A Secure Decentralized Event-Triggered Cooperative Localization in Multi-Robot Systems Under Cyber Attack

We study the problem of secure decentralized event-triggered cooperative localization (SDECL) for a team of mobile robots in an adversarial environment, where the objective is to perform localization in the presence of a malicious attacker. We consider a scenario in which an intruder is able to attack the communication channels between exteroceptive sensors and filter of the robot and between two robots independently. First, we design a secure decentralized event-triggered cooperative localization in the multi-robot system against random Denial of Service (DoS) and False Data Injection (FDI) attacks. Then, we provide sufficient conditions that ensure the resilience and convergence of the proposed algorithm when the attacker signal rate is bounded. Simulation results show that by properly tuning the parameters of the event-triggered mechanism and considering bounded attack rate, the proposed algorithm is resilient against cyber attacks. Also, experimental results using four e-puck2 mobile robots have demonstrated the effectiveness of the proposed method.


I. INTRODUCTION
In recent years, mobile robots have been widely utilized in the solution of multiple tasks, including surveillance, rural search, and exploration. Accurate and reliable sensors and communication devices have made it possible to consider multi-robot systems in which a team of robots work cooperatively to complete certain task [1]. In this context, precise localization of each robot in the group is crucial for a successful operation. However, precise localization highly depends on reliable sensor measurements which is typically unavailable in practical applications. One solution to this problem is to employ cooperative localization (CL), an area that has attracted much researcher [2], [3], [4], [5]. The basic CL problem consists of enabling each robot to estimate its position by sensing and communicating with the rest of the robots in the team. As a result, communication and The associate editor coordinating the review of this manuscript and approving it for publication was Taous Meriem Laleg-Kirati . exchange of information between robots is a critical factor in CL [6]. Despite significant advances in the development of reliable sensor and communication devices, sensor measurements and communication networks can be maliciously compromised [9]. An attacker can hijack the communication channels between the exteroceptive sensors and the robot's filter, or between filters, and then block or modify the communication data shared between system components, thus degrading localization quality.
In general, cyber attacks can be mainly classified as either denial of service (DoS) or false data injection (FDI) attacks. In DoS attacks, the attacker interrupts the transmission of data through the communication network by propagating a random jamming signal. In FDI attacks, on the other hand, the attacker can affect the trustworthiness of data by manipulating the transmitted data over the network. Zhu et al. [17] address the adaptive torus-event-based control problem for a class of networked Takagi-Sugeno (T-S) fuzzy systems under deception attacks. Pan et al. [18] investigate the Most of the literature on the subject considers the problem of secure state estimation against cyber attacks for single agent systems. Mo et al. [10] consider the problem of secure state estimation against integrity attacks (or FDI attacks) where the attacker intentionally manipulates the sensor measurements. Fawzi et al. [11] study the problem of secure estimation and control for linear systems where the attacker hijacks the sensor measurements and actuators. The authors design a resilient state estimator and state-feedback controller such that the state of a system is recovered accurately and improve the system resilience against deception attacks. Shoukry et al. [12] consider a state reconstruction for discrete-time linear systems under sparse sensor attacks/noise. Li et al. [13] study the problem of remote state estimation where a malicious attacker launches a jamming signal on the communication channel between the sensor and remote estimator. Zhang et al. [14] propose an optimal DoS attack scheduling strategy where the attacker decides when or where to attack the communication channel in order to degrade the performance of the remote estimator. Su et al. [15] investigates malicious attack detection and secure state estimation for CPSs with sensor attacks. Lin et al. [21] derive an optimal estimator for CPSs whose communication channels are subject to mixed DoS and FDI attacks. Qu et al. [16] investigate the chance-constrained H ∞ state estimation problem for a class of time-varying neural networks subject to measurements degradation and randomly occurring deception attacks.
Unlike [10], [11], [12], [13], [14], [15] and [21] that focus on single agent systems, some related works consider secure state estimation for MASs. Liu et al. [22] studies event-triggered distributed state estimation for discrete-time linear systems with multiple communication channels under DoS attacks. Using the covariance intersection fusion framework, the authors design distributed Kalman filters resilient against DoS attacks. Liu et al. [23] further extend the results for nonlinear systems and design resilient event-triggered distributed state estimation filters against DoS attacks where the attack duration is bounded. Chen et al. [24] address the distributed resilient filtering problem for power systems against DoS attack. Chen et al. [25] consider a saturated innovation update mechanism for resilient distributed state estimators against sensor attacks. An et al. [26] study the problem of distributed secure state estimation for discrete-time linear systems under sparse sensor attacks. The authors also implement the proposed algorithm over a multi-agent network. Lu et al. [27] investigate secure state estimation of MASs with both faulty and malicious agents.
Different from [22], [23], [24], [25], [26], and [27] where each agent reconstruct the states without cooperation in the presence of attacks, few works consider the secure cooperative state estimation under malicious attacker. Su et al. [28] consider resilient cooperative state estimation in unreliable multi-agent networks. A gradient descent scheme is adopted for each agent based on local measurements. In this approach, each agent transmit its updates to the other agents in the neighbourhood. Lu et al. [29] address distributed secure state estimation where a group of agents estimate the states cooperatively under malicious attacks. A distributed switched gradient descent scheme is adopted to reconstruct the states in the presence of malicious nodes.

