Resilient Control Design of the Third-Order Discrete-Time Connected Vehicle Systems Against Cyber-Attacks

This paper investigates the consensus problems of the third-order discrete-time Connected Vehicle Systems (CVSs) under cyber-attacks. First, the necessary and sufficient conditions for consensus of third-order discrete-time CVSs are derived in the absence of attacks by using algebraic graph and matrix theory. Then the interaction network framework between the original CVSs in the vehicle platoon layer and a virtual system in the hidden layer is established to resist cyber-attacks. Since sufficiently large attacks can be excluded from CVSs through a threshold defense mechanism, such potential attacks considered are bounded and generated by any linear or non-linear finite L2-gain exogenous dynamics system. It is proved that the stability of CVSs can be ensured and the state errors converge to a bounded range whether the attacks exist only in the vehicle platoon layer or in the overall systems (including the vehicle platoon layer and the hidden layer) by using the Lyapunov stability method. Finally, a simulation example containing several scenarios demonstrates the effectiveness and superiority of the proposed methods.


I. INTRODUCTION
Organizing self-driving vehicles as a platoon has attracted widespread attention in recent years due to its advantages in reducing fuel consumption, improving traffic safety and increasing road efficiency [1]- [4]. Based on a distributed control protocol, each vehicle in the platoon travels utilizing local measurements and neighboring information through wireless networks (i.e., vehicle ad hoc networks (VANETs)). Owing to the interconnection and sharing of information between vehicles, such a platoon can be considered as a cyber-physical system (CPS). Considering the driver behaviors, braking control and input delays, cooperative adaptive cruise control (CACC), a typical application of CPS, is further proposed to ensure the coordination and stability of the vehicle platoon systems [5]- [7]. Flocking theory [8], [9] and consensus control [10]- [12] are widely used to analyze the information interaction between vehicles during the CACC communication networks in CPS is necessary and has many advantages, but it has also brought some uncertainties, such as time-delays [17], [18], packet losses [19], [20] and computational burden [21], [22]. These factors lead to poor performance in CPS. In particular, the more dangerous factor is to encounter network-induced cyber-attacks, which is becoming a critically challenging threat for CPS [23]- [25]. With a purpose to destabilize the consensus of CPS, the attacker intercepts the communication network and corrupts its local state feedback. Typical attacks can be summarized into three types: denial of service (DoS) attacks, replay attacks, and deception attacks. DoS attacks keep the network busy with forged requests, making the network unable to process legitimate requests, which can be resolved through various strategies in [26]- [29]. For example, the impact of DoS attacks was modeled as stochastic delays in the network and then an estimation scheme was added to the conventional CACC control strategy to make the platoon resilient to DoS attacks [26]. Another strategy is developing optimal control strategies with multitasking and central-tasking structures by using game theory [27]. In [28], an event-triggering based hybrid control strategy was designed for the time-varying attitude control issues of aircraft systems against DoS attacks. Besides, [29] extended the event-triggering strategy under DoS attacks to nonlinear multi-agent systems. Replay attacks intercept system data and maliciously retransmit, destroying system functionality [30]- [33]. Distributed receding-horizon control approach [30], [31] and recursive distributed Kalman fusion estimator (DKFE) [32] are effective strategies to ensure the consensus of CPS under replay attacks. Deception attacks, including data modification, data replay, and false data injection, modify messages transmitted between agents and may undermine the integrity of CPS [34]- [37]. In [34], the CPS was modeled as a stochastic linear system with the Gaussian noise, and the conditions of the system dynamics were derived to evaluate the impact of feasible stealthy deception attacks. Besides, a distributed observer and observer-based event-triggering controller were designed to obtain the consensus bound of discrete-time stochastic multiagent systems with lossy sensors and deception attacks [35]. From another perspective, a dynamic output feedback controller was proposed to guarantee the prescribed security of the discrete-time stochastic nonlinear systems under deception attacks in [36].
In addition to modeling a certain type of cyber-attacks and proposing corresponding resilient control strategies, timely system fault detection is also necessary to ensure the stability and security of CPS [38], [39]. For example, a novel cyber-attack detection method by analyzing the intersection between a prediction ellipsoid set and an estimation ellipsoid set is proposed to guarantee the security of networked control systems [38]. Furthermore, an extremely randomized trees-based scheme was proposed for stealthy cyber-attack detection, improving the security of smart grid networks [39]. Besides, Markov jumping systems (MJSs), which have been extensively investigated in state filtering [40], sliding-mode control [41], fault detection [42], and resilient asynchronous feedback controller design [43], are also promising in cyberattack detection.
