Secure distributed adaptive optimal coordination of nonlinear cyber-physical systems with attack diagnosis

Liwei An [email protected] Guang-Hong Yang [email protected] College of Information Science and Engineering, Northeastern University, Shenyang 110819, P.R.China State Key Laboratory of Synthetical Automation for Process Industries, Northeastern University, Shenyang 110819, P.R.China

Abstract

This paper studies the problem of distributed optimal coordination (DOC) for a class of nonlinear large-scale cyber-physical systems (CPSs) in the presence of cyber attacks. A secure DOC architecture with attack diagnosis is proposed that guarantees the attack-free subsystems to achieve the output consensus which minimizes the sum of their objective functions, while the attacked subsystems converge to preset secure states. A two-layer DOC structure is established with emphasis on the interactions between cyber and physical layers, where a command-driven control law is designed that generates provable optimal output consensus. Differing from the existing fault diagnosis methods which are generally applicable to given failure types, the focus of the attack diagnosis is to achieve detection and isolation for arbitrary malicious behaviors. To this end, double coupling residuals are generated by a carefully-designed distributed filter. The adaptive thresholds with prescribed performance are designed to enhance the detectability and isolability. It is theoretically guaranteed that any attack signal cannot bypass the designed attack diagnosis methodology to destroy the convergence of the DOC algorithm, and the locally-occurring detectable attack can be isolated from the propagating attacks from neighboring subsystems. Simulation results for the motion coordination of multiple remotely operated underwater vehicles illustrate the effectiveness of the proposed architecture.

keywords:

Cyber-physical systems, distributed optimization, attack diagnosis, nonlinear systems, adaptive control.

^†^†thanks: This paper was not presented at any IFAC meeting. Corresponding author: Guang-Hong Yang. Tel. +XXXIX-VI-mmmxxi. Fax +XXXIX-VI-mmmxxv.

1 Introduction

Recently, Cyber-Physical Systems (CPSs), which closely connect cyber and physical worlds, have gained much research interest in many fields, such as computer field, control field, battle field. By utilizing the close interaction between cyber and physical parts, the “intelligence” of physical systems can be sufficiently enhanced in order to fulfil some complex, precise or dangerous tasks, such as remote diagnosis, deep sea exploration [1]. However, the networked connection between cyber and physical parts also often leads to large attack space, such that the CPSs are vulnerable to various types of adversarial attacks. Some famous examples such as the Maroochy water breach [2] and Stuxnet [3] indicate the CPS security as a fundamental issue to be studied.

With potential applications of distributed optimization in large-scale CPSs [21], many important results on discrete- or continuous-time DO algorithms have been reported [4, 5, 6, 7, 8]. In these algorithms, each individual (or said agent in multi-agent systems) only performs the designed optimization dynamics, ignoring its own dynamics. Note that the physical dynamic systems are usually indispensable parts for achieving DO task, such as the cooperative search of radio sources [9], the motion coordination [14] and the distributed optimal power flow [10, 11]. Hence, it is relevant to study the distributed optimization problems together with physical dynamics, termed distributed optimal coordination (DOC). In fact, the DOC can be completed based on the CPS architecture by effectively combining of cyber computation/communication and physical dynamics/control [12]. Recently, many important results for DOC have been reported for multi-agent system with various physical dynamics by designing integrated closed-loop control laws, such as integrator-type dynamics [13, 14, 15], continuous-time linear dynamics [16, 17], Euler-Lagrangian dynamics [12]. More references for DOC can be found in [18]. Motivated by these and considering the non-ignorable nonlinear uncertain dynamics in many physical agents [40, 41, 12], this paper investigates the DOC problem for a class of certain nonlinear large-scale systems on the CPS platforms.

Given the growing threat of malicious attacks in large-scale (and safety-critical) CPSs, the vulnerability of consensus-based DOC algorithms is also with respect to cyber attacks. Hence, the other main objective of this paper is to address the issue of security of consensus-based DOC dynamics by providing certain safety guarantees based on attack diagnosis. The recent works [20, 21, 22] also consider the problem of resilient DO under different adversarial models than the ones that we consider here, and the agent’s own physical dynamics is not considered there. Other related important works on distributed/decentralized sensor fault diagnosis and secure state estimation against sensor attacks for large-scale CPSs have been reported in [24, 25, 26, 27, 28, 29, 30]. In the existing fault diagnosis and fault-tolerant results, the fault detectors are in general designed for given failure types [42, 43], such as loss of effectiveness [27], bias faults [24, 25, 26]. As we will see later, in our problem formulation the attack model can be considered to contain infinite number of failure types and one cannot afford to construct a fault detector for each possible failure type. In [28, 29, 30], the attack-resilient mechanisms are designed in the presence of arbitrary adversarial behaviors under the framework of distributed estimation, outside of DOC framework.