B. RELATED PAPERS ON ATTACK DETECTION
To mitigate the effects of attack and improve resilience, several attack detection methods have been proposed in the literature. Huang et al. [37] investigate a defense mechanism for distributed consensus estimator using the measurement of the on-board sensors for each node to detect the false data injection attack. Li et al. [43] design the secured distributed state estimator by adding an attack detector, when the set of attacked sensors is known to be time invariant. Manandhar et al. [36] design a framework for the smart-grid system using the KF estimator together with the χ 2 -detector and Euclidean detector. The authors show that the χ 2 -detector has better performance in detecting different types of faults and attacks, such as DoS attacks and random attacks on the system.

C. RELATED PAPERS ON DECENTRALIZED EVENT-TRIGGERED COOPERATIVE LOCALIZATION IN MULTI-ROBOT SYSTEMS
The event-triggered cooperative localization problem for multi-robot systems has received some attention. Ouimet et al. [30] propose a decentralized cooperative localization algorithm using ETM to reduce unnecessary packets exchanged between agents. Tasooji and Marquez [34] propose a new decentralized event-triggered cooperative localization (DECL) algorithm for a group of mobile robots where the objective is to perform localization with limited communication resources, and study the effect. Reference [35] extends the results and consider the effect of random delays in the event-triggered cooperative localization.

D. MAIN CONTRIBUTION
Compared to the existing literature on cooperative localization [2], [3], [4], [5], [6] and our previous works on decentralized event-triggered cooperative localization [34], [35], this paper investigates secure decentralized event-triggered cooperative localization for multi-robot systems operating with an unreliable communication network subject to DoS and FDI attacks. Also, we consider a scenario in which each robot can sense and communicate with other robots simultaneously within certain range, extending the results of our previous works [34], [35]. Contrary to the case of secure state estimation against a single type of attack (either DoS or FDI) for a single agent system as in references [10], [11], [12], [13], [14], [15], we consider secure state estimation for MASs in the presence of mixed DoS and FDI attacks. Different from [22], [23], [24], [25], [26], and [27] where agents reconstruct states without cooperation, we design a resilient state estimation scheme in which agents reconstruct the states cooperatively in the presence of mixed attacks. In contrast to [24], [25], [26], [27], [28], and [29] that employ periodic sampling, our solution relies in a mixedtype event-triggered mechanism which significantly reduces the average transmission of information through the network. Moreover, our approach to secure communication is different from [22], [24], [26], [27], and [39]. In our approach we consider a detector for each robot based on received innovations to decide whether the measurements received have been attacked or not. Also, the majority of the literature on secure state estimation uses simulations to justify the proposed solution. In this work we tackle the actual implementation of our solution using a group of mobile robots. The implementation is not trivial and bring up multiple challenges.
To the best of our knowledge, the problem of event-triggered cooperative localization has not been investigated for multi-robot systems in the presence of cyber attacks. Departing from our previous work in references [34] and [35], we modify our DECL algorithm to account for the effect of cyber attacks. Our work involves both theoretical development of the solution and practical implementation using a fleet of e-puck2 robots. The experimental results are expected to provide a preliminary effort towards bridging the gap between theoretical analysis and experimental validation. The main challenges involved in this work include (1) designing a secure CL algorithm against cyber attacks that guarantees satisfactory localization performance while maintaining a low communication volume between system components, and (2) implementing the solution using a multi-robot hardware platform and verify the effectiveness of the algorithm.
Our main contribution can be summarized as follows: First, we introduce a SDECL algorithm for a group of mobile robots explicitly focusing on the problem of cyber attacks. We consider a scenario in which the adversary is able to attack the communication channels between the exteroceptive sensors and the robot's filter and between two robots independently. Second, we prove the effectiveness of the proposed algorithm by computing the stochastic boundedness of the estimation error in mean square for the SDECL algorithm under cyber attacks. We provide sufficient conditions that ensure the resiliency and convergence of proposed algorithm when the attacker signal is bounded. We show that by choosing a proper event-triggered condition, the estimation error and covariance of the state estimator remain bounded while reducing the data transmission between the sensor and the filter. Third, when the attack signals are unbounded we introduce an attack detection mechanism capable of detecting the presence of an attack. Finally, comparative experiments are carried out using a team of four e-puck2 robots to validate the corresponding theoretical results. The experimental results show the effectiveness and robustness of SDECL algorithm in the presence of cyber attacks. The rest of this paper is organized as follows. Section II contains the dynamic of multi-robot systems, multi-robot interaction and attack strategy, problem statement and event-triggered data transferring mechanism. In section III, we design a SDECL for multi-robot systems in the presence of cyber attack. In Section IV, we analyze stochastic boundedness of the estimation error in mean square for the SDECL algorithm under cyber attacks. In Section V we present the case study including the simulation and experimental results. Finally, Section VI contains some conclusions of the results.

A. DYNAMIC OF MULTI-ROBOT SYSTEMS
We consider a team of N mobile robots moving in the twodimensional space. The general nonlinear motion of each VOLUME 10, 2022 robot, i ∈ ϑ = {1, 2, . . . , N }, is described as follows ( [5]): where the state vector x i (k) = [x i (k), y i (k), θ i (k)] T contains the position and orientation of each robot with respect to global map and u i m is the control input. Each robot i ∈ ϑ uses odometry or inertial sensors to measure its linear velocity u i m = u i + η i , where u i represents the actual velocity and η i is corresponding white-Gaussian noise. Each robot detect uniquely the other robots in the team using exteroceptive sensors and take relative measurements with respect to them, including range or bearing or a combination of these measurements. The relative measurement taken by robot i from robot j at a time k is described by ( [5]) where h ij (x i , x j ) is the measurement model and ν ij is measurement noise. The noises η i and ν ij are independent white-Gaussian processes with known positive definite vari- All noises are assumed to be mutually uncorrelated.

