Verification of Current-State Opacity in Discrete Event Systems by Using Basis Coverability Graphs

Abstract

A new approach to the verification of current-state opacity for discrete event systems is proposed in this paper, which is modeled with unbounded Petri nets. The concept of opacity verification is first extended from bounded Petri nets to unbounded Petri nets. In this model, all transitions and partial places are assumed to be unobservable, i.e., only the number of tokens in the observable places can be measured. In this work, a novel basis coverability graph is constructed by using partial markings and quasi-observable transitions. By this graph, this research finds that an unbounded net system is current-state opaque if, for an arbitrary partial marking, there always exists at least one regular marking in the result of current-state estimation with respect to the partial marking not belonging to the given secret. Finally, a sufficient and necessary condition is proposed for the verification of current-state opacity. A manufacturing system example is presented to illustrate that the concept of current-state opacity can be verified for unbounded net systems.

1. Introduction

In recent decades, with the rapid development of information technology and computer science, the security of cyber–physical systems has become a hot research direction in interdisciplinary areas, which include many human-built infrastructures. Discrete event systems (DESs) serve as the technical generalization of such human-made systems that are usually computer-integrated and evolve with the predefined regulations. Typically, almost all the production systems fall into this category. In discrete event systems, similar to controllability, observability, diagnosability, and detectability, opacity is one of the basic attributes of DESs [1], which reflects the confidentiality of a system. To be specific, when unauthorized external observers (or intruders) observe the evolution of the system, they cannot infer that the predicate representing secret information is true.

In the context of DESs, a secret predicate can be either a subset of the state space or a subset of the language generated by a system [2,3]. Opacity can be accordingly divided into two categories: state-based opacity and language-based opacity. Furthermore, state-based opacity can be categorized into current-state opacity (CSO) [4,5], initial-state opacity [6,7], k-step, and infinite-step opacity [8,9,10,11]. Opacity verification can be conducted in a centralized or decentralized framework [12], under different formalisms such as fuzzy or stochastic DESs [13,14].

In this work, the concept of current-state opacity is verified by using an unbounded system, i.e., the number of times a transition is triggered is no longer set with an upper limit. A basis coverability graph (BCG) is constructed to address the CSO verification of a DES modelled with unbounded Petri nets (UPNs); such a system cannot be modelled with a finite state automaton. A condition in [6] is extended, i.e., some unobservable transitions can be detected in a partially observed DES. Moreover, an external observer (or intruder) is assumed to know the overall structure and initial state of the unbounded net model, but only part of places can be observable, i.e., the number of tokens in such a place can be explicitly measured or counted. Under such a setting, it becomes much more challenging to estimate the current state of an unbounded system. This paper constructs a BCG for an unbounded Petri net to determine the possible current state of the system according to the derived quasi-observable transitions and partial observable places.

Compared with finite-state automata (FSA), Petri nets are a more popular tool for modelling and controlling DESs [15]. By changing the number of tokens in places, the system behaviors are observed for further investigations [16] of interesting system properties or behavior. Petri nets have been extensively used to study the diagnosability analysis [17,18], state estimation [19], and supervisory control of DESs. In [17], a programming problem is formulated to perform fault diagnosis in a bounded Petri net, while the work in [18] reports a verifier net to derive a fault diagnosis method for DESs.

However, the existing results in the framework of bounded Petri nets usually need to construct reachability graphs [17,18,19], which suffer from the notorious state explosion problem. In other words, it is difficult to enumerate all the states for real-world systems due to their large sizes [20]. To mitigate this issue, a new type of reachability graph is proposed by Cabasino et al. [21], called a basis reachability graph (BRG). The authors, as well as the followers in the DES domain, apply BRG to many DES problems such as fault diagnosis, diagnosability analysis, supervisory control, and critical observability, opacity verification and enforcement.

In the research on DESs based on Petri nets, there are few studies on unbounded net systems. Ushio et al. [22] reported a method of fault diagnosis by using a partially observed UPN, where all transitions are unobservable and partial places are observable. In [22], two diagnosers, a simple diagnoser and an $\omega$-diagnoser, were constructed to analyze the diagnosability of an underlying system by monitoring the token counts and their changes in observable places. Moreover, the work in [23] improved the results in [18] by extending the diagnosability analysis in bounded net systems to unbounded net systems using a verifier net. In addition, when analyzing the state space of an unbounded net system, its coverability graph [24,25,26] has to be considered. In [27], Lefaucheux et al. extended the concept of BRGs to unbounded net systems. The authors analyzed the relationship between coverability sets and reachability sets. After the definition of BCGs was proposed, the relationship between BCGs and BRGs was further analyzed. Based on the proposed BCGs, the diagnosability analysis for unbounded net systems was significantly improved by the team who originally developed the notion of BRG with a deluge of results. For example, it was shown that an unbounded net system is diagnosable iff there does not exist any cycle in the BCG with the relevant set of fault transitions. However, the investigation of further applications of the BCGs is still open.

Opacity verification and enforcement have been extensively studied and applied to real applications [5,6,7,28,29], i.e., no matter what information is observed by a malicious intruder from outside, some non-secret information and secret information cannot be identified. In this case, the intruder cannot decide whether the possible current system states reasoned from the current observation so far belong to the pre-defined secret of the system.

In [30], the concept of opacity in finite transition systems was proposed for the first time, which was then extended to Petri nets [31]. For the verification of CSO, Tong et al. [4] used a BRG to verify the CSO of a bounded labeled Petri net, which was extended in [6] by representing a secret as generalized mutual exclusion constraints. In addition, a secret with no weakly exposed markings and uncertainty of the initial marking were also considered. The work in [5] verified the CSO in a partially observed bounded Petri net, where the unobservable transitions were divided into quasi-observable transitions and truly unobservable transitions, which were used to analyze the behavior of the system such that more information regarding the system evolution can be precisely captured. However, as far as we know, no work has been reported on the opacity verification of DESs modeled by UPNs.