In addition to the system fault detection, the interaction network [44] implemented by software-defined networking [45] was also proposed to resist unknown cyber-attacks. Gusrialdi and his collaborators [44] extended the dynamic range of the attacks to non-linear situations, in which a virtual system without physical meaning whose number of nodes is equal to the number of followers is introduced to the original CPS. Utilizing the concept of competitive interaction, a Lyapunov-based analysis method was presented for the first-order continuous-time systems to design the interaction between the virtual networks and the original systems, giving CPS a strong resistance to cyber-attacks.
The advantages of using the interaction network to combat cyber-attacks are listed as follows: 1) During the interaction, the hidden layer will not affect the convergence of the original systems. 2) Whether before or after identifying the cyberattacks, the interaction network can keep the stability of the systems from being compromised by attacks. 3) Even if the entire network (including the physical layer and the hidden layer) is subjected to cyber-attacks, the systems can still maintain stability. However, the existing interaction network design only applies to the first-order continuous-time systems [44]. The situation based on high-order discretetime dynamics has not been studied, which attracts us to fill this gap.
In general, there have been many strategies and approaches to resist cyber-attacks and ensure the stability and security of CPS, but existing results have limitations on the order of systems (the first-order or high-order), attack implementation types (DoS attacks, replay attacks, or deception attacks), or network topology (undirected graph or directed graph). In this paper, the resilient consensus problem of the third-order discrete-time CVSs is investigated, where the acceleration and velocity of all vehicles reach consensus, and any two adjacent vehicles maintain the desired safety distance. To design the interaction network of the thirdorder systems more conveniently, we derived the iteration matrix of the system errors and designed the interaction systems based on the iterative formula, which means that the method proposed in this paper can be simply applied to the similar designs of the second-order and first-order systems. Besides, we consider the cyber-attacks generated by unknown nonlinear dynamics, providing a more universal distributed control method for multi-agent systems against multiple cyber-attacks, including false data injection, data modification, and data replay. Last but not least, the proposed network topology in this paper is applied to the undirected graph and directed graph, which means the communication cost can be reduced by optimizing the flow of information in the vehicle platoon.
Compared with the existing work, the main contributions of this paper are shown as follows: i) We propose the cooperative interaction design method for third-order discrete-time CVSs to resist cyber-attacks with unknown nonlinear dynamics. The proposed method is universal and can be conveniently utilized in the resilient control design of the second-order and first-order discretetime multi-agent systems.
ii) In addition to giving the necessary and sufficient conditions for CVSs reaching consensus asymptotically in the absence of an attack, the interaction network design method for CVSs maintaining stability whether the attacks exist only in the vehicle platoon layer or in the overall interaction systems is further developed.
iii) The expressions of system errors are derived to analyze the performance of the systems, which show that the state errors of cooperative CVSs are always bounded for unknown attacks. Moreover, a simulation example containing five cases is provided to illustrate the validity and superiority of the proposed approach.
The remaining sections of this paper are organized as follows. In section II, the recursive formula for the state errors of the third-order discrete-time CVSs with cyber-attacks is derived according to the control objectives and dynamic characteristics of vehicles. In section III, the consensus of CVSs is analyzed in the absence and presence of cyber-attacks, and conditions of controller gains and interaction matrices to stabilize the systems are given. Section IV demonstrates the effectiveness of the proposed methods through a simulation example containing several scenarios, and conclusions are given in section V.
Notation: Let I n and 0 n denote the n×n identity matrix and n × n zero matrix respectively. 0 stands for an n-dimensional column vector where all elements are 0. The notation Re(x) describes the real part of the complex number x. det(A) represents the determinant of the matrix A. A stands for the Euclidean norm of matrix A or vector A. λ max (A) denotes the maximum eigenvalue of matrix A. diag[·] stands for a diagonal matrix. The notation σ (A) ⊂ B(0, 1) describes that all the eigenvalues of the matrix A lie within the unit open circle.