B. MULTI-ROBOT INTERACTION AND ATTACK STRATEGY
The interaction topology of robots is shown in Fig. 2. We assume that each robot can sense the other robots in the team and take relative measurements z ij (k) and exchange information packets (propagated state and error covariance) with its neighbouring robots residing within communication range. Since we have a set of N robots, we consider the interaction topology G = (V, E, L), where V = {v 1 , . . . , v N } is the set of nodes in the graph. For each node v i , the index i ∈ {1, 2, . . . , N } is the unique identifier of the agent i. E represents the set of information links of the propagated estimates (state and error covariance) exchange between robots. L = a ij ∈ R N ×N is the adjacency matrix of the propagated estimates (state and error covariance) interaction topology. When a ij > 0, robot i is able to receive information packets (propagated state and error covariance) from robot j, while a ij = 0 indicates that there is no information flow from the robot j to robot i. Notice that the resulting network topology is time-varying and reflects the practical scenario in a multirobot system where robots can randomly sense the other robots in the team only within the reach of the exteroceptive sensors. Notice also that in this setup, measurement and communication links are identical. A robot j can exchange information packets with a neighbour robot i, only within certain communication range with the robot i belongs to set We consider that both DoS and FDI attacks can be randomly launched into the communication network and can arbitrarily block or manipulate sensor measurements and information exchange between robots. We assume that the number of attacks affecting the network is limited, in order to reflect the real-world adversaries. As Fig. 2 shows the attacker launch randomly l ∈ = {1, 2, .., M } number of attacks at each time to the communication links (sensor measurements and estimates), where M is the maximum number of attacked links. Fig. 1 shows the block diagram of the proposed SDECL algorithm. This scheme is based on our previous work [34], but has been modified to include cyber attacks. Here, each robot i detects the other robots in the team using the exteroceptive sensors. The relative measurement z ij (k) taken by each robot i are sent to the event detector which determines whether or not current sensor measurement is to be transmitted to the filter over the unreliable communication network, based on a triggering rule. The relative measurement transmitted by the event-detector to the corresponding filter may be tampered by malicious attackers. Both DoS and FDI attacks can block and contaminate the sensor measurements through wireless network which is described by [38]:

C. PROBLEM STATEMENT
where the random variables α l ij (k) and β l ij (k) are mutual independent Bernoulli distributed white sequences taking values of 0 or 1 with the following probabilities: Considering the different values of the random variables α l ij (k) and β l ij (k) it is easy to see that the measurement model (3) comprises of three cases: (1) when α l ij (k) = 1, the filter receives the sensor signals; (2) when α l ij (k) = 0 and β l ij (k) = 1, the system suffers from FDI attack; and (3) when α l ij (k) = 0 and β l ij (k) = 0, the system is subject to DoS attack [38]. Note that the adversary signal ξ l ij (k) is bounded, e.g., E{ξ l ij (k)ξ l ij (k) T } ≤ξ l ij . Also, we assume that the random variables α l ij (k) and β l ij (k) are independent of the system variables x i (k), u i m (k), η i (k) and ν ij (k). Also, all robots exchange information regarding their propagated estimates (namely; states and error covariance) across the unprotected communication channel. The exchanged information (propagated state and error covariance) between filters considering both DoS and FDI attacks is described by: where the random variables ζ l ij (k), λ l ij (k), σ l ij (k) and τ l ij (k) are mutually independent Bernoulli distributed white sequences taking values of 0 or 1 with the following probabilities: The same conclusion about the measurement model (3) can be applied to equations (4) and (5). Note that the adversaries signals l ij (k) and υ l ij (k) are bounded, e.g., Also, the random variables ζ l ij (k), λ l ij (k), σ l ij (k) and τ l ij (k) are assumed to be independent from the system variables x i (k), u i m (k), η i (k) and ν ij (k). The signals ξ l ij (k), l ij (k) and υ l ij (k) are called the malicious inputs, and can be chosen as −z a ij (k) The attack detector at the estimator side monitors the filter behavior and detects possible cyber attacks by checking the statistical properties of the arriving innovation, i.e., ϒ a ). This raises the challenge of how to use state estimates to detect possible attacks [37]. We now present a mechanism to detect the malicious attacks based on Euclidean norm [36] of innovation for each robot i: where ψ ij is the preset threshold. It can be seen in Fig. 1 that the detector decide whether to trigger the alarm for the robot i or not. The threshold ψ ij should be appropriately chosen to balance the false alarm rate and the detection accuracy [37]. In order to minimize the false alarm rate caused by the relative measurement noise, we set the detector threshold ψ ij to 3R ij , where R ij is the covariance of the relative measurement noise. As a result, by setting the detector threshold to 3R ij , the probability of false alarm rate due to relative measurement noise can be reduced to 1%, the same value as in [36].

