Joint State Estimation Under Attack of Discrete Event Systems

The problem of state estimation for partially-observed discrete event systems subject to cyber attacks is considered. An operator observes a plant through a natural projection that hides the occurrence of certain events. The objective of the operator is to estimate the current state of the system. The observation is corrupted by an attacker that can tamper with the readings of a set of sensors, inserting fake events or erasing observations that actually occurred. The aim of the attacker is to alter the state estimation of the operator. An automaton, called joint estimator, is defined to describe the set of all possible attacks. In more detail, an unbounded joint estimator is obtained by concurrent composition of two state observers, the attacker observer and the operator observer. The joint estimator shows, for each possible corrupted observation, the joint state estimation, i.e., the set of states consistent with the uncorrupted observation and the set of states consistent with the corrupted observation. Such a structure can be used to establish whether an attack function is harmful w.r.t. a misleading relation. Our approach is also extended to the case in which the attacker may insert at most n events between two consecutive observations.


I. INTRODUCTION
Cyber-physical systems are intelligent interconnected systems that are particularly exposed to network-based malicious attacks. Their security is a topic that has received much attention in recent years in different information and communications technology (ICT) communities, such as automatic control [1], [2], computer science and engineering [3], [4], and telecommunications [5].
In the domain of automatic control, the security of dynamical systems has been addressed with two main formalisms. The first one is that of time-driven systems, either in continuous time [6], [7] or in discrete time [8], [9]. In [6], the issue of reliable control in cyber-physical systems under attack has been investigated. Rabehi et al. [7] design a secure interval observer for solving the problem of state estimation. In [8], the issue of reachability analysis in discrete-time systems under attack has been studied. Finally, Zhang et al. [9] address the problem of data-driven resilient control against cyber attacks.
The second formalism is that of discrete event systems, where time-driven dynamics are abstracted and a logical (non-numerical) approach based on formal languages is adopted. The problem of attack detection in the framework of discrete event systems is addressed in [10]-[12]. In [13] the focus is on fault diagnosis of discrete event systems under attack. The problem of opacity enforcement by insertion functions under energy constraints has been investigated in [14]. The problem of supervisory control of discrete event systems under attack has been considered in [15]-[24].
Mainly inspired by some recent works [25]-[28], we address the problem of state estimation in the setting of partially-observed discrete event systems subject to cyber attacks. In this paper, which is an extended version of [29], we consider a plant modeled as a discrete event system with state set X, whose evolution is observed by an operator. The occurrence of a subset of events E_o, called observable events, can be detected by sensors, while all other events, called silent events, produce no observation. An evolution of the plant produces an observed word s ∈ E_o^* which the operator uses to determine the set of consistent states C(s) ⊆ X, i.e., the set of states in which the system may be when s has been produced.
We assume that an attacker, which has full knowledge of the plant, may corrupt the sensor readings. This could happen because the attacker either gains direct control of a sensor or corrupts the messages between the plant and the operator, assuming they are connected through a network. The particular attack model we adopt, among those that have been presented in the literature, is based on the one considered by Meira-Góes et al. [26]. In particular, the attacker may insert fake occurrences of compromised events into the word observed by the operator or, on the contrary, may erase the occurrences of such events. In addition, we consider the possibility that the length of a word inserted by the attacker between the occurrences of two observable events is n-bounded.
The attacker aims to mislead the operator. Under attack, an observation s ∈ E_o^* produced by the plant can be changed into a corrupted observation s′ ∈ E_o^*, and as a result the operator computes a state estimate C(s′) ⊆ X which is in general incorrect. The attacker may have arbitrary goals. As an example, it may want to hide the fact that the plant has reached a critical state, so that the operator does not activate the protections that are fundamental for the safety of the system. In all generality, we formalize a malicious goal by introducing a misleading relation R ⊆ 2^X × 2^X, and we say that an attack is harmful if there exists some observation s that can be changed into a corrupted observation s′ such that (C(s), C(s′)) ∈ R.
In this paper, we first show how to construct two particular automata, called attacker observer and operator observer, which are defined on an augmented attack alphabet that includes the observable events of the plant and the events describing the actions of the attacker. Based on the concurrent composition of these two observers, we design a joint estimator, which describes all possible attacks. Finally, by inspection of such a structure one can determine whether an attack function is harmful w.r.t. a misleading relation.

A. LITERATURE REVIEW
The problem of estimation under attack has been considered by relatively few authors in the automatic control literature.
In [30]- [32] the state estimation problem for time-driven models is studied.
Ding et al. [30] propose the problem of remote state estimation under denial-of-service attacks. A sensor needs to choose a channel to transmit the data packets, while an attacker needs to choose a channel to attack. They formalize such a problem as a two player stochastic game between the sensor and the attacker, and present optimal strategies in terms of computational complexity for both sides, respectively.
Peng et al. [31] consider the issue of optimal attack energy allocation against remote state estimation. An optimal attack strategy that can result in maximal estimation error covariances is derived. Finally, they prove that the optimal strategy has a threshold structure.
Cheng et al. [32] develop an attack strategy that can degrade the estimation performance by tampering with the sensors, eavesdropping the measurements, and injecting false feedback information. They conclude that, with the presence of an attacker, the mean-squared stability condition of the state estimation is weakened.
In this work we consider discrete-event models, and the approaches developed in the above-mentioned literature cannot be adopted. The state estimation problem for discrete event systems has so far not been studied in all generality, but has been partially addressed in the context of supervisory control. Here we mention a few recent publications which have inspired our work.
Tong et al. [25] present a new finite structure called parallel observer, which allows one to simultaneously describe the observations of the supervisor and of the attacker. Based on the parallel observer, a maximally permissive supervisor is developed to enforce current-state opacity.
Meira-Góes et al. [26] propose a novel bipartite transition structure in the framework of discrete event systems, namely, Insertion-Deletion Attack structure, and present a game-like relationship between the supervisor and the environment (the plant and the attacker) to determine if the attacker can lead the plant to a forbidden state without being detected by the supervisor.
Lima et al. [27] propose a defense policy that prevents cyber attacks at the sensor and actuator layers in supervisory control systems. It is assumed that the attacker can alter the observation of events in a set of events Σ_vs, and modify the enabling of events in a set of events Σ_va. The notions of detectable network attack security and undetectable network attack security are introduced to prevent the plant from reaching forbidden states.
Su [28] addresses the problem of attack-with-bounded-sensor-reading-alteration (ABSRA), where the attacker can intercept the sensor readings from the plant and arbitrarily alter them, but with an upper bound on the length of the altered observation word. In this way the attacker can cheat the supervisor, leading the plant to undesirable states. The author also develops a supervisor that is robust to ABSRA.
We point out that significant differences exist between the problem setting considered in this paper and the problem setting dealt with in most of the papers in the literature, including the above-mentioned ones. What we propose is a methodology for studying how the possible choices of the attacker can affect the estimate of the operator. On the contrary, previous works on cyber attacks in the DES literature, including [15], [26]-[28], consider the case of an operator/supervisor: in such a case the goal of the attacker is to beguile the supervisor so that a specification is violated, i.e., the plant reaches a forbidden state or generates a forbidden evolution.
The proposed approach can be applied not only to the case in which an operator-supervisor controls a plant in closed loop, as in the above-mentioned papers, but also in more general settings, where the operator may have goals of a different nature. As an example, in our framework one may study how cyber attacks disturb an operator-monitor which takes decisions based on its estimation of the plant state, or an operator-diagnoser which aims to detect the occurrence of faults. Mutatis mutandis, our approach can also be used for addressing a problem of opacity enforcement: in such a case the operator is an intruder that wants to infer a secret, and the attacker is the agent that corrupts the observation to thwart the intruder.

B. CONTRIBUTIONS AND STRUCTURE OF THE PAPER
This paper contains several original contributions.
• The problem of joint state estimation under attack is formalized; harmful attacks are characterized in general terms by means of a misleading relation.
• Based on the notion of attack alphabet and attack words, which describe how observations can be corrupted by the attacker, we show how to construct two different observers: they describe the state estimates computed by the attacker and by the operator for each corrupted observation.
• A formal methodology to design a joint estimator is presented. This automaton, constructed as the concurrent composition of the two observers, describes all possible attacks.
• The joint estimator shows, for each possible corrupted observation, the joint state estimation, i.e., the set of states consistent with the uncorrupted observation and the set of states consistent with the corrupted observation. Such a structure also indicates if a harmful attack exists.

The rest of the paper is organized as follows. In Section II, we recall the basic notions of finite-state automata and of state estimation via observers. In Section III, we first describe the adopted attack model, and then formalize the problem considered in this paper. In Section IV, we develop two observers: the attacker observer and the operator observer. In Section V, we define the unbounded joint estimator as the concurrent composition of such observers. Then, we define an automaton that allows us, again via concurrent composition, to derive a bounded joint estimator starting from the unbounded one. Conclusions are finally drawn in Section VI, where we also discuss our future lines of research in this framework.

II. PRELIMINARIES
Given an alphabet E, let E^* denote the set of all words on the alphabet. Given two words w_1, w_2 ∈ E^*, let w_1w_2 denote their concatenation. Similarly, given two languages L_1, L_2 ⊆ E^*, we denote their concatenation L_1L_2, and when L_1 = {w} we also write L_1L_2 = wL_2.
A deterministic finite-state automaton (DFA) is a four-tuple G = (X, E, δ, x_0), where X is the set of states, E is the set of events (alphabet), δ : X × E → X is the (partial) transition function, and x_0 is the initial state. The transition function can be extended to δ^* : X × E^* → X such that δ^*(x, ε) = x and δ^*(x, σe) = δ(δ^*(x, σ), e) for all x ∈ X, e ∈ E and σ ∈ E^*. The generated language of G is defined as L(G) = {σ ∈ E^* | δ^*(x_0, σ) is defined}.

Given two alphabets E and E′ with E′ ⊆ E, the natural projection on E′, P_{E′} : E^* → (E′)^*, is defined as [33]:

P_{E′}(ε) = ε;  P_{E′}(σe) = P_{E′}(σ)e if e ∈ E′, and P_{E′}(σe) = P_{E′}(σ) if e ∈ E \ E′.  (1)

Therefore, given a word σ ∈ E^*, its natural projection on E′ is obtained by erasing the events that do not belong to E′.
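The natural projection of Eq. (1) can be sketched in a few lines. This is a minimal illustration, not code from the paper: words are encoded as tuples of event labels and the function name is ours.

```python
# Hypothetical helper sketching the natural projection P_{E'} of Eq. (1):
# events that do not belong to the target alphabet E' are simply erased.
def natural_projection(word, target_alphabet):
    """Return P_{E'}(word): the subword of `word` obtained by keeping
    only the events that belong to `target_alphabet`."""
    return tuple(e for e in word if e in target_alphabet)
```

For instance, projecting the word ('a', 'b', 'a') onto the alphabet {'a'} yields ('a', 'a').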
The concurrent composition of two languages L_1 and L_2 is defined as

L_1 ∥ L_2 = {w ∈ E^* | P_{E_1}(w) ∈ L_1, P_{E_2}(w) ∈ L_2},

where E_1 and E_2 are the alphabets of L_1 and L_2, respectively, and E = E_1 ∪ E_2. The concurrent composition operator can also be defined for DFA. In particular, given two DFA G′ and G″, their concurrent composition, denoted as G = G′ ∥ G″, is a DFA whose generated language is L(G) = L(G′) ∥ L(G″).

A partially-observed DFA is a DFA whose alphabet is partitioned as E = E_o ∪ E_uo, where E_o is the set of observable events and E_uo is the set of unobservable events. In the following, to keep the notation simple, we denote as P : E^* → E_o^* the natural projection on E_o. When a partially-observed DFA generates a word σ ∈ L(G), it produces the observation s = P(σ) ∈ E_o^*. However, in general a given observation may be produced by more than one generated word. The set of words consistent with observation s is defined by {σ ∈ L(G) | P(σ) = s} and denotes the set of words generated by the DFA that produce observation s.
Correspondingly, the set of states consistent with observation s is defined by C(s) = {δ^*(x_0, σ) | σ ∈ L(G), P(σ) = s} and denotes the set of states in which the DFA can be when observation s has been produced.
The set C(s) ⊆ X is also called the state estimate corresponding to observation s ∈ E_o^*. The problem of state estimation of a partially-observed DFA G can be solved, in all generality, by constructing a new structure called its observer (see [34] for details).
Let us first define, for a partially-observed DFA G, the unobservable reach of a state x ∈ X. This set is denoted by UR(x) and is defined as the set of states x′ ∈ X reached from state x generating an unobservable word σ ∈ E_uo^*, i.e.,

UR(x) = {x′ ∈ X | ∃σ ∈ E_uo^* : δ^*(x, σ) = x′}.

This definition can be extended to a set of states B ⊆ X as follows:

UR(B) = ∪_{x ∈ B} UR(x).

The observer Obs(G) of a partially-observed DFA G = (X, E, δ, x_0) is a DFA Obs(G) = (B, E_o, δ_obs, b_0), where the set of states is B ⊆ 2^X, the alphabet E_o is the set of observable events of G, the initial state is b_0 = UR(x_0), and the transition function δ_obs : B × E_o → B is defined as δ_obs(b, e) = UR({x′ ∈ X | ∃x ∈ b : δ(x, e) = x′}). As shown in [34], given a partially-observed DFA G with observer Obs(G) = (B, E_o, δ_obs, b_0), it holds that C(s) = δ_obs^*(b_0, s) for all s ∈ P(L(G)).
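The observer construction just recalled can be sketched as a standard subset construction with unobservable reach. This is a minimal sketch under our own encoding (a DFA as a dict of transitions {(state, event): next_state}); names and encoding are illustrative, not the paper's.

```python
def unobservable_reach(states, delta, E_uo):
    """UR(B): all states reachable from the set `states` through
    unobservable events only (depth-first closure)."""
    reach, stack = set(states), list(states)
    while stack:
        x = stack.pop()
        for e in E_uo:
            nxt = delta.get((x, e))
            if nxt is not None and nxt not in reach:
                reach.add(nxt)
                stack.append(nxt)
    return frozenset(reach)

def build_observer(x0, delta, E_o, E_uo):
    """Return (b0, states, delta_obs) of Obs(G); observer states are
    frozensets of plant states so they can be used as dict keys."""
    b0 = unobservable_reach({x0}, delta, E_uo)
    states, delta_obs, stack = {b0}, {}, [b0]
    while stack:
        b = stack.pop()
        for e in E_o:
            targets = {delta[(x, e)] for x in b if (x, e) in delta}
            if not targets:
                continue  # e is not enabled at estimate b
            b_next = unobservable_reach(targets, delta, E_uo)
            delta_obs[(b, e)] = b_next
            if b_next not in states:
                states.add(b_next)
                stack.append(b_next)
    return b0, states, delta_obs
```

Only the reachable part of the (worst-case exponential) observer is built, which is consistent with the O(2^|X|) bound recalled later.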

III. THE JOINT STATE ESTIMATION PROBLEM
In this section, first, we introduce an attack model and an original formalism to represent it. Then, we formalize the problem considered in this paper.

A. ATTACK MODEL
In this paper we consider a plant modeled by a partially-observed DFA with set of observable events E_o and set of unobservable events E_uo. Referring to Fig. 1, if σ is a word generated by the plant, the observed word is s = P(σ). An attacker may corrupt the output signals produced by the plant with the effect of inserting in the observation some events that did not occur, or erasing some events that have occurred. Such a corrupted observation is denoted as s′ (a sequence of events in E_o), and the operator constructs its state estimation based on s′. In our framework, we assume the operator monitors the plant to estimate its current state: the objective of the attacker is to corrupt the observation in such a way that a correct estimation is not possible.

Definition 1: [26] The set of compromised events is denoted as E_com ⊆ E_o. It includes all the observable events that can be corrupted by the attacker, either by inserting them in the operator observation, even if they have not actually occurred, or by erasing them from the operator observation.

The definition of compromised events was first proposed in [26]. However, while in [26] the authors assume that all the compromised events can be both inserted and erased by the attacker, here we slightly generalize the definition as follows.
The set of compromised events that can be inserted in the operator observation is denoted as E_ins, and the set of compromised events that can be erased is denoted as E_era. To keep the presentation general, we assume that E_ins and E_era are not necessarily disjoint.
The relationship among the different subsets of observable events E_o is clarified in Fig. 2. We now formally describe the action of the attacker in terms of two new types of events that it can generate. More precisely, even if it is possible to directly define the attacker as a finite-state transducer that "translates" an observed word s into a corrupted observation s′ (see Fig. 1), for a reason that will become clear in the following we prefer to characterize the attacker's action in terms of a new word defined on a so-called attack alphabet E_a.
The set of inserted events [26] is denoted as E_+, namely E_+ = {e_+ | e ∈ E_ins}. The occurrence of an event e_+ ∈ E_+ denotes the fact that the attacker inserts in the operator observation an event e ∈ E_ins that has not occurred in reality.
The set of erased events [26] is denoted as E_−, namely E_− = {e_− | e ∈ E_era}. The occurrence of an event e_− ∈ E_− denotes the fact that the attacker erases from the operator observation an event e ∈ E_era generated by the plant.
Given a bound n ∈ N ∪ {∞}, let E_+^{≤n} = {w_+ ∈ E_+^* | |w_+| ≤ n} denote the set of words on alphabet E_+ whose length does not exceed n. Note that if n = ∞ then E_+^{≤n} = E_+^*.

Definition 2: The attack alphabet is E_a = E_o ∪ E_+ ∪ E_−.

Definition 3: An n-bounded attacker can be defined by an attack function f_n : P(L(G)) → E_a^*, where E_a is the attack alphabet (Definition 2), satisfying the following conditions: (a) f_n(ε) ∈ E_+^{≤n}; (b) for all s ∈ P(L(G)) and e ∈ E_o such that se ∈ P(L(G)), f_n(se) ∈ f_n(s){e, e_−}E_+^{≤n} if e ∈ E_era, and f_n(se) ∈ f_n(s)eE_+^{≤n} if e ∈ E_o \ E_era.

In Definition 3, condition (a) means that the attacker can insert a bounded word w_+ ∈ E_+^{≤n} at the initial state, before any event generated by the plant is observed. Condition (b) implies that if an event e ∈ E_era occurs, the attacker can either erase event e or not erase it, and then insert any word w_+ ∈ E_+^{≤n}. If an event e ∈ E_o \ E_era occurs, then the attacker can only insert any word w_+ ∈ E_+^{≤n} after e. We notice that imposing that the attacker may insert at most n consecutive events between any two observed events makes sense in practice. Indeed, even if our model is purely logical, a real system can produce only a finite number of events in a finite time. If the attacker could introduce an arbitrarily large number of events between two consecutive observed events, this would lead to an anomalous behavior as observed by the operator.
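Conditions (a) and (b) of Definition 3 can be illustrated by enumerating, for a given observation, every attack word an n-bounded attacker may emit. This is a hedged sketch of the definition (not an algorithm from the paper), with insertions encoded as ('+', e), erasures as ('-', e), and plain events standing for themselves; it is exponential and only meant for tiny examples.

```python
from itertools import product

def corruptions(s, E_era, E_ins, n):
    """All attack words compatible with Definition 3 for observation s
    (a tuple of observable events), a bound n, and sets E_era / E_ins."""
    def insertions():
        # All words of E_+ of length at most n, encoded as ('+', e) symbols.
        words = [()]
        for k in range(1, n + 1):
            words += [tuple(('+', e) for e in combo)
                      for combo in product(sorted(E_ins), repeat=k)]
        return words

    results = set(insertions())  # condition (a): leading insertions
    for e in s:
        # condition (b): keep e, or erase it when e is erasable, then insert.
        choices = [(e,)] + ([(('-', e),)] if e in E_era else [])
        results = {r + c + w for r in results
                   for c in choices for w in insertions()}
    return results
```

For s = ('a',) with E_era = {'a'}, E_ins = {'c'} and n = 1, the attacker has two choices for the leading insertion, two for event a (keep or erase), and two for the trailing insertion, giving eight attack words in total.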
We denote as F_n the set of attack functions for a given n ∈ N ∪ {∞}.

Definition 4: The language modified by an attack function f_n is called attack language. It is denoted as L(f_n, G) and is defined as L(f_n, G) = {f_n(s) | s ∈ P(L(G))}. The set of all the attack languages relative to a given n ∈ N ∪ {∞}, denoted as L(F_n, G), is defined as L(F_n, G) = ∪_{f_n ∈ F_n} L(f_n, G).

Given two integer numbers n and n′, F_n ⊆ F_{n′} if n ≤ n′. Furthermore, F_n ⊆ F_∞ for all n < ∞.

Definition 5: The operator mask P′ : E_a^* → E_o^* is defined as follows: P′(ε) = ε and, for w ∈ E_a^* and e_a ∈ E_a, P′(we_a) = P′(w)e if e_a = e ∈ E_o or e_a = e_+ ∈ E_+, while P′(we_a) = P′(w) if e_a ∈ E_−.

The internal structure of the attacker is visualized in Fig. 1 as a black box taking an observation s as an input and producing a corrupted observation s′ as an output. Such an internal structure is sketched in more detail in Fig. 3. Here the observed word is s = P(σ) (a sequence of events in E_o). The attacker corrupts the observation according to the attack function f_n, producing w ∈ L(f_n, G) ⊆ E_a^*. Such a word is projected via P′ onto E_o, generating a word s′. The plant operator constructs its state estimation based on s′.
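The operator mask of Definition 5 can be sketched as follows. This is a minimal illustration under our own encoding (insertions as ('+', e), erasures as ('-', e), plain observable events as themselves); the function name is ours.

```python
def operator_mask(attack_word):
    """Sketch of the operator mask P': E_a^* -> E_o^*.
    An inserted event ('+', e) is seen by the operator as e, an erased
    event ('-', e) produces no observation, and a genuine observable
    event passes through unchanged."""
    out = []
    for sym in attack_word:
        if isinstance(sym, tuple):
            kind, e = sym
            if kind == '+':      # fake insertion: the operator sees e
                out.append(e)
            # kind == '-': erasure, the operator sees nothing
        else:
            out.append(sym)      # genuine observable event
    return tuple(out)
```

For example, the attack word a (c erased) (d inserted) g is perceived by the operator as the observation a d g.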

B. PROBLEM STATEMENT
In this subsection we first describe the possible goals of the attacker on which we focus in this paper. Then we formalize the problem statement. To this aim we introduce a relation R ⊆ 2^X × 2^X, called a misleading relation. If s and s′ in E_o^* denote, respectively, the generic uncorrupted and corrupted observation of the operator, the goal of the attacker is achieved whenever (C(s), C(s′)) ∈ R, i.e., whenever the pair (set of states consistent with the uncorrupted observation, set of states consistent with the corrupted observation) belongs to R. The following definition formalizes this.

Definition 6: Let G = (X, E, δ, x_0) be a plant with set of observable events E_o and observer Obs(G) = (B, E_o, δ_obs, b_0). An attack function f_n is harmful w.r.t. a relation R ⊆ 2^X × 2^X if there exists an observation s ∈ P(L(G)) generated by the plant, whose set of consistent states is C(s) = δ_obs^*(b_0, s), such that s can be corrupted into a word s′ = P′(f_n(s)) whose corresponding set of consistent states is C(s′) = δ_obs^*(b_0, s′), and (C(s), C(s′)) ∈ R.

Different physical problems can be described in this setting by suitably defining relation R. A significant example is the following one.

Example 1: Assume that a subset of states of a system, X_cr ⊆ X, is labeled as critical, in the sense that when the system is in one of such states a protective action must be taken to avoid possible damage. The operator is monitoring the system evolution in order to establish when one of such states is reached. Obviously, if the operator does not realize that a critical state has been reached, no action is taken and the system behaviour can be seriously compromised. The effectiveness of an attacker that aims to affect the system observation in order to prevent the operator from realizing when a critical state is reached can be evaluated via the misleading relation defined as R = {(X′, X″) | X′ ∩ X_cr ≠ ∅ and X″ ∩ X_cr = ∅}.
Indeed, the attack is harmful if there exists at least one observation s such that C(s) ∩ X_cr ≠ ∅ (meaning that the system may be in a critical state) which can be corrupted to an observation s′ with C(s′) ∩ X_cr = ∅ (meaning that the operator excludes the possibility that the system is in a critical state).
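The misleading relation of Example 1 amounts to a simple membership test on a pair of state estimates. A minimal sketch (with sets encoded as Python sets; the function name is ours):

```python
def is_misleading_pair(C_s, C_s_prime, X_cr):
    """Check whether (C_s, C_s_prime) belongs to the relation R of
    Example 1: the true estimate intersects the critical set X_cr,
    while the corrupted estimate does not."""
    intersects_true = bool(set(C_s) & set(X_cr))
    intersects_corrupted = bool(set(C_s_prime) & set(X_cr))
    return intersects_true and not intersects_corrupted
```

An attack is then harmful w.r.t. this R as soon as one observation s admits a corruption s′ for which the test returns True.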
Given a plant G = (X, E, δ, x_0) with set of observable events E_o and a misleading relation R ⊆ 2^X × 2^X, the main contribution of this paper consists in providing a tool, called joint estimator, that contains all the possible actions (insertion and/or erasure of observations) that an attacker may implement during the system evolution. On the basis of such a structure, one can establish whether the attacks are harmful to the plant.

IV. ATTACKER OBSERVER AND OPERATOR OBSERVER
In this section we introduce two special structures, called Attacker Observer and Operator Observer, which are fundamental to derive the solution to the joint estimation problem we are considering.

A. ATTACKER OBSERVER
The attacker observer Obs_att(G) describes all possible attack words that can be generated by functions in F_∞ and the corresponding sets of consistent states of the system. Since attacks are performed by the attacker itself, it knows which observations originate from events that have really occurred in the plant (E_o), which observations have been erased (E_−), and which observations have been inserted (E_+). The attacker observer Obs_att(G) can be constructed using Algorithm 1, starting from the observer Obs(G). Then, for all e ∈ E_era and for all b ∈ B, whenever δ_att(b, e) is defined, the algorithm imposes δ_att(b, e_−) = δ_att(b, e). Indeed, the attacker knows that e_− corresponds to an event e that has been canceled, thus the way it updates its estimation is the same in the case of e and e_−.
Finally, for all events e ∈ E_ins and for all states b ∈ B, we add self-loops δ_att(b, e_+) = b. Indeed, the attacker knows that events in E_+ are fake events that have not really occurred in the plant, thus it does not update its estimation based on them. In particular, self-loops correspond to the possibility of inserting an arbitrarily large number of such events, which is consistent with the fact that we are dealing with attack functions in F_∞.

Example 2: Consider the partially-observed plant G = (X, E, δ, x_0) in Fig. 4(a), where E = E_o ∪ E_uo, E_o = {a, c, d, g}, and E_uo = {b}. The corresponding observer of G is shown in Fig. 4(b). Let E_ins = {c, d} and E_era = {c, g}. The attacker observer constructed using Algorithm 1 is shown in Fig. 5(a).
Since events c, g ∈ E_era and there is a transition labeled c from state {1, 2} to state {3} in the observer of the plant Obs(G), we add transitions labeled c and c_− from state {1, 2} to state {3} in the attacker observer. Similar arguments can be used to explain the transitions labeled c and c_− from state {5} to state {6}, and the self-loops labeled g and g_− at state {4}. Then, since c, d ∈ E_ins, we add self-loops labeled c_+ and d_+ at all the states.
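The attacker-observer construction of Algorithm 1 can be sketched as follows, under our own encoding (transitions as a dict {(state, event): next_state}, erasures as ('-', e), insertions as ('+', e)). This is an illustrative sketch of the three steps described above, not the paper's listing.

```python
def build_attacker_observer(delta_obs, states, E_era, E_ins):
    """Sketch of Algorithm 1: start from the plant observer Obs(G),
    mirror every erasable transition e with an e- transition to the
    same target, and add e+ self-loops at every state (arbitrarily
    many insertions, i.e. attack functions in F_infinity)."""
    delta_att = dict(delta_obs)                  # keep all E_o transitions
    for (b, e), b_next in delta_obs.items():     # e- parallels e, e in E_era
        if e in E_era:
            delta_att[(b, ('-', e))] = b_next
    for b in states:                             # e+ self-loops, e in E_ins
        for e in E_ins:
            delta_att[(b, ('+', e))] = b
    return delta_att
```

Since no state is added, the attacker observer has exactly the states of Obs(G), consistently with the complexity discussion below.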
The following proposition provides a characterization of the attacker observer.

Proposition 1: Consider a plant G with set of observable events E_o and observer Obs(G) = (B, E_o, δ_obs, b_0). Let f_∞ be an attack function, F_∞ be the set of attack functions, and E_a = E_o ∪ E_+ ∪ E_− be the attack alphabet. Let Obs_att(G) be the attacker observer constructed using Algorithm 1. It holds that: (a) L(Obs_att(G)) = L(F_∞, G); (b) for all s ∈ P(L(G)) and for all w ∈ ∪_{f_∞ ∈ F_∞} f_∞(s), δ_att^*(b_0, w) = δ_obs^*(b_0, s).

Proof: (a) According to Algorithm 1, Step 2 implies that L(Obs_att(G)) contains all words that can be observed if no attack occurs. Correspondingly, according to the definition of attack function (Definition 3), the set of attack languages L(F_∞, G) also contains these words, since the attacker does not reduce the language of the plant.
Steps 3-9 guarantee that all attacks resulting from the cancellation of events in E_era are considered. Correspondingly, according to the definition of attack function, each time the plant generates an event e ∈ E_era, the attacker can erase it.
Finally, Steps 10-14 guarantee that all attacks resulting from the insertion of an arbitrarily large number of events in E_ins are taken into account. Again, according to the definition of attack function, the attacker can insert any word w_+ ∈ E_+^* whenever possible. Thus, we can conclude that L(Obs_att(G)) = L(F_∞, G).

(b) We prove this by induction on the length of s. If s = ε, the result follows from the fact that, by definition of attack function, f_∞(ε) ∈ E_+^*, and by Steps 10-14 events in E_+ lead to self-loops in Obs_att(G).
Let us now consider a generic word se ∈ P(L(G)), where s ∈ P(L(G)) and e ∈ E_o. Assume the result holds for s. We prove that it also holds for se by considering the following two possible cases.
If e ∈ E_era, by the definition of attack function, w ∈ ∪_{f_∞ ∈ F_∞} f_∞(s){e_−, e}E_+^* holds. According to Steps 3-9, events e and e_− are dealt with in the same manner when defining the transition function δ_att. Finally, as just pointed out, according to Steps 10-14, events in E_+ lead to self-loops in Obs_att(G).
Finally, if e ∈ E_o \ E_era, by the definition of attack function, w ∈ ∪_{f_∞ ∈ F_∞} f_∞(s)eE_+^* holds. Thus the result follows from the fact that, according to Steps 10-14, events in E_+ lead to self-loops in Obs_att(G), and events in E_o are dealt with in the same manner in Obs_att(G) and Obs(G).

We now discuss the computational complexity of constructing the attacker observer Obs_att(G). Given a plant G with set of states X, the observer Obs(G) has at most 2^|X| states. According to Algorithm 1, Obs_att(G) has the same number of states as Obs(G); thus the complexity of building Obs_att(G) is O(2^|X|).

B. OPERATOR OBSERVER
The attack model we are considering may change an observation s into a corrupted observation s′ which cannot be produced by the nominal plant. In this case the operator understands that the system is under attack. This can be formalized as follows.

Definition 7: Consider a plant G. An attack function f_n is said to be stealthy if P′(L(f_n, G)) ⊆ P(L(G)), where P′ is the operator mask.
In words, stealthiness requires that the set of words that an operator observes when the system is under attack is contained in the set of words the operator may observe when no attack occurs.
The operator observer Obs_opr(G) generates two different sets of words. The first set includes all words on E_a^* that may either result from an uncorrupted observation of the plant or from a corrupted observation which keeps the attacker stealthy. The second set includes all the previous words continued with a symbol in E_a such that the resulting word is not consistent with an uncorrupted observation. While the words in the first set lead to a set of states that, according to the operator, are consistent with the perceived observation, those in the second set lead to a dummy state denoted as b_∅. The operator observer Obs_opr(G) can be constructed using Algorithm 2, as shown below.
According to Algorithm 2, the set of states B_opr = B ∪ {b_∅} and the set of events E_a are initially computed. Then, the transition function of Obs_opr(G) is initialized as δ_opr = δ_obs. Indeed, events in E_o are events actually occurring in the plant; when such events occur, the operator updates its state estimation according to the transition function of Obs(G).
Furthermore, for all e ∈ E_ins and for all b ∈ B, we impose δ_opr(b, e_+) = δ_opr(b, e). Indeed, the operator does not distinguish between events in E_+ and the corresponding events in E_ins. For all e ∈ E_era and for all b ∈ B, we add self-loops δ_opr(b, e_−) = b. Indeed, events in E_− correspond to no observation for the operator.
Finally, for all the events e_a ∈ E_a that are not enabled at a generic state b ∈ B, we let δ_opr(b, e_a) = b_∅. As a result, for all b ∈ B and for all e_a ∈ E_a, δ_opr(b, e_a) is defined. On the contrary, δ_opr(b_∅, e_a) is undefined for all e_a ∈ E_a.

Example 3: Consider again the plant G in Fig. 4. Let E_ins = {c, d} and E_era = {c, g}. The operator observer constructed using Algorithm 2 is visualized in Fig. 5(b). Since c, d ∈ E_ins, we add transitions labeled c_+ and d_+ in parallel to the corresponding transitions labeled c and d; since c, g ∈ E_era, we add self-loops labeled c_− and g_− at all the states. Finally, we add all the missing transitions to the new state b_∅, which has no output arc.

To better characterize the properties of the operator observer, let us define two sets of words associated to an attack model as described in Subsection III-A.

Definition 8: The set of stealthy words on the attack alphabet E_a is W_s = {w ∈ E_a^* | P′(w) ∈ P(L(G))}, while the set of exposing words on E_a is W_e = {we_a | w ∈ W_s, e_a ∈ E_a, we_a ∉ W_s}.

In plain words, a stealthy word w produces an observed word s′ = P′(w) which does not reveal the presence of the attacker, because such an observation may have been produced by the plant. An exposing word is a non-stealthy word on E_a whose strict prefixes are all stealthy: hence it reveals the presence of the attacker, but only at the last step.
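The operator-observer construction described above (Algorithm 2) can also be sketched in code. This is an illustrative sketch under our own encoding (transitions as a dict {(state, event): next_state}, insertions as ('+', e), erasures as ('-', e), and a sentinel value for the dummy state b_∅), not the paper's listing.

```python
def build_operator_observer(delta_obs, states, E_a_events, E_era, E_ins):
    """Sketch of Algorithm 2: e+ behaves like e for the operator,
    e- is invisible (self-loop), and every event of E_a not otherwise
    enabled at a state leads to the dummy state b_empty, which has no
    outgoing transitions."""
    B_EMPTY = 'b_empty'
    delta_opr = dict(delta_obs)                      # init: delta_opr = delta_obs
    for b in states:
        for e in E_ins:                              # e+ mimics e where e is enabled
            if (b, e) in delta_obs:
                delta_opr[(b, ('+', e))] = delta_obs[(b, e)]
        for e in E_era:                              # e-: no observation, self-loop
            delta_opr[(b, ('-', e))] = b
        for e_a in E_a_events:                       # remaining events expose the attack
            if (b, e_a) not in delta_opr:
                delta_opr[(b, e_a)] = B_EMPTY
    return delta_opr, B_EMPTY
```

Running a word through this transition function reaches b_empty exactly on the exposing words of Definition 8, and otherwise tracks the estimate the operator computes from the masked observation.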
The following proposition provides a characterization of the operator observer.

Proposition 2: Let G be a plant with set of observable events E_o and observer Obs(G) = (B, E_o, δ_obs, b_0). Given the attack alphabet E_a = E_o ∪ E_+ ∪ E_− with set of stealthy words W_s and set of exposing words W_e, let Obs_opr(G) be the operator observer constructed by Algorithm 2. It holds that: (a) L(Obs_opr(G)) = W_s ∪ W_e; (b) for all w ∈ L(Obs_opr(G)): if w ∈ W_s, then δ_opr^*(b_0, w) = δ_obs^*(b_0, P′(w)); if w ∈ W_e, then δ_opr^*(b_0, w) = b_∅.

Proof: (a) Follows from Algorithm 2 and from the definitions of stealthy words, exposing words, and operator mask.
In more detail, Step 3 guarantees that all uncorrupted words belong to L(Obs_opr(G)). Steps 4-10 guarantee that, in Obs_opr(G), events in E_+ lead to the same states as the corresponding events in E_ins. Steps 11-15 guarantee that, in Obs_opr(G), events in E_− lead to self-loops. The above steps guarantee that all the stealthy words w ∈ W_s belong to L(Obs_opr(G)).
Finally, Steps 16-22 impose that if, after executing Steps 1-15, a certain event in E_a is not enabled at a certain state of Obs_opr(G), then such an event is enabled at that state and leads to state b_∅, where no other event may be executed. These steps ensure that all the exposing words w ∈ W_e belong to L(Obs_opr(G)).
(b) We prove this by induction on the length of w. If w = ε, the result holds since P̂(w) = ε.
Consider now a word w ∈ L(Obs_opr(G)) with length greater than zero. Assume w ∈ W_s, and let w = w′e_a. Assume that the result holds for w′ ∈ W_s. By definition of operator mask, if e_a ∈ E_o ∪ E_+, then P̂(w) = P̂(w′)e, where e is the event such that e_a ∈ {e, e+}; otherwise P̂(w) = P̂(w′). Thus δ*_opr(b_0, w) = δ_opr(δ*_opr(b_0, w′), e_a). Moreover, δ*_obs(b_0, P̂(w)) = δ_obs(δ*_obs(b_0, P̂(w′)), e) if e_a ∈ E_o ∪ E_+, and δ*_obs(b_0, P̂(w)) = δ*_obs(b_0, P̂(w′)) if e_a ∈ E_−. According to Algorithm 2, the transition function of Obs_opr(G) starting from a generic state b ∈ B is defined in the same way for e and e+ (Steps 6 and 7), while it corresponds to a self-loop in the case of e− ∈ E_− (Step 13). As a result, by the induction hypothesis, we can conclude that δ*_opr(b_0, w) = δ*_obs(b_0, P̂(w)). Finally, the last claim in (b) follows from the fact that, if w ∈ W_e, according to Algorithm 2, all the missing transitions end up in the new state b_∅; thus δ*_opr(b_0, w) = b_∅.

Given a plant G with set of states X, the observer of the plant Obs(G) can be constructed in 2^|X| steps. According to Algorithm 2, the operator observer Obs_opr(G) has at most 2^|X| + 1 states; thus the complexity of constructing Obs_opr(G) is O(2^|X|).
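The steps of Algorithm 2 discussed above can be sketched as follows. The dictionary-based transition table, the string suffixes "+"/"-", and the sentinel state name "b_empty" are assumptions of this sketch, not the paper's notation.

```python
def operator_observer(delta_obs, states, E_o, E_ins, E_era):
    """Extend an observer's transition table into the operator observer.
    delta_obs: partial dict (state, e) -> state, with e in E_o."""
    E_a = set(E_o) | {e + "+" for e in E_ins} | {e + "-" for e in E_era}
    d = dict(delta_obs)                       # Step 3: keep uncorrupted moves
    for b in states:
        for e in E_ins:                       # Steps 4-10: e+ mimics e
            if (b, e) in delta_obs:
                d[(b, e + "+")] = delta_obs[(b, e)]
        for e in E_era:                       # Steps 11-15: e- self-loops
            d[(b, e + "-")] = b
    for b in states:                          # Steps 16-22: every event still
        for ea in E_a:                        # undefined at b leads to b_empty
            d.setdefault((b, ea), "b_empty")
    return d                                  # b_empty has no outgoing arcs

# Toy observer with two states, assumed for illustration:
delta_obs = {("b0", "a"): "b1", ("b1", "c"): "b0"}
d = operator_observer(delta_obs, ["b0", "b1"], {"a", "c"}, {"c"}, {"c"})
```

On this toy input, c+ at b1 mimics c, c− self-loops everywhere, and every remaining pair (state, event) is sent to the sink b_empty, exactly as in the proof of Proposition 2(a).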

V. UNBOUNDED AND N-BOUNDED JOINT ESTIMATORS
In this section we define a particular DFA, called joint estimator, which is defined on alphabet E_a and contains all attack words that can be produced during the evolution of the plant under attack.
Here we distinguish two different cases. In the first case, the attack function belongs to F ∞ . We call unbounded joint estimator the corresponding DFA, denoted as A ∞ . In the second case, the attack function belongs to F n for a given n ∈ N. We call n-bounded joint estimator the corresponding DFA and denote it as A n .

A. UNBOUNDED JOINT ESTIMATOR
Let us first formalize the definition of A_∞.

Definition 9: The unbounded joint estimator A_∞ = (R, E_a, δ_a, r_0) w.r.t. G and E_com is defined as A_∞ = Obs_att(G) ‖ Obs_opr(G).

Example 4: Consider again the plant G in Fig. 4, whose attacker observer and operator observer are visualized in Figs. 5(a) and (b), respectively. The unbounded joint estimator A_∞ built according to Definition 9 is shown in Fig. 6. By inspecting A_∞ in Fig. 6, once event a occurs on the plant, the attacker executes event a on A_∞ starting from the initial state ({0}, {0}); thus state ({1, 2}, {1, 2}) is reached. Now, the attacker may wait for a new event occurring on the plant, a or c in this case. Alternatively, the attacker may insert an event c or d in the operator observation, which corresponds to executing c+ or d+, respectively, in A_∞. Then the attacker may erase event c from the operator observation, which corresponds to executing c− in A_∞, and so on.
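Since the two observers share the alphabet E_a, their concurrent composition reduces to the accessible synchronous product, whose language is the intersection of the two languages. A generic sketch (the dict-based DFA encoding is an assumption of this illustration):

```python
from collections import deque

def concurrent_composition(d1, r1, d2, r2):
    """Accessible synchronous product of two partial DFAs on a shared alphabet.
    d1, d2: dicts (state, event) -> state; r1, r2: initial states."""
    events = {e for (_, e) in d1} | {e for (_, e) in d2}
    start = (r1, r2)
    delta, seen, todo = {}, {start}, deque([start])
    while todo:
        x, y = todo.popleft()
        for e in events:
            if (x, e) in d1 and (y, e) in d2:   # both components must enable e
                nxt = (d1[(x, e)], d2[(y, e)])
                delta[((x, y), e)] = nxt
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return delta, start

# Tiny illustrative components (assumed, not the observers of Fig. 5):
d1 = {(0, "a"): 1, (1, "b"): 0}
d2 = {("x", "a"): "x", ("x", "b"): "x"}
delta, start = concurrent_composition(d1, 0, d2, "x")
```

Each reached pair (x, y) plays the role of a joint-estimator state (b_a, b′_a): the first component tracks the attacker observer, the second the operator observer.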
We notice that any word w ∈ E_a* generated by the unbounded joint estimator allows us to recover the following three pieces of information: (1) the observation s ∈ E_o* actually produced by the system; (2) how the attacker corrupted it (which events it has inserted and/or erased); (3) the word s′ ∈ E_o* observed by the operator. Consider as an example the word w = a c− a c+ ∈ E_a* that leads to state ({4}, {6}). This corresponds to the observation s = aca produced by the system. The attacker erases the observation c after the first a and inserts the dummy observation c after the second a, resulting in the word s′ = P̂(w) = aac observed by the operator.
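The decomposition of w into s and s′ described above can be sketched directly; the string encoding of events (suffixes "+" and "-" for inserted and erased events) is an illustrative assumption:

```python
def decode(word, E_o):
    """Split an attack word w on E_a into the plant observation s and the
    corrupted observation s' = P^(w) seen by the operator."""
    s, s_prime = [], []
    for ea in word:
        if ea in E_o:            # genuine observation, seen by both
            s.append(ea)
            s_prime.append(ea)
        elif ea.endswith("+"):   # inserted: operator sees it, plant never did it
            s_prime.append(ea[:-1])
        elif ea.endswith("-"):   # erased: plant did it, operator misses it
            s.append(ea[:-1])
    return "".join(s), "".join(s_prime)

# The running example w = a c- a c+:
# decode(["a", "c-", "a", "c+"], {"a", "c"})  ->  ("aca", "aac")
```

This reproduces items (1) and (3) above; item (2), the attacker's actions, is simply the subsequence of w carrying a "+" or "-" suffix.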
The following theorem provides a characterization of the unbounded joint estimator.
Theorem 1: Let G be a plant with set of observable events E_o and observer Obs(G) = (B, E_o, δ_obs, b_0). Given attack alphabet E_a, with set of stealthy words W_s and set of exposing words W_e, let A_∞ = (R, E_a, δ_a, r_0) be its unbounded joint estimator. It holds that: (a) L(A_∞) = L(F_∞, G) ∩ (W_s ∪ W_e); (b) for all w ∈ L(A_∞), with w = f_∞(s) for some s ∈ P(L(G)) and f_∞ ∈ F_∞: if w ∈ W_s, then δ*_a(r_0, w) = (δ*_obs(b_0, s), δ*_obs(b_0, P̂(w))); if w ∈ W_e, then δ*_a(r_0, w) = (δ*_obs(b_0, s), b_∅), and δ_a(δ*_a(r_0, w), e_a) is not defined for any e_a ∈ E_a.

Proof: (a) Follows from Propositions 1 and 2 and Definition 9. Indeed, by Proposition 1 it holds that L(Obs_att(G)) = L(F_∞, G), and by Proposition 2 it holds that L(Obs_opr(G)) = W_s ∪ W_e. Since A_∞ is defined as the concurrent composition of Obs_att(G) and Obs_opr(G), which have the same alphabet, its language is equal to the intersection of the languages of the two DFAs.
In plain words, Theorem 1 implies that the language of the joint estimator contains all words on alphabet E_a that can be generated under attack and that are either stealthy or exposing. In addition, the state (b_a, b′_a) reached in the joint estimator by a stealthy word w = f_∞(s) describes the joint estimation composed of the correct estimate b_a = C(s), which would have been computed by the operator without attack, and the corrupted estimate b′_a = C(s′) = C(P̂(w)) due to the attack. An exposing word w = f_∞(s) reaches a state (b_a, b_∅), where b_a = C(s) is the correct estimate that would have been computed by the operator without attack.
Let us show how to select a harmful attack function on the basis of the unbounded joint estimator A_∞.

Proposition 3: Given a plant G = (X, E, δ, x_0) with set of compromised events E_com, let R ⊆ 2^X × 2^X be the misleading relation, and let A_∞ = (R, E_a, δ_a, r_0) be the unbounded joint estimator. A harmful attack function f_n exists if and only if some state of A_∞ belongs to the misleading relation, i.e., R ∩ R ≠ ∅.

Proof: (If) Assume that there exists a state r = (b_a, b′_a) of the joint estimator A_∞ such that r ∈ R ∩ R. Since r is a state of A_∞, there exists an attack word w with δ*_a(r_0, w) = r. According to the definition of attack function (Definition 3), there exists an observation s ∈ P(L(G)) such that w = f_n(s), where P is the natural projection.
According to Theorem 1, if w ∈ W_s (the set of stealthy words), we have r = (b_a, b′_a) with δ*_obs(b_0, s) = b_a and δ*_obs(b_0, P̂(w)) = b′_a, where P̂ is the operator mask. Note that, if w ∈ W_e (the set of exposing words), then δ*_a(r_0, w) = r = (b_a, b_∅) ∉ R, which leads to a contradiction. For this reason, we exclude such a case.
Since r = (b_a, b′_a) ∈ R, the observation s can be corrupted into a word s′ = P̂(w) such that (C(s), C(s′)) ∈ R, where C(s) = δ*_obs(b_0, s) and C(s′) = δ*_obs(b_0, s′) are the sets of states consistent with observations s and s′, respectively. According to Definition 6, we can conclude that f_n is harmful.
(Only if) Assume that an attack function f_n is harmful. According to Definition 6, there exists an observation s that can be corrupted into an observation s′ = P̂(w) such that (C(s), C(P̂(w))) ∈ R, where C(s) = δ*_obs(b_0, s), C(P̂(w)) = δ*_obs(b_0, P̂(w)), and w = f_n(s) ∈ W_s (we exclude the case w ∈ W_e for the same reason discussed in the (If) part).
Since the joint estimator A_∞ contains all the possible attacks, according to Theorem 1 there must exist a state r = δ*_a(r_0, w) = (b_a, b′_a) such that δ*_obs(b_0, s) = b_a and δ*_obs(b_0, P̂(w)) = b′_a. Namely, R ∩ R ≠ ∅.

Example 5: Recall the plant G in Fig. 4 with the unbounded joint estimator A_∞ depicted in Fig. 6. Assume that the misleading relation is R = {({5}, X) | X ⊆ {6, 7, 8}}.
Looking at A_∞, if the plant generates the word aa, A_∞ reaches state ({5}, {5}); then the attacker can insert a fake event c (executing c+ in A_∞) so that state ({5}, {6}) ∈ R is reached. If such a state is reached, the plant is in the critical state 5, while the operator believes that the plant is in the non-critical state 6. Thus no protective actions are activated, and damage may be caused.
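Proposition 3 reduces harmfulness to a reachability check over the joint-estimator states. A sketch, using the misleading relation of Example 5 encoded as a predicate (the frozenset encoding of state estimates is an assumption of this illustration):

```python
def misleading(b, b_prime):
    """Predicate encoding R = {({5}, X) | X subset of {6, 7, 8}} (Example 5)."""
    return b == frozenset({5}) and b_prime <= frozenset({6, 7, 8})

def exists_harmful_attack(reachable_states, in_relation):
    """Proposition 3 as a check: a harmful attack function exists iff some
    reachable joint state (C(s), C(s')) lies in the misleading relation."""
    return any(in_relation(b, bp) for (b, bp) in reachable_states)

# Two joint states of A_inf, as pairs (correct estimate, corrupted estimate):
states = {(frozenset({5}), frozenset({5})),   # reached by aa, no corruption
          (frozenset({5}), frozenset({6}))}   # reached by aa c+
```

Here the state ({5}, {6}) witnesses the harmful attack of Example 5: the plant is in the critical state while the operator's estimate is non-critical.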
We conclude this subsection by discussing the complexity of computing the unbounded joint estimator A_∞.
Given a plant G with set of states X, both the attacker observer and the operator observer are computed in 2^|X| steps. The unbounded joint estimator is defined as A_∞ = Obs_att(G) ‖ Obs_opr(G); thus the complexity of constructing A_∞ is O(2^|X| · 2^|X|).

B. N-BOUNDED JOINT ESTIMATOR
The n-bounded joint estimator A_n, which describes attack functions in F_n, can be easily obtained starting from A_∞. To this aim, a particular DFA, called n-bounded attack automaton and denoted as G_n, is introduced. Then A_n is obtained as the concurrent composition of A_∞ and G_n.

Definition 10: The n-bounded attack automaton is a DFA G_n = (X_n, E_a, δ_n, 0), where X_n = {0, 1, . . . , n} (n ∈ N), and the transition function is defined as follows:

  δ_n(i, e_a) := 0, for all i ∈ X_n, if e_a ∈ E_a \ E_+;
  δ_n(i, e_a) := i + 1, for all i ∈ X_n \ {n}, if e_a ∈ E_+.   (5)

Fig. 7 shows the n-bounded attack automaton G_n. As can be seen, events in E_a \ E_+ are enabled at every state. On the contrary, events in E_+ are enabled provided that they have not already been executed n times consecutively.

Theorem 2: Let G be a plant with attack alphabet E_a and unbounded joint estimator A_∞ = (R, E_a, δ_a, r_0). Let A_n = A_∞ ‖ G_n, where G_n is the n-bounded attack automaton. It holds that L(A_n) = L(A_∞) \ {w ∈ L(A_∞) | cons_E+(w) > n}, where cons_E+(w) denotes the maximum number of consecutive events in E_+ contained in the word w.
Proof: Follows from the fact that A_n is defined as A_n = A_∞ ‖ G_n and G_n limits to n the maximum number of consecutive events that the attacker can insert into the operator observation.

Example 6: Consider the unbounded joint estimator A_∞ in Example 4. The 1-bounded attack automaton G_1 and the 1-bounded joint estimator A_1 = A_∞ ‖ G_1 are depicted in Figs. 8 and 9, respectively. The 1-bounded joint estimator forces the attacker to insert at most one fake event between the occurrences of two observable events of the system.
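The automaton of Definition 10 is a simple counter of consecutive insertions, and can be sketched as follows (dict-based transition table and string event labels are assumptions of this illustration):

```python
def bounded_attack_automaton(n, E_a, E_plus):
    """G_n from Definition 10: state i in {0, ..., n} counts the number of
    consecutive inserted events executed so far."""
    delta = {}
    for i in range(n + 1):
        for ea in E_a:
            if ea in E_plus:
                if i < n:                # insertion enabled only below n
                    delta[(i, ea)] = i + 1
            else:
                delta[(i, ea)] = 0       # any other event resets the counter
    return delta, 0                      # transition table and initial state

# The 1-bounded case of Example 6, over an assumed toy alphabet:
delta, r0 = bounded_attack_automaton(1, {"a", "c+"}, {"c+"})
```

Composing this automaton with A_∞ via the same synchronous product used for Definition 9 removes exactly the words with more than n consecutive insertions, as stated by Theorem 2.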
A result equivalent to Theorem 1 holds for the n-bounded joint estimator. We now discuss the computational complexity of building A_n. Given an integer value n, the n-bounded joint estimator is obtained by computing A_n = A_∞ ‖ G_n, where G_n is the n-bounded attack automaton. Therefore, the complexity of computing A_n is O(2^|X| · 2^|X| · n).

VI. CONCLUSIONS AND FUTURE WORK
In this paper we investigate the problem of state estimation under attack for partially-observed discrete event systems. In more detail, an operator observes the system evolution through a natural projection, which depends on the sensors available on the system. The operator observation may be corrupted by an attacker. The corruption may be done by erasing some events that have occurred and/or inserting some events that have not actually occurred. It is possible to impose an upper bound n on the number of consecutive fake events that the attacker can insert between the occurrences of two observable events of the plant. We show how to construct a joint estimator that contains all the possible attacks that can be implemented during the system evolution and that allows one to establish whether an attack function is harmful w.r.t. a given misleading relation.
Our future lines of research in this framework will follow several directions. On the one hand, we will look for a way to select stealthy and harmful attacks on the basis of the joint estimator or establish if such attacks can be thwarted. On the other hand, we will try to characterize and solve the same problem using Petri nets to understand if some advantages in terms of computational complexity can be obtained and if efficient solutions can also be computed for unbounded systems.