In this paper, we touch upon the verification of opacity of a DES modeled with unbounded Petri nets by borrowing the methods in [5,6]. The major contributions of this work are stated as follows.

• A new type of basis coverability graph is proposed. The work by Lefaucheux et al. in [27] is extended to propose a new BCG based on the partially observable places only. In short, based on the number change of tokens in all observable places, the system can determine whether the (unobservable) transitions in their pre/post-sets are fired. This approach releases the frequently adopted assumption that observable transitions necessarily exist in a plant. Furthermore, this newly constructed BCG is readily applicable to the formulation of control laws for large and complex systems. A method of state estimation based on this BCG is also presented;
• A verification approach for CSO based on BCG is proposed. A sufficient and necessary condition is developed for the verification of opacity based on the current-state estimation and proves that the CSO can be verified in unbounded net systems.

This paper is organized into five sections. Section 2 conceptualizes partial markings and basis coverability graphs. In Section 3, we introduce a method to estimate the current state by using the newly proposed BCG. Section 4 details the verification of CSO in partially observed UPNs. To show that our method is effective and feasible, an example of a real-world system is shown in Section 5. Finally, the paper is concluded in Section 6.

2. Construction of BCG

The concepts of partial markings and BCGs are reviewed in this section, and a new type of BCG is proposed. Due to the limited space, we suppose that readers are familiar with the preliminaries of the Petri net theory and the related concepts. To facilitate the reading and understanding of this research, the Petri net notations and notions used in this paper can be seen in [32]. In addition, the system considered in this work is assumed to be self-loop free.

2.1. Partial Markings

A marking $M\in R(N,M_0)$ restricted to $P_o$ is represented by a vector $\tilde{M}$ with j entries, called the partially observable marking of the marking M [33]. Then, a partially observable marking (partial marking for simplicity) can be readily calculated by

$$A·M=\tilde{M},$$

where A is a $j\times h$ matrix, called the observability mapping matrix with $A(i,i)=1$ for $i=1,2,\dots ,j$, and the other entries are 0. Similarly, the matrix A is used to project a marking M of a Petri net onto a partial marking based on the set of observable places $P_o$.

Example 1.

A marking of a partially observed UPN is denoted as $M={[p_{o1},p_{o2},p_{o3},p_{uo1},p_{uo2}]}^T={[1,1,0,1,0]}^T$. By assuming that the mapping matrix $A_1$ is  

$$A_1=\left[\begin{array}{ccccc}1& 0& 0& 0& 0\\ 0& 1& 0& 0& 0\\ 0& 0& 1& 0& 0\end{array}\right],$$

the partial marking of $M={[1,1,0,1,0]}^T$ is $\tilde{M}={[1,1,0]}^T$, whose entries correspond to places $p_{o1}$, $p_{o2}$, and $p_{o3}$, respectively, i.e., $\tilde{M}\left(p_{o1}\right)=1$, $\tilde{M}\left(p_{o2}\right)=1$, and $\tilde{M}\left(p_{o3}\right)=0$.

In order to construct the BCG for a UPN with partially observable markings, a coverability set of partial markings is defined as

$$C{S}_o(N,M_0)=\{\tilde{M}\mid \exists M\in CS(N,M_0),A·M=\tilde{M}\}.$$

Although all the transitions are assumed to be unobservable in a UPN in this paper, the transitions whose firing can be detected and inferred by the token changes in observable places are called quasi-observable transitions. Given an unbounded net system $\langle N,M_0\rangle$, the set of quasi-observable transitions is defined as

$${\widehat{T}}_q=\{t\in T\mid \left({}^{•}t\cup t^{•})\cap P_o\ne \varnothing \right\}.$$

Similarly, the transitions that are not in ${\widehat{T}}_q$ are called truly unobservable transitions. Given an unbounded net system $\langle N,M_0\rangle$, the set of truly unobservable transitions is ${\widehat{T}}_u=T\setminus {\widehat{T}}_q$.

Given a transition sequence $\sigma \in T^{*}$, we use $\mathcal{P}$ to denote the natural projection with respect to quasi-observable transitions, i.e., $\mathcal{P}:T^{*}\to {\widehat{T}}_q^{*}$, which is defined as

$$\begin{array}{c}\left\{\begin{array}{c}\mathcal{P}\left(\epsilon \right)=\epsilon \hfill \\ \mathcal{P}\left(\sigma \right)=\sigma ,\sigma \in {\widehat{T}}_q^{*}\hfill \\ \mathcal{P}\left(\sigma \right)=\epsilon ,\sigma \in {\widehat{T}}_u^{*}\hfill \\ \mathcal{P}\left(\sigma s\right)=\mathcal{P}\left(\sigma \right)\mathcal{P}\left(s\right),\sigma \in T^{*},s\in T.\hfill \end{array}\right.\end{array}$$

The inverse projection ${\mathcal{P}}^{-1}:{\widehat{T}}_q^{*}\to 2^{T^{*}}$ is defined as ${\mathcal{P}}^{-1}\left(w\right)=\{\sigma \in L(N,M_0)|\sigma =\mathcal{P}\left(w\right)\}$, i.e., ${\mathcal{P}}^{-1}\left(w\right)$ consists of all transition sequences in $L(N,M_0)$ whose observations are w.

Example 2.

A partially observed unbounded Petri net is considered as shown in Figure 1, where $p_{uo}$ is an unobservable place. Its coverability graph is shown in Figure 2, where a marking is denoted by $M={(p_{o1},p_{o2},p_{uo})}^T$. Note that $p_{o2}$ is unbounded and that the set of quasi-observable transitions is ${\widehat{T}}_q=\{t_1,t_2\}$.

Note that, in this investigation, the number of tokens in unbounded places is denoted by $\omega$. Therefore, if there are some unbounded places that are observable, the system’s administrators or intruders can detect the change in the number of tokens in these places. In simpler terms, for some unbounded places, which are denoted by $\omega$, if they are observable, their pre-sets and post-sets are detectable and quasi-observable.