II. PROBLEM FORMULATION A. DISCRETE-TIME VEHICLE PLATOON MODEL
There have been some studies on the third-order discrete-time systems [46], [47], in which the dynamic model of each agent is simplified without considering the effect of the sampling period. In this paper, the dynamic model of CVSs is derived from continuous motion equations in the sampling period. According to the dynamic characteristics of the third-order systems, it is known that the control input is the derivative of acceleration with respect to time, so the following motion equations in each sampling period can be achieved (The following symbols u(k), a(k), v(k), and x(k) represent the control input, acceleration, velocity, and position at time step k respectively): where t ∈ [kT , (k + 1)T ].
Dynamic models of each vehicle can be obtained by integrating the motion equations in the sampling period T : Consider a vehicle platoon including one lead vehicle and n followers. The dynamics of vehicle i in the platoon can be expressed as where i means the index of the lead vehicle (i = 0) or the followers (i = 0), and u 0 (k) is assumed to be 0.

B. RECURSIVE FORMULA FOR SYSTEM ERRORS
In this paper, control objectives of the CVSs are to design appropriate control protocol and cooperative interaction networks so that the spacings between any adjacent vehicles reach the same, and all followers follow the leading vehicle with a consensus velocity and acceleration, which can be expressed as where d denotes the desired spacing between adjacent vehicles, and x * i (k), v * i (k), a * i (k) represent the desired position, velocity, and acceleration of the follower i at time step k respectively.
To express the information flow between vehicles under corresponding network topology, we define g ij = 1 if the vehicle i can receive messages from the vehicle j, and g ij = 0 otherwise (i = 1, 2, · · · , n, j = 0, 1, 2, · · · , n), so one has the Laplacian matrix L = [l ij ]: l ii = n j=1,j =i g ij and l ij = −g ij , i = j (i, j = 1, 2, · · · , n). Analogously, we define a diagonal matrix L 0 = diag[g i0 ] to show network topology between the leading vehicle and each follower.
Following the line in [48], one supposes each vehicle can directly or indirectly communicate with its neighbors, so there is a spanning tree. Furthermore, we assume the following network topologies: i) all followers belong to ''lookahead'' type, i.e., where h denotes the number of the vehicles which the ith vehicle can communicate; ii) all followers belong to the symmetric ''look-ahead'' and ''look-back'' types, i.e., In such cases, the eigenvalues of the Laplacian matrix of the network topologies are real numbers, moreover, one of the eigenvalues of the L is zero, and the real parts of the other eigenvalues are positive known from [49]. Denote the matrixL L + L 0 and then one can obtain In order to achieve the control objectives in (3), the distributed control protocol [46] is designed as: (4) where α > 0, β > 0, and γ > 0 are the control gains to be designed, and x i,j (k), v i,j (k), a i,j (k) represent information transmitted from the vehicle j to the vehicle i.
Since communication between vehicles is vulnerable to cyber-attacks, feedback information can be expressed as (4) and (5), one derives Assumption 1 (Gusrialdi [44]): The attacker aims to destabilize the vehicle platoon by inserting injection ξ (k). In fact, the attacker would have a limited budget to launch the attack and any intelligent adversary would prefer to insert a bounded injection because the sufficiently large attacks can be simply excluded from CVSs through a threshold defense mechanism. Moreover, the attacks whose amplitude is close to the actual system errors are difficult to identify, so it is supposed that the attacks conform to the following general form which has a finite L2-gain and the expression of function g(.) is unknown. The attack signal after each iteration in (7) will be limited to a reasonable bounded range, which is close to the amplitude of the actual system errors.