In this paper, we propose a secure DOC architecture for a class of nonlinear large-scale CPSs in the presence of cyber attacks. The overall architecture consists of cyber and physical parts, and each physical subsystem is modeled as a nonlinear parametric strict-feedback system equipped with a dedicated decision-making agent in the cyber superstratum. The cyber core (multi-agent network) focuses on the design of DOC and attack diagnosis, and the physical part performs the corresponding optimization task following the cyber-core control command. The objective is to steer the physical systems to achieve the output consensus at the minimizer of a given team performance function in a distributed fashion and provide certain safety guarantees based on attack diagnosis. The contributions of this paper are threefold.

The first contribution of this paper is, differing from the existing integrated closed-loop control schemes proposed in [12, 13, 14, 15, 16, 17], to propose a two-layer DOC structure where the cyber-layer optimizer generates a control command which is transmitted to the physical-layer control for local regulation. To overcome the difficulty caused by the dynamic mismatch between the traditional DO algorithms [4, 5, 6, 7, 8] and adaptive backstepping control systems [36, 37, 38, 39], a novel command-driven control strategy is designed. It is proved that the proposed algorithm ensures all subsystems to achieve the optimal consensus under the healthy (attack-free) environment.

As the second contribution, we provide the design and analysis of an attack detection and isolation (ADI) methodology. The existing fault diagnosis schemes are usually designed for given fault types [42, 43] and cannot guarantee the detectability for arbitrary malicious behaviors in theory. Also, due to the coupling effects of multiple propagated attacks on the physical dynamics and cyber dynamics which are interacted, the attack isolation becomes more challenging. To this end, double coupling residuals and analytical redundancy relations (ARRs) are generated by a carefully-designed distributed filter. The adaptive thresholds with prescribed performance are designed to enhance the detectability and isolability. It is theoretically guaranteed that any attack signal cannot bypass the ADI methodology to destroy the convergence of the DOC algorithm, and the locally-occurring detectable attacks can be isolated from the propagating attacks from the neighboring subsystems.

The last contribution is to develop a secure version of the DOC protocol based on the ADI methodology, which can provide a safety guarantee in the sense that the healthy physical subsystems (satisfying ARRs) reach the output consensus at the optimal solution of the sum of their objective functions, while the attacked physical subsystems (not satisfying ARRs) converge to preset secure states.

2 Preliminaries

2.1 Notations

The symbols $\mathbb{R}$ and $\mathbb{B}$ denote the set of real and Boolean numbers, respectively. $\mathbb{C}^{n}_{m}$ represents the set of $n$ -order differentiable $m$ -dimension function vectors. The cardinality of a set $\mathbb{S}$ is denoted by $|\mathbb{S}|$ . $\otimes$ and $\circ$ stand for the Kronecker product and Hadamard product, respectively. For a given time interval $\Xi$ , $\nu(\Xi)$ represents its Lebesgue measure. $\mathrm{sgn}(\cdot)$ represents the sign function. Denote $1_{N}=[1,\cdots,1]^{T}\in\mathbb{R}^{N}$ . For a vector sequence $\{Y^{(j)}\}_{j=1}^{N}$ , we denote the notation $Y=\mathrm{vec}(Y^{(1)},\cdots,$ $Y^{(N)})$ if not specified.

2.2 Graph theory

A weighted undirected graph $\mathcal{G}=(\mathcal{V},\mathcal{E},A)$ consists of $N$ vertices (or nodes, or agents in multi-agent networks) $\mathcal{V}=\{v_{1},\cdots,v_{N}\}$ , a set of edges (or links) $\mathcal{E}\subset\mathcal{V}\times\mathcal{V}$ and an adjacency matrix $A=\{w_{ij}\}_{N\times N}$ with nonnegative element $w_{ij}>0$ if $(v_{i},v_{j})\in\mathcal{E}$ and $w_{ij}=0$ otherwise. The neighbors of vertex $v_{i}\in\mathcal{V}$ are denoted by the set $\mathbf{N}_{i}=\{v_{j}\in\mathcal{V}:(v_{j},v_{i})\in\mathcal{E}\}$ . The Laplacian matrix $\mathcal{L}=(l_{ij})_{N\times N}$ associated with graph $\mathcal{G}$ is defined as $l_{ii}=\sum_{j=1}^{N}w_{ij}$ and $l_{ij}=-w_{ij}$ for $i\neq j$ . For an undirected graph, the matrix $\mathcal{L}$ is symmetric and semi-positive. A path from vertex $v_{i}$ to vertex $v_{j}$ in graph $\mathcal{G}$ is a sequence of edges $(v_{i},v_{i_{1}}),(v_{i_{1}},v_{i_{2}}),\cdots,(v_{i_{k}},v_{j})$ in the graph with distinct nodes $v_{i_{k}}\in\mathcal{V}$ . An undirected graph is connected if there is a path from every vertex to other vertex in the graph.