Remark 1: Multi-Robot System (MRS) refers to a team of robots that work cooperatively. By contrast, Multi-Agent
System (MAS) refers to a more general system in which an agent is a general object which could be a robot, a drone, but may also be a cyber component, such as a software construct.
Remark 2: In a centralized event-triggered mechanism, it is assumed that there exists a global microprocessor, i.e. the host computer, that collects information (relative measurements) about the whole system and triggers feedback events for each robot. In the decentralized event-triggered mechanism, each robot is equipped with its own embedded microprocessor (micro-controller) that can take relative measurements only from neighboring robots within certain sensing range and trigger events based on received relative measurements. In the distributed event-triggered mechanism, the robots need to trigger the event immediately based on received relative measurements from all neighboring robots. In this work, we consider a decentralized event-triggered mechanism where each robot equipped with its own embedded microprocessor, take relative measurements from neighboring robots and independently trigger events according to the received measurements. Note that whether a system is centralized or decentralized is independent of whether this system is distributed or non-distributed. The main advantage of using a decentralized mechanism over centralized mechanism is that in the case of robot failure, all other robots can proceed unaffected. Also, the advantage of using non-distributed mechanism to distributed mechanism is that the event-triggered mechanism does not wait to receive relative measurements from all neighboring robots and can trigger based on the corresponding relative measurements received. This feature can improve filtering accuracy.
Remark 3: Notice that, in practice, attacks can occur randomly. To protect the system against attacks, the defender can estimate the probability and intensity of the attack signal using statistical tests by monitoring the attacker behaviour online for a period of time. It is therefore reasonable to assume that the probability and the bound of the attack signal are statistically known to the defender. Similar assumptions can be found in references [39], [40], [41]. Remark 4: We assume that all stochastic variables regarding the communication channel between exteroceptive sensors and robot's filter (α l ij (k), β l ij (k)) are independent with the communication channel between two filters (ζ l ij (k), λ l ij (k), σ l ij (k), τ l ij (k)) in i, j and k.

Remark 5: In reality, an attacker can typically only launch a limited number of attacks to the communication links between agents due to limited energy resources. Denoting ij ⊆ N ci the set containing the measurement or communication links affected by attacks, then for l number of attacked measurement links {α
In the FDI attack, it is assumed that the attacker knows the system model and employs a bounded signal to implement the attack. Notice that a bounded signal is preferred by the attacker due to the resource constraints. Moreover, if the attack signal has a large amplitude then it can be easily detected by the detector. Thus, a sophisticated attacker prefers to transmit a bounded false signal to degrade localization performance. It is therefore reasonable to assume that the false signals transmitted by attacker are bounded. Similar assumptions can be found in [31], [37], and [38].
Remark 7: There are other forms of stating the boundedness condition such the use of L 1 , or L 2 norm used for systems with a bounded noise signal. In this work, however, we model noise as a Gaussian distribution. The fundamental problem here is that all the signals are stochastic with unbounded support (due to the Gaussianity assumption). Therefore, we may not simply assume that signals are bounded with probability 1 while simultaneously assuming that (related) the signals are Gaussian random variables. This is precisely the reason that we may not write (for example) that ξ l ij (k)ξ l ij (k) T is bounded. Note also that, in the proofs, we do not need the signals themselves to be bounded. We only need their expectations/moments to be bounded. Therefore, it is better (and technically correct) to assume that E{ξ l ij (k)ξ l ij (k) T } is bounded rather than imposing a deterministic bound on ξ l ij (k)ξ l ij (k) T itself.

D. EVENT-TRIGGERED DATA TRANSFERRING MECHANISM
In order to reduce the communication rate of sensors and therefore extending the battery life of mobile robots, the exteroceptive sensors is equipped with an event-triggered scheduler that decides when relative measurement transmission should occur. The event detector mechanism (7) is based on mixed triggered mechanism [31] which works as follows. Define now the binary decision variable γ ij (k): where z ij (k) denotes the current sensor measurement,z ij (k) represents the last measurement transmitted through the channel and e ij (k) = z ij (k) −z ij (k) is the error between transmitted measurement (when triggered) and the current measurement at time k. ij , ij > 0 are design parameters in the event-triggered mechanism. The smaller the value of ij , ij , the more events are triggered, which results in higher demands on communication resources and higher energy consumed by each robot. When the parameters ij , ij > 0 are sufficiently small, the event-triggered mechanism perform as a time-triggered system. From Eq. (7), we see that, the measurement z ij (k) will be sent to the estimator through unreliable communication channel if and only if γ ij (k) = 1.