III. MAIN RESULTS
The CVSs should remain stable in the ideal situation without cyber-attacks, including normal design and interaction design, which is the basis for stable driving of the vehicle platoon. Therefore, in the following analysis, we first derive the stability conditions for CVSs in the absence of an attack, and then we investigate the robustness of the systems under cyber-attacks.

A. CONTROLLER DESIGN FOR THE VEHICLE PLATOON LAYER WITHOUT CYBER-ATTACKS
In normal design, if there are no attacks, the state error dynamics (6) is reduced to The following theorem gives sufficient and necessary conditions for CVSs to reach stability in the absence of an attack.
Theorem 1: The CVSs (8) derived from (2) can achieve consensus asymptotically if and only if the controller gains in (4) satisfy whereλ is defined before (4).

VOLUME 8, 2020
Proof: Let θ be the eigenvalue of the matrix G, and one can derive the eigenvalue polynomial: Equation (10) is a polynomial of θ with the degree 3n. 3n eigenvalues of the matrix G can be obtained by solving this equation. It's not difficult to find that eachλ i corresponds to three solutions of θ, so the solution for eigenvalue θ can be converted to the following formula: To ensure the stability of the system (8), eigenvalues θ are all in the unit open circle. Applying bilinear transformation θ = (s + 1)/(s − 1) [15], [47], one can obtain It implies that the system (8) is stable if and only if Re(s) < 0. The controller gain α in (4), sampling period T and eigenvalueλ i are all positive, then the conditions in (9) can be derived by using the Routh-Hurwitz stability criterion. Remark 1: For the controller design in Theorem 1, firstly, an appropriate network topology can be selected according to the actual position of the vehicles and the communication cost to determineλ i . Secondly, the sampling period T of CVSs should be decided based on the performance of the sensor networks. Finally, the controller gains α, β and γ in (4) can be determined in the line with the condition (9).

B. INTERACTION NETWORK DESIGN WITHOUT CYBER-ATTACKS
To deal with potential cyber-attacks, a hidden layer with the number of nodes equal to n is introduced to interact with the original vehicle platoon layer, as shown in Fig. 1  (n is assumed to be 4 in the figure). To this end, systems (8) can be rewritten as the following cooperative systems where K , D and E are 3n × 3n matrices to be designed, and z(k) = [z 1 (k), z 2 (k), · · · , z 3n (k)] T is the state vector of the virtual system in the hidden layer. The hidden layer can be implemented as an internal signal component at each follower of the vehicle platoon layer. For the transmission of information in the hidden layer, different communication networks can be used, such as internet technology or software-defined networking [45], which is a promising approach in network management and cloud computing.
The following lemmas are given to design the interaction matrices in (13) and guarantee the stability of the systems.
Lemma 1: Choose the appropriate matrix D to ensure σ (D) ⊂ B(0, 1). At the same time, the matrix G designed in section III-A also meets σ (G) ⊂ B(0, 1). According to the Lyapunov criterion, there exist positive symmetric matrices P s and P h satisfying G T P s G − P s < 0 and D T P h D − P h < 0. Then positive matrices Q s and Q h can be found to meet the following equations Remark 2: The discrete-time Lyapunov equation AX A T − X + Q = 0 can be solved by the function X = dlyap(A, Q) in the Matlab toolbox [50]. The description of such function in Matlab is ''The solution X is symmetric when Q is symmetric, and positive definite when Q is positive definite and A has all its eigenvalues inside the unit disk.'', from which we know that when matrices Q s and Q h are determined, one obtains P s and P h .
Lemma 2: Given the matrix G (D), P s (P h ) in Lemma 1 increases with Q s (Q h ), where increasing means that all elements in the matrix change in the same proportion. To ensure that matrix Q s (Q h ) is positive definite, the scale factor can only be the positive real number.
Proof: From (14) one can obtain Adding the above formulas, one obtains (G n+1 ) T P s G n+1 When all elements in matrix Q s are multiplied by the same scale factor, all elements in P s also change accordingly.
To this end, the relationship between P s and Q s in Lemma 2 is proved, which is also suitable for P h and Q h . Lemma 3: Consider the overall vehicle platoon systems (13) with an interaction network. The systems can achieve consensus asymptotically if (i) matrix G satisfies the Lyapunov equation (14), (ii) matrix D satisfies equation (15) and (iv) Q h is chosen to be sufficiently large and Q s is taken small (i.e., The absolute value of each non-zero element in Q h (Q s ) is large enough (small enough)). Proof: Select the Lyapunov function candidate as