3 DOC architecture

Consider a CPS consisting of $N$ subsystems, which aims at achieving the DOC task. The $j$ th subsystem, $j=1,\cdots,N$ is described by the pair $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ , where $\mathcal{C}^{(j)}$ denotes the cyber part which is responsible for task decision-making, while $\mathcal{P}^{(j)}$ denotes the physical part which is responsible for task execution. The physical part $\mathcal{P}^{(j)}$ is modeled as a nonlinear dynamical system

\Sigma^{(j)}:\left\{\begin{aligned} \dot{x}_{i}^{(j)}(t)=&x_{i+1}^{(j)}(t)+\varphi_{i}^{(j)}(\bar{x}_{i}^{(j)}(t))\theta_{j}\\ \dot{x}_{n}^{(j)}(t)=&\beta_{j}u^{(j)}(t)+\varphi_{n}^{(j)}(x^{(j)}(t))\theta_{j},\\ y^{(j)}(t)=&x_{1}^{(j)}(t)+a^{(j)}(t)\end{aligned}\right.

(1)

where $i=1,\cdots,n-1$ , $x_{i}^{(j)}(t)\in\mathbb{R}^{m}$ , $\bar{x}_{i}^{(j)}(t)=\mathrm{vec}(x_{1}^{(j)}(t),\cdots,x^{(j)}_{i}(t))$ $\in\mathbb{R}^{im}$ , $x^{(j)}(t)=\mathrm{vec}(x^{(j)}_{1}(t),\cdots,$ $x^{(j)}_{n}(t))\in\mathbb{R}^{nm}$ is the measurable state; $u^{(j)}(t)\in\mathbb{R}^{m}$ is the control input; $\varphi_{i}^{(j)}(\bar{x}^{(j)}(t))\in\mathbb{R}^{m\times p}$ and $\beta_{j}\in\mathbb{R}^{m\times m}$ are known nonsingular matrix; $\theta_{j}\in\mathbb{R}^{p}$ is unknown constant; $y^{(j)}(t)\in\mathbb{R}^{m}$ is the output measurement transmitted to the cyber superstratum through a wireless network channel and $a^{(j)}(t)\in\mathbb{R}^{m}$ denotes the cyber attacks corrupting the sensor transmitting signal. In particular, in order to provide security guarantees against worst case adversarial behavior, we allow the adversarial attacker to know the overall system model, system state, control input and the possible fault detector $\mathfrak{D}$ (e.g., distributed adaptive observers [24, 25, 26]) equipped on the CPS. Thus, the attack signal can be modeled as

a^{(j)}(t)=\kappa^{(j)}(t-T_{a}^{(j)})\phi^{(j)}(x(t),u(t),\mathfrak{D},t-T_{a}^{(j)})

where $\kappa^{(j)}(t)$ is the time profile and $\phi^{(j)}(\cdot,\cdot,\cdot,\cdot)\in\mathbb{R}^{m}$ is an unknown function that occurs at the unknown time instant $T_{a}^{(j)}$ . We make no assumption on $\phi^{(j)}(\cdot,\cdot,\cdot,\cdot)$ , which may be any (such as unbounded, discontinuous) function vector. The time profile of the attack is modeled as $\kappa^{(j)}(r)=0$ if $r<0$ and $\kappa^{(j)}(r)=1$ otherwise. Multiple cyber attacks may occur simultaneously or sequentially, for example, $T_{a}^{(1)}\leq\cdots\leq T_{a}^{(j^{\prime})}$ with $j^{\prime}\leq N$ .

Remark 1. System (1) can represent many practical systems such as mobile robots, chemical reactors, wind tunnels, and autonomous vehicles [36]. Some extensive researches for system (1) in presence of external disturbances, actuator failures, etc., have been studied well [37, 38, 39] (these are easily extended to the current framework and thus no longer considered here). Particularly, the works in [40, 41] investigated the adaptive leader-following consensus control of system (1). In this paper, the problem of DOC further minimizes a given team performance function on the basis of consensus.