Algorithm 1 is used to identify the quasi-observable and the truly unobservable transitions in an unbounded Petri net. Moreover, given a quasi-observable string w and a partial marking $\tilde{M}$, let us define the set of states that are possibly reachable by detecting and observing w and $\tilde{M}$ as

$$\mathcal{C}(w,\tilde{M})=\left\{M\right|\exists \sigma \in {\mathcal{P}}^{-1}\left(w\right):M_0[\sigma \rangle M,A·M=\tilde{M}\}$$

which is a collection of markings consistent with w and $\tilde{M}$.

Algorithm 1: Classification of transitions.

2.2. Basis Coverability Graph in Partially Observed UPNs

Different from the work in [27], where an approach based on the labeled Petri nets and their markings is proposed, the concepts of quasi-observable transitions, truly unobservable transitions, and partial markings are used to construct our novel BCGs. In addition, the definition of an unobservable transition subnet [6,20] is extended to truly unobservable transitions.

Definition 1.

Let $(N,M_0)$ be a UPN. Additionally, ${\widehat{T}}_u$ is a set of truly unobservable transitions. The truly unobservable subnet $N^{\prime }=(P,T^{\prime },Pr{e}^{\prime },Pos{t}^{\prime })$ of N is obtained by removing $T\setminus {\widehat{T}}_u$, where $Pr{e}^{\prime }$ and $Pos{t}^{\prime }$ are the restrictions of $Pre$ and $Post$ to ${\widehat{T}}_u$, respectively. The incidence matrix of this subnet is denoted by $C_{\widehat{u}}=Pos{t}^{\prime }-Pr{e}^{\prime }$.

Therefore, based on the above definition, we assume that the truly unobservable subnet is acyclic.

As shown in Figure 3, a partially observed UPN is considered.

Table 1. Markings list of Figure 3.

M	Vector	M	Vector
$M_0$	${(1,1,0,0,0,0,0)}^T$	$M_6$	${(0,2,0,\omega ,0,0,1)}^T$
$M_1$	${(1,1,0,\omega ,0,0,0)}^T$	$M_7$	${(0,0,0,\omega ,1,2,0)}^T$
$M_2$	${(1,0,0,0,1,0,0)}^T$	$M_8$	${(0,1,0,\omega ,0,1,1)}^T$
$M_3$	${(0,2,0,\omega ,1,0,0)}^T$	$M_9$	${(0,0,0,\omega ,0,2,1)}^T$
$M_4$	${(1,0,0,\omega ,0,1,0)}^T$	$M_{10}$	${(0,1,1,\omega ,0,0,0)}^T$
$M_5$	${(0,1,0,\omega ,1,1,0)}^T$	$M_{11}$	${(0,0,1,\omega ,0,1,0)}^T$

and Figure 4 show the list of markings and its coverability graph, respectively, where a regular marking is denoted as $M={(p_{o1},p_{o2},p_{o3},p_{uo1},p_{uo2},p_{uo3},p_{uo4})}^T$.

Definition 2.

Given a partially observed UPN $(N,M_0)$ with its truly unobservable subnet being acyclic, a partial markings $\tilde{M}$, and a transition $t_q\in {\widehat{T}}_q$,

$$\Gamma (\tilde{M},t_q)=\{\sigma \in {\widehat{T}}_u^{*}|M[\sigma \rangle M^{\prime },M^{\prime }\ge Pre(·,t_q),A·M=\tilde{M}\}$$

is defined as a set of explanations of quasi-observable transition $t_q$ at partial marking $\tilde{M}$, and $Y(\tilde{M},t_q)=\{y_{\sigma }\in {\mathbb{N}}^{|{\widehat{T}}_u|}|\exists \sigma \in \Gamma (\tilde{M},t_q):y_{\sigma }=\pi \left(\sigma \right)\}$ is defined as the corresponding set of explanation vectors.

Definition 3.

Given a partially observed UPN $(N,M_0)$ with the acyclic truly unobservable subnet, a partial marking $\tilde{M}\in C{S}_o(N,M_0)$, and a transition $t_q\in {\widehat{T}}_q$,

$${\Gamma }_{min}(\tilde{M},t_q)=\{\sigma \in \Gamma (\tilde{M},t_q)|\nexists {\sigma }^{\prime }\in \Gamma (\tilde{M},t_q):\pi \left({\sigma }^{\prime }\right)⪇\pi \left(\sigma \right)\}$$

is defined as a set of minimum explanations of quasi-observable transition $t_q$ at partial marking $\tilde{M}$ and $Y_{min}(\tilde{M},t_q)=\{y_{\sigma }\in {\mathbb{N}}^{|{\widehat{T}}_u|}|\exists \sigma \in {\Gamma }_{min}(\tilde{M},t_q):y_{\sigma }=\pi \left(\sigma \right)\}$ is defined as the corresponding set of minimum explanation vectors.

Therefore, there necessarily exists a set of basis markings in a BRG regardless of whether the transition set of a labeled Petri net is partitioned [6]. However, in a partially observed UPN, the markings are no longer applicable to constructing the BCG. Instead, the partial markings are only used for this graph. In the following, the definition of a set of basis partial markings is proposed.

Definition 4.

For an unbounded net system $〈N,M_0〉$ and an initial partial marking ${\tilde{M}}_0$, a set of basis partial markings ${\mathcal{M}}_b$ is defined as follows:

• ${\tilde{M}}_0\in {\mathcal{M}}_b$;
• $\forall \tilde{M}\in {\mathcal{M}}_b,\forall t_q\in {\widehat{T}}_q,\forall {\sigma }^{\prime }\in {\Gamma }_{min}(M,t)$ and $y_{\sigma }=\pi \left({\sigma }^{\prime }\right)$, it holds ${\tilde{M}}^{{}^{\prime }}\in {\mathcal{M}}_b$, where ${\tilde{M}}^{{}^{\prime }}=\tilde{M}+C(·,t_q)+C_{\widehat{u}}·y_{\sigma }$.

