Resilient and Privacy-Preserving Leader-Follower Consensus in Presence of Cyber-Attacks

This letter presents a novel and unified distributed control framework that ensures resilient leader-follower consensus in the presence of unknown but bounded attacks on both the communication network and actuators while simultaneously preserving the privacy of an agent’s physical state from eavesdroppers. To this end, a virtual state and time-varying signals are introduced to each agent, which function as masks to the physical state and are designed to ensure resilient leader-follower consensus. The proposed control strategy does not require high network connectivity and imposes no restrictions on the number of attacks. A numerical example is provided to illustrate the results.

network connectivity, which depends on the number of compromised links, to ensure consensus. An alternative strategy, the mean subsequence reduced algorithm, has been proposed for leader-follower consensus in the presence of misbehaving agents [9], [10]. This method does not assume any specific behaviour from the attacker and does not require the healthy agent to detect the misbehaving agents. However, it often comes with restrictions on the number of compromised nodes and the connectivity of the communication network. Furthermore, this method is not effective in ensuring consensus when only the communication network is compromised. In the literature, various alternative strategies have been proposed to address the limitations of high network connectivity and restrictions on the number of attacks, see, e.g., [11], [12], [13], [14], [15], [16]. For instance, the work [14], [16] propose resilient leader-following consensus under Denial-of-Service (DoS) attacks on the communication links. While the individual agent in those work has linear or non-linear dynamics, the type of attacks is only limited to DoS attacks which are less sophisticated than the false data injection (FDI) attacks. On the other hand, the work [12], [13], [15] present approaches for resilient leader-follower consensus under FDI attacks on the communication links. However, the work do not consider attacks on the node's actuator.
It is worth to note that all the strategies proposed in the above-mentioned works rely on exchanging the physical states of both the followers and the leader. This exchange of information can lead to the disclosure of an agent's physical state, making the cooperative system vulnerable to potential privacy threats posed by eavesdroppers. To tackle this privacy concern, the authors in [17] propose a privacypreserving leader-follower consensus algorithm. However the strategy does not guarantee the resiliency of the cooperative system. Cryptography-based methods, see, e.g., [18], [19] have been proposed for leader-follower consensus to ensure the privacy of an agent's physical state. However, these strategies have notable limitations. They might suffer from high computational complexity and some require the existence of trusted or legitimate agents, which might not always be feasible. More importantly, these methods do not ensure the resiliency of cooperative systems against unknown injections. The authors in [19], [20] propose strategies that ensure both resiliency and privacy requirements. However, these strategies are limited to leaderless consensus and impose restrictions on the attack's model including the number of attacks. Furthermore, the methods also require high network connectivity.
From the preceding discussions, it is evident that attackresilient and privacy-preserving leader-follower consensus have mostly been treated as two separate issues. This letter introduces a novel unified control framework that addresses both problems simultaneously. The framework ensures resilient leader-follower consensus in the presence of FDI attacks on both the actuators and communication links while also protecting an agent's physical state from eavesdroppers. To this end, each agent maintains a virtual state and utilizes local time-varying but uniformly bounded signals. These virtual state and time-varying signals act as mask for the physical state, effectively preserving the physical state's privacy of both the leader and followers from eavesdroppers. Moreover, the virtual state and time-varying signals are designed to ensure the approximate leader-follower consensus in the presence of unknown but bounded attacks. The proposed resilient control does not require high network connectivity and does not impose any restrictions on the number of attacks.
This letter is organized as follows. After formally formulating the problem in Section II, the proposed resilient and privacy-preserving leader-follower consensus is presented and analyzed in Section III. The proposed algorithm is demonstrated via a numerical example in Section IV. Concluding remarks are presented in Section V.
Notation: Let R be the set of real numbers; vector 1 n ∈ R n denotes the vector of all ones and I n ∈ R n×n denotes an n × n identity matrix. Cardinality of a set N is denoted by |N |. The ith eigenvalue of a square matrix A can be written is the imaginary-part of λ i (A), and ι = √ −1. Superscript "T" represents the transpose of a matrix or a vector.