Remark 2. In general, the fault detector $\mathfrak{D}$ is designed for given failure types and cannot guarantee the detectability for arbitrary malicious behaviors in theory. Due to adversary’s strategic design, here we can assume that the attack signal $a^{(j)}(t)$ in system (1) denotes a strategic attack model which can potentially bypass the fault detector $\mathfrak{D}$ to destroy the system convergence based on the knowledge of system and detector $\mathfrak{D}$ (see stealthy attack design methods against various fault detectors, e.g., [32, 33, 34, 35] and references therein).

Refer to caption — Figure 1: Secure DOC architecture of the $j$ th subsystem of CPS affected by cyber attacks.

The overall DOC architecture of the considered CPS is illustrated in Fig. 1. Similar CPS architectures can also be found in [31, 26]. The cyber part $\mathcal{C}^{(j)}$ consists of a decision-making multi-agent network. Each decision-making agent, denoted by $\mathcal{D}^{(j)}$ , is responsible for sending the control command $\Im^{(j)}$ to $\Sigma^{(j)}$ . The agent $\mathcal{D}^{(j)}$ contains an optimization module and a monitoring module, denoted by $\mathcal{O}^{(j)}$ and $\mathcal{M}^{(j)}$ , respectively. The module $\mathcal{O}^{(j)}$ is used to optimize its local objective function, while exchanging its information with its neighbors under a network topology $\mathcal{G}$ . Since the adversarial attackers can perform the attack $a^{(j)}(t)$ to corrupt the communication $y^{(j)}(t)$ from physical stratum to cyber stratum, a cyber attack in the subsystem $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ can also be propagated to neighbors via the information exchange between the agent $\mathcal{D}^{(j)}$ and its neighboring agents. This complicates the identification of attacked subsystems. To address it, each module $\mathcal{M}^{(j)}$ is used to detect and isolate the cyber attack $a^{(j)}$ . In the physical part $\mathcal{P}^{(j)}$ , the control module $\mathcal{K}^{(j)}$ consisting of an inner-loop stabilizing module $\mathcal{K}^{(I,j)}$ and an outer-loop tracking module $\mathcal{K}^{(O,j)}$ drives the physical dynamics in accordance with the control command $\Im^{(j)}$ coming from the decision-making agent $\mathcal{D}^{(j)}$ . Fig. 1 illustrates that sufficient interaction between cyber and physical parts in the CPS architecture.

Objective of this paper: Design the decision-making agent $\mathcal{D}^{(j)}$ (including the optimization module $\mathcal{O}^{(j)}$ and the monitoring module $\mathcal{M}^{(j)}$ ) and the control agent $\mathcal{K}^{(j)}$ , such that

1) Optimality: Under the healthy (attack-free) condition, all the physical subsystems cooperatively reach the optimal output that minimizes the following team performance function:

\min\sum_{j=1}^{N}g^{(j)}(s),~{}s\in\mathbb{R}^{m}

(2)

where $g^{(j)}:\mathbb{R}^{m}\to\mathbb{R}$ is a local performance function privately known to the agent $\mathcal{D}^{(j)}$ ; and all the closed-loop signals of the physical system are uniformly ultimately bounded (UUB).

2) Security: Detect and isolate multiple cyber attacks occurring at the network communication between physical stratum and cyber superstratum, and guarantee that the attacked subsystem $\mathcal{P}^{(j)}$ , $j\in\mathbf{N}_{a}$ converges to a given secure state $y_{s}^{(j)}$ , while the healthy subsystems achieve the output consensus at the optimal solution of

\min\sum_{j\in\mathbf{N}_{h}}g^{(j)}(s),~{}s\in\mathbb{R}^{m}

(3)

where $\mathbf{N}_{h}$ represents the index set of the healthy subsystems, i.e., $\mathbf{N}_{h}=\{j\in\{1,\cdots,N\}:a^{(j)}(t)=0,\forall t\geq 0\}$ , and $\mathbf{N}_{a}=\{1,\cdots,N\}\backslash\mathbf{N}_{h}$ .

Here we consider the scenario that the communication from physical stratum to cyber superstratum can be attacked, while the communication from the cyber superstratum to the physical stratum is secure [35]. For example, for the GPS spoofing attacks on multiple Unmanned Aerial Vehicles (UAVs) [45], the GPS attacker in fact can tamper with the location information transmitted from the UAV to the ground station, but cannot tamper with the control command from the ground station to the UAV or other communications among the ground stations. Indeed, in many practical situations, the adversarial attackers may also tamper with the control command $\Im^{(j)}$ transmitted from cyber superstratum to physical stratum or communication among decision-making agents in the cyber superstratum; however, the design of the attack diagnosis and attack-tolerant strategy is beyond the scope of this paper.