= [Ge(k) + Kz(k)] T P s [Ge(k) + Kz(k)] + [Dz(k) + Ee(k)] T P h [Dz(k) + Ee(k)] − e(k) T P s e(k) − z(k) T P h z(k) = e(k) T (G T P s G + E T P h E − P s )e(k)
By selecting (18), it is easy to obtain G T P s K + E T P h D = 0 3n . Besides, combining (18), one can achieve

+ [Kz(k)] T P s [Kz(k)] − e(k) T Q s e(k) − z(k) T Q h z(k).
According to Lemma 2, P h increases with Q h , and P s decreases with Q s , so the first, second and third terms in the final form of equation (21) can be forced to converge to an arbitrarily small range by increasing Q h and taking small Q s , meanwhile, the fourth term increases with Q h , thus (21) is negative with sufficiently large Q h and small Q s . So far, V e,z (k) < 0 can be guaranteed, simultaneously Lemma 3 is obtained.

C. RESILIENT CONTROL DESIGN WITH CYBER-ATTACKS IN THE VEHICLE PLATOON LAYER
Considering that the vehicle platoon layer is subject to attacks satisfying Assumption 1, systems (13) can be rewritten as: The following theorem shows the stable conditions of interactive systems (22).
Theorem 2: Consider the interactive systems subject to cyber-attacks in the vehicle platoon layer (i.e, the systems (22)). The systems are bounded for any injection satisfying (7) if the conditions in Lemma 3 hold. Moreover, the system errors satisfy where ξ e is the steady state of the injection ξ .
Define the error vectorsē(k) = e(k) − e e (k),z(k) = z(k) − z e (k), andξ (k) = ξ (k) − ξ e (k). Combining (22) and (24), one obtains     ē According to the converse Lyapunov theorem [44], there exists a Lyapunov function Vξ (k) related toξ (k) with the following property where ν is a positive constant. To verify that the interactive error systems (25) are asymptotically stable under cyberattacks, one selects a Lyapunov function candidate as V¯e ,z,ξ (k) =ē(k) T P sē (k) +z(k) T P hz (k) + ηVξ (k), (27) where η is the positive real number. Similar to (20), one can achieve For 3ξ (k) T Y T P s Yξ (k) + η Vξ (k), combining (26) one obtains Note that η in (29) is a parameter of the Lyapunov function candidate (27), so the change of η only means the variation of the selected Lyapunov function, and does not affect the matrix selection of (22). Then, (29) can be guaranteed to be negative by selecting η > 3λ max (P s ) Y 2 /ν. Besides, Similar to the negative judgment of (21), (30) is negative by increasing Q h and taking small Q s . So far, V¯e ,z,ξ (k) < 0 can be guaranteed, thus the error systems (25) will eventually converge to 0 (i.e., lim k→∞ e(k) = e e (k)). Let lim k→∞ ξ e (k) = ξ e , and one can achieve the expression of the system errors (23) by combining the first and second formulas in (24). Theorem 2 is proved. Remark 3: Theorem 2 gives the conditions of the interaction matrices for CVSs to resist cyber-attacks in the vehicle platoon layer. Specifically, to design such a resilient system, firstly, the conditions of the controller gains in Theorem 1 must be satisfied, which helps to design the matrix G and ensure that the Lyapunov equation (14) holds. Secondly, an appropriate matrix D should be selected to guarantee the establishment of the equation (15). Thirdly, the matrix K is determined and sufficiently large Q h and small Q s are selected, simultaneously, one obtains the matrices P h and P s (As described in Remark 2). Finally, the interaction matrix E can be easily computed based on (18).
Remark 4: From (23) one knows the system errors e(k) cannot converge to 0 because ξ e = 0 when there exists a cyber-attack. Besides, it is known from Lemma 2 that when increasing Q h and taking small Q s (i.e., all elements in Q h (Q s ) increase (decrease) in the same proportion) to stabilize the interactive systems (22), the absolute value of each non-zero element in P h will become larger and that in P s gets smaller, concurrently −K (23) can be forced to converge to an arbitrarily small neighborhood around 0 3n . In this case, the system errors can be rewritten as lim k→∞ e(k) = −(G − I 3n ) −1 Y ξ e , which is bounded for any injection ξ satisfying (7). Note that in this case −[(G−I 3n )−K (D − I 3n ) −1 E] is not the optimal matrix that minimizes the system errors (23), so when we take infinitely large Q h and make Q s infinitely close to 0 3n , (23) converges to a bounded range but not a minimum range. As a special case, the system errors converge to 0 accurately when there are no cyber-attacks.

