net has the same structure as the plant, but it is distinguished by the use of colored markers as well as simultaneous and recursive transition enabling and firing, which offer an efficient state estimation. We considered two settings of the proposed approach: an on-line setting, in which a current-state opacity algorithm waits for the occurrence of an observable event and determines whether the current observation of the plant reveals the secret behaviour, and an off-line setting, in which the verification problem is solved based on a state estimator called a colored estimator. In this context, necessary and sufficient conditions for verifying opacity are developed, with illustrative examples to demonstrate the presented approach.


Scientific Reports | (2022) 12:21572 | https://doi.org/10.1038/s41598-022-25697-y www.nature.com/scientificreports/

The problem of CSO verification is shown to be decidable for bounded labeled Petri nets [24,25]. However, Tong et al. [26] recently demonstrated that, in general, the opacity verification problem is undecidable if the PN system is unbounded. For this reason, our work concentrates on bounded LPNs by proposing an efficient approach that provides definite answers to the CSO problem.
Many of the existing studies on DESs pay particular attention to the opacity problem. Various methods have investigated the issue of state-based opacity verification in DESs [27,28]. In [10], the authors report a necessary and sufficient criterion using a non-deterministic finite automaton (NFA) by building an observer, i.e., transforming the NFA into a deterministic finite automaton (DFA) with a complexity of O(2^n) [29], where n is the number of states in the NFA. However, the verification of CSO is proved to be PSPACE-complete with respect to n [30,31,32]. By using a compact representation of a reachability graph (RG) called a basis RG (BRG), the work in [27] presents a necessary and sufficient condition for CSO. Note that the concept of BRGs has been proposed in [33,34,35,36]. The benefit of this method consists in avoiding the exhaustive enumeration of all reachable markings. However, the computational effort is still considerably heavy, and a large amount of memory is required.
Another interesting work was recently presented in [28], where the authors discuss CSO modeling and verification in DESs modeled by partially observed PNs (POPNs) [37]. They propose a discernible reachability graph (DRG) to compute the state estimation of a POPN system and check whether the opacity condition holds. Its limitation lies in the fact that the DRG alone does not provide a necessary and sufficient CSO verification condition. Consequently, the authors resort to integer linear programming (ILP) to solve this problem. In the same context, on-line verification algorithms for current-state [38] and initial-state [39] opacity have been proposed by Cong et al. for LPNs by assuming the acyclicity of the observable and unobservable subnets. These algorithms detect the occurrence of events and decide whether the transition (event) sequence observed so far is opaque or not. This decision is based on solving a group of ILPs. The works in [38,39] are restricted to secret markings defined by generalized mutual exclusion constraints (GMECs) [40].
On the other hand, LBO has been formalized in the existing studies in various ways. It was first proposed in the framework of NFAs [41,42]. The secret for the LBO problem is described by a sub-language of the DES. A system is said to be LBO with respect to a secret language if an intruder cannot reveal that any generated event sequence lies entirely within the secret. In [43], the authors characterize and introduce two types of opacity on the basis of languages, namely strong opacity and weak opacity. In [12], the authors propose approaches to ensure language-based opacity for bounded LPNs based on finite-time automata, called a verifier, by assuming that an intruder captures observable transitions only. For LBO verification using ILP, the work in [44] formulates a necessary and sufficient condition. Jacob et al. provide a thorough overview of opacity for DESs [31]. A historical perspective on the development of the opacity theory (and diagnosability theory) in DESs can be found in [45].
This work investigates CSO using a new model called an observer net. The main contributions of this work are summarized below:

1. A new sub-model of the system called an observer net is developed based on the plant structure. It is characterised by the new concepts of simultaneous and recursive transition enabling and firing, allowing a rapid computation of the reachable markings.
2. We propose an on-line algorithm for CSO verification in an LPN system. It provides the state estimation and the opacity decision for the word observed so far: it waits for the occurrence of an event and then determines whether the last observed event reveals the secret behaviour or not.
3. The proposed observer net model provides efficient usage of space while improving runtime performance. We lower the space complexity by avoiding the exhaustive computation of all reachable markings, and also lower the time complexity by merging the computation phases using the new concepts of simultaneous and recursive transition enabling and firing.
4. When an off-line opacity verification is desired, we construct a state estimator called a colored estimator, where each of its states corresponds to a set of consistent markings.
The remainder of this paper is structured as follows. In section "Current-state opacity", we state the problem of CSO and present its definitions. Section "Observer net" introduces the concept of the observer net and specifies its dynamics. In section "Verification of current-state opacity", we verify current-state opacity using on-line and off-line algorithms. Section "Computational complexity and comparison" investigates the proposed approach's effectiveness by giving a comparative study with related works. In section "Conclusions", concluding remarks and possible future directions are discussed.

Current-state opacity
We intend to define the notion of opacity in a DES modeled as a PN. In a system modeled with an LPN G = (N, M_0, E, ℓ), a secret S is a subset of the reachability set composed of some particular markings, called secret markings. Current-state opacity requires that, for every secret state reachable from the initial state by firing a transition sequence, there exists a non-secret state reachable by firing another transition sequence, and both sequences have the same observation from the intruder's perspective. Moreover, it is assumed that the intruder knows the system's structure but can obtain only a partial observation of the event occurrences. Necessary preliminaries are provided in the appendix of this study [46].

[27] We say that G = (N,

Namely, for any possible w ∈ L(N, M_0), an intruder is unable to determine whether the current state lies within S. Now, we define the non-current-state opaque observation and system as follows. For a non-CSO observation w, an intruder can deduce that every marking consistent with w is within S, i.e., for any M ∈ C(w), M ∈ S. Accordingly, a non-current-state opaque system is defined as follows.

Definition 4 [39] We say that an LPN G = (N,

Based on Definition 4, to ensure the CSO of a bounded LPN system, we need to check whether there is at least one w ∈ L(N, M_0) such that C(w) ⊆ S. To answer this question, one must perform an exhaustive enumeration of all reachable markings, i.e., compute C(w) for all w ∈ L(N, M_0), and then build a reachability graph observer, i.e., a DFA equivalent to the RG, using the standard determinization procedure [47], whose computational complexity is O(2^|X|) with X being the set of states in the RG [31,47,48]. The reachability graph observer provides the state estimation after the occurrence of an observation sequence, as shown in the following example.

Example 1
We consider the plant G in Fig. 1 with initial marking M_0 = 2p_1 and E = {a, b}. The sets of unobservable and observable transitions are T_uo = {t_2, t_3, t_4, t_7} and T_o = {t_1, t_5, t_6, t_8}, respectively. The RG and its corresponding observer are given in Figs

Observer net
This section defines the concept of an observer net. For a plant G, an observer net is a labeled Petri net that has the same structure as G (in terms of places, transitions, and arcs) but a different behaviour. Specifically, an observer net allows the simultaneous presence of several markings, characterised by distinct colors, in order to determine the states the plant can be in upon observation of an event. In Fig. 4, we summarize the interaction between a plant G and its associated observer net. Upon the occurrence of an event, the observer net determines the system state estimation. Specifically, it finds the possible markings at which the plant may lie, i.e., all the states consistent with the sequence of events observed thus far.
The primary challenges in this work lie in defining how the observer net is modeled, how it is graphically represented, and how it operates. Although the observer net is graphically modeled as a labeled Petri net, its state transition function and states differ from those of regular Petri nets. In what follows, a formal definition of the observer net, its construction algorithm, and its dynamics are presented.
Note that, in the following, the word "marking" refers to a marking of the plant and the word "state" refers to a marking of the observer net.

1. C_c is a non-empty and finite set of colors.

gives the initial state of the observer net.

The structure of the observer net is the same as that of the plant G. Its initial state M ,0 consists of colored markings (M, c), where M ∈ U(M_0) and c is generated by the function C_M. A state of the observer net is a set of colored markings (M, c), denoted M , specifying the system state estimation after observing an event. We need to make sure that C_M associates distinct colors with the markings belonging to M , so as to distinguish between them (due to the simultaneous presence of differently colored markings in the observer net, it can be thought of as a special class of colored Petri net).
Algorithm 1 takes an LPN G = (N, M_0, E, ℓ) as input and outputs its associated observer net (N, M ,0, E, ℓ, C_c, C_M). In the first step, we build the structure of the observer net by cloning the plant G, i.e., G and the observer net have the same structure N = (P, T, Pre, Post) and the same labeling function ℓ. Then Step 2 defines the initial state M ,0 of the observer net by calculating the unobservable reach of the initial marking M_0 of G, and assigns a distinct color c ∈ C_c to each marking using the color function C_M. This step runs iteratively until all the markings in the unobservable reach of M_0 are colored. The computational complexity of Algorithm 1 depends mainly on the number of markings in the unobservable reach of M_0.
Example 2 Let us consider the LPN system G in Fig. 1. According to Algorithm 1, the observer net is shown in Fig. 5; it has the same structure (states and transitions) as the plant G. The initial state of the observer net is retrieved from the initial marking of G. We have M_0 = 2p_1 and U(M_0) = {M_0, M_2, M_5, M_7, M_12, M_17}; based on Definition 5, the initial state of the observer net is given by:

The initial state of the observer net is composed of six colored markings, as shown in Fig. 6.
The dynamic behaviour of a PN is characterized by the transition firing rules together with the distribution of tokens in places. In the following, we introduce the rules that govern the flows of tokens in the observer net.
Given an observer net (N,

Based on Equation (2), the set of enabled transitions at M ,0 with label a is given by:

Note that, if a transition with label e fires at a colored marking (M, c), all the enabled transitions with label e at (M, c) fire concurrently. Thus, the semantics of an observer net differs from that of classical Petri nets.
The following rules define the dynamics of an observer net. These rules allow us to benefit from the simultaneous and recursive firing mechanism, which ensures a rapid computation of markings and guarantees a significant decrease in the time complexity of the proposed method, as shown in the following sections.
Examine the LPN systems shown in Fig. 7, which illustrate the dynamics of the observer net in two different scenarios. In Fig. 7a,

Then, based on Rule 2, the observer net simultaneously fires t_1 and t_2 since both are simultaneously enabled. The token of (p_1, •) is consumed by firing both transitions t_1 and t_2, which yields a new reachable state composed of two colored markings M ,1 = {(p_2, �), (p_3, ⋆)}.

In Fig. 7b, the initial state is given as

Then, based on Rule 4, the observer net recursively fires t_1, which yields a new reachable state composed of two colored markings M ,1 = {(p_1 + p_3 + p_4, ⊙), (p_3 + p_4, )}.

According to Rule 5, the colored marking (p_2, ⋆) does not enable transition t_1. Thus the token with color ⋆ is removed from p_2, i.e., the colored marking (p_2, ⋆) is discarded.

Example 4
The observer net of the LPN G in Fig. 1 is portrayed in

We can also say that t_1 and t_6 are enabled and fired simultaneously following Rules 1 and 2. Besides, we notice that the colored marking (M_7, △) does not enable any observable transition, i.e., �((M_7, △), e) = ∅ for all e ∈ E; therefore the tokens of (M_7, △) can be removed from the observer net based on Rule 5.
We define the unobservable reach of a state M as

We call the set of states reachable from M ,0 the reachable state set of (N, M ,0), denoted by R(N, M ,0).

Fig. 1 and its associated observer net in

The transition firing steps from M ,0 that enable the occurrence of event a are illustrated in Fig. 9.

Example 5 Examine the LPN G in
We define the operator .

(Inductive case) Assume that it holds for w. Then, we prove that it also holds for w′ = we, where e ∈ E.

Verification of current-state opacity
Next, methods for checking CSO of a DES in on-line and off-line settings are developed using the presented observer net model.

On-line verification.
This subsection presents an on-line algorithm devoted to verifying CSO for a given LPN system using an observer net. The observer net of the plant G provides a state estimation of G after an observable event occurs, and the algorithm then verifies the CSO of the system. A discussion of Algorithm 2 is presented next.
Algorithm 2 takes an LPN G = (N, M_0, E, ℓ) and a secret S as input. For any current observation w, the algorithm checks its CSO and returns "Yes" if it is opaque; otherwise it returns "No", meaning that G is non-CSO. The first step builds the observer net for G. Then, we initialize the observed word w in the second step. Upon observing the occurrence of any event e ∈ E, w is updated in Step 3. Then, we check its CSO with respect to S in Step 4. Specifically, when an event e occurs at M ,i, the observer net generates a new state M ,i+1 by simultaneously and recursively firing the enabled transitions with label e. If the set of colored markings in M ,i+1 is not fully included in the secret S, then, by Proposition 1 and Definition 1, w is CSO. In this case, the algorithm returns to Step 2 and waits for the occurrence of a new event; otherwise, w is non-CSO, and the opacity property is violated according to Proposition 2. Consequently, based on Proposition 3, G is non-CSO with respect to S.

Algorithm 2 employs the observer net for CSO verification. After an event occurrence, we need to compute the state estimation and then check whether the opacity condition holds. Although the algorithm has exponential space complexity in the worst case, compared with the RG-based verification approach the main advantage of the on-line verification consists in limiting the analysis to the observed word only, instead of exploring the whole language generated by the PN. Besides, the concept of simultaneous and recursive transition firing permits the concurrent execution of transition sequences and results in a significant decrease in the time complexity compared with the classical off-line opacity verification.

By applying Algorithm 2 to the plant G, given w = a, we obtain M ,1 ⊄ S. Then the observation w = a is CSO with respect to S. After that, w is updated and the observer net computes M ,2; we also have M ,2 ⊄ S, indicating that the observation w = ab is CSO with respect to S. Finally, when event a occurs, the on-line algorithm outputs "No" since M ,3 ⊆ S holds, implying that the observation w = aba is not opaque with respect to S. According to Proposition 3, the LPN system G is non-CSO with respect to S.
If Algorithm 2 never outputs "No", we infer that all the previously generated observations are CSO. Once Algorithm 2 returns "No", based on Definition 4, we conclude that G is non-CSO.

Off-line verification. Next, we develop Algorithm 3 to construct the RG of an observer net, called a colored estimator, which can be used for the purpose of an off-line CSO verification.
Let us now clarify how Algorithm 3 works. It takes G = (N, M_0, E, ℓ) as input and outputs an automaton EST = (M �, E, �, M �,0), also called an observer or a colored estimator. Initially, we build the observer net of G. In the second step, we start constructing the colored estimator by initializing the set M to M ,0. Then, for all states M ,i ∈ M that have not yet been explored (i.e., without tags) and all events e ∈ E, we check whether the set of enabled transitions �(M �,i, e) is non-empty; if so, we compute the next state. This procedure runs iteratively until all states in M are explored. Each state in M represents the set of markings consistent with an observation. In the worst case, Algorithm 3 can compute the whole reachability set, so the space complexity can grow exponentially with the number of tokens at the initial marking. On the other hand, Algorithm 3 exploits the efficient mechanism of the observer net, namely simultaneous and recursive transition firing, to generate a straightforward state estimator without constructing the reachability graph of G. The complexity analysis of the algorithm shows a reduced time complexity compared with related works. Numerical results supporting this benefit are given in section "Computational complexity and comparison".
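As an added, self-contained illustration of the observer-net dynamics described in section "Observer net" (simultaneous firing of all transitions carrying the observed label, recursive closure under unobservable firing, and discarding of colored markings that enable nothing) together with the on-line check of Algorithm 2 and the off-line colored estimator of Algorithm 3, the Python below was written for this page; it is not the paper's own implementation nor the code in the authors' repository. The plant, the secret S and the integer color function are constructed assumptions; the net of Fig. 1 is not reproduced, and the notation (M_0, C(w), U(·)) follows the paper.

```python
"""Observer-net style current-state opacity (CSO) check for a bounded LPN.

Added example, not the paper's code. The plant is a small constructed LPN:
G = (N, M0, E, l); an observer-net state is a set of colored markings (M, c).
"""
from collections import deque
from itertools import count

# --- constructed plant: transition -> (pre, post, label); None = unobservable
PLACES = ("p1", "p2", "p3", "p4")
TRANSITIONS = {
    "t1": ({"p1": 1}, {"p2": 1}, "a"),
    "t2": ({"p1": 1}, {"p3": 1}, "a"),   # same label as t1: ambiguous observation
    "t3": ({"p3": 1}, {"p4": 1}, None),  # silent move p3 -> p4
    "t4": ({"p2": 1}, {"p1": 1}, "b"),
    "t5": ({"p4": 1}, {"p1": 1}, "b"),
    "t6": ({"p2": 1}, {"p3": 1}, "c"),
}
E = sorted({lab for _, _, lab in TRANSITIONS.values() if lab})
M0 = (1, 0, 0, 0)                          # M0 = p1 (one token)
SECRET = {(0, 0, 1, 0), (0, 0, 0, 1)}      # constructed secret S = {p3, p4}

def _vec(d):
    return tuple(d.get(p, 0) for p in PLACES)

PRE = {t: _vec(pre) for t, (pre, _, _) in TRANSITIONS.items()}
POST = {t: _vec(post) for t, (_, post, _) in TRANSITIONS.items()}
LABEL = {t: lab for t, (_, _, lab) in TRANSITIONS.items()}

def enabled(m, t):
    return all(mi >= pi for mi, pi in zip(m, PRE[t]))

def fire(m, t):
    return tuple(mi - pi + qi for mi, pi, qi in zip(m, PRE[t], POST[t]))

def unobservable_reach(m):
    """U(m): markings reachable from m by unobservable transitions only,
    i.e. the recursive firing of the observer net (Rule 4 in the paper)."""
    seen, todo = {m}, deque([m])
    while todo:
        cur = todo.popleft()
        for t in TRANSITIONS:
            if LABEL[t] is None and enabled(cur, t):
                nxt = fire(cur, t)
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen

def estimate(markings, e):
    """One observer-net step: at every current marking fire all e-labelled
    transitions simultaneously (Rules 1-2), close each result under unobservable
    firing (Rule 4); markings enabling no e-transition contribute nothing (Rule 5)."""
    new = set()
    for m in markings:
        for t in TRANSITIONS:
            if LABEL[t] == e and enabled(m, t):
                new |= unobservable_reach(fire(m, t))
    return new

class ObserverNet:
    """Same structure as the plant; state is {color: marking}. Fresh integers
    stand in for the color function C_M (a constructed choice)."""
    def __init__(self):
        self._colors = count(1)
        self.state = self._color(unobservable_reach(M0))   # initial state

    def _color(self, markings):
        return {next(self._colors): m for m in sorted(markings)}

    def step(self, e):
        self.state = self._color(estimate(self.state.values(), e))
        return set(self.state.values())

def online_cso(word, secret=SECRET):
    """Algorithm 2 style: after each event answer 'Yes' while the estimate is
    not fully inside S; answer 'No' and stop once it is."""
    net, verdicts = ObserverNet(), []
    for i, e in enumerate(word):
        est = net.step(e)
        # empty estimate: w is not in L(N, M0), so nothing is revealed
        verdict = "No" if est and est <= secret else "Yes"
        verdicts.append((word[:i + 1], verdict))
        if verdict == "No":
            break
    return verdicts

def colored_estimator():
    """Algorithm 3 style: explore every estimator state (a frozenset of
    consistent markings) reachable from the initial state."""
    init = frozenset(unobservable_reach(M0))
    states, delta, todo = {init}, {}, deque([init])
    while todo:
        cur = todo.popleft()
        for e in E:
            nxt = frozenset(estimate(cur, e))
            if nxt:                        # e is possible from this estimate
                delta[(cur, e)] = nxt
                if nxt not in states:
                    states.add(nxt)
                    todo.append(nxt)
    return states, delta

def offline_cso(secret=SECRET):
    """G is CSO w.r.t. S iff no estimator state is fully included in S."""
    states, _ = colored_estimator()
    return all(not s <= secret for s in states)
```

For this constructed plant, online_cso("ac") returns [('a', 'Yes'), ('ac', 'No')]: after a the estimate {p2, p3, p4} still contains the non-secret marking p2, but after c every consistent marking lies in S, so the observation reveals the secret. offline_cso() returns False for the same reason, since one of the three estimator states is fully included in S, whereas offline_cso({(0, 0, 0, 1)}) returns True because no estimate ever narrows down to p4 alone.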

Computational complexity and comparison
The effectiveness of the approach developed in section "Verification of current-state opacity" is investigated in this section by comparing it with the opacity verification methods recently proposed in the literature, to demonstrate their advantages and limitations. The comparison is based on the CPU time in seconds on a desktop computer running Windows 10 with an I7.4 CPU at 3.40 GHz and 32 GB of memory.

To do so, we apply the proposed on-line algorithm to a larger version of the LPN in Fig. 1, where the initial marking is M_0 = 15p_1. Let S = {(4p_3 + 11p_5), (5p_1 + 10p_5), (8p_1 + 3p_5 + 4p_6), (11p_1 + 2p_2 + 2p_3), (13p_1 + 2p_5), (14p_1 + p_5), (15p_1)} be a secret. We use the standard opacity verification approach, which consists of computing the RG and converting the obtained RG into its equivalent DFA. After that, for each state of the observer (i.e., C(w)), we check whether it is fully included in the secret or not. This method takes more than 1.9 × 10^4 seconds and shows that the considered LPN system is non-CSO. This computational overhead is mainly caused by the RG construction and the conversion from an NFA to a DFA. Now, let us apply the on-line algorithm to the same example. Table 1 shows the performance of Algorithm 2. The first column represents the occurrence of an event. The second indicates the time (CPU seconds) required to run the observer net when an event occurs. The third column shows the algorithm's output when an event occurs: "Y" if the observation is CSO and "N" otherwise. From Table 1, it is known that the observed event sequence w = aabaab is non-current-state opaque wrt S. Thus, by Definition 4, the LPN is non-CSO with respect to the given secret. Consequently, due to the short time taken to verify whether an observation is CSO or non-CSO, we conclude that the proposed approach can be used for real-time verification. However, this process can be computationally intensive, mainly when the observed word is excessively long.

Examine the LPN system G in Fig. 1 with initial marking M_0 = kp_1, where k ∈ N. Accordingly, we consider a family of nets rather than a single LPN, parameterized by the initial marking. Table 2 compares the colored estimator construction using the observer net, i.e., EST, as shown in Algorithm 3, with the standard approach for observer construction, i.e., DFA construction using the RG of an LPN. The first column shows the value of k. The number of reachable markings is given in Column 2. Columns 3 and 4 give the number of states of the standard observer and its construction time, respectively. Finally, Columns 5 and 6, respectively, give the number of states in the observer net and the time of its construction. We use the notation "o.t." (out of time) to indicate that the computation takes more than three hours to complete. Both methods are computationally demanding in the worst case. However, the observer net's advantage compared with the standard approach consists of a lower time cost and simplicity of construction.

Table 3 summarizes the proposed observer net's advantages compared with the recent works on the opacity verification problem. For this purpose, we choose three typical methods, respectively presented in [10,27,28]. The second column indicates the application framework. The third column shows the presence of an acyclicity assumption. Column 4 indicates whether the method applies to on-line and off-line settings. Column 5 shows whether a conversion from an NFA to a DFA is needed. Finally, Column 6 shows the complexity of each method. Notice that the proposed approach outperforms the related works by getting rid of the acyclicity assumption; in addition, it provides a straightforward strategy for the estimator construction by avoiding the conversion from NFA to DFA. In the worst case, it has exponential space complexity, as it is possible to compute all the reachable markings. However, the observer net has a lower practical time overhead compared with related works due to the new concepts of simultaneous and recursive transition enabling and firing.

Conclusions
This paper proposes a new PN subclass, called an observer net, to verify the current-state opacity of a DES modeled with an LPN. We define the structure and dynamics (transition enabling and firing rules) of the observer net, which provides a rapid computation of the set of markings consistent with each observation. Then, we consider on-line and off-line settings for opacity verification. In the on-line setting, the proposed algorithm observes the event occurrence and then decides on-line whether the observed word is CSO with respect to the predefined secret. In the off-line setting, we design an algorithm for constructing a colored (state) estimator used for opacity verification, rather than the conventional methods that compute the state estimate (i.e., the set of consistent markings) by constructing a DFA from the reachability graph of the plant. In the proposed model, every node of the colored estimator corresponds to a set of consistent markings, making the reachability graph construction unnecessary. Finally, a comparison study is conducted to validate the effectiveness of this approach. Our future work includes exploring other security problems and potential vulnerabilities such as unauthorized access, cyberattacks, intrusion detection, prevention, etc.

Data availability
The datasets generated and analysed during the current study are available in the GitHub repository, https://github.com/LabedAJalil/Observer-net.