Assumption 1. The function $g^{(j)}$ is differentiable and convex for all $j=1,\cdots,N$ .

Assumption 2. The graph $\mathcal{G}$ of the network is undirected and connected.

Remark 3. Assumptions 1 and 2 are common in the DO or DOC literature [8, 12, 13, 14, 15, 16, 17, 21]. In fact, many practical optimization problems can be formalized by the current convex DOC problem or approximated by it using convex relaxation, such as the motion coordination [14], target aggregation [12], search of radio sources [12], optimal power flow [10], and so on. The DOC problems for pure-integrator dynamics [13, 14, 15], Euler-Lagrangian systems [12] and linear time-invariant systems [16, 17] have been studied well. This paper further considers more complex nonlinear case (system (1)). Note that a simple combination of traditional DO algorithms [4, 5, 6, 7, 8] and adaptive backstepping controls [36, 37, 38, 39] will cause the mismatch between (cyber) optimization dynamics and physical dynamics and resultantly cannot guarantee the overall convergence.

Let $y_{r}^{(j)}$ denote the estimate of agent $\mathcal{D}^{(j)}$ about the value of the solution to (3) and denote $y_{r}=\mathrm{vec}(y_{r}^{1},\cdots,y_{r}^{N})$ and $L=\mathcal{L}\otimes I_{m}$ . Then problem (3) is equivalent to

\min g(y_{r})=\sum_{j=1}^{N}g^{(j)}(y_{r}^{(j)}),~{}\mathrm{subject~{}to}~{}Ly_{r}=0

(4)

Since $g(y_{r})$ is convex and the constraint in (4) is linear, the constrained optimization problem is feasible. The following lemma gives the analysis on the optimal solution of (4).

Lemma 1 [8]. Under Assumptions 1 and 2, define by

G(y,v)=g(y)+y^{T}Lv+\frac{1}{2}y^{T}Ly.

Then $G$ is differentiable and convex in its first argument and linear in its second, and:

(i) if $(y^{*},v^{*})$ is a saddle point of $G$ , then $y^{*}$ is a solution of (4);

(ii) if $y^{*}$ is a solution of (4), then there exists $v^{*}$ with $Lv^{*}=-\nabla g(y^{*})$ such that $(y^{*},v^{*})$ is a saddle point of $G$ .

In what follows, we present the resilient DOC scheme by three steps. First, under the healthy conditions, we provide a basic version of DOC protocol (Section 4); Second, under the adversarial conditions, an ADI methodology is proposed to identify the attacked subsystems (Section 5); Third, the final secure DOC scheme is derived by formulating appropriate ADI-based attack countermeasure strategy for the basic version (Section 6).

Remark 4. In the cyber superstratum, all the decision-making agents $\mathcal{D}^{(j)}$ themselves are assumed to be healthy in the sense that they will follow any algorithm that we prescribe. However, due to the occurrence of cyber attack $a^{(j)}$ , the agent $\mathcal{D}^{(j)}$ and its neighbors will receive false measurements $y^{(j)}$ and thus be induced as “malicious” agents in network topology. Moreover, these agents also send false data to other healthy agents and cause cascading failures [19]. These tamped measurements allow the corrupted agents to update their states to arbitrary values such that the corresponding physical subsystems follow false decision commands. In this paper, a resilient DOC algorithm will be developed, where the corresponding secure countermeasure based on an ADI method can effectively avoid the occurrences of “malicious agents” and cascading failures.

4 Basic DOC under healthy environment

This section deals with the designs of the optimization module $\mathcal{O}^{(j)}$ and control agent $\mathcal{K}^{(j)}$ that form a basic DOC scheme under healthy conditions, i.e., $a^{(j)}(t)=0$ for any $t\geq 0$ and $j\in\{1,\cdots,N\}$ . In the sequel, we drop the time argument of the signals for notational brevity.

4.1 DOC control algorithm

The model of the optimization module $\mathcal{O}^{(j)}$ is designed as the following algorithm

\mathcal{O}^{(j)}:\left\{\begin{aligned} \dot{y}_{r}^{(j)}=&-\nabla g^{(j)}(y_{r}^{(j)})-\tilde{v}^{\mathbf{N}_{j}}\\ &-(1+\eta)\sum_{i\in\mathbf{N}_{j}}w_{ji}(y^{(j)}-y^{(i)})\\ \dot{v}^{(j)}=&\sum_{i\in\mathbf{N}_{j}}w_{ji}(y^{(j)}-y^{(i)})\\ \Im^{(j)}=&(y_{r}^{(j)},\nabla g^{(j)}(y_{r}^{(j)}),\tilde{v}^{\mathbf{N}_{j}})\end{aligned}\right.