III. DESIGN OF A SDECL UNDER CYBER ATTACK
In this section, we design a SDECL algorithm via extended Kalman filter (EKF) with event-triggered mechanism (7) and considering cyber attacks (3)- (5). Firstly, we derive the prediction error and estimation error covariances. Then, we obtain the upper bound of the estimation error covariance by employing an stochastic analysis. Finally, we derive the Kalman gain for the proposed filter by minimizing the estimation error covariance. Before we proceed further, we introduce the following Lemma which will be used to obtain our results: Lemma 1: For any two vectors x, y ∈ R n , there exists a scalar ε ∈ R such that the following inequality holds [39]: (1) and (2) with the event-triggered communication strategy (7). Assume that the relative measurement (z ij (k),z ji (k)) and the predicted belief The proof is given in the Appendix A. Remark 8: It is important to notice that it is impossible to compute the actual value of the estimation error covariance due to some terms E (38) for details) which depend on random cyber attacks, random measurement noise, event-triggering parameter and etc. Therefore, using Lemma 1 we provide an upper bound for the estimation error covariance with respect to the parameters of random attacks, event-triggering parameter and etc.
Corollary 1: Under the result of Theorem 1, the optimal Kalman filter gain that minimizes the upper bound of estimation error covarianceP i+ (k) is given by: where X and Y can be expressed as a follows: and alsoF ij (k) is defined as Remark 9: In Corollary 1, we obtain the optimal Kalman filter gain for the proposed filter by minimizing the trace of the upper bound of the estimation error covariance. Considering the structure of the optimal Kalman gain in (10)- (12), the event-triggered mechanism and cyberattacks introduce additional parameters affecting the upper and the lower bounds of the estimation error and the estimation error covariance. Moreover, in the absence of the attack, the optimal gain in (10)- (12) is the same as the one in [34]. Also, note that the proposed filter is suboptimal due to parameters of the cyber attacks, the event-triggered mechanism, and the topology of the interaction between robots. In order to improve the filter's performance, the parameters ε 1 , ε 2 ,. . . can be tuned in a way that the upper bound of estimation error covariance is minimized further. Specifically, the parameters ε 1 , ε 2 ,. . . can be obtained by an optimization algorithm (genetic algorithm) in the MATLAB code ''[x, f min ] = ga(f (x), n x , · · · )'', where f (x) is the objective function (upper bound of error covariance) to be optimized and n x is the dimension of f (x). Note that similar approach can be found in [24].

IV. BOUNDEDNESS OF ESTIMATION ERROR FOR THE PROPOSED SDECL
In this section, we analyze the resilience of the proposed filter under cyber attacks. We derive sufficient conditions that ensure convergence and stochastic stability of the proposed filter.
Lemma 2: ( [32]) Assume there is a stochastic process V k (π k ) as well as real numbers κ,κ, µ > 0 and 0 < φ ≤ 1 such that are satisfied. Then the stochastic process is exponentially bounded in mean square sense, i.e., and the stochastic process is bounded with probability one. Assumption 1: There exist real constants a i ,ā i , h i ,h i , h ij , h ij , q i ,q i , R ij ,R ij , g i ,ḡ i > 0 such that the following bounds on various matrices are satisfied for every k ≥ 0: Assume that the nonlinear discrete-time system (1) and (2) with the event-triggered communication strategy (7) and random cyber attacks (3)(4)(5) satisfies Assumption 1. Given p i ≤ P i+ (0) ≤p i and p ij ≤ P ij+ (0) ≤p ij wherē p i , p i ,p ij and p ij are known positive values. If the following inequality is satisfied, The proof is given in the Appendix B. Remark 10: In Theorem 2, we provide a sufficient condition for the convergence and resilience of the proposed filter using mathematical induction and matrix analysis. It is important to notice that condition (16)

includes all terms involving the dynamics of multi-robot system (MRS), eventtriggered mechanism, cyber attacks, communication topology as well as attack detector. In practice, the boundary of MRS in Assumption 1, the bound of the attacker signal and its probability, and the interaction of robots can be estimated by the defender using parameter identification. Note that if the bound of attack signals (ξ l
ij , l ij , etc) increases according to condition (16), then r ij,max will increase, resulting in an increase of the upper bound of estimation error covariance. Also, the parameters ij , ij > 0 of the event-triggering mechanism in Eq. (7) affect the upper bound of the estimation error covariance. From (7), we can see that the average communication rate γ ij decreases as the value of ij , ij increase. Moreover, based on (16), we can see that r ij,max will increase as the value of ij , ij increase. Therefore, we conclude that the upper bound of error covariance increases with the value of ij , ij . Conversely, smaller the values of ij , ij result is more data transmission. It follows from (16) that the upper bound of the error covariance would be decreased and better estimation performance would be expected at the cost of imposing heavy burden on the communication channels. These two scenarios lead to a tradeoff in the value of ij , ij to balance between the estimation performance and reduced network transmission. When, both parameters of the event triggered mechanism ( ij , ij ) and those of the adversary signal (ξ l ij , l ij , etc) are large, the estimation error covariance might diverge. Convergence and resilience of the proposed filter is guaranteed provided that the attack signals, eventtriggered parameters, etc., satisfy inequality (16). If upper bound of the estimation error covariance converges asymptotically with k, then the error covariance must converge as well.
Remark 11: The parameter ψ ij of the detection mechanism in Eq. (6) affects the performance of the proposed filter.

TABLE 2. Value and description of the parameters in simulation.
When the sensor measurements of robot j are under malicious attack, the data received from robot j, namely, propagated state and error covariance, is suspicious and then the detector may trigger the alarm by setting d ij (k) = 0 (representing a presence of attack) to avoid the transmission of the packets to other robots. As a result the detection mechanism reduce the impact of malicious attack and improve the performance of the filter. Note that the defender may design the detector threshold (ψ ij ) in order to minimize the missing attack report rate, assuming knowledge of the boundary of the MRS in Assumption 1, the bound of attacker signals and its probability, the interaction of robots, event-triggered parameters. Note that the estimation error covariance in the SDECL algorithm does not represent the actual estimation error exactly. Therefore, the result of Theorem 2 can be employed to analyze the performance of the estimation error. This is done in our next Theorem.
Theorem 3: Consider the nonlinear discrete-time system (1) and (2) with the event-triggered communication strategy (7) and random cyber attacks (3)(4)(5). If and for some i > 0, E x i+ (0) 2 ≤ i , then the estimation errorx i+ (k) = x i (k) −x i+ (k) is exponentially bounded in mean square for any i ∈ ϑ . Proof: The proof is given in the Appendix C.