II. PROBLEM FORMULATION
Consider a cooperative system consisting of n + 1 nodes where a leader node is labeled by 0 and the follower nodes are labeled by i = 1, . . . , n. The communication network topology among the leader and follower nodes is modelled as a directed graph G = {V, E} where V = {v 0 , v 1 , . . . , v n } and E ⊂ V × V represent the node set and edge/link set respectively. A directed edge (j, i) ∈ E means that node i can receive information from node j. The neighbours of node i is defined Let x i (t) ∈ R denote the physical state of node i whose dynamics is given bẏ where u i is the control input, i (t) denotes the local information of node i and y i j (t) denotes the information that node j sends to node i via the communication network. The dynamics of the leader node v 0 satisfies the following assumption.
Assumption 1: The derivative of x 0 is uniformly bounded, that is |f (x 0 (t))| ≤ ζ where ζ is a positive constant.

Remark 1:
The results in this letter can be extended in a straightforward manner to the case x i (t) ∈ R p by using the Kronecker product. When the individual dynamics of the follower nodes are given by a heterogeneous nonlinear/linear system, one can potentially use the idea presented in [21], [22]. Specifically, if the individual dynamics can become input passivity-short by a local feedback controller, the dynamic behaviours of the follower nodes at the network level as well as their network control design can then be transformed to (1).
We make the following assumption on the communication network topology.
Assumption 2: The leader node v 0 has a directed path to every follower node.
In practice, the actuators of the follower nodes and the communication channels are vulnerable to cyber-attacks. In this letter, we consider false data injection (FDI) attacks on both the actuators and communication channels. Specifically, the attack on a follower node's actuator is modelled as whereũ i (t) is the compromised control input under unknown injection δ ui (t). Furthermore, follower node i may not receive the true information from its neighboring node j, that is the possibly corrupted information that node i is receiving from its neighbouring node j, including the leader node, takes the following formỹ where δ ji (t) is the malicious injection into the communication link (j, i) ∈ E. The unknown injections δ ui (t), δ ji (t) satisfy the following assumption. Assumption 3: The injections δ ui (t), δ ji (t) are both uniformly bounded.
Remark 2: Assumption 3 is reasonable in practical scenarios and has been considered in several studies, e.g., [23], [24]. Moreover, no restrictions are made on the number of attacks and in contrast to the setup in [10], [11], [25], we assume that the communication links from the leader to the follower nodes can also be compromised.
In addition to considering FDI attacks, our work also takes into account the presence of eavesdroppers, which are external adversaries with the objective of stealing information on the physical states x i (t) of all nodes including the leader by tapping the communication links. Furthermore, we also consider the existence of an honest-but-curious node, which seeks to estimate the physical state x i (t) of its neighbouring nodes. To illustrate this scenario, we adopt an example from [17], which involves the transportation of critical materials by a group of trucks to a destination designated by an operator (leader node), as depicted in Fig. 1. Both the leader node and the trucks share the same goal of protecting their state x i (t) from being disclosed to the eavesdroppers.
The objective of this letter is to design the control input u i (t) such that the cooperative system in (1) reaches an approximate consensus, that is where is a small positive scalar. Furthermore, the nodes including the leader node must also preserve the privacy of Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply. their physical states, that is to prevent the eavesdroppers from learning accurately x j (t) from the information y i j (t). Remark 3: The acceptable value of in (4) in practice depends on the application of interest. For example, in the problem of frequency synchronization in the power grid and islanded microgrid applications, according to National Grid ESO in the U.K., the steady-state frequency must be within the limits of 49.5 Hz to 50.5 Hz. This means that = 0.5 Hz.

III. MAIN RESULTS
In order to ensure resilient leader-follower consensus and preserve privacy of the physical states, we introduce a virtual state z j (t) ∈ R and time-varying but uniformly bounded ∈ R are chosen independently by node j, and along with the virtual state z j (t), they are used to mask the physical state x j (t) before being transmitted to node i where j ∈ N i . Specifically, node j sends the following masked physical states y i j,1 (t), y i j,2 (t) to node i: where β > 0, γ > 0 are scalar gains designed to ensure resiliency against malicious injections. In contrast to the physical state x i (t), the virtual states z i (t) do not have any physical meanings and z i (0) can be set to any values. Next, using the virtual state z i (t), the local information of each follower node Finally, the proposed control input for cooperative system (1) which achieves the objective (4) while preserving the privacy of physical states x i (t) is given by where a ij = 1 if follower node i can receive information from node j and a ij = 0 otherwise. Furthermore, the virtual state of the follower node z i (t) is updated according tȯ where the information i,1 (t), i,2 (t), y i j,1 (t), y i j,2 (t) are defined in (6) and (5).
The gains β, γ are designed offline before deploying the cooperative systems while the information i (t) (resp. y i j (t)) are computed (resp. shared) online. Regarding the information available to the eavesdropper, it is assumed that the external adversary listens to information y i j (t) being exchanged among the agents and possibly knows the network topology. However, the adversary does not know the structure of (5)-(8) since they are considered as local information for each agent. On the other hand, since an honest-but-curious node is part of the cooperative system, he/she has access to the information y i j (t) and the structure of (5)-(8) including gains β, γ .
Remark 4: In contrast to the resilient leader-follower consensus algorithm proposed in [13], control input (7), (8) results in a sparse communication network topology.