(5)

where $\tilde{v}^{\mathbf{N}_{j}}=\sum_{i\in\mathbf{N}_{j}}w_{ji}(v^{(j)}-v^{(i)})\in\mathbb{R}^{m}$ , and $y_{r}^{(j)}\in\mathbb{R}^{m}$ and $v^{(j)}\in\mathbb{R}^{m}$ represent the agent state vectors; $\nabla g^{(j)}$ is the gradient of $g^{(j)}$ and $\eta>0$ is a design parameter, and $\Im^{(j)}\in\mathbb{R}^{m}\times\mathbb{R}^{m}\times\mathbb{R}^{m}$ is the output that serves as a control command transmitted to the physical subsystem $\mathcal{P}^{(j)}$ .

Next, we present the design of control agent $\mathcal{K}^{(j)}$ which consists of inner-loop module $\mathcal{K}^{(I,j)}$ and outer-loop module $\mathcal{K}^{(O,j)}$ following the control command $\Im^{(j)}$ . First, we define the following changes of coordinates

\displaystyle z_{1}^{(j)}=x_{1}^{(j)}-y_{r}^{(j)},~{}~{}z_{i}=x_{i}^{(j)}-\alpha_{i-1}^{(j)},~{}~{}i=2,\cdots,n

(6)

where $\alpha_{i}^{(j)}=\alpha_{i,I}^{(j)}+\alpha_{i,O}^{(j)}$ is the virtual control function determined at the $i$ th step and spitted into two parts: inner-loop control $\alpha_{i,I}^{(j)}$ and outer-loop control $\alpha_{i,O}^{(j)}$ . Similarly, $u^{(j)}=u_{I}^{(j)}+u_{O}^{(j)}$ is the control input consisting of inner-loop control $u_{I}^{(j)}$ and outer-loop control $u_{O}^{(j)}$ . They can be respectively expressed as follows:

$\bullet$ Inner-loop control $\mathcal{K}^{(I,j)}(x^{(j)},\Im^{(j)})$

	$\displaystyle\alpha_{1,I}^{(j)}=-c_{1}^{(j)}z_{1}^{(j)}-\hat{\rho}^{(j)}z_{1}^{(j)}-\omega_{1}^{(j)}\hat{\lambda}^{(j)}+\hat{\pi}^{(j)}-S\left(\frac{z_{1}^{(j)}}{\delta^{(j)}}\right)$
	$\displaystyle\alpha_{i,I}^{(j)}=-z_{i}^{(j)}-c_{i}^{(j)}z_{i}^{(j)}-\omega_{i}^{(j)}\hat{\lambda}^{(j)}+\Lambda_{i}^{(j)}$		(7)
	$\displaystyle u_{I}^{(j)}=\beta_{j}^{-1}\negthickspace\left[-z_{n}^{(j)}-c_{n}^{(j)}z_{n}^{(j)}-\omega_{n}^{(j)}\hat{\lambda}^{(j)}+\Lambda_{n}^{(j)}\right]$		(8)

The corresponding update laws are given as

$\displaystyle\dot{\hat{\lambda}}^{(j)}$	$\displaystyle=\Gamma^{(j)}\tau_{n}^{(j)}$	(9)
$\displaystyle\dot{\rho}^{(j)}$	$\displaystyle=\gamma_{0}^{(j)}\\|z_{1}^{(j)}\\|^{2}$	(10)
$\displaystyle\dot{\pi}^{(j)}$	$\displaystyle=\gamma^{(j)}_{1}z_{1}^{(j)}$	(11)

where

	$\displaystyle\tau_{1}^{(j)}$	$\displaystyle=\omega_{1}^{(j)}z_{1}^{(j)},~{}\tau_{i}^{(j)}=\tau_{i-1}^{(j)}+\omega_{i}^{(j)}z_{i}^{(j)}$
	$\displaystyle\omega_{i}^{(j)}$	$\displaystyle=\psi_{i}^{(j)}-\sum_{k=1}^{i-1}\frac{\partial\alpha_{i-2,I}^{(j)}}{\partial x_{k}^{(j)}}\psi_{k}^{(j)}$
	$\displaystyle\Lambda_{i}^{(j)}$	$\displaystyle=\sum_{k=1}^{i-1}\frac{\partial\alpha_{i-1,I}^{(j)}}{\partial x_{k}^{(j)}}x_{k+1}^{(j)}+\frac{\partial\alpha_{i-1,I}^{(j)}}{\partial\hat{\lambda}^{(j)}}\Gamma^{(j)}\tau_{i}^{(j)}$
		$\displaystyle+\sum_{k=2}^{i-1}\frac{\partial\alpha_{k-1,I}^{(j)}}{\partial\hat{\lambda}^{(j)}}\Gamma^{(j)}w_{i}^{(j)}z_{k}^{(j)}+\frac{\partial\alpha_{i-1,I}^{(j)}}{\partial\hat{\pi}^{(j)}}\dot{\hat{\pi}}^{(j)}$
	$\displaystyle S\left(\frac{z_{1}^{(j)}}{\delta^{(j)}}\right)$	$\displaystyle=\frac{1}{2}\ln\left(1+\frac{z_{1}^{(j)}}{\delta^{(j)}}\right)-\frac{1}{2}\ln\left(1-\frac{z_{1}^{(j)}}{\delta^{(j)}}\right)$