V. CASE STUDY A. SIMULATION RESULTS
In this subsection the performance of the proposed SDECL algorithm (1) under cyber attacks is verified by simulation results. The motion equations of the ith robot is described by: Algorithm 1 A Secure Decentralized Cooperative Localization Algorithm Under Cyber Attack 1: Initialize state estimation and error covariance matrix as Robots i ∈ ϑ and j ∈ ϑ\{i}:x i+ (0) ∈ R n i , P i+ (0) ∈ S n i , P ij+ (0) = 0 n i ×n j 2: repeat 3: Propagation: Compute the predicted state and error covariance for each robot:

4:
Update: 5: if robot i ∈ ϑ detect the other robot in the team, the relative measurement z ij (k) taken by each robot will sent to event-detector to judge whether to transmit the current measurement or not through unprotected communication network. Then, each robot exchange propagated state and error covariance with the other robot through unreliable communication network. The arriving innovation and its covariance considering cyber attacks are as follows: • If arriving innovation is greater than the threshold, i.e., ϒ a ij (k) ≥ ψ i ⇒ attack detected ⇒ trigger the alarm • If arriving innovation is less than the threshold, i.e., ϒ a ij (k) < ψ i ⇒ proposed filter is resilient against cyber attacks ⇒ follow steps 6-9 6: Compute optimal Kalman gain under cyber attacks: Update state estimation with the current measurement: Update the error covariance: where x i (t) ∈ R n i and y i (t) ∈ R n i are the Cartesian coordinates of robot i, θ i (t) ∈ R n i is the orientation, v i (t) and ω i (t) ∈ R n i are the linear velocity and angular velocity,  2)The pink color shows the position estimation error of each robot using classical CL algorithm under event-triggered mechanism and with cyber attacks.
R i are distance moved by wheels. Note that, the control input of each robot i is measured by odometry and inertial sensors. Also, the relative measurements taken by robot i ∈ {1, 2, 3, 4} from robot j ∈ {1, 2, 3, 4} \{i} is described by: where: ρ ij (t) is the range of robot i relative to the robot j. θ ij (t) is the bearing of the robot i relative to the robot j. We assume that additive white-Gaussian noise affects both the control input u i (t) and the relative measurements z ij (t).
In a practical application, this noises may account for the effect of model uncertainties associated with the wheel encoders and overhead camera. In our simulations, we compare the following: 1) Ground truth of each robot; 2) Localization of robots using filter propagation; 3) Localization of robots using the SDECL algorithm 1 with/without cyber attacks.
In our simulations we assume that the mobile robots move in a random trajectory and at least one of them perform as a stationary robot. Robots then employs their exteroceptive sensors to observe the stationary robot and take relative measurements. We consider a scenario in which the filter corresponding to each robot receives information through an unreliable communication network. The moving robots then receive the predicted position and associated error covariance of each observed stationary robot over the unreliable VOLUME 10, 2022 communication network. An adversary can attempt to attack the communication between the sensor and filter of each robot and between two filters and degrade the localization quality. Fig. 3, Fig. 4, Fig. 5 and Fig. 6 show the outcome of our simulation results. We first evaluate the performance of dead-reckoning method where each robot employs only the wheel-encoders to estimate the pose (position and orientation) independently with no exchange of information (estimated states and error covariance) with other robots. As seen in Fig. 3 that pose estimation error using dead-reckoning method grow continuously for each robot, showing that using only local information (i.e. using only wheel-encoder information) is ineffective to determine the location of each robot in the team. Next we consider the scenario in which each robot receives continuous (i.e. time-triggered) relative measurements through a reliable communication network, without cyber attacks, and correct its pose estimation. As seen in Fig. 3(a), the pose estimation from SDECL  algorithm closely tracks the reference trajectory (ground truths). Fig. 3(e) and Fig. 3(f) indicate the triggering instances with respect to time for the range and bearing of each robot. Note that the absence of triggering times in the case of time-triggered mechanism means that the robot i performs as a stationary robot for the rest of robots.
Then, we simulate a scenario that includes mixed DoS and FDI attacks with probability of 0.2 and 0.2 (both of attacks) applied to the communication channel between the exteroceptive sensors and corresponding estimator. In other words, we consider the case in which each robot receives relative measurement intermittently (with event-triggered mechanism) in a unreliable communication network (with mixed DoS and FDI attacks) and correct its pose estimation using   the proposed algorithm (1). Fig. 3(b), Fig. 3(c) and Fig. 3(d) show that when the event-triggering parameters increases for the same rate of DoS and FDI attacks, the quality of the tracking deteriorates slightly, however the tracking error remains bounded. Fig. 3(g) and Fig. 3(h) display the triggering times corresponding to event-triggering condition used in Fig. 3(c) and also Fig. 3(i) and Fig. 3(j) indicate the triggering instances corresponding to event-triggering condition used in Fig. 3(d). To compare the filter performance under different triggering conditions we use position error for each robot. According to Fig. 4, we conclude that our proposed algorithm (1) outperforms the classical CL under cyber attacks. Also, by properly tuning the triggering condition for the given attack rate, we can achieve good estimation while reducing the communication rate. Then we consider the filter's performance under the following assumptions: (i) no attacks; when there is an attacks affecting one of the following: (ii) communication between the sensor measurements and the robot's filter, (iii) communication between filters; (v) communication between the sensor measurements and the robot's filter and between the filters. The results are shown in Fig. 5(a), Fig. 5(b), Fig. 5(c) and Fig. 5(d). We consider mixed DoS and FDI attacks with the probability of 0.1 and 0.1 applied in cases (ii), (iii) and (v). Also, the parameters of the event-triggering conditions are the same in all cases. Fig. 5(e) and Fig. 5(f) shows the triggering times corresponding to the event-triggering condition used in Fig. 5(a), Fig. 5(b), Fig. 5(c) and Fig. 5(d). Finally we evaluate the performance of the filter by comparing the position error for all cases. We conclude that although the position error slightly increases in case (v) with respect to case (ii) and case (iii), the proposed filter still remains resilient against simultaneous attacks and considering reduced amount of rangebearing measurements. We also illustrate the performance of proposed SDECL algorithm (i) without cyber-attacks, (ii) under DoS attacks, (iii) under FDI attacks. It can be seen from Fig. 8 and Fig. 9 that our algorithm is efficient in each of these scenarios. Then we simulate the false alarm rate and missing report rate with different detector parameters. Fig. 7 shows the relationship between the false alarm rate and the missing report rate versus detector parameter. It can be seen that false alarm rate decreases when the detector threshold is increased, while the missing report rate increases when the detector threshold is increased. In other words, a small false alarm rate can be interpreted as the detector judging that normal relative measurements are untrustworthy, whereas a higher rate of missing report can be interpreted that the detector judging that falsified relative measurements are credible.