A. Resilient Leader-Follower Consensus
In this subsection, we analyze the resiliency of the cooperative system under the proposed control input (7). To this end, the closed-loop dynamics of follower nodes (1) under control input (7) and virtual state's dynamics (8) in presence of unknown injections can be written aṡ Here, it is assumed that the adversary can insert different injections δ ji (t), δ ji (t) into the exchanged information y i j,1 (t) and y i j,2 (t) respectively.
Next, let us define the following error vectors By noting that A1 n = −B, dynamics of the errorx(t) can be calculated aṡ Similarly, dynamics of the errorz(t) can also be calculated aṡ Error dynamicsx(t),z(t) can be written in a compact form as ẋ (t) where = ⊗ A and Before proceeding we introduce the following lemma. Lemma 1: Under assumption 2 matrix in (13) is Hurwitz for scalar gains β > 0 and γ > 0 satisfying where θ = max i | (λ i (A))| | (λ i (A))| . Proof: First, observe that for scalar gains β, γ > 0 satisfying the first inequality 2β > γ − 1 in (14), the eigenvalues of matrix are complex, i.e., λ( ) = r ± υι where Next, the eigenvalues of matrix are in the set S = {λ( )λ i (A)|i = 1, . . . , n}. It follows that the real-part of the eigenvalues of are given by Recall that matrix A is Hurwitz and thus r (λ i (A)) < 0. Hence, matrix is Hurwitz, i.e., (λ i ( )) < 0 for i = 1, . . . , n if and only if the following condition is satisfied which can also be written as r υ > | (λ i (A))| | (λ i (A))| , for i = 1, . . . , n which is satisfied for all i if r υ > θ, leading to the second inequality in (14). This completes the proof.
Remark 5: The design of gains β, γ as given in (14) relies on the eigenvalues of A, which implies that the network topology has to be known a priori. However, the implementation of control law (7) is distributed since each node makes decisions based on its local and neighbouring information, as evident from (7) and (8).
Finally, the following theorem shows that the approximate leader-follower consensus (4) is ensured in the presence of unknown but bounded attacks.
Remark 6: Various control strategies, such as robust control, adaptive control, and observer-based methods, have been proposed in the literature to ensure consensus in the presence of external disturbances, also known as practical consensus. However, these strategies suffer from at least one of the following limitations: (i) the control law depends on the existence of a solution to Linear Matrix Inequalities; (ii) the network's topology is undirected; (iii) the rate of change of the disturbance is bounded; (iv) they do not consider attacks on the communication network when the information being exchanged is corrupted. More importantly, these strategies do not guarantee the privacy of the physical state of the agents. In contrast, the resilient control proposed in our work overcomes all of the above limitations and protects the agents' physical state from eavesdroppers.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