In other words, the set of basis partial markings includes the initial partial marking and a set of all of the partial markings reachable by firing quasi-observable transitions and minimum explanations of truly unobservable transitions.

Based on the above definitions, an algorithm is proposed to construct a BCG for partially observed UPNs. We follow the work in [6] by using an NFA $\mathbb{C}=({\mathcal{M}}_b,{\widehat{T}}_q,\Delta ,{\tilde{M}}_0)$ to represent the novel BCG, where ${\mathcal{M}}_b$ is the set of basis partial markings, ${\widehat{T}}_q$ is a set of quasi-observable transitions, and $\Delta$ is a transition function defined as $\Delta :{\mathcal{M}}_b\times {\widehat{T}}_q\to {\mathcal{M}}_b$.

Algorithm 2 can be briefly explained. In the first step, the set of basis partial markings ${\mathcal{M}}_b$ is initialized at ${\mathcal{M}}_b=\left\{{\tilde{M}}_0\right\}$. For all non-visited basis partial markings $\tilde{M}$ and all quasi-observable transitions ${\widehat{T}}_q$, we need to determine whether its minimum explanation vector $Y_{min}(\tilde{M},t)$ is a nonempty set. If it is not empty, a new basis partial marking can be calculated. The algorithm runs repeatedly until all basis partial markings are calculated.    

Algorithm 2: Construction of BCG for a partially observed UPN.

Example 3.

The partially observed unbounded Petri net is considered again as shown in Figure 3. Table 1 is the marking list of the net system, where a marking is denoted as $M={[p_{o1},p_{o2},p_{o3},p_{uo1},p_{uo2},p_{uo3},p_{uo4}]}^T$; Figure 4 is the coverability graph of the net system. The places $p_{uo1}$, $,p_{uo2}$, $p_{uo3}$, and $p_{uo4}$ are assumed to be unobservable. Therefore, the set of quasi-observable transitions is ${\widehat{T}}_q=\{t_2,t_3,t_5,t_6,t_7\}$, and the others are truly unobservable transitions. Moreover, a new mapping matrix $A_2$ is assumed as

$$A_2=\left[\begin{array}{ccccccc}1& 0& 0& 0& 0& 0& 0\\ 0& 1& 0& 0& 0& 0& 0\\ 0& 0& 1& 0& 0& 0& 0\end{array}\right].$$

The novel BCG is shown in Figure 5. Since $t_1$ and $t_4$ are truly unobservable transitions, if an intruder observes a new partial marking ${\tilde{M}}_2$ from ${\tilde{M}}_0$, the set of explanations with respect to ${\tilde{M}}_o$ may be $\left\{t_1^n\right\}$, where $n\in \mathbb{N}$. Therefore, there is one minimum explanation, i.e., ${\Gamma }_{min}=\left\{t_1\right\}$.

A special situation should be noted in this work: Given two quasi-observable transitions $t_1,t_2\in {\widehat{T}}_q$, they are said to be confused if $Pre(p,t_1)=Pre(p,t_2)$, or $Post(p,t_1)=Post(p,t_2)$, where p is an arbitrary observable place, with $p\in {}^{•}{t}_1\cap {}^{•}{t}_2$ or $p\in t_1^{•}\cap t_2^{•}$. In other words, there may be multiple quasi-observable transitions in the net system that can lead to the same change in the observable places. This change makes the intruders unable to determine which transition is fired. Therefore, in the novel BCG, there may exist two or even more quasi-observable transitions that are tagged on an arc from one node to another node. In simpler terms, the system administrators do not need to determine which quasi-observable transition is fired. They only need to determine that one of them has been fired.

Example 4.

As shown in Figure 3 and Figure 5, the partially observed UPN and its BCG are considered again. From the initial partial marking ${\tilde{M}}_0={(1,1,0)}^T$, if a new partial marking ${\tilde{M}}_1={(1,0,0)}^T$ is observed, there are two situations: ${\tilde{M}}_0\times t_3\to {\tilde{M}}_1$ and ${\tilde{M}}_0\times t_7\to {\tilde{M}}_1$, i.e., transitions $t_3$ and $t_7$ are confused. Therefore, for the set of quasi-observable transitions $\{t_3,t_7\}$, we conclude that one of the transitions $t_3$ and $t_7$ must have been fired.

3. Current-State Estimation

Based on the new BCG, the concept of current-state estimation is discussed in this section. Let us now introduce the following statements that are useful to formalize the main result.

Given a marking M, $A·M=\tilde{M}$, which is reached by firing a quasi-observable transition $t_q\in {\widehat{T}}_q$, i.e., $M_0[\sigma t_q\rangle M$, where $\sigma \in T^{*}$, a new set of markings is defined as $\mathcal{U}\left(\tilde{M}\right)=\left\{M^{\prime }\right|\exists {\sigma }^{\prime }\in {\widehat{T}}_u^{*}:M[{\sigma }^{\prime }\rangle M^{\prime }\}$, called the unobservable reach of the partial marking $\tilde{M}$.

Given a partial marking $\tilde{M}$ and a quasi-observable transition $t_q$, we assume that the firing of an enabled quasi-observable transition $t_q$ at partial marking $\tilde{M}$ yields a partial marking ${\tilde{M}}^{\prime }=\tilde{M}+C(·,t_q)+C_{\widehat{u}}·\pi \left({\sigma }_u\right)$, where ${\sigma }_u\in {\Gamma }_{min}(\tilde{M},t_q)$, which is denoted by $\tilde{M}[t_q\rangle {\tilde{M}}^{\prime }$. A quasi-observable string $w=\mathcal{P}\left(\sigma \right)=t_{q1}{t}_{q2}\cdots t_{qn}\in {\widehat{T}}_q^{*}$, is enabled at partial marking $\tilde{M}$ if there exist partial markings ${\tilde{M}}_1,{\tilde{M}}_2,\cdots ,{\tilde{M}}_n$ such that $\tilde{M}[t_{q1}\rangle {\tilde{M}}_1[t_{q2}\rangle \cdots {\tilde{M}}_{n-1}[t_{qn}\rangle {\tilde{M}}_n$, denoted as $\tilde{M}[w\rangle {\tilde{M}}_n$, where $\sigma \in T^{*}$, and $n\in \mathbb{N}$. Specifically, if a quasi-observable string w is an empty string, then $\tilde{M}[w\rangle \tilde{M}$ holds.