B. EXPERIMENTAL VALIDATION
In this subsection we validate the performance of the SDECL algorithm by performing experiments on our robotic system. Our setup (see Fig. 10) consists of a Linux-based host computer equipped with Nvidia GPU, four e-puck2 mobile robots, an overhead ZED stereo camera and the workspace of robots. The system is equipped with Robot Operating System (ROS) where each robot and the overhead camera correspond to a ROS node. Our computer vision system [33] tracks the pose of each robot with respect to the reference trajectory and also provides relative measurements. The accuracy of the computer vision-based positioning algorithm is 0.03m for range and 5 degree for bearing. E-puck2 robots move along circular trajectory simultaneously with a radius of 0.13 m (see Fig. 12). Each e-puck2 is equipped with odometry sensor to propagate the filter. The host computer uses the ZED camera to collect data from the four e-puck2 robots and produce relative measurements (range and bearing) using computer vision software. The event detector uses the corresponding relative measurements to decide whether or not new information is to be transmitted to the robots. When a pair of robots receives new relative measurements, they exchange information (propagated state and error covariance) with each other to update the localization. The communication between e-puck2 robots and the host computer is conducted through Bluetooth. There is inherent time delays in communication between two robots, the camera latency and image processing and the event-detector. Also, the ROS package message_filter [42] is used to synchronize the time stamp of the odometry data and relative measurements. We perform two experiments as following:

1) LOCALIZATION OF ROBOTS UNDER CYBER ATTACKS
In this experiment, we compare the following: 1) A ground truth of each robot provided by the overhead ZED camera; 2) Localization of robots by odometry sensor; 3) Localization of robots using the SDECL algorithm 1 considering cyber attacks. Fig. 11 shows the results of our experiments. In our experiments, the trajectory generated by the overhead camera is employed as our reference trajectory. Note that the odometry sensor provides the pose estimates for the filter propagation. Each robot uses range-bearing measurements to improve the localization accuracy. Fig. 11(a) and Fig. 11(b) shows the performance of SDECL algorithm under time-triggered and event-triggered mechanisms where packets transmitted in a reliable communication network. It can be seen that FIGURE 11. Trajectories of the e-puck2 robots under an experimental test generated by four simultaneously running ROS packages, one for the camera location tracking (the green curve), one for the odometry estimate (the red curve), and the other one (the blue curve) to obtain location estimates by SDECL Algorithm (a) under time-triggered mechanism and without cyber attacks; (b) under event-triggered mechanism and without cyber attacks; (c) under event-triggered mechanism and bounded cyber attacks. the event-triggered mechanism achieves a trade-off between localization accuracy and number of transmitted packets. Fig. 11(c) shows the resiliency of proposed SDECL algorithm in the presence of bounded attack. We assume mixed DoS and FDI attacks with probabilities of 0.1 and 0.1 corrupting the sensor measurements in the sensor-filter communication channel. In this case, we assume that the attacker blocks and manipulates the relative measurement obtained from the camera in the communication channel between the exteroceptive sensors and the filter. It can be seen that the cyber attack deteriorates the localization accuracy slightly but still the proposed algorithm is resilient against bounded attacks. We also provide the position error of the four e-puck2 robots (see Fig. 11) by comparing (i) time-triggered mechanism without cyber attacks; (ii) event-triggered mechanism without cyber attacks; (iii) event-triggered mechanism with cyber attacks. We conclude that the our algorithm provides satisfactory localization performance against cyber attacks while reducing the amount of transmitted range-bearing measurements.