with $\delta^{(j)}(t)$ being an exponentially decaying function with lower bound $k_{b}^{(j)}$ such that $|z_{1,s}^{(j)}(0)|<\delta^{(j)}(0)$ , and $z_{1,s}^{(j)}$ denotes the $s$ th ( $s=1,\cdots,m$ ) element of $z_{1}^{(j)}$ ; $\psi_{1}^{(j)}=\mathrm{diag}\{\varphi_{1}^{(j)}(x_{1}^{(j)}),0\}$ , $\psi_{i}^{(j)}=\mathrm{diag}\{\varphi^{(j)}_{i}(\bar{x}_{i}^{(j)}),z_{i}^{(j)}\}$ for $i=2,\cdots,N$ ; and $\hat{\lambda}^{(j)}$ , $\hat{\rho}^{(j)}$ and $\hat{\pi}^{(j)}$ are the estimates of $\lambda^{(j)}=:[\theta_{j}^{T},\mu]^{T}$ with $\mu=:((1+\eta)^{2}\|L\|+\|L\|^{3})\Pi^{2}/2$ , $\rho^{(j)}:=(2n-1+\eta)\|L\|$ and $\pi^{(j)}=:\sum_{i\in\mathbf{N}_{j}}(v^{(j)}_{*}-v^{(i)}_{*})$ , respectively, where $\Pi$ is defined in the appendix; $\Gamma^{(j)}$ is a positive definite matrix and $\gamma_{0}^{(j)}$ , $\gamma_{1}^{(j)}$ and $c_{i}^{(j)}$ for $i=1,\cdots,n$ are positive constants, all chosen by users. Here the nonlinear function $S(\cdot)$ is introduced to constrain the bound of tracking error $z_{1}^{(j)}$ , motivated by the prescribed performance technique [39], which will play an important role in enhancing the sensitivity and robustness of the ADI scheme (refer to Remark 7).

$\bullet$ Outer-loop control $\mathcal{K}^{(O,j)}(\Im^{(j)})$

$\displaystyle\alpha_{1,O}^{(j)}=$	$\displaystyle-\nabla g^{(j)}(y_{r}^{(j)})-2\tilde{v}^{\mathbf{N}_{j}}$	(12)
$\displaystyle\alpha_{i,O}^{(j)}=$	$\displaystyle-\frac{\partial\alpha_{i-1,O}^{(j)}}{\partial y_{r}^{(j)}}\left[\nabla g^{(j)}(y_{r}^{(j)})+\tilde{v}^{\mathbf{N}_{j}}\right]$	(13)
$\displaystyle u_{O}^{(j)}=$	$\displaystyle-\beta_{j}^{-1}\frac{\partial\alpha_{n-1,O}^{(j)}}{\partial y_{r}^{(j)}}\left[\nabla g^{(j)}(y_{r}^{(j)})+\tilde{v}^{\mathbf{N}_{j}}\right]$	(14)

Algorithm 1: DOC under healthy environment DO algorithm (Module $\mathcal{O}(y)$ ):

$\displaystyle\dot{y}_{r}=$	$\displaystyle-\nabla g(y_{r})-Lv-(1+\eta)Ly$	(15)
$\displaystyle\dot{v}=$	$\displaystyle Ly$
$\displaystyle\Im=$	$\displaystyle(y_{r},\nabla g(y_{r}),\tilde{v})$

where $\nabla g(y_{r})=\mathrm{vec}(\nabla g^{(1)}(y_{r}^{(1)}),\cdots,\nabla g^{(N)}(y_{r}^{(N)}))$ and $\tilde{v}=\mathrm{vec}(\tilde{v}^{\mathbf{N}_{1}},\cdots,\tilde{v}^{\mathbf{N}_{N}})$ . Adaptive tracking control (Module $\mathcal{K}(x,\Im)$ ):

Inner-loop control $\mathcal{K}^{I}(x,\Im)$ :