Theorem 1.

Consider a UPN $(N,M_0)$ with $N=(P,T,Pre,Post)$, whose truly unobservable subnet is acyclic, and a marking $M^{\prime }$ that is reached by firing a quasi-observable transition. For arbitrary partial markings $\tilde{M}\in C{S}_o(N,M_0)$ and an explanation vector $y_{\sigma }\in Y(\tilde{M},t)$, it holds that

$$\begin{array}{cc}\hfill \mathcal{C}(w,\tilde{M})& =\mathcal{U}\left(\tilde{M}\right)\hfill \\ & =\left\{M\right|M=M^{\prime }+C_{\widehat{u}}·y_{\sigma },A·M^{\prime }=A·M=\tilde{M}\}.\hfill \end{array}$$

Proof. 

This proof is extended from [33]. We prove this result by induction on the length of the string w, where there is a transition sequence $\sigma$, $\mathcal{P}\left(\sigma \right)=w$.

In the case that w is an empty string, then the result is true.

Assume that the result is valid for v. We prove that it is also true for $w=v{t}_q$, where $t_q\in {\widehat{T}}_q$.

In fact, there is a transition sequence $\sigma \in T^{*}$ such that $M_0[\sigma \rangle M^{\prime }$ with $\mathcal{P}\left(\sigma \right)=w$, and $y_{\sigma }=\pi \left(\sigma \right)$. Then, there are two sequences ${\sigma }^{\prime },{\sigma }^{″}$ such that

$$\begin{array}{c}\hfill M_0[{\sigma }^{\prime }\rangle M^{\prime }[t_q\rangle M^{″}[{\sigma }^{″}\rangle M^{‴}.\end{array}$$

where $\mathcal{P}\left({\sigma }^{\prime }\right)=v$ and ${\sigma }^{″}\in {\widehat{T}}_u^{*}$. Therefore, one has

$$A·M_0\ne A·M^{\prime }\ne A·M^{″}\ne A·M^{‴}.$$

By induction, there is a partial marking $\tilde{M}\in C{S}_o(N,M_0)$ such that

$$\begin{array}{c}\hfill M_0[{\sigma }_a\rangle M[{\sigma }_b\rangle M^{\prime }[t_q\rangle M^{″}[{\sigma }^{\prime }\rangle M^{‴},\end{array}$$

(1)

where $\mathcal{P}\left({\sigma }_a\right)=v$, ${\sigma }_b\in {\widehat{T}}_u^{*}$ and there is a transition sequence ${\sigma }_u\in {\widehat{T}}_u$ such that $\pi \left({\sigma }_u\right)=y_{\sigma }$ and $\pi \left({\sigma }_a\right)=\pi \left(v\right)+y_{\sigma }$. In addition, we have

$$A·M=A·M^{\prime }=\tilde{M}.$$

By definition of minimal explanations, there is a transition sequence ${\sigma }_c\in \Gamma (\tilde{M},t_q)$ such that

$$\begin{array}{c}\hfill M[{\sigma }_c\rangle M_c[t_q\rangle M_d\end{array}$$

(2)

with $A·M=A·M_c$ and $\pi \left({\sigma }_c\right)\le \pi \left({\sigma }_b\right)$.

We now claim that there is a transition sequence ${\sigma }_d$ with $\pi \left({\sigma }_b\right)=\pi \left({\sigma }_c\right)+\pi \left({\sigma }_d\right)$ enabled at $M_d$. In fact, from Equation (1), it follows that

$$\begin{array}{cc}\hfill M^{″}& =M+C_{\widehat{u}}·\pi \left({\sigma }_b\right)+C(·,t_q)\hfill \\ & =M+C_{\widehat{u}}·\pi \left({\sigma }_c\right)+C_{\widehat{u}}·\pi \left({\sigma }_d\right)+C(·,t_q),\hfill \end{array}$$

while from Equation (2), it follows that

$$M_d=M+C_{\widehat{u}}·\pi \left({\sigma }_c\right)+C(·,t_q).$$

The last two equations imply that

$$M_d=M+C_{\widehat{u}}·\pi \left({\sigma }_d\right)\ge 0,$$

and since the truly unobservable subnet is acyclic, it holds that

$$\begin{array}{c}\hfill M_d[{\sigma }_d\rangle M^{″},\end{array}$$

(3)

$$\begin{array}{c}\hfill A·M_d=A·M^{″},\end{array}$$

(4)

Combining Equations (1)–(4), we can write

$$\begin{array}{c}\hfill M_0[{\sigma }_a\rangle M[{\sigma }_c\rangle M_c[t_q\rangle M_d[{\sigma }_d\rangle M^{″}[{\sigma }^{″}\rangle M^{‴}.\end{array}$$

This completes the proof. □

In simpler terms, for an unbounded net system, if there is a marking that is reached by firing a quasi-observable transition $t_q$, we need to find some markings that still have the same measurement results after firing some truly unobservable transitions, i.e., these markings all have the same partial marking.

Example 5.

As shown in Figure 3, we continue to consider the unbounded net system.

Table 2. Set of markings with respect to $\tilde{M}$.