2) CYBER ATTACK DETECTION
In this experiment, we apply mixed DoS and FDI attacks to corrupt the transmitted relative measurement of e-puck0 under unbounded attack signal. Since, the attack detector monitors the filter by checking the arriving innovation, an alarm is triggered if the arriving innovation is greater than the threshold. Note that the LEDs of the e-pucks turn on when the alarm triggers, indicating the presence of a possible attack. Fig. 14(a)-(d) shows the status of e-pucks at t = 0, 7, 13, 20 s. According to the SDECL algorithm, all robots communicate with each other, in order to perform localization. When one of the robots receives corrupted sensor measurements, the corrupted packets (propagated state and error covariance) are transmitted to the other robots, thus increasing the norm of the arriving innovation and eventually triggering an alarm. It can be seen from Fig. 14  (ii) event-triggered mechanism and without cyber attacks; (iii) event-triggered mechanism and with cyber attacks. we consider the proposed attack detection mechanism. Here the alarm of e-puck0 is triggered indicating an attack, thus, the robot does not transmit the corrupted packets to the other robots. Therefore, we can see that the arriving innovation in the other robots is less than the threshold resulting in an improvement in the localization performance.

VI. CONCLUSION
In this article, we study the problem of event-triggered cooperative localization with the specific objective of cyber attacks. For the attacks with limited resources, we design the optimal Kalman filter under both DoS and FDI attacks, and provided a sufficient condition to guarantee the convergence and resilience of the proposed filter. Moreover, we also propose an attack detection mechanism for the proposed algorithm when the attack signal are unbounded. Simulation and experimental results show the efficiency of the proposed algorithm. As mentioned earlier, in cooperative localization exteroceptive and proprioceptive sensors need to be fused to correct the navigation states. More specifically, laser, camera and IMU sensors usually run at different sampling rates, leading to sensor data streams being multi-rate. To tackle this case, multi-rate EKF should be use to estimate the position of robots. Further research will include the extension of our results to the multi-rate EKF-based localization algorithm for multi-robot systems subject to network-induced phenomena (e.g. asynchronous communication, DoS attacks [19], deception attacks [16], [17], etc) and unknown measurement sensitivity [20].

APPENDIX A PROOF OF THEOREM 1
Proof: The predicted state error of robot i for MRS (1) at time instant k + 1 can be described by: where the predicted state of each robotx i− (k + 1) is defined by: Expanding f i (x i (k), u i m (k)) using Taylor series aroundx i+ (k), we have: where and o |x i+ (k)| denote the high-order terms of the Taylor series expansion. Following [31], [39], we introduce the unknown time-varying matrix F i (k), and known scaling matrix B i (k) to account for the linearization error. We can write: where E i (k) is a known tuning matrix and assume that F i (k) satisfies: and using (20)-(23), the predicted state error for robots i and j can be computed as follows: Using Eqs. (25)- (26), the predicted state error covariance for robot i and cross covariance between two robots (i and j) are represented by: Considering the event-triggered mechanism (7) and random cyber attack (3), the current transmitted measurement is as follows (for simplicity of the notation we use time instant k instead of time instant k + 1): The arriving innovation can be computed as follows: The state estimates of each robot are corrected according to: where h ij (x i− ,x j− ) is the predicted measurement. Let the first-order expansion of where and o |x i− (k)|, |x j− (k)| represent the high-order terms of the Taylor series expansion. We now introduce unknown time-varying matrices C i i (k) and C i j (k), and known scaling matrices D i i (k), D i j (k) accounting for the linearization errors of the measurement model: where E i i (k) and E i j (k) are known tuning matrices and assume that C i i (k) and C i j (k) satisfy: Note that the matrices and E i (k) should be designed appropriately. Substituting (29) into (31), we have: Using (32)- (36) and introducing H i the estimation error can be computed as follows: (37), the estimation error covariance matrix can be computed as follows: Defining constants ε 1 , ε 2 , ε 3 , ε 4 , ε 5 , ε 6 , ε 7 , ε 8 , ε 9 > 0 and applying Lemma 1 we obtain an upper bound of the error covariance matrix (9), which completes the proof.

VII. PROOF OF THEOREM 2
Proof: It is obvious that the state estimation error and the error covariance matrix are updated with new relative measurement. The updated error covariance can be computed as follows: where S ij,a (k) is covariance of arriving innovation which can be obtained from Eq. (12). So, we can show that P i+ (k + 1) ≤ P i− (k + 1). Considering the prediction error covariance matrix in (27) and substituting K i (k) in (10)- (12) we write: where Now, in order to prove the boundedness of error covariance P i− (k + 1), we assume that p i I ≤ P i− (k) ≤p i I and p ij I ≤ P ij− (k) ≤p ij I holds at k, then we will show that it is true in k + 1.
Therefore, we show that the error covariance matrix is bounded for k ≥ 1 by mathematical induction, which completes the proof.

APPENDIX C PROOF OF THEOREM 3
Proof: First, we choose the Lyapunov function as follows: Using Theorem 2 it is obtained that p i I ≤ P i+ (k) ≤p i I.
According to the condition in (16), the Lyapunov function Eq. (45) is bounded according to the following inequality: Next, we have to ensure the boundary of E V k (x i+ (k))| x i+ (k − 1) − V k−1 (x i+ (k − 1)). On the basis of Eq. (45), the conditional expectation E V k (x i+ (k))|x i+ (k −1) is derived: Considering the property of conditional expectation that E x i+ (k)|x i+ (k) =x i+ (k), the following equation is obtained by subtracting V k−1 (x i+ (k − 1)) from Eq. (47): According to Eqs. (10)-(12), the following inequality for Kalman gain is given as: Both sides of µ ij (k) are scalars. Using Lemma 1 and computing the trace of µ ij (k), we have: Then, E V k (x i+ (k))|x i+ (k − 1) − V k−1 (x i+ (k − 1)) is written in the following form: we can show the following inequality: According to Lemma 2, there is This completes the proof.