D. ROBUSTNESS ANALYSIS WITH CYBER-ATTACKS IN THE OVERALL SYSTEMS
Next, one considers the case that the virtual system in the hidden layer, designed in section III-B to enhance the robustness of the systems, is also disturbed by cyber-attacks. To this end, the overall systems subject to cyber-attacks can be considered as where ξ (k) also satisfies Assumption 1. Then the following theorem is given to show the boundary and stabilization properties of systems (31). Theorem 3: Consider the interactive CVSs subject to cyberattacks in the overall systems (31). The systems are bounded for any injection ξ and ξ satisfying (7) if the conditions (i), (iii) and (iv) in Lemma 3 hold and σ ( √ 2 D) ⊂ B(0, 1). Moreover, the system errors of (31) satisfy (32) where ξ e and ξ e are the steady states of the injections ξ and ξ , respectively.
Similar to the proof of Theorem 2, we have the error system for (31) as A Lyapunov function candidate Vξ (k) related toξ (k) can be found with the following property where ν is a positive constant. Select the Lyapunov function candidate as where η is the positive real number. Then one can achieve (29), by choosing η > 3λ max (P h ) Y 2 /ν , a negative value can be determined. If the condition σ ( √ 2 D) ⊂ B(0, 1) in Theorem 3 holds, the following Lyapunov equation similar to (15) can be found Then one can obtain Referring to the negative judgment of (30) and (28) in Theorem 2,(39) and (37) can be made negative by increasing Q h and taking small Q s , so the error system (34) will eventually converge to 0. Similar to the derivation of (23), it is not difficult to achieve the system errors (32). The proof is completed. Remark 5: Theorem 3 develops the conditions of the interaction matrices that enable the cooperative CVSs resistant to attacks in the overall system. The design of such resilient CVSs is similar to the process described in Remark 3. The only difference is that the constraint on the matrix D is σ ( √ 2D) ⊂ B(0, 1) in Theorem 3 and σ (D) ⊂ B(0, 1) in Theorem 2 (The constraint on matrix D in Theorem 2 is the same as that in Lemmas 1 and 3). Both of these constraints should be satisfied because CVSs are supposed to remain stable in all four design cases in section III.
Remark 6: Similar to the analysis in Remark 4, it can be known from (32) that the system errors of (31) can also converge to a bounded range for any injection ξ and ξ satisfying (7). Therefore, the stabilization of cooperative CVSs can be guaranteed even if the overall systems are under cyberattacks.
Remark 7: It can be known from Theorems 2 and 3 that CVSs can reach a global consensus under any attacks satisfying Assumption 1. The dynamics (i.e., the function g(.) in (7)) of such attacks is unknown for CVSs, which means the injection inserted by the attacker in (5) can be multiple types, including false data injection, data modification, and data replay.
Remark 8: The proposed method is different from the existing works (i.e., [44], [46], [47]). The existing consensus analysis methods for the third-order discrete-time systems ignored the sampling period T of the dynamic model [46], [47], which means Theorem 1 in this paper provides more rigorous guidelines for the consensus design of the third-order discrete-time multi-agent systems in the absence of cyber-attacks. Besides, this paper proposes new Lyapunov analysis methods (seen in section III B-D) for the cooperative interaction design of the discrete-time systems, which are obviously different from the design methods for the continuous-time systems [44]. Moreover, we only need a matrix G satisfying σ (G) ⊂ B(0, 1) to design the resilient systems, so the proposed method can be easily applied to the second-order or first-order discrete-time systems.

