Controller Synthesis for Linear Time-varying Systems with Adversaries

Zhenqi Huang, Yu Wang, Sayan Mitra, Geir Dullerud
{zhuang25,yuwang8,mitras,dullerudge}@illinois.edu
Coordinated Science Laboratory, University of Illinois at Urbana-Champaign, Urbana, IL 61801

arXiv:1501.04925v1 [cs.SY] 18 Jan 2015

ABSTRACT

We present a controller synthesis algorithm for a discrete-time reach-avoid problem in the presence of adversaries. Our model of the adversary captures typical malicious attacks envisioned on cyber-physical systems such as sensor spoofing, controller corruption, and actuator intrusion. After formulating the problem in a general setting, we present a sound and complete algorithm for the case with linear dynamics and an adversary with a budget on the total $\ell_2$-norm of its actions. The algorithm relies on a result from linear control theory that enables us to decompose and precisely compute the reachable states of the system in terms of a symbolic simulation of the adversary-free dynamics and the total uncertainty induced by the adversary. With this decomposition, the synthesis problem eliminates the universal quantifier on the adversary's choices, and the symbolic controller actions can be solved for effectively using an SMT solver. The constraints induced by the adversary are computed by solving second-order cone programs. The algorithm is later extended to synthesize state-dependent controllers and to generate attacks for the adversary. We present preliminary experimental results that show the effectiveness of this approach on several example problems.

Keywords: Cyber-physical security, constraint-based synthesis, controller synthesis

1. INTRODUCTION

We study a discrete-time synthesis problem for a plant simultaneously acted upon by a controller and an adversary. Synthesizing controller strategies for stabilization in the face of random noise or disturbances is one of the classical problems in control theory [1,2]. Synthesis for temporal logic specifications [3–5], for discrete, continuous, and hybrid systems, has been studied in detail. The reach-avoid properties that our controllers target are special, bounded-time temporal logic requirements, and they have received special attention as well [6]. Unlike the existing models in the controller synthesis literature, however, the system here is afflicted by an adversary, and we would like to synthesize a controller that guarantees its safety and liveness for all possible choices made by the adversary.

This problem is motivated by the urgent social need to secure control modules in critical infrastructures and safety-critical systems against malicious attacks [7,8]. Common modes of attack include sensor spoofing or jamming, malicious code, and actuator intrusion. Abstracting the mechanisms used to launch the attacks, their effect on the physical plant can be captured as a switched system with inputs from the controller and the adversary:
$$x_{t+1} = f_{\sigma_t}(x_t, u_t, a_t),$$
where $x_t$ is the state of the system, and $u_t$ and $a_t$ are the inputs from the controller and the adversary. The problem is parameterized by a family of dynamical functions $\{f_\sigma\}_{\sigma\in\Sigma}$, a switching signal $\{\sigma_t\}_{t\in\mathbb{N}}$, a time bound $T$, the set of initial states ($Init$), target states ($Goal$), safe states ($Safe$), and the sets of choices available to the adversary ($Adv$) and the controller ($Ctr$). A natural decision problem is to ask: does there exist a controller strategy $u\in Ctr$ such that for any initial state in $Init$ and any choice by the adversary in $Adv$, the system remains in $Safe$ and reaches $Goal$ within time $T$? A constructive affirmative answer can be used to implement controllers that are $Adv$-resilient, while a negative answer can inform the system design choices that influence the other parameters such as $f$, $T$ and $Ctr$.

We provide a decision procedure for this problem for the special case where $f$ is a linear mapping, the sets $Init$, $Safe$, $Goal$ and $Ctr$ are given as polytopic sets, and $Adv$ is given as an $\ell_2$ ball in a Euclidean space. The idea behind the algorithm is a novel decomposition that distinguishes it from the LTL-based synthesis approaches [3] and the reachability-based techniques of [6]. The key to this decomposition is the concept of adversarial leverage: the uncertainty in the state of the system induced by the sequence of choices made by the adversary, for a given initial state and a given sequence of choices made by the controller. For linear models, we show that the adversary leverage can be computed exactly. As a result, an adversary-free synthesis problem with a modified set of $Safe$ and $Goal$ requirements precisely gives the solution for the problem with an adversary.

We implement the algorithm with the convex optimization package CVXOPT [9] and the SMT solver Z3 [10]. We present experimental results that show the effectiveness of this approach on several example problems. The algorithm synthesizes adversary-resilient control for systems with up to 16 dimensions in minutes. We also show that the algorithm can be applied to analyze the maximum power of the adversary such that a feasible solution exists, and to synthesize attacks for the adversary.

Advancing Science of Security. Scientific security analysis is necessarily parameterized by the skill and effort level of the adversary. In this paper we combine these parameters into a single parameter called the budget of the adversary, which can model sensor attacks and actuator intrusions with different strengths and persistence. We present the foundations for analyzing cyber-physical systems under attack from adversaries with different budgets. Specifically, we develop algorithms both for automatic synthesis of safe controllers and for proving that there exists no satisfactory controller when the adversary has a certain budget. These algorithms can also be used to characterize the vulnerability of system states in terms of the adversary budget that makes them infeasible for safe control. In summary, we present a framework for algorithmically studying the security of cyber-physical systems in the context of model-based development.

2. RELATED WORK

In this work, we employ SMT solvers to synthesize controllers for reach-avoid problems for discrete-time linear systems with adversaries. Our problem is formulated along the lines of the framework and fundamental design goals of [7,11]. That framework was applied to study optimal control design with respect to a given objective function under security constraints [12] and the detection of computer attacks with knowledge of the physical system [13]. Similar frameworks were adopted in [14], where the authors proposed an effective algorithm to estimate the system states and designed feedback controllers to stabilize the system under adversaries, and in [15], where an optimal controller is designed for a distributed control system with communication delays. Although the motivations of the above studies are similar to ours, we focus on another aspect of the problem, which is to synthesize attack-resilient control automatically.

The idea of using SMT solvers to synthesize feedback controllers for control systems is inspired by the recent works [16,17]. In [16], the authors used SMT solvers to synthesize integrated task and motion plans by constructing a placement graph. In [17], a constraint-based approach was developed to solve games on infinite graphs between the system and the adversary. Our work extends the idea of constraint-based synthesis by introducing control-theoretic approaches to derive the constraints.

The authors of [6,18] proposed a game-theoretic approach to synthesize controllers for the reach-avoid problem, first for continuous and later for switched systems. In these approaches, the reach set of the system is computed by solving a non-linear Hamilton-Jacobi-Isaacs PDE. Our methodology, instead of formulating a general optimization problem for which the solution may not be easily computable, solves a special case exactly and efficiently. With this building block, we are able to solve more general problems through abstraction and refinement.

3. PROBLEM STATEMENT

In this paper, we focus on discrete linear time-varying (LTV) systems. Consider the discrete-time linear control system evolving according to the equation
$$x_{t+1} = A_t x_t + B_t u_t + C_t a_t, \qquad (1)$$
where for each time instant $t\in\mathbb{N}$, $x_t\in X\subseteq\mathbb{R}^n$ is the state vector of the controlled plant, $u_t\in U\subseteq\mathbb{R}^m$ is the controller input to the plant, and $a_t\in A\subseteq\mathbb{R}^l$ is the adversarial input to the plant. For a fixed time horizon $T\in\mathbb{N}$, let us denote the sequences of controller and adversary inputs by $u\in U^T$ and $a\in A^T$. In addition to the sequence of matrices $A_t$, $B_t$, $C_t$ and the time bound $T$, the linear adversarial reach-avoid control problem, or ARAC in short, is parameterized by: (i) three sets of states $Init, Safe, Goal\subseteq X$ called the initial, safe and goal states, (ii) a set $Ctr\subseteq U^T$ called the controller constraints, and (iii) a set $Adv\subseteq A^T$ called the adversary constraints. We will assume finite representations of these sets such as polytopes, and we will state these representational assumptions explicitly later. A controller input sequence $u$ is admissible if it meets the constraints $Ctr$, that is, $u\in Ctr$, and an adversarial input sequence is admissible if $a\in Adv$. We define what it means to solve an ARAC problem with an open-loop controller strategy.

Definition 1. A solution to an ARAC is an input sequence $u\in Ctr$ such that for any initial state $x_0\in Init$ and any admissible sequence of adversarial inputs $a\in Adv$, the states visited by the system satisfy the conditions:
• (Safe) for all $t\in\{0,\dots,T\}$, $x_t\in Safe$, and
• (Winning) $x_T\in Goal$.

In this paper we propose an algorithm that, given an ARAC problem, either computes a solution or proves that there is none. In the rest of this section, we discuss how the problem captures instances of control synthesis problems for cyber-physical systems under several different types of attacks.

Helicopter Autopilot Example. To make this discussion concrete we consider an autonomous helicopter. The state vector of the plant is $x\in\mathbb{R}^{16}$; the control input vector is $u\in\mathbb{R}^4$ with a bounded range for each component. The descriptions of the state and input vectors are in Table 1. The dynamics of the helicopter are given in [19], and can be discretized into a linear time-invariant system $x_{t+1}=Ax_t+Bu_t$. The autopilot is supposed to take the helicopter to a waypoint in a 3D maze within a bounded time $T$ ($Goal$) while avoiding the mapped buildings and trees. The complement of these obstacles in 3D space defines the $Safe$ set (see Figure 1).

Figure 1: Helicopter fly-through scene. Red boxes are the obstacles, the cyan box on the right is the goal set, the green ball on the left is the set of initial states, and the blue curve is a sampled trajectory of the helicopter under a random adversary input.

The computation of the control inputs $u_t$ typically involves sensing the observable part of the state, computing the inputs to the plant, and feeding the inputs through actuators. In a cyber-physical system, the mechanisms involved in each of these steps can be attacked, and different attacks give rise to different instances of ARAC.

Controller and actuator attacks. An adversary with software privileges may compromise a part of the controller software. A network-level adversary may inject spurious packets into the channel between the controller and the actuator. An adversary with hardware access may directly tamper with the actuator and add an input signal $a_t$. Under many circumstances, it is reasonable to expect these attacks to be transient or short-lived compared to $T$ (for example, because otherwise they would be diagnosed and mitigated). The actual input to the system then becomes $u'_t = u_t + a_t$, and the dynamics of the complete system are modified to $x_{t+1} = Ax_t + Bu_t + Ba_t$, which gives an instance of ARAC.

Sensor attacks. Another type of adversary spoofs the helicopter's sensors (the GPS, the gyroscope) so that the position estimate is noisy. Consider a control system where the adversary-free control $u_t$ is a function of the sequence of sensor data. If the adversary injects an additive error into the sensors, then the control inputs computed from this inaccurate data will carry an error; the initial state will also be uncertain. We model the additive error by the adversary input $a_t$. Once again, this gives rise to an instance of ARAC. Assuming that injecting $a_t$ requires energy and that the adversary has limited energy for launching the attack gives rise to the adversary class $Adv=\{a : \sum_{t=0}^{T-1}\|a_t\|^2\le b\}$, where $b$ is the energy budget.

Table 1: States and inputs of the helicopter model.

States / Inputs | Description
$[p_x,p_y,p_z]$ | Cartesian coordinates
$[u,v,w]$ | Cartesian velocities
$[p,q,r]$ | Euler angular rates
$[a,b,c,d]$ | Flapping angles
$[\phi,\varphi,\theta]$ | Euler angles
$u_z$ | Lateral cyclic deflection, in $[-1,1]$
$u_x$ | Longitudinal cyclic deflection, in $[-1,1]$
$u_p$ | Pedal control input, in $[-1,1]$
$u_c$ | Collective control input, in $[0,1]$

4. ALGORITHM FOR LINEAR ARAC

4.1 Preliminaries and Notations

For a natural number $n\in\mathbb{N}$, $[n]$ is the set $\{0,1,\dots,n-1\}$. For a sequence $A$ of objects of any type with $n$ elements, we refer to the $i$th element, $i\le n$, by $A_i$. For a real-valued vector $v\in\mathbb{R}^n$, $\|v\|$ is its $\ell_2$-norm. For $\delta\ge0$, the set $B_\delta(v)$ denotes the closed ball $\{x\in\mathbb{R}^n : \|v-x\|\le\delta\}$ centered at $v$. For a parameter $\varepsilon>0$ and a compact set $A\subseteq\mathbb{R}^n$, an $\varepsilon$-cover of $A$ is a finite set $C=\{a_i\}_{i\in I}\subseteq A$ such that $\bigcup_{i\in I}B_\varepsilon(a_i)\supseteq A$. For two sets $A,B\subseteq\mathbb{R}^n$, the direct sum is $A\oplus B=\{x\in\mathbb{R}^n : \exists a\in A,\exists b\in B,\ a+b=x\}$. For a vector $v$, we write $A\oplus v$ for $A\oplus\{v\}$. Sets in $\mathbb{R}^n$ will be represented by finite unions of balls or polytopes. An $n$-dimensional polytope $P=\{x\in\mathbb{R}^n : Ax\le b\}$ is specified by a matrix $A\in\mathbb{R}^{m\times n}$ and a vector $b\in\mathbb{R}^m$, where $m$ is the number of constraints. A polytopic set is a finite union of polytopes and is specified by a sequence of matrices and vectors. A polytopic set can be written in Conjunctive Normal Form (CNF), where (i) the complete formula is a conjunction of clauses, and (ii) each clause is a disjunction of linear inequalities.

In this paper, we will assume that the initial set $Init$ is given as a ball $B_\delta(\theta)\subseteq X$ for some $\theta\in X$ and $\delta>0$. We also fix the time horizon $T$. The set $Adv$ is specified by a budget $b\ge0$: $Adv=\{a\in A^T : \sum_t\|a_t\|^2\le b\}$. The set $Ctr$ is specified by a polytopic set.

For a sequence of matrices $\{A_t\}_{t\in\mathbb{N}}$ and any $0\le t_0<t_1$, we define the transition matrix from $t_0$ to $t_1$ inductively as $\alpha(t_1,t_0)=A_{t_1-1}\,\alpha(t_1-1,t_0)$ and $\alpha(t_0,t_0)=I$.

A trajectory of length $T$ for the system is a sequence $x_0,x_1,\dots,x_T$ such that $x_0\in Init$ and each $x_{t+1}$ is inductively obtained from Equation (1) by the application of some admissible controller and adversary inputs. The $t$th state of a trajectory is uniquely defined by the choice of an initial state $x_0\in Init$, an admissible control input $u\in Ctr$ and an admissible adversary input $a\in Adv$. We denote this state by $\xi(x_0,u,a,t)$.

The notion of a trajectory is naturally extended to sets of trajectories with sets of initial states and inputs. For a time $t\in[T+1]$, a subset of initial states $\Theta\subseteq Init$, a subset of adversary inputs $\mathcal{A}\subseteq Adv$, and a subset of controller inputs $\mathcal{U}\subseteq Ctr$, we define
$$Reach(\Theta,\mathcal{U},\mathcal{A},t)=\{\xi(x_0,u,a,t) : x_0\in\Theta \wedge u\in\mathcal{U} \wedge a\in\mathcal{A}\}.$$
For a singleton $u\in\mathcal{U}$, we write $Reach(\Theta,\{u\},Adv,t)$ as $Reach(\Theta,u,t)$. To solve ARAC we then have to decide whether
$$\exists u\in Ctr : \Big(\bigwedge_{t\in[T+1]} Reach(Init,u,t)\subseteq Safe\Big) \wedge Reach(Init,u,T)\subseteq Goal. \qquad (2)$$
This representation hides the dependence of the $Reach$ sets on the set of adversary choices.
4.2 Decoupling

In this section, we present a technique to decouple the ARAC problem. The decomposition relies on a result from robust control that enables us to precisely compute the reachable states of the system in terms of a symbolic simulation of the adversary-free dynamics and the total uncertainty induced by the adversary. In Section 4.6, we present an algorithm that performs this decomposition so as to eliminate the universal quantifier on the adversary's choices and initial states in Definitions 2 and 3.

4.3 Adversarial Leverage

Definition 2. For any $t\in[T+1]$, initial state $x_0\in Init$, and control $u\in Ctr$, the adversary leverage is a set $R(x_0,u,t)$ such that
$$Reach(x_0,u,t)=\xi(x_0,u,0,t)\oplus R(x_0,u,t). \qquad (3)$$

Informally, the adversary leverage captures how far an adversary can drive the trajectory from the adversary-free trajectory. It decomposes the reach set $Reach(x_0,u,t)$ into two parts: a deterministic adversary-free trajectory $\xi(x_0,u,0,t)$, and the reach tube $R(x_0,u,t)$ that captures the nondeterminism introduced by the adversary. Our solution for ARAC relies heavily on computing over-approximations of reach sets, and to that end observe that it suffices to over-approximate the adversary leverage. For certain classes of non-linear systems, it can be over-approximated statically using techniques from robust control, such as $H_\infty$ control. It can also be approximated dynamically by reachability algorithms that handle nondeterministic modes (see, for example, [20,21]).

For the ARAC problem with the linear dynamics of (1), where the adversary input $Adv=\{a\in A^T : \sum_t\|a_t\|^2\le b\}$ is defined by a budget $b\ge0$, we can compute the adversary leverage precisely. The following lemma is completely standard in linear control theory.

Lemma 1. For any time $t\in[T+1]$, if the controllability Gramian of the adversary
$$W_t=\sum_{s=0}^{t-1}\alpha(t,s+1)\,C_s C_s^T\,\alpha^T(t,s+1)$$
is invertible, then
$$R(x_0,u,t)=\{x\in\mathbb{R}^n : x^T W_t^{-1}x\le b\}$$
is the precise adversary leverage at $t$.

Proof. For $t\in[T+1]$, we have
$$x_t=\alpha(t,0)x_0+\sum_{s=0}^{t-1}\alpha(t,s+1)B_s u_s+\sum_{s=0}^{t-1}\alpha(t,s+1)C_s a_s. \qquad (4)$$
Since $\xi(x_0,u,0,t)=\alpha(t,0)x_0+\sum_{s=0}^{t-1}\alpha(t,s+1)B_s u_s$, we have
$$R(x_0,u,t)=\Big\{x\in\mathbb{R}^n : x=\sum_{s=0}^{t-1}\alpha(t,s+1)C_s a_s \ \wedge\ \sum_{s=0}^{T-1}\|a_s\|^2\le b\Big\},$$
which is the set $\{x\in\mathbb{R}^n : x^T W_t^{-1}x\le b\}$ with controllability Gramian $W_t$.

The above lemma establishes the precise adversary leverage as an ellipsoid defined by the controllability Gramian $W_t$ and $b$. In this case the ellipsoid is independent of $x_0$ and $u$ and depends only on $t$. From here on, we will drop the arguments of $R$ when they are redundant or clear from context. If $W_t$ is singular for some $t\in[T+1]$, then replace the inverse of $W_t$ by its pseudo-inverse; the set $R$ is then an ellipsoid in the controllable subspace.

4.4 Uncertainty in the Initial Set

Following the above discussion, we show that a similar decomposition of the reachable states is possible with respect to the uncertainty in the initial state.

Definition 3. Consider the initial set $Init$ to be $B_\delta(x_0)$ for some $\delta>0$ and $x_0\in X$. For a $t\in[T+1]$ and a control input $u$, the initialization factor at $t$ is a set $B(x_0,u,t)$ such that
$$Reach(B_\delta(x_0),u,0,t)=\xi(x_0,u,0,t)\oplus B(x_0,u,t). \qquad (5)$$

The initialization factor captures the degree to which the uncertainty $\delta$ in the initial set can make the adversary-free trajectories deviate. For general nonlinear models, we would have to rely on an over-approximation of the initialization factor [], but for the linear version of ARAC the following lemma provides a precise procedure for computing it.

Lemma 2. For an initial set $Init=B_\delta(\theta)\subseteq\mathbb{R}^n$, any $t\in[T+1]$ and input $u\in Ctr$, if the matrix $\alpha(t,0)\alpha^T(t,0)$ is invertible then
$$B(\theta,u,t)=\{x\in\mathbb{R}^n : x^T[\alpha(t,0)\alpha^T(t,0)]^{-1}x\le\delta^2\}$$
is the precise initialization factor at $t$.

If the matrix $\alpha(t,0)$ is singular, then a similar statement holds in terms of the pseudo-inverse of $\alpha(t,0)\alpha^T(t,0)$. Thus the initialization factor is an ellipsoid defined by $A$, $t$ and $\delta$, and is independent of $x_0$ and $u$. We will drop the arguments of $B$ when they are redundant or clear from context.

4.5 Adversary-free Constraints

Using the decomposition of the reach set given by the above lemmas, we will first solve a new reach-avoid synthesis problem for the adversary-free system. To construct this new problem we modify the safety and winning constraints of the ARAC. For a given time instant, the new constraints are obtained using the same approach as in robotic planning. The synthesis problem requires a solution to a sequence of such problems.

Definition 4. Given a set $S\subseteq\mathbb{R}^n$ and a compact convex set $R\subseteq\mathbb{R}^n$, a set $S'\subseteq\mathbb{R}^n$ is a strengthening of $S$ by $R$ if
$$S'\oplus R\subseteq S. \qquad (6)$$
A strengthening $S'$ is precise if $S'\oplus R=S$. The strengthening $S'$ is a subset of $S$ that is shrunk by the set $R$.

If $S$ is a polytopic set and $R$ is a convex compact set, then exact solutions to the following optimization problem yield a precise strengthening.

Lemma 3. For a half-space $S=\{x\in\mathbb{R}^n : c^Tx\le b\}$ and a convex compact set $R$, a precise strengthening of $S$ by $R$ is $S'=\{x\in\mathbb{R}^n : c^Tx\le b-c^Tx^*\}$, where
$$x^*=\arg\min_{x\in R}\ -c^Tx. \qquad (7)$$

Proof. Let $b^*=c^Tx^*$. Fix any $x\in R$ and $y\in S'$. From the definition of $S'$, $c^Ty+b^*\le b$. Since $x^*$ minimizes $-c^Tx$ over $R$ and $x\in R$, we have $c^Tx\le c^Tx^*=b^*$. It follows that $c^T(x+y)\le c^Ty+b^*\le b$. Thus $x+y\in S$, and therefore $S'\oplus R\subseteq S$.

For any $y\in S$, it holds that $c^Ty\le b$. Let $y'=y-x^*$. It follows that $c^Ty'=c^Ty-c^Tx^*\le b-c^Tx^*$, so $y'\in S'$. Combined with $x^*\in R$, $y=y'+x^*\in S'\oplus R$. Therefore $S\subseteq S'\oplus R$.

Since a polytopic set is a union of intersections of linear inequalities, the above lemma generalizes to polytopic sets in the natural way.

Corollary 4. For a polytopic set $S=\{x\in\mathbb{R}^n : \bigvee_{i\in[m]}A_ix\le b_i\}$ and a compact convex set $R\subseteq\mathbb{R}^n$,
$$S'=\Big\{x\in\mathbb{R}^n : \bigvee_{i\in[m]}A_ix\le b_i-b_i^*\Big\}$$
is a precise strengthening of $S$ by $R$. Here the $j$th element of $b_i^*$ equals $c^Tx^*$, with $c^T$ the $j$th row of $A_i$ and $x^*$ the solution of (7).

4.6 An Algorithm for Linear ARAC

We present Algorithm 1 for solving the linear version of the ARAC problem.

Algorithm 1: Synthesis($Init,Safe,Goal,Adv,Ctr,T$)
1  for $t\in[T+1]$ do
2    $R_t\leftarrow$ AdvDrift($Adv,t$);
3    $B_t\leftarrow$ InitCover($Init,t$);
4    $Safe'_t\leftarrow$ Strengthen($Safe,R_t,B_t$);
5  end
6  $Goal'\leftarrow$ Strengthen($Goal,R_T,B_T$);
7  $(u,Failed)\leftarrow$ SolveSMT($\theta,Safe',Goal',Ctr,T$);
8  return $(u,Failed)$

The subroutine AdvDrift computes the precise adversary leverage $R_t$ for every time $t\in[T+1]$. From Lemma 1, $R_t$ is an ellipsoid represented by the controllability Gramian and the constant $b$. The subroutine InitCover computes the initialization factor described in Lemma 2 for each $t$. The subroutine Strengthen computes a precise strengthening of the safety constraints $Safe$ by both sets $R_t$ and $B_t$. From Corollary 4, the strengthening is computed by solving a sequence of optimization problems. Since $R_t$ and $B_t$ are both ellipsoids (Lemmas 1 and 2), the optimization problems solved by Strengthen are quadratically constrained linear programs and are solved efficiently by second-order cone programming [22] or semidefinite programming [23]. For each $t\in[T+1]$, the set $Safe$ is strengthened by the corresponding adversary drift $R_t$ to get $Safe'_t$. The $Goal$ set is strengthened with respect to the adversary drift at the final time $T$ to get $Goal'$. Finally, SolveSMT calls an SMT solver to check whether there exists a satisfying assignment $u\in Ctr$ for the quantifier-free formula (8):
$$\exists u\in Ctr : \Big(\bigwedge_{t\in[T+1]}\xi(\theta,u,0,t)\in Safe'_t\Big) \wedge \xi(\theta,u,0,T)\in Goal'. \qquad (8)$$
For the class of problems we generate, the SMT solver terminates and either returns a satisfying assignment $u$ or declares the problem unsatisfiable by returning $Failed$. If AdvDrift, InitCover and Strengthen compute the adversary leverage, initialization factor and strengthening precisely, then Algorithm 1 is sound and complete for the linear ARAC problem.

Theorem 5. Algorithm 1 outputs $u\in Ctr$ if and only if $u$ solves the ARAC.

Proof. Suppose the algorithm returns $u\in Ctr$. We first show that $u$ solves the ARAC. Since $u$ satisfies the constraints (8), for every $t\in[T+1]$, $\xi(\theta,u,0,t)\in Safe'_t$. Since $Safe'_t$ is a strengthening of $Safe$ by $R_t$ and $B_t$, we have $Safe'_t\oplus R_t\oplus B_t\subseteq Safe$. Thus,
$$\xi(\theta,u,0,t)\oplus R_t\oplus B_t\subseteq Safe. \qquad (9)$$
By Definitions 2 and 3, we have
$$\xi(\theta,u,0,t)\oplus R_t\oplus B_t\supseteq Reach(\theta,u,Adv,t)\oplus B_t\supseteq Reach(Init,u,t). \qquad (10)$$
Combining (9) and (10), we have $Reach(Init,u,t)\subseteq Safe$; that is, the safety condition of (2) holds. Similarly, since $Goal'$ is the strengthening of $Goal$ by $R_T$ and $B_T$, we have $Reach(Init,u,T)\subseteq Goal$, so the winning condition also holds.

Conversely, suppose $u\in Ctr$ solves the ARAC, i.e. it satisfies (2). Since the adversary leverage $R_t$, the initialization factor $B_t$ and the strengthenings $Safe'_t$, $Goal'$ are computed precisely, (9) and (10) hold with equality. Thus, for any $t\in[T+1]$, $\xi(\theta,u,0,t)\in Safe'_t$ and $\xi(\theta,u,0,T)\in Goal'$. Therefore $u$ is returned by Algorithm 1.

The completeness of the algorithm rests on two facts: (i) the adversary leverage, initialization factor and strengthening can be computed precisely, and (ii) the SMT solver is complete for formula (8). The exact computation of the adversary leverage and initialization factor requires that the initial set $Init$ and the admissible adversary set $Adv$ be described by $\ell_2$ balls. Since $Ctr$, $Safe'$ and $Goal'$ are polytopic sets, formula (8) is a quantifier-free formula in linear arithmetic, which can be solved efficiently, for example by the DPLL(T) algorithm [24].

5. GENERALIZATIONS

In this section, we discuss two orthogonal generalizations of linear ARAC and algorithms for solving them that build on the algorithm Synthesis. First, in Section 5.1, we present an approximate approach to solve a problem where $Init$, $Adv$ and $Ctr$ are general compact convex sets. Then, in Section 5.2, we modify the definition of the linear ARAC problem so that the controller can be a function of the initial state. A solution of this problem is a look-up table, where the controller chooses a sequence of open-loop controls depending on the initial state.

5.1 Synthesis for Generalized Sets

We generalize the linear ARAC problem described in Section 4.1 so that $Init\subseteq X$, $Ctr\subseteq U^T$ and $Adv\subseteq A^T$ are assumed to be arbitrary compact subsets of Euclidean space. For a precision parameter $\varepsilon>0$, the generalized ARAC problem can be approximated by a linear ARAC problem. We define robustness of an ARAC problem.

We present an extension of Synthesis to solve this problem. For a parameter $\varepsilon>0$ and compact convex sets $Init$, $Adv$, $Ctr$, we construct a tuple $(\Theta,\mathcal{A},\mathcal{C})$ such that
(i) $\Theta=\{\theta_i\}_{i\in I}$ is an $\varepsilon$-cover of the initial set $Init$, that is, $Init\subseteq\bigcup_i B_\varepsilon(\theta_i)$;
(ii) $\mathcal{A}=\{a_j\}_{j\in J}$ is an $\varepsilon$-cover of the adversary set. Here each $a_j$ is seen as a vector in the Euclidean space $A^T$, and the union of $\varepsilon$-balls around the $a_j$ over-approximates $Adv$;
(iii) $\mathcal{C}\subseteq Ctr\subseteq U^T$ is a polytopic set such that $d_H(\mathcal{C},Ctr)\le\varepsilon$; that is, $\mathcal{C}$ under-approximates the actual control constraints $Ctr$ with error bounded by $\varepsilon$ in Hausdorff distance.

The modified algorithm for approximately solving the generalized ARAC problem follows the same steps as Algorithm 1 from line 1 to line 6. The only change is in line 7, where instead of solving the SMT formula (8) we solve (11):
$$\exists u : u\in\mathcal{C} \wedge \Big(\bigwedge_{t\in[T+1]}\bigwedge_{i\in I}\bigwedge_{j\in J}\xi(\theta_i,u,a_j,t)\in Safe'_t\Big) \wedge \Big(\bigwedge_{i\in I}\bigwedge_{j\in J}\xi(\theta_i,u,a_j,T)\in Goal'\Big). \qquad (11)$$

The soundness of this modified algorithm is independent of the choice of $\varepsilon>0$. That is, if it returns a satisfying assignment $u$, then $u$ solves the ARAC problem.

Lemma 6. If the modified algorithm returns $u\in\mathcal{C}$, then $u$ solves the generalized linear ARAC.

Proof. Suppose $u\in\mathcal{C}\subseteq Ctr$ satisfies (11). Since $\Theta$ and $\mathcal{A}$ are $\varepsilon$-covers of $Init$ and $Adv$, for any $t\in[T+1]$ we have
$$Reach(Init,u,Adv,t)\subseteq Reach\Big(\bigcup_{i\in I}B_\varepsilon(\theta_i),u,\bigcup_{j\in J}B_\varepsilon(a_j),t\Big).$$
Let $R_t$ and $B_t$ be the precise adversary leverage and initialization factor as in Algorithm 1. From Lemmas 1 and 2, $R_t$ and $B_t$ are independent of the initial state and the adversary input. Therefore,
$$Reach(Init,u,Adv,t)\subseteq\bigcup_{i\in I}\bigcup_{j\in J}Reach(B_\varepsilon(\theta_i),u,B_\varepsilon(a_j),t)=\bigcup_{i\in I}\bigcup_{j\in J}\big(\xi(\theta_i,u,a_j,t)\oplus R_t\oplus B_t\big)=\Big(\bigcup_{i\in I}\bigcup_{j\in J}\xi(\theta_i,u,a_j,t)\Big)\oplus R_t\oplus B_t. \qquad (12)$$
Formula (11) implies that $\bigcup_{i\in I}\bigcup_{j\in J}\xi(\theta_i,u,a_j,t)\subseteq Safe'_t$ for any $t\in[T+1]$ and $\bigcup_{i\in I}\bigcup_{j\in J}\xi(\theta_i,u,a_j,T)\subseteq Goal'$. Since $Safe'_t$ is a strengthening of $Safe$ by $R_t\oplus B_t$, it follows from Definition 4 and (12) that $Reach(Init,u,Adv,t)\subseteq Safe$ for all $t\in[T+1]$ and $Reach(Init,u,Adv,T)\subseteq Goal$. That is, $u$ solves the generalized linear ARAC.

We observe that if the approximate algorithm successfully synthesizes a controller, the controller solves the generalized linear ARAC problem no matter what value $\varepsilon>0$ takes. Moreover, as the parameter $\varepsilon$ converges to 0, the sets $\bigcup_{i\in I}B_\varepsilon(\theta_i)$, $\bigcup_{j\in J}B_\varepsilon(a_j)$ and $\mathcal{C}$ converge to the exact $Init$, $Adv$ and $Ctr$, respectively.

5.2 State-dependent Control

In this section, we keep the same definitions of $Init$, $Adv$ and $Ctr$ as in Section 4.1; however, we consider a variant of ARAC that allows the choice of control $u$ to depend on the initial state of the system. That is, we have to decide whether
$$\forall x_0\in Init\ \exists u\in Ctr : \Big(\bigwedge_{t\in[T+1]}Reach(x_0,u,t)\subseteq Safe\Big)\wedge Reach(x_0,u,T)\subseteq Goal. \qquad (13)$$
A solution to this generalized ARAC problem is a look-up table $\{(I_i,u_i)\}_{i\in I}$ such that (i) the union $\bigcup_{i\in I}I_i\supseteq Init$ covers the initial set, and (ii) for every $x_0\in I_i$, $u_i$ is an admissible input such that the constraints in (13) hold.

We present Algorithm 2 to solve this problem; it uses Synthesis as a subroutine. If the algorithm succeeds, it returns a look-up table $Tab$ which solves the above state-dependent variant of ARAC.

The parameters $Adv,Ctr,Safe,Goal,T$ are invariant in the algorithm, so we omit them as arguments of Synthesis. The variable $\varepsilon$ is initialized as the diameter of the initial set $Init$ (line 1). The subroutine Cover($Init,\varepsilon$) in line 2 first computes an $\varepsilon$-cover $\{\theta_i\}_{i\in I}$ of $Init$, and then pairs each $\theta_i$ with the parameter $\varepsilon$. The set $S$ stores all such pairs $(\theta,\varepsilon)$ whose $\varepsilon$-ball around $\theta$ is yet to be examined by the algorithm. For each ball $B_\varepsilon(\theta)$ in $S$, the subroutine Synthesis is possibly called twice, once for the ball $B_\varepsilon(\theta)$ and once for the single initial state $\theta$, to decide whether the synthesis is successful, a failure, or whether further refinement is needed.

Algorithm 2: TableSynthesis
1   $\varepsilon\leftarrow$ Dia($Init$);
2   $S\leftarrow$ Cover($Init,\varepsilon$);
3   $Tab\leftarrow\emptyset$;
4   while $S\ne\emptyset$ do, for some $(\theta,\varepsilon)\in S$:
5     $S\leftarrow S\setminus\{(\theta,\varepsilon)\}$;
6     if Synthesis($B_\varepsilon(\theta)$) returns $u\in Ctr$ then
7       $Tab\leftarrow Tab\cup\{(B_\varepsilon(\theta),u)\}$;
8     else if Synthesis($\theta$) failed then
9       return $(\theta,Failed)$
10    else
11      $S\leftarrow S\cup$ Cover($Init\cap B_\varepsilon(\theta),\varepsilon/2$);
12    end
13  end
14  return $(Tab,Success)$

Theorem 7. If TableSynthesis returns $(Tab,Success)$, then $Tab$ solves the state-dependent ARAC. Otherwise, if TableSynthesis returns $(\theta,Failed)$, then there is no solution for the initial state $\theta$.

Proof. We first state an invariant of the while loop, which can be proved straightforwardly by induction. For any iteration, suppose $Tab=\{(B_{\varepsilon_i}(\theta_i),u_i)\}_{i\in I}$ and $S=\{(\theta'_j,\varepsilon'_j)\}_{j\in J}$ are the values of $Tab$ and $S$ at the beginning of the iteration. Then $\big(\bigcup_{i\in I}B_{\varepsilon_i}(\theta_i)\big)\cup\big(\bigcup_{j\in J}B_{\varepsilon'_j}(\theta'_j)\big)\supseteq Init$.

Suppose TableSynthesis returns $(Tab,Success)$ with $Tab=\{(B_{\varepsilon_i}(\theta_i),u_i)\}_{i\in I}$. From line 4, $S=\emptyset$. From the loop invariant, $\bigcup_{i\in I}B_{\varepsilon_i}(\theta_i)\supseteq Init$. Moreover, for any $(B_\varepsilon(\theta),u)\in Tab$, from line 6 and Theorem 5, for any $x_0\in B_\varepsilon(\theta)$, $u$ is an admissible input such that the constraints in (13) hold. Thus $Tab$ solves the state-dependent ARAC.

Otherwise, suppose TableSynthesis returns $(\theta,Failed)$. From line 8 and Theorem 5, there is no admissible $u$ that solves the ARAC from $\theta$.

Algorithm 2 is sound; that is, if the algorithm terminates, it always returns the right answer. For general sets $Adv$ and $Ctr$, the approach from Section 5.1 can be combined with Algorithm 2 to get state-dependent (but $u$- and $a$-oblivious) controllers.

6. IMPLEMENTATION AND EXPERIMENTAL EVALUATION

We have implemented the algorithm Synthesis in a prototype tool in Python. The optimization problem presented in Lemma 3 is solved by the second-order cone programming solver provided by the package CVXOPT [9]. The quantifier-free SMT formula (8) is solved by the Z3 solver [10]. In Sections 6.1 and 6.2, we present the implementation of the basic synthesis algorithm, show an example in detail, present the experimental results and discuss the complexity of the algorithm. In Sections 6.3 and 6.4, we present several different applications of Synthesis.

6.1 Synthesizing Adversary-Resistant Controllers

We have solved several linear ARAC problems for the 16-dimensional helicopter system (as described in Section 3) and a 4-dimensional vehicle.

We illustrate an instance of the synthesis of the helicopter autopilot for time bound $T=9$ in Figure 2. The state variables, control input variables and the constraint $Ctr$ of the system are listed in Table 1. We model an actuator intrusion attack in which the control input is tampered with by an amount $a_t$ at each time $t\in[T]$. The total amount of spoofing is bounded by a budget $b=1$. A control $u=\{u_t\}_{t\in[T]}$ is synthesized by Synthesis. We randomly sample adversary inputs $a$ with $\sum_{t\in[T]}\|a_t\|^2=b$ and visualize the corresponding trajectories under control $u$ in Figure 2.

Figure 2: Sampled trajectories of the helicopter autopilot. The safety and winning conditions hold.

... which is the number of atomic propositions in $\varphi$. Notice that if we convert a CNF formula into a union of polytopes, the size of the formula can grow exponentially. Similarly, let the CNF formulas $\varphi_{Safe}$, $\varphi_{Goal}$ and $\varphi_{Ctr}$ specify the constraints $Safe,Goal\subseteq X$ and $Ctr\subseteq U^T$. It can be derived from (2) that $|\varphi|=T|\varphi_{Safe}|+|\varphi_{Goal}|+|\varphi_{Ctr}|$. If we fix the length of the projection of $\varphi_{Ctr}$ onto the control $u_t$ for each $t$, that is, we assume the controller constraints at different times are comparably complex, then $|\varphi_{Ctr}|$ grows linearly with the time bound $T$. Supposing the lengths $|\varphi_{Safe}|$, $|\varphi_{Goal}|$ are constant, the length of $\varphi$ is then linear in the time bound $T$.

The length of $\varphi_{Safe}$ is a function of the number and complexity of the obstacles. Suppose that the safe region $Safe'$ is obtained by adding a polytopic obstacle $O=\{x\in\mathbb{R}^n : Ax<b\}$ to a safe region $Safe$. One measure of the complexity of the obstacle is the number of rows of the matrix $A$. The resulting safe region is $Safe'=Safe\setminus O$, which implies
$$\varphi_{Safe'}=\varphi_{Safe}\wedge\neg(Ax<b)=\varphi_{Safe}\wedge\Big(\bigvee_i -A_ix\le -b_i\Big),$$
where $A_i$ is the $i$th row of $A$. Therefore the length of $\varphi_{Safe}$ increases linearly with the number of obstacles and the number of faces of each obstacle.

In the experiments, we observe that the running time of Z3 on the SMT formula varies on a case-by-case basis. The size of the obstacles, the volume of the obstacle-free region and the number of significant digits in the entries of the constraint and dynamics matrices also affect the running time.

6.3 Vulnerability Analysis of Initial States

Using Synthesis, we can examine the vulnerability of initial states to attackers. Fixing a controller constraint $Ctr$, a time bound $T$, a safety condition $Safe$ and a winning condition $Goal$, for each initial set $Init$ there exists a maximum critical budget $b_{mfc}$ of the adversary $Adv$ such that beyond this budget the problem becomes infeasible. The lower the $b$
mfc foraninitialstateis,itisvulnerabletoaweakeradversary. BesidestheHelicoptermodel,westudiedandiscretevari- The maximum budget can be found by a binary search on ation of the navigation problem of a 4-dimensional vehicle, the adversary budget with Synthesis. where the states are positions and velocities in Cartesian We examine the vulnerability of an instance of the 4- coordinates, and the controller and adversary compete to dimensional autonomous vehicle system. The result is il- decide accelerations in both direction. lustrated in Figure 3, where the box at the bottom repre- The experimental results for different instances are listed sent the Goal, the red regions represent the obstacle whose inTable2,wherethecolumnsrepresent(i)themodelofthe complement is the Safe, the green-black on the top region complete system, (ii) the dimension of state, control input is the Init. The black regions are most vulnerable with and adversary input vectors, (iii) the time bound, (iv) the b = 0 and the lightest green region are least vulnerable lengthofformularepresentingSafeandnumberofobstacles, mfc withb =1.8. Weseethattheregionclosertoanobstacle (v)thelengthofformularepresentingGoal andCtr,(vi)the mcc are darker as an adversary with relatively small budget (b) lengthofthequantifier-freeformulain(2),(vii)thesynthesis can make the vehicle run into an obstacle. We also observe result,and(vii)therunningtimeofthesynthesisalgorithm. thatthedarkregionsareshiftedtowardsthecentersincethe Fromtheresult,weobservethatthealgorithmcansynthe- obstaclesareaggregatedatthecenteroftheplane. Avoiding size controller for lower dimensional system for a relatively them may cause a controller run out of the time bound. longhorizon(320)forreasonableamountoftime. Forhigher dimensionalsystem(16-dimensional),theapproachscalesto 6.4 AttackSynthesis anhorizonT =15. Theruntimeofthealgorithmgrowsex- ponentiallywiththetimeboundT. 
ByComparingrow2-4, The Synthesis subroutine can also be used to generate weobservethattheruntimegrowslinearlywiththenumber attacks by swathing the roles of the adversary and the con- of obstacles. troller. In this section, we synthesize adversarial attacks to the4-dimensionalvehiclesuchthatthesystemwillbedriven 6.2 Discussion on Complexity of Safety Con- to unsafe states in a bounded time T. That is, for a state straints x∈X, we decide whether Letthequantifier-freeconstraintsin(2)bespecifiedbyan ∃ a∈Adv ∀ u∈Ctr: CNF formula φ, where each atomic proposition is a linear (14) constrain. We denote |φ| as the length of the CNF formula (∨ ξ(x,u,a,t)∈Unsafe). t∈[T] Complete System # x,u,a T |φ |,#Obs |φ |,|φ | |φ| Result Run Time (s) Safe Goal Ctr 40 16, 3 4, 160 804 unsat 2.79 80 20, 4 4, 320 1924 sat 16.49 80 44, 10 4, 320 3844 sat 35.22 Vehicle 4,2,2 80 84, 20 4, 320 7044 sat 53.8 160 20, 5 4, 640 3844 sat 91.78 320 24, 6 4, 1280 8964 sat 532.5 5 18, 3 6,40 136 sat 1.2 5 24, 4 6,40 166 unsat 0.61 7 24, 4 9, 56 213 sat 8.2 Helicopter 16,4,4 9 36, 6 6, 72 402 sat 24.5 12 24,4 6, 96, 338 sat 60.6 15 24, 4 6, 96, 576 sat 158.8 18 24, 4 10, 96, 640 – – Table 2: Experimental results for Synthesis Figure4: AttackGeneration. Thedarkeraregionis,alarger portionofvelocityisvulnerable. Ifthevehiclevisitaregion neartoanobstacle,itcouldsurviveonlyifitsinitialvelocity Figure3: VulnerabilityAnalysisofInitialStates. Adversary is pointing outwards. may cause the system to hit an obstacle or delay the time of reaching beyond T SupposethesetofstatesX ⊆R4 iscompact. Anadversary first creates a uniform cover of the state space, then search foranattackforeachcover. Ifthesynthesissucceedandre- Notice that (14) is essentially the same as (2) by switching turnsanattacka,thenthecoverisvulnerableandisstored the roles of u and a, and negating Safe to get Unsafe. in the look-up table of attacks paired with the attack a. 
WesupposethatthesetofadversarialinputAdvisapoly- A result of the synthesis is illustrated in 4, where the topicsetandthecontrolCtr={u∈UT : (cid:80)t∈T ||ut||2 ≤b} red boxes specify obstacles. The vulnerable covers, each is specified by budget b ≥ 0. For general convex compact of which is a subset of R4, are projected on the 2-D plane sets Ctr and Adv, one can come up with an under approxi- and visualized as blue regions, where the white region are mated Adv as polytopic set and an over-approximated Ctr notvulnerabletoattackers. Thedarknessofaregioncorre- with budget b. As we discuss in Section 5.1, this approxi- spondstothenumberofvulnerablecovershaveprojectionin mation is sound. theregion. Thatis,ifthevehicleisinadarkregion,alarge We synthesize a look-up table {(Ii,ai)}i as the strategy portionofitsvelocityspaceisvulnerableunderattacksthat oftheadversary,suchthat(i)Ii ⊆X,and(ii)foreachstate makes the system unsafe. A sample trajectory is captured x∈Ii,thecorrespondingadversaryaisatisfies(14). During by the green curve, where, as it enters light shadow region, the evolution of the plant under controller, the adversary its velocity does not fall into a vulnerable cover right away. act only when the system reaches a state x ∈ Ii for some As it approach further, it enters a vulnerable cover and an Ii in the look-up table, then the corresponding attack ai is attack is triggered at the point with cross mark. triggered at x which breaks the safety of the system. Thesynthesisofattacksusessimilarideaofcreatingcov- 7. CONCLUSION ers of the states as in TableSynthesis without refinements. We present a controller synthesis algorithm for a discrete ICRA 2014, Hong Kong, China, May 31 - June 7, time reach-avoid problem in the presence of adversaries. 2014, 2014, pp. 5319–5325. [Online]. Available: Specifically, we present a sound and complete algorithm for http://dx.doi.org/10.1109/ICRA.2014.6907641 thecasewithlineartime-varyingdynamicsandanadversary [6] Z. Zhou, R. Takei, H. 
Huang, and C. J. Tomlin,“A withabudgetonthetotalL2-normofitsactions. Thealgo- general, open-loop formulation for reach-avoid games.” rithm combines techniques in control theory and synthesis in CDC, 2012, pp. 6501–6506. approaches coming from formal method and programming [7] A. A. Ca´rdenas, S. Amin, and S. Sastry,“Research language researches. Our approach first precisely converts challenges for the security of control systems.”in the reach set of the complete system into a composition of HotSec, 2008. non-determinism from the adversary input and the choice [8] F. Pasqualetti, F. Dorfler, and F. Bullo,“Attack of initial state, and an adversary-free trajectory with fixed detection and identification in cyber-physical initialstate. ThenweenhancetheSafe andGoal conditions systems,”Automatic Control, IEEE Transactions on, by solving a sequence of quadratic-constrained linear opti- vol. 58, no. 11, pp. 2715–2729, Nov 2013. mizationproblem. Andfinallywederivealinearquantifier- [9] J. Dahl and L. Vandenberghe,“Cvxopt: A python free SMT formula for the adversary-free trajectories, which package for convex optimization,”in Proc. eur. conf. can be solved effectively by SMT solvers. The algorithm is op. res, 2006. thenextendedtosolveproblemswithmoregeneralinitialset [10] L. De Moura and N. Bjørner, Z3: An efficient SMT andconstraintsofcontrollerandadversary. Wepresentpre- solver. Springer, 2008. liminary experimental results that show the effectiveness of [11] A. Cardenas, S. Amin, B. Sinopoli, A. Giani, this approach on several example problems. The algorithm A. Perrig, and S. Sastry,“Challenges for securing synthesizes adversary-resilient controls for a 4-dimensional cyber physical systems,”in Workshop on future system for 320 rounds and for a 16-dimensional system for directions in cyber-physical systems security, 2009. 15roundsinminutes. Thealgorithmisextendedtoanalyze [12] S. Amin, A. A. Ca´rdenas, and S. S. 
Sastry,“Safe and vulnerability of states and to synthesize attacks. secure networked control systems under FutureDirection denial-of-service attacks,”in Hybrid Systems: Computation and Control. Springer, 2009, pp. 31–45. There are several interesting follow-up research topics. For [13] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, example, the solution of linear ARAC can be used to solve C.-Y. Huang, and S. Sastry,“Attacks against process adversary-free nonlinear avoid-reach problems, where the control systems: risk assessment, detection, and dynamics can be linearized along a nominal trajectory and response,”in Proceedings of the 6th ACM symposium the linearization error is modeled as adversary. on information, computer and communications We also planned to extend the approach to synthesize security. ACM, 2011, pp. 355–366. switched controller for infinite horizon by applying a sim- [14] H. Fawzi, P. Tabuada, and S. Diggavi,“Secure ilar approach as suggested in [25]. estimation and control for cyber-physical systems Another interesting direction is to precisely define a dual under adversarial attacks,”IEEE Transactions on problem of the linear ARAC. Since reachability is dual to Automatic Control, vol. 59, no. 6, pp. 1454–1467, June detectability, we envision that there exists a detectability 2014. type problem dual to ARAC, such that the adversary adds noise to the measurements. The question is then how well [15] Y.Shoukry,J.Araujo,P.Tabuada,M.Srivastava,and wecanestimatewhetherthesystemisinunsafestatebased K. H. Johansson,“Minimax control for cyber-physical on the noisy measurements. systems under network packet scheduling attacks,”in Proceedings of the 2nd ACM international conference on High confidence networked systems. ACM, 2013, 8. REFERENCES pp. 93–100. [1] S. P. Bhattacharyya, H. Chapellat, and L. H. Keel, [16] S. Nedunuri, S. Prabhu, M. Moll, S. Chaudhuri, and “Robust control,”The Parametric Approach, by L. E. 
Kavraki,“Smt-based synthesis of integrated task Prentice Hall PTR, 1995. and motion plans from plan outlines.” [2] T. Basar, G. J. Olsder, G. Clsder, T. Basar, T. Baser, [17] T. Beyene, S. Chaudhuri, C. Popeea, and and G. J. Olsder, Dynamic noncooperative game A. Rybalchenko,“A constraint-based approach to theory. SIAM, 1995, vol. 200. solvinggamesoninfinitegraphs,”inProceedings of the [3] P. Tabuada and G. J. Pappas,“Model checking ltl 41st annual ACM SIGPLAN-SIGACT symposium on over controllable linear systems is decidable,”in Principles of programming languages. ACM, 2014, Hybrid systems: computation and control. Springer, pp. 221–234. 2003, pp. 498–513. [18] J. Ding, E. Li, H. Huang, and C. J. Tomlin, [4] A. Ulusoy, T. Wongpiromsarn, and C. Belta, “Reachability-based synthesis of feedback policies for “Incremental controller synthesis in probabilistic motion planning under bounded disturbances,”in environments with temporal logic constraints,”The Robotics and Automation (ICRA), 2011 IEEE International Journal of Robotics Research, p. International Conference on. IEEE, 2011, pp. 0278364913519000, 2014. 2160–2165. [5] E. M. Wolff, U. Topcu, and R. M. Murray, [19] B. Mettler, T. Kanade, and M. B. Tischler, System “Optimization-based trajectory generation with linear identification modeling of a model-scale helicopter. temporal logic specifications,”in 2014 IEEE Carnegie Mellon University, The Robotics Institute, International Conference on Robotics and Automation, 2000. [20] O. Botchkarev and S. Tripakis,“Verification of hybrid systems with linear differential inclusions using ellipsoidal approximations,”in Hybrid Systems: Computation and Control. Springer, 2000, pp. 73–88. [21] T. A. Henzinger, B. Horowitz, R. Majumdar, and H. Wong-Toi,“Beyond hytech: Hybrid systems analysis using interval numerical methods,”pp. 130–144, 2000. [22] F. Alizadeh and D. Goldfarb,“Second-order cone programming,”Mathematical programming, vol. 95, no. 1, pp. 3–51, 2003. [23] L. 
Vandenberghe and S. Boyd,“Semidefinite programming,”SIAM review, vol. 38, no. 1, pp. 49–95, 1996. [24] B. Dutertre and L. De Moura,“A fast linear-arithmetic solver for dpll (t),”in Computer Aided Verification. Springer, 2006, pp. 81–94. [25] J.-W.Lee,“Inequality-basedpropertiesofdetectability and stabilizability of linear time-varying systems in discrete time,”Automatic Control, IEEE Transactions on, vol. 54, no. 3, pp. 634–641, March 2009.
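The two ingredients the paper relies on above, the R_t ⊕ B_t strengthening of Safe and Goal from the proof in Section 5 and the binary search over the adversary budget from Section 6.3, as an added example in pure Python. This is not the authors' prototype tool: it assumes a constructed 2-state double-integrator plant x_{t+1} = A x_t + B(u_t + a_t) with a single actuator channel tampered with by a_t under the budget Σ_t ||a_t||² ≤ b and an initial ball of radius ε around θ. With one scalar input channel the support function of the adversary-induced displacement has a closed form (Cauchy-Schwarz), so the strengthened half-spaces are computed exactly without the SOCP of Lemma 3. The control u is fixed rather than re-synthesized per budget, so `max_budget` returns the largest budget that this particular u tolerates, which is a lower bound on the paper's b_mfc (which quantifies over all u ∈ Ctr). All function names, the plant matrices and the Safe/Goal half-spaces are this example's own.

```python
"""Exact R_t (+) B_t strengthening for a fixed control, plus a budget binary search.

Added example, not the paper's tool. Constructed plant (assumption): a
position/velocity double integrator with unit sampling time and one actuator
channel, x_{t+1} = A x_t + B (u_t + a_t); the adversary picks a_t subject to
sum_{t in [T]} a_t^2 <= b (the paper's total-L2 budget, actuator intrusion).
"""
import math
from typing import List, Optional, Sequence, Tuple

Vec = List[float]
Mat = List[List[float]]
HalfSpace = Tuple[Vec, float]          # (c, d) encodes the linear constraint c.x <= d

A: Mat = [[1.0, 1.0], [0.0, 1.0]]      # constructed dynamics matrix
B: Vec = [0.5, 1.0]                    # constructed input vector (single channel)


def matvec(M: Mat, v: Vec) -> Vec:
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def matmul(M: Mat, N: Mat) -> Mat:
    return [[sum(M[i][k] * N[k][j] for k in range(len(N))) for j in range(len(N[0]))]
            for i in range(len(M))]


def matpow(M: Mat, k: int) -> Mat:
    P = [[1.0 if i == j else 0.0 for j in range(len(M))] for i in range(len(M))]
    for _ in range(k):
        P = matmul(P, M)
    return P


def dot(a: Vec, b: Vec) -> float:
    return sum(x * y for x, y in zip(a, b))


def nominal_trajectory(theta: Vec, u: Sequence[float], T: int) -> List[Vec]:
    """Adversary-free trajectory xi(theta, u, 0, t) for t in [T+1]."""
    xs = [list(theta)]
    for t in range(T):
        ax = matvec(A, xs[-1])
        xs.append([ax[i] + B[i] * u[t] for i in range(len(ax))])
    return xs


def adversary_support(c: Vec, t: int, budget: float) -> float:
    """Support function (the B_t term) of the adversary-induced displacement at time t.

    The displacement is sum_{s<t} A^{t-1-s} B a_s with sum_s a_s^2 <= budget; with
    g_s = c . A^{t-1-s} B its maximum along c is sqrt(budget) * ||g|| (Cauchy-Schwarz),
    which is tight, so the strengthening below is exact for a scalar input channel.
    """
    g = [dot(c, matvec(matpow(A, t - 1 - s), B)) for s in range(t)]
    return math.sqrt(budget) * math.sqrt(sum(x * x for x in g))


def init_support(c: Vec, t: int, eps: float) -> float:
    """Support (the R_t term) of A^t delta over the initial ball ||delta|| <= eps."""
    At = matpow(A, t)
    atc = [sum(At[i][j] * c[i] for i in range(len(At))) for j in range(len(At[0]))]  # (A^t)^T c
    return eps * math.sqrt(dot(atc, atc))


def strengthened_bound(hs: HalfSpace, t: int, budget: float, eps: float) -> float:
    """Right-hand side d' of the R_t (+) B_t strengthened half-space c.x <= d'.
    Both uncertainty sets enter as a Minkowski sum, so their supports add."""
    c, d = hs
    return d - init_support(c, t, eps) - adversary_support(c, t, budget)


def check_control(theta, eps, u, T, safe, goal, budget) -> Tuple[bool, Optional[int]]:
    """Sound and complete check for a fixed u: the nominal trajectory must lie in
    Safe'_t for every t in [T+1] and in Goal' at T. Returns (ok, first failing time)."""
    xs = nominal_trajectory(theta, u, T)
    for t, x in enumerate(xs):
        for hs in safe:
            if dot(hs[0], x) > strengthened_bound(hs, t, budget, eps):
                return False, t
    for hs in goal:
        if dot(hs[0], xs[T]) > strengthened_bound(hs, T, budget, eps):
            return False, T
    return True, None


def max_budget(theta, eps, u, T, safe, goal, hi=10.0, iters=60) -> float:
    """Largest adversary budget the fixed control u tolerates, by binary search
    (feasibility is monotone in the budget). Returns 0.0 if even b = 0 fails."""
    if not check_control(theta, eps, u, T, safe, goal, 0.0)[0]:
        return 0.0
    lo = 0.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if check_control(theta, eps, u, T, safe, goal, mid)[0]:
            lo = mid
        else:
            hi = mid
    return lo


# Constructed instance: state (p, v). Safe keeps -1 <= p <= 6 and |v| <= 2 at
# every step; Goal requires 1 <= p <= 5 at T = 4; u accelerates, coasts, brakes.
SAFE: List[HalfSpace] = [([1.0, 0.0], 6.0), ([-1.0, 0.0], 1.0),
                         ([0.0, 1.0], 2.0), ([0.0, -1.0], 2.0)]
GOAL: List[HalfSpace] = [([1.0, 0.0], 5.0), ([-1.0, 0.0], -1.0)]
THETA, EPS, T = [0.0, 0.0], 0.05, 4
U = [1.0, 0.0, 0.0, -1.0]

if __name__ == "__main__":
    print(nominal_trajectory(THETA, U, T)[-1])              # [3.0, 0.0]
    print(check_control(THETA, EPS, U, T, SAFE, GOAL, 0.1))  # (True, None)
    print(check_control(THETA, EPS, U, T, SAFE, GOAL, 1.0))  # (False, 1)
    print(round(max_budget(THETA, EPS, U, T, SAFE, GOAL), 4))  # 0.1532
```

With the paper's budget b = 1 this nominal control already fails at t = 1 (the velocity bound is violated once the adversary can inject a unit of acceleration), while at b = 0.1 every strengthened constraint holds; the search pins the tolerated budget at about 0.153, where the Goal half-space at T becomes binding. Replacing `check_control` with a call to a synthesis routine that re-chooses u for each candidate budget turns the same loop into the b_mfc computation of Section 6.3.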