$\tilde{\mathit{M}}$	$\mathcal{C}(\mathit{w},\tilde{\mathit{M}})$
${\tilde{M}}_0={(1,1,0)}^T$	$M_0,M_1$
${\tilde{M}}_1={(1,0,0)}^T$	$M_2,M_4$
${\tilde{M}}_2={(0,2,0)}^T$	$M_3,M_6$
${\tilde{M}}_3={(0,1,0)}^T$	$M_5,M_8$
${\tilde{M}}_4={(0,1,1)}^T$	$M_{10}$
${\tilde{M}}_5={(0,0,0)}^T$	$M_7,M_9$
${\tilde{M}}_6={(0,0,1)}^T$	$M_{11}$

is a list of all potential markings for all partial markings.

Since the solution of $y_{\sigma }$ is a non-negative solution, given an initial marking $M_0$ with its partial marking being ${\tilde{M}}_0$, the potential markings are $M_0$ and $M_1$ due to $M_0[t_1\rangle M_1$, where $t_1\in {\widehat{T}}_u$, and $A_2·M_0=A_2·M_1={\tilde{M}}_0$. On the other hand, given a marking $M_3$, the partial marking of $M_3$ is ${\tilde{M}}_2$. The other potential marking with respect to ${\tilde{M}}_2$ is $\left\{M_6\right\}$, thanks to $M_3[t_1\rangle M_3$ and $M_3[t_4\rangle M_6$, where $t_1,t_4\in {\widehat{T}}_u$ and $A_2·M_3=A_2·M_6={\tilde{M}}_2$.

Based on Table 2 and the above examples, a BCG-based observer is constructed in Figure 6.

Based on Algorithm 2 and the above definitions of explanations and current-state estimation, the necessity of the truly unobservable subnet needs to be explained. For the partially observed unbounded net systems studied in this work, we can only infer the evolution process of the system state by observing the partial markings composed of partially observable places. In other words, the markings cannot be used to construct a complete coverability graph to obtain complete information about the system. Therefore, it is necessary for us to build novel BCGs to help us complete the acquisition of system information. However, if we do not require that the truly unobservable transition subnet should not constitute a circuit, then the construction of our BCGs may never be complete, i.e., the net system remains in a circuit without any quasi-observable transition being fired. This situation makes it impossible to obtain a complete result of the current-state estimation. Based on this situation, we insist that, for building a BCG, the unobservable transition subnet needs to be acyclic. In the next section, the above results are used to verify the opacity problem.

4. Current-State Opacity Verification

In this section, a method is proposed for verifying the CSO by using the BCG.

4.1. CSO on Unbounded Net Systems

In this part, the set of secret S is defined as a subset of the arbitrary markings. For this work, since all transitions are unobservable, we not only need to estimate the current state of the system but also predict the transitions in its pre-set or pro-set through a few observable places. In this regard, a new definition of CSO is proposed.

Definition 5.

Given a UPN $(N,M_0)$ with the truly unobservable subnet being acyclic and a set of secret $S\subseteq R(N,M_0)$, the unbounded net system $〈N,M_0〉$ is said to be current-state opaque with respect to S if for any transition sequence $\sigma \in T^{*},\mathcal{P}\left(\sigma \right)=w$ such that ${\tilde{M}}_0[w\rangle \tilde{M}$, and $\mathcal{C}(w,\tilde{M})⊈S$ holds.

In simpler terms, an unbounded net system is current-state opaque if, for an arbitrary partial marking that is reached by firing a quasi-observable string, there exists at least one marking that does not belong to the secret in the result of the current-state estimation.

Example 6.

The unbounded net system is considered again as shown in Figure 3. Let the secret be $S=\{M_3,M_5\}$. Suppose that an intruder detects a quasi-observable string $w=t_2{t}_3$, i.e., ${\tilde{M}}_0[t_2\rangle {\tilde{M}}_2$$[t_3\rangle {\tilde{M}}_3$. Then, the system is current-state opaque since $\mathcal{C}(w_0,{\tilde{M}}_0)⊈S$, $\mathcal{C}(w_1,{\tilde{M}}_2)⊈S$, and $\mathcal{C}(w_2,{\tilde{M}}_3)⊈S$, where $w_0$ is an empty string, $w_1=t_2$, and $w_2=t_2{t}_3$.

Moreover, given a UPN $(N,M_0)$ with the truly unobservable subnet being acyclic, and secret S, a marking M is said to be exposed if $M\in CS(N,M_0)\setminus S$. Furthermore, the set of exposed markings is defined as $E\left(S\right)=CS(N,M_0)\setminus S$.

Example 7.

The unbounded net system is considered again as shown in Figure 3. Let the secret states be $S_1=\{M_0,M_2,M_3,M_5,M_7\}$. Then, the set of exposed markings is $E\left(S_1\right)=\{M_1,M_4,M_8-M_{11}\}$.

The above example intuitively explains what markings do not belong to the secret. However, this would be inadequate. More details should be considered. Given a UPN $(N,M_0)$ with the truly unobservable subnet being acyclic, and secret S, a marking M with $A·M=\tilde{M}$ is said to be weakly exposed if M is an exposed marking, and $M\in \mathcal{U}\left(\tilde{M}\right)$. Furthermore, the set of weakly exposed markings consistent with partial marking $\tilde{M}$ is defined as $WE(S,\tilde{M})=E\left(S\right)\cap \mathcal{U}\left(\tilde{M}\right)$.

Example 8.

The above example is extended here. For a partial marking ${\tilde{M}}_3$, the marking $M_8$ is a weakly exposed marking, since $M_8\in E\left(S_1\right)$, $M_5[t_4\rangle M_8$, and $A_2·M_5=A_2·M_8$. At the same time, $WE(S_1,{\tilde{M}}_0)=\left\{M_1\right\}$, $WE(S_1,{\tilde{M}}_1)=\left\{M_4\right\}$, $WE(S_1,{\tilde{M}}_2)=\left\{M_6\right\}$, $WE(S_1,{\tilde{M}}_4)=\left\{M_{10}\right\}$, $WE(S_1,{\tilde{M}}_5)=\left\{M_9\right\}$, and $WE(S_1,{\tilde{M}}_6)=\left\{M_{11}\right\}$.