IV. SIMULATIONS
Consider a vehicle platoon consisting of a leader and four followers (n = 4) that travels straight at a constant speed of v 0 , where the expected distance between adjacent vehicles is d = 20m. To verify the convergence of the vehicle platoon systems with or without attacks, we consider that each follower has a different initial state. Set initial position, velocity, and acceleration vectors as [x 0 (0), · · · , x 4 (0)] T = [100, 90, 65, 10, 20,15,5,35,30] T , and [a 0 (0), · · · , a 4 (0)] T = [0, −10, 20, −15, 10] T respectively. The design method of the controller gains in (4) was illustrated in Remark 1. Firstly, note that the proposed network topology in this paper is applicable to the undirected graph and directed graph. Taking directed graph as an example, considering the physical distance and communication cost, we suppose that vehicle i can only receive the messages from the vehicle i−1 (i = 1, · · · , n). Correspondingly, matrix L and matrix L 0 in section II-B are determined, which are and L 0 = diag[1 0 0 0]. Then, we assume the sampling period T = 0.03s, which is affordable for most VOLUME 8, 2020 sensor networks. Finally, we set the controller gains α = 2, β = 3, and γ = 4 to meet Theorem 1. Next, simulation results in several different scenarios would be given to demonstrate the validity of the proposed methods.

A. THE CASE WITHOUT THE HIDDEN LAYER AND IN THE ABSENCE OF CYBER-ATTACKS
In the case without the hidden layer and in the absence of cyber-attacks (i.e., the systems (8)), the vehicle platoon is allowed to travel for 18 seconds under the control protocol (4). The trajectories of position x i , position error e xi , velocity error e vi , and acceleration error e ai of vehicle i are shown in Fig. 2. As can be seen in Fig. 2(a), no collision occurred during the driving process (The curves do not intersect). Besides, the control objectives in (3) can be reached eventually, i.e., the state errors converge to 0 (see Fig. 2 Fig. 2(c) and Fig. 2(d)).

B. THE CASE WITH THE HIDDEN LAYER AND IN THE ABSENCE OF CYBER-ATTACKS
For comparison, we add a hidden layer except for the lead vehicle while retaining the parameters used in section IV-A (i.e., the parameters designed at the beginning of section IV). The design method for such interaction systems (i.e., the systems (13)) was mentioned in Remark 3 and Remark 5, which would be demonstrated below. To satisfy the constraint on the matrix D in Lemma 1, let D = 0.6I 12 . Besides, the other parameters are set as follows: K = 0.25I 12 , Q s = 0.01I 12 and Q h = 8Q s . Then one has the solutions of the equations (14) and (15), which are P s = dlyap(G T , Q s ) and P h = dlyap(D T , Q h ). Until now, it is easy to compute the interaction matrix E based on (18) in Lemma 3. After 6 seconds of similar running, the state change curves are shown in Fig. 3. It can be seen from Fig. 3(a) that no collision occurs when adjusting the vehicle platoon (The hidden layer does not affect the convergence of the original systems). Besides, the hidden layer accelerates the convergence speed of the spacing error, velocity error, and acceleration error (see Fig. 3 Fig. 3(c), and Fig. 3(d)). It takes more than 10s for CVSs without a hidden layer to reach stability (as shown in Fig. 2), but the convergence time is reduced to within 1s after adding the hidden layer (see Fig. 3). By comparing the simulation in section IV-A and section IV-B, we can see that the interactive design improves the stability of the vehicle platoon in the absence of cyber-attacks.

