Opacity Enforcement by Edit Functions Under Incomparable Observations
Wei Duan, Ruotian Liu, Maria Pia Fanti, Christoforos N. Hadjicostis, Zhiwu Li
TL;DR
This work addresses opacity enforcement in discrete-event systems under incomparable observations by introducing $ic$-enforceability to capture when an edit function can reliably confuse an intruder. It formulates a two-player imperfect-information game and constructs an edit mechanism that enumerates feasible edits, enabling synthesis of $ic$-enforcing edit functions from the mechanism. The approach combines system/intruder/defender observers, a formal edit game structure, and a trimmed/no-guarantees mechanism to guarantee i-availability, confidentiality, and integrity, with proofs tying the mechanism to $ic$-enforcement. Complexity is analyzed as doubly-exponential in the state space and 2-EXPTIME for the imperfect-information game, with discussion on practical reductions via abstraction and comparison to existing supervisor-based and obfuscation-based opacity methods.
Abstract
As an information-flow privacy property, opacity characterizes whether a malicious external observer (referred to as an intruder) is able to infer the secret behavior of a system. This paper addresses the problem of opacity enforcement using edit functions in discrete-event systems modeled by partially observed deterministic finite automata. A defender uses the edit function as an interface at the output of a system to manipulate actual observations through insertion, substitution, and deletion operations so that the intruder is prevented from inferring the secret behavior of the system. Unlike existing work, which usually assumes that the observation capabilities of the intruder and the defender are identical, we consider a more general setting where they may observe incomparable subsets of the events generated by the system. To characterize whether the defender has the ability to enforce opacity of the system under this setting, the notion of $ic$-enforceability is introduced. Then, the opacity enforcement problem is transformed into a two-player game with imperfect information between the system and the defender, which can be used to determine a feasible decision-making strategy for the defender. Within the game scheme, an edit mechanism is constructed to enumerate all feasible edit actions following system behavior. We further show that an $ic$-enforcing edit function (if one exists) can be synthesized from the edit mechanism to enforce opacity.
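To make the setting concrete, here is a small worked example added for this page; it is not the paper's automaton, its game construction, or its edit mechanism. It assumes a simplified model: current-state opacity (the intruder must never be certain the system is in a secret state), a defender that only sees and edits events in its own set `E_D` while events outside `E_D` pass through untouched, an intruder that observes the edited stream through its own projection onto `E_I`, and the usual feasibility requirement that the edited stream must still look like a genuine observation of the system (non-empty intruder estimate). The automaton, the event sets, the secret state, and the brute-force `synthesize` search are all constructed for illustration. The example shows why incomparable observations matter: the defender must commit to an edit for `b` without knowing whether the intruder-visible `c` will follow, and since `b` is invisible to the intruder, deleting it achieves nothing; only an insertion or substitution that produces a legal, non-revealing observation works.

```python
"""Toy opacity enforcement with an edit function under incomparable observations.

Constructed example (not from the paper). Assumed model:
  * current-state opacity: the intruder must never be sure the system is in SECRET;
  * the defender decides from its own observation history and edits only events
    in E_D; other events pass through unedited;
  * the intruder observes the edited stream projected onto E_I;
  * an edit is feasible only if the intruder's estimate stays non-empty.
"""
from itertools import product

# Constructed automaton: states are ints, events are single characters.
DELTA = {
    (0, 'a'): 1, (1, 'c'): 2,   # a c   -> non-secret state 2
    (1, 'b'): 5, (5, 'c'): 6,   # a b c -> non-secret state 6
    (0, 'b'): 3, (3, 'c'): 4,   # b c   -> secret state 4
}
INIT, SECRET = 0, {4}
EVENTS = sorted({e for _, e in DELTA})
E_I = {'a', 'c'}   # intruder sees a and c, not b
E_D = {'a', 'b'}   # defender sees a and b, not c: incomparable with E_I


def runs(max_len=6):
    """All event strings the automaton can generate, up to max_len (prefix-closed)."""
    out, stack = [], [(INIT, '')]
    while stack:
        q, s = stack.pop()
        out.append(s)
        if len(s) < max_len:
            for e in EVENTS:
                if (q, e) in DELTA:
                    stack.append((DELTA[(q, e)], s + e))
    return sorted(out)


def project(s, alphabet):
    """Natural projection: keep only the events the observer can see."""
    return ''.join(e for e in s if e in alphabet)


def unobservable_reach(states, alphabet):
    """Close a state set under events the observer cannot see."""
    reach, todo = set(states), list(states)
    while todo:
        q = todo.pop()
        for (p, e), r in DELTA.items():
            if p == q and e not in alphabet and r not in reach:
                reach.add(r)
                todo.append(r)
    return reach


def estimate(observed, alphabet):
    """Current-state estimate (observer state) after seeing `observed`."""
    est = unobservable_reach({INIT}, alphabet)
    for e in observed:
        est = unobservable_reach({DELTA[(q, e)] for q in est if (q, e) in DELTA}, alphabet)
    return est


def decision_keys(s):
    """(defender history, event) pairs at which the defender must decide along run s."""
    return [(project(s[:i], E_D), s[i]) for i in range(len(s)) if s[i] in E_D]


def edited_stream(s, g):
    """Apply edit decisions g[(defender_history, event)] -> replacement string."""
    out, hist = '', ''
    for e in s:
        if e in E_D:
            out += g[(hist, e)]
            hist += e
        else:
            out += e          # the defender never sees this event, so it passes through
    return out


def violates(s, g):
    """True if run s lets the intruder pin down a secret state or detect a bogus stream."""
    est = estimate(project(edited_stream(s, g), E_I), E_I)
    return not est or est <= SECRET


def identity_edit():
    return {k: k[1] for s in runs() for k in decision_keys(s)}


def enforces(g):
    return not any(violates(s, g) for s in runs())


def synthesize(max_edit_len=2):
    """Brute-force search for an enforcing edit function, trying identity first."""
    all_runs = runs()
    decisions = sorted({k for s in all_runs for k in decision_keys(s)}, key=lambda k: (len(k[0]), k))
    candidates = [''.join(p) for n in range(max_edit_len + 1) for p in product(EVENTS, repeat=n)]

    def backtrack(i, g):
        if i == len(decisions):
            return dict(g)
        hist, e = decisions[i]
        for x in [e] + [c for c in candidates if c != e]:
            g[(hist, e)] = x
            decided = [s for s in all_runs if all(k in g for k in decision_keys(s))]
            if not any(violates(s, g) for s in decided):   # prune on fully decided runs
                res = backtrack(i + 1, g)
                if res is not None:
                    return res
        del g[(hist, e)]
        return None

    return backtrack(0, {})


if __name__ == '__main__':
    print('identity enforces opacity:', enforces(identity_edit()))
    print('synthesized edit function:', synthesize())
```

Without editing, the intruder who sees `c` with no preceding `a` knows the system went `b c` and is in the secret state 4. The search keeps `a` unedited and replaces the defender-visible `b` (seen at history `''`) with `a`, so every intruder observation remains one the system could genuinely produce while never isolating state 4; this is the flavour of the feasibility question the paper's $ic$-enforceability captures, here answered by exhaustive enumeration rather than the paper's game-based mechanism.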