B. Privacy-Preserving Leader-Follower Consensus
Next, we show that the proposed control input (7) and (8) do not only ensure resilient leader-follower consensus in the presence of unknown attacks but also protect the physical states x i (t) for i = 0, 1, . . . , n from eavesdropper.
Proof: First, we consider an external adversary. Since the adversary only listens to y i j,1 (t), y i j,2 (t) for j = 0, 1, . . . , n and does not know the structure of (5)-(8), it is not possible for the adversary to estimate the physical states x j (t) solely from y i j,1 (t), y i j,2 (t). Next, consider node i who is honest-but-curious and aims to estimate physical state x j (t), j ∈ N i \{0} from the information y i j,1 (t), y i j,2 (t) that it receives. Node i knows the structure of y i j,1 (t), y i j,2 (t) and the values of β and γ but he/she does not know the values of z j (t), p i j,1 (t) and p i j,2 (t) which are not shared directly by node j. Therefore, in order to learn its neighbouring node's physical state x j (t) node i has to solve at each time t the underdetermined systems of linear equations given in (5), that is two linear equations with four unknown variables. An underdetermined linear system in general has infinitely many solutions, if any. Hence, it is not possible for the follower node i to accurately estimate the physical state x j (t).
Remark 7: An honest-but-curious node will eventually learn about x 0 (t) as x i (t) converges close to x 0 (t), see Theorem 1. When there are multiple (but non-cooperative in estimating the physical state) honest-but-curious nodes, as the injections p i j,1 (t), p i j,2 (t) can be designed independently for each link we still have an underdetermined linear system as observed from (5) and thus the privacy can still be ensured. Thorough analysis of multiple curious nodes who aim to cooperatively estimate the physical state is subject to future work.
Remark 8: In the absence of attacks, i.e., when δ i (t), δ i (t) are all zero, the physical states x i (t) do not converge exactly to x 0 (t), i.e., > 0, due to the time varying signals p 1 0,1 (t), p 1 0,2 (t) which are not necessarily vanishing asymptotically. The tracking accuracy can then be improved by increasing the gains β and γ .

IV. A NUMERICAL EXAMPLE
Consider a cooperative system consisting of four follower nodes (n = 4) whose network topology is shown in Fig. 2. In order to better illustrate the results we set x 0 (t) = 2. Moreover, the dynamics of the attacks in (11) is given byδ( It is shown in Fig. 3a that for a standard leader-follower consensus, i.e., by setting β = 0 in (10), the attacker could prevent the follower nodes from tracking the physical state of the leader node.  Next, we apply the proposed resilient leader-follower consensus algorithms (7), (8) where the gains are set to β = 95, γ = 100. Furthermore, the time-varying signals p i j,1 (t), p i j,2 (t) are set to be a combination of sinusoidal signals of different amplitude, frequency, and phase. Fig. 3b shows the trajectory of the follower nodes. It can be observed that x i (t), i = 1, 2, 3, 4 converge to a small neighbourhood of the leader node's physical state x 0 (t) = 2. Furthermore, the control input of the follower nodes is shown in Fig. 3c. The control input is mainly affected by the gains β, γ . Now, let us consider a scenario where an external adversary aims to steal the information of the leader node's physical state x 0 by tapping the communication link from the leader node to follower node 1. In order to protect its physical state, instead of sending the physical state x 0 the leader node sends the masked state y 1 0,1 (t), y 1 0,2 (t) defined in (5) to follower node 1. It can be observed from Fig. 4 that the masked physical state y 1 0,1 (t), y 1 0,2 (t) are completely different from x 0 . Furthermore, even though x 0 is constant, the masked information is time varying and does not converge to a constant value. Since the adversary does not know the structure of the masked state in (5) and the time-varying signals p 1 0,1 (t), p 1 0,2 (t), it is not possible for the external adversary to learn the physical state x 0 from the exchanged information y 1 0,1 (t), y 1 0,2 (t). Finally, assume that node 4 is curious to know the trajectory of node 3. In order to protect its physical state trajectory, instead of sending the physical state x 3 (t) node 3 sends the masked state y 4 3,1 (t), y 4 3,2 (t) which are different from the true Fig. 4. The information (masked physical state) y 1 0,1 (t), y 1 0,2 (t) that leader node sends to follower node 1. Fig. 5. Instead of sending the true physical state x 3 (t), node 3 sends the masked physical state y 4 3,1 (t), y 4 3,2 (t) to node 4. Note that the exchanged information are different from the physical state of node 3. Node 4, who is curious, is not able to estimate the physical state of node 3 from the information that it receives as discussed in Section III-B. state x 3 (t) as can be observed from Fig. 5. Since the virtual states z 3 (t) and time varying signals p 4 3,1 (t), p 4 3,2 (t) are local information of node 3 and are not exchanged with the other nodes, it is not possible for node 4 to estimate x 3 (t) from p 4 3,1 (t), p 4 3,2 (t) as it needs to solve at each time two linear equations with four unknown variables.

V. CONCLUSION AND FUTURE WORK
This letter proposes a unified control framework that ensures both resilient leader-follower consensus against unknown malicious injections and protection of the physical state of the agents from eavesdropper. The strategy does not require high network connectivity and imposes no restrictions on the number of attacks. Simulation results validate the efficacy of the proposed resilient control algorithm. Future work includes the consideration of input and safety constraints within the proposed resilient control framework.