Note that some markings, such as $M_{11}$, are reached by firing one of the quasi-observable transitions in $\{t_3,t_5,t_7\}$. At the same time, there exists a truly unobservable transition that can be fired, e.g., $M_{11}[t_1\rangle M_{11}$, so these markings also belong to $WE(S,\tilde{M})$.

Based on the above definitions and theorem, the following necessary and sufficient condition is proposed for CSO.

Theorem 2.

Given a UPN $〈N,M_0〉$ with $N=(P,T,Pre,Post)$, whose truly unobservable subnet is acyclic, and a secret $S\subseteq R(N,M_0)$, the system is current-state opaque with respect to S if and only if for all $\sigma \in T^{*}$ with $\mathcal{P}\left(\sigma \right)=w$ and ${\tilde{M}}_0[w\rangle \tilde{M}$, $\mathcal{C}(w,\tilde{M})\cap WE(S,\tilde{M})\ne \varnothing$ holds.

Proof. 

$(\Rightarrow )$ Given an arbitrary sequence $\sigma \in T^{*}$ such that $\mathcal{P}\left(\sigma \right)=w$ and ${\tilde{M}}_0[w\rangle \tilde{M}$, if the set of weakly exposed markings consistent with $\tilde{M}$ is not an empty set, then there is a marking $M\in \mathcal{U}\left(\tilde{M}\right)$, $M\in E\left(S\right)$, i.e., $M\in \mathcal{U}\left(\tilde{M}\right)\cap E\left(S\right)=WE(S,\tilde{M})$, and hence, $M\in \mathcal{C}(w,\tilde{M})$. This indicates that $\mathcal{C}(w,\tilde{M})\cap WE(S,\tilde{M})\ne \varnothing$. By the definition of the set of exposed markings, the system is current-state opaque with respect to S.

$(\Leftarrow )$ On the contrary, given an unbounded net system that is current-state opaque, we assume that an intruder detects a quasi-observable string w such that ${\tilde{M}}_0[w\rangle \tilde{M}$, and none of the markings consistent with $\tilde{M}$ are weakly exposed. Based on Theorem 1 and the definition of exposed markings, all markings consistent with partial marking $\tilde{M}$ belong to the secret, i.e., $\mathcal{C}(w,\tilde{M})\cap WE(S,\tilde{M})=\varnothing$, i.e., the system is not opaque. This indicates that this assumption contradicts the definition of opacity, which completes the proof. □

As stated in the above theorem, if the system administrators need to verify whether an unbounded net system is current-state opaque, they just need to find out whether there exists at least one weakly exposed marking in partial markings, instead of exhausting all the states.

4.2. CSO Verification on BCG

This subsection deals with the CSO verification based on the BCG. Since the purpose of this work is to extend the existing opacity verification methods to UPNs, some existing methods [5,6] can be referred to and used. Given a UPN $(N,M_0)$ with the truly unobservable subnet being acyclic, and a secret S, a binary scalar $a\left(\tilde{M}\right)$ is defined as follows:

$$\begin{array}{c}a\left(\tilde{M}\right)=\left\{\begin{array}{c}1\mathcal{C}(w,\tilde{M})\cap WE(S,\tilde{M})\ne \varnothing ;\hfill \\ 0otherwise.\hfill \end{array}\right.\end{array}$$

The BCG is combined with binary scalar $a\left(\tilde{M}\right)$ to construct a new non-deterministic automaton (NFA), i.e., a new observer $\widehat{\mathbb{C}}=({\widehat{\mathcal{M}}}_b,{\widehat{T}}_q,\Delta ,{\tilde{M}}_0)$, where ${\widehat{\mathcal{M}}}_b\subseteq {\mathcal{M}}_b\times \{0,1\}$. Compared with the observer in [6], their spatial complexity is approximate. The spatial complexity of the new non-deterministic automaton observer $\widehat{\mathbb{C}}$ is $\mathcal{O}\left(2^{|\tilde{M}|}\right)$. In general, the number of partial markings is less than or equal to that of markings, i.e., $|C{S}_o(N,M_0)|\le |CS(N,M_0)|$. Moreover, if the secret S is changed to $S^{\prime }$, we only need to change the scalar $a\left(\tilde{M}\right)$ of all partial markings. In the following, a proposition for the CSO verification problem is proposed by using the BCG.

Proposition 1.

Given a UPN $(N,M_0)$ with the truly unobservable subnet being acyclic, and a secret $S\subseteq R(N,M_0)$, for all nodes in the new non-deterministic automaton observer, if the binary scalar is always $a\left(\tilde{M}\right)=1$, then the unbounded net system $〈N,M_0〉$ is current-state opaque with respect to secret S.

Proof. 

Based on the contrapositive, assume that the system is not current-state opaque. If the binary scalars of all nodes in an unbounded net system are equal to 1, i.e., for all partial markings $\tilde{M}$, $a\left(\tilde{M}\right)=1$, we can find that there is at least one weakly exposed marking in the result of any state estimation. According to Theorem 2, the unbounded net system is current-state opaque with respect to S. However, this contradicts the original hypothesis, which completes the proof. □

In simpler terms, according to Theorem 2 and Proposition 1, if all the binary scalars are 1, i.e., $a(·)=1$, the net system is current-state opaque; otherwise, we require further analysis. According to the above proposition, an example is present to illustrate the novel method.

Example 9.

As shown in Figure 3, the unbounded net system is considered again. The secret set of Example 7 is considered again. Figure 7 is the new BCG-based observer of the unbounded net system using the non-deterministic automaton. Since the binary scalar of all nodes in this automaton is $a\left(\tilde{M}\right)=1$. It represents that the unbounded net system $〈N,M_0〉$ is current-state opaque.

In other words, for any quasi-observable string, if there exists at least one weakly exposed marking associated with the arbitrary partial marking, then it means that the unbounded net system is current-state opaque.