C. THE CASE WITHOUT THE HIDDEN LAYER AND IN THE PRESENCE OF CYBER-ATTACKS
In this simulation, the parameters used in section IV-A are retained and the vehicle platoon (i.e., the systems (8)) is exposed to cyber-attacks. Since the attack is unknown to the interactive systems, it is assumed that ξ (k) = [0, · · · , 0 8 , ξ 1 (k), ξ 2 (k), ξ 3 (k), ξ 4 (k)], where ξ i (k) < 50.
The amplitude of such attack signals is close to the maximum of the actual position error, speed error, and acceleration error, so it is difficult to identify them through the threshold defense mechanism. The simulation results in Fig. 4 show that without protection (i.e., without the hidden layer), attacks will destabilize the vehicle platoon. As can be seen in Fig. 4(a), collisions occurred in the driving process. Besides, the system errors cannot converge to the ideal range (see Fig. 4 Fig. 4(c) and Fig. 4(d)).

D. THE CASE AGAINST CYBER-ATTACKS IN THE VEHICLE PLATOON LAYER
Based on the simulation in section IV-C, we make the systems robust against the attacks by connecting the vehicle platoon systems to the same hidden layer as in IV-B (i.e., the systems (22)). After 6 seconds of similar running, the simulation results are shown in Fig. 5. Compared with the simulation results shown in Fig. 4, it can be seen that the robustness of the vehicle platoon has been significantly improved (No collision occurred during platoon adjustment (see Fig. 5(a)) and state errors converged to the ideal bounded range (see Fig. 5 Fig. 5(c) and Fig. 5(d)).

E. THE CASE AGAINST CYBER-ATTACKS IN THE VEHICLE PLATOON LAYER AND THE HIDDEN LAYER
In this section, we assume that the virtual system (hidden network) is also attacked as described in (31), where ξ i (k) is considered to have the same limitation as ξ i (k) in IV-C, and the hidden network used is identical with it in IV-D. As shown in Fig. 6, the stability of the vehicle platoon is still guaranteed despite of the attacks on both networks.  According to the above simulation, we can know that the robustness of the CVSs has been significantly improved by adding the hidden network. The results show that the interaction design gives the vehicle platoon strong resistance to cyber-attacks.
Remark 9: As demonstrated above, the cooperative systems with the hidden network can guarantee the resilient consensus of CVSs under cyber-attacks. In practical applications, virtual nodes that have no physical meaning can be added to each agent of CPS to form the hidden network (as shown in Fig. 1), and then the control strategy in this paper could be applied to design the interaction matrices. After determining the interaction matrices, it is not difficult to achieve the entire cooperative interaction network topology with the physical layer and the hidden layer through softwaredefined networking [45]. Therefore, the approach proposed in this paper can not only be used for resilient control of vehicle platoon but also can be utilized to ensure the stability of other discrete-time multi-agent systems under cyber-attacks.

V. CONCLUSION
In this paper, the resilient consensus of third-order discretetime CVSs subject to cyber-attacks with unknown non-linear dynamics has been studied. In the absence of an attack, the necessary and sufficient conditions for CVSs to reach stability have been first derived. Based on that a Lyapunovbased method has been proposed to design the cooperative interaction CVSs that have a strong resistance to attacks. It has been proved that the system errors of cooperative CVSs can be controlled within a bounded range under all possible attacks. In the end, simulations have been made to verify the feasibility of the theoretical method. The proposed approach has superior performance and is also suitable for resilient control of other multi-agent systems based on firstorder or high-order discrete-time dynamics. However, this paper does not give the design method of interaction matrices that can minimize the system errors of CVSs under attacks. In our future work, the optimal control framework would be utilized to design the optimal interaction matrices. Besides, the control performance of cooperative interaction systems under low communication rates will be investigated to reduce communication consumption and computational burden.