$\displaystyle\alpha_{1,I}=$	$\displaystyle-C_{1}z_{1}-\hat{\rho}z_{1}-\omega_{1}\hat{\lambda}+\hat{\pi}-S\left(\frac{z_{1}}{\delta}\right)$	(16)
$\displaystyle\alpha_{i,I}=$	$\displaystyle-z_{i}-C_{i}z_{i}-\omega_{i}\hat{\lambda}+\sum_{k=1}^{i-1}\frac{\partial\alpha_{i-1}}{\partial x_{k}}x_{k+1}$
	$\displaystyle+\frac{\partial\alpha_{i-1}}{\partial\hat{\lambda}}\Gamma\tau_{i}+\sum_{k=2}^{n-1}\frac{\partial\alpha_{k-1}}{\partial\hat{\lambda}}\Gamma w_{i}z_{k}+\frac{\partial\alpha_{i-1}}{\partial\hat{\pi}}\dot{\hat{\pi}}$	(17)
$\displaystyle u_{I}=$	$\displaystyle B^{-1}\left[-z_{n}-C_{n}z_{n}-\omega_{n}\hat{\lambda}+\sum_{k=1}^{n-1}\frac{\partial\alpha_{n-1}}{\partial x_{k}}x_{k+1}\right.$
	$\displaystyle\left.+\frac{\partial\alpha_{n-1}}{\partial\hat{\lambda}}\Gamma\tau_{n}+\sum_{k=2}^{n-1}\frac{\partial\alpha_{k-1}}{\partial\hat{\lambda}}\Gamma w_{i}z_{k}+\frac{\partial\alpha_{n-1}}{\partial\hat{\pi}}\dot{\hat{\pi}}\right]$	(18)

where $C_{i}=\mathrm{diag}\{c^{(1)}_{i},\cdots,c^{(N)}_{i}\}$ , $\hat{\rho}=\mathrm{diag}\{\hat{\rho}^{(1)},\cdots,\hat{\rho}^{(N)}\}$ , $\Gamma=\mathrm{diag}\{\Gamma^{(1)},\cdots,\Gamma^{(N)}\}$ , $B=\mathrm{diag}\{\beta_{1},\cdots,\beta_{N}\}$ , $S(z_{1}/\delta)=[S(z_{1}^{(1)}/\delta^{(1)}),\cdots,S(z_{1}^{(N)}/\delta^{(N)})]$ , $\psi_{i}=\mathrm{diag}\{\psi^{(1)}_{i},$ $\cdots,\psi^{(N)}_{i}\}$ , $\omega_{i}=\mathrm{diag}\{\omega^{(1)}_{i},\cdots,\omega^{(N)}_{i}\}$ and

	$\displaystyle\tau_{1}$	$\displaystyle=\omega_{1}z_{1}$
	$\displaystyle\tau_{i}$	$\displaystyle=\tau_{i-1}+\omega_{i}z_{i}$
	$\displaystyle\omega_{i}$	$\displaystyle=\psi_{i}-\sum_{k=1}^{i-1}\frac{\partial\alpha_{i-2}}{\partial x_{k}}\psi_{k}$

Outer-loop control $\mathcal{K}^{O}(\Im)$ :

$\displaystyle\alpha_{1,O}=$	$\displaystyle-\nabla g(y_{r})-2Lv$	(19)
$\displaystyle\alpha_{i,O}=$	$\displaystyle-\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}\left[\nabla g(y_{r})+Lv\right]$	(20)
$\displaystyle u_{O}=$	$\displaystyle-B^{-1}\frac{\partial\alpha_{n-1,O}}{\partial y_{r}}\left[\nabla g(y_{r})+Lv\right]$	(21)

where $i=2,\cdots,n-1$ and $\Gamma_{0}=\mathrm{diag}\{\gamma^{(1)}_{0},\cdots,\gamma^{(N)}_{0}\}$ . Update laws:

$\displaystyle\dot{\lambda}$	$\displaystyle=\Gamma\tau_{n}$	(22)
$\displaystyle\dot{\rho}$	$\displaystyle=\Gamma_{0}z_{1}\circ z_{1}$	(23)
$\displaystyle\dot{\pi}$	$\displaystyle=\Gamma_{1}z_{1}$	(24)

where $\Gamma_{0}=\mathrm{diag}\{\gamma^{(1)}_{0},\cdots,\gamma^{(N)}_{0}\}$ and $\Gamma_{1}=\mathrm{diag}\{\gamma^{(1)}_{1},\cdots,$ $\gamma^{(N)}_{1}\}$ .

It can be seen that, the DOC structure consists of two