5. An Example of Real Systems

In this section, the novel methodology will be applied to a real system that can be of help to illustrate the idea underlying this research. We hope that the explanation of this example can show that our method has a certain engineering guiding significance such that a practitioner may be interested in this study.

A small but comprehensive flexible manufacturing cell [34] is considered as shown in Figure 8. The reason that we choose a manufacturing cell as an example lies in the fact that such an example is easy to understand and captures the methods developed in this paper. The system is composed of one robot, one input buffer, one output buffer, and two machines. The robot and the machines can only deal with one part when the system is working. Specifically, the buffer can be regarded as an infinite bin, i.e., its space capacity is unlimited, which is different from the traditional modeling methods that assume such a buffer is bounded. The workflow of this system is as follows: When a sensor detects that the goods to be processed enter the input buffer if the robot and Machine 1 are available, the robot will put the goods into Machine 1 for processing. When the work of Machine 1 is completed, the robot puts the goods into the buffer for storage. Machine 2 will regularly use the robot to process goods. The robot will put the goods into Machine 2 from the buffer. If the buffer is empty, the robot will directly put the goods into Machine 2 from Machine 1. When Machine 2 finishes the processing, the robot transfers the goods to the output.

The system is modeled by Petri nets in Figure 9, where places $\{p_{uo1},\cdots ,p_{uo6}\}$ and all transitions are unobservable. Furthermore, the meanings of all places and transitions are displayed in

Table 3. Meaning of transitions and places.

T	Meaning	P	Meaning
$t_1$	Goods detected	$p_{o1}$	Machine 1 waiting
$t_2$	Load over	$p_{o2}$	Loading
$t_3$	Machine 1 over	$p_{uo2}$	Machine 1 processing
$t_4$	Ready to move	$p_{o3}$	Wait robot
$t_5$	Buffer entered	$p_{o4}$	Move to buffer
$t_6$	Robot requested	$p_{uo3}$	Buffer
$t_7$	Move to Machine 2	$p_{o5}$	Machine 2 waiting
$t_8$	Machine 2 over	$p_{o6}$	Robot holding
$t_9$	Product detected	$p_{uo4}$	Machine 2 processing
$t_{10}$	Unload over	$p_{uo5}$	Wait robot
		$p_{uo6}$	Unload
		$p_{uo1}$	Robot

. A coverability graph is shown in Figure 10, where a marking of the system is denoted as $M={(p_{o1},p_{o2},p_{o3},p_{o4},p_{o5},p_{o6},p_{uo1},p_{uo2},p_{uo3},p_{uo4},p_{uo5},p_{uo6})}^T$. Based on the set of unobservable places, we can infer that the set of truly unobservable transitions is ${\widehat{T}}_u=\{t_8,t_9\}$, and ${\widehat{T}}_q=T\setminus {\widehat{T}}_u$. Moreover, the mapping matrix $A_3$ is assumed as follows by using the technique presented, as aforementioned:

$$A_3=\left[\begin{array}{cccccccccccc}1& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 1& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0\end{array}\right].$$

Figure 11 is a BCG of the flexible manufacturing cell using the partial markings and quasi-observable transitions. The results of the current-state estimation with partial markings are shown in Figure 12. In this work, we assume that the process of Machine 2 is the confidential information of the system, i.e., the secret states are $S=\{M_7,M_8\}$. Its BCG-based observer, as shown in Figure 13, is constructed to verify if the system is current-state opaque.

There is a possibility that when the system is invaded by intruders, the system can keep secret information. Specifically, an intruder can infer the system’s quasi-observable transitions and build the corresponding BCG of the system. When they observe that the evolution of the system is $t_1{t}_2{t}_3{t}_4{t}_5{t}_6{t}_7$, the corresponding partial marking of the system is ${\tilde{M}}_6$, and at the same time, $\mathcal{C}(w,{\tilde{M}}_6)\cap WE(S,{\tilde{M}}_6)\ne \varnothing$, and $a\left({\tilde{M}}_6\right)=1$. This means that the intruder cannot determine whether the current state of the system must be a secret state. On the other hand, for other partial marks, there is no possible secret state in their current state estimation results. In other words, in the BCG-based observer of the system, the binary scalar of any node is equal to one, i.e., $a(·)=1$. Therefore, the flexible manufacturing cell is current-state opaque.

Based on this example, we can find that for a manufacturing system, because goods are constantly transported, loaded, and unloaded, a real system is in general not bounded, as it is reasonable to assume that the production is continuous without any interruption. In other words, unbounded systems are more common than bounded systems. Furthermore, the method reported in this particular research not only is successfully applied to the proposed example but also shows that this method can be closer to the conditions of unbounded systems in the real world. Therefore, this method is more effective in solving the problem of confidentiality of confidential information in the real world.

6. Conclusions

This paper deals with the verification of CSO in partially observed unbounded Petri nets, where the truly unobservable subnet is acyclic. The coverability problem and complete state estimation problem are explored by using the novel basis coverability graph. This research proves that the BCG can verify the CSO problems by constructing a BCG-based observer. This approach is characterized by the fact that the CSO problem can be accomplished based on only a few observations. Specific examples are presented and illustrate that this approach is effective.

However, based on the real-world example, one deficiency in this research is also recognized. From the viewpoint of graph theory, Petri nets are a topological structure of a real system, and their nodes correspond to the components of the system. This phenomenon leads to the necessity of reusing Petri nets for modeling if the structure of the system or topology is changed. To help system administrators analyze system performance, adaptive modeling methods developed for system structure changes will become a new research topic.

In future work, unbounded Petri nets and their basis coverability graphs are still our research interest. All the typical problems arising in the domain of discrete event systems modeled with unbounded Petri nets will be continuously explored, such as the verification of initial-state opacity and language-based opacity, the analysis of detectability [35,36], the enforcement of opacity based on supervisory control [37], and fault diagnosis and diagnosability analysis [38]. It is also interesting to address various scheduling problems of automated production systems [39] with the opacity property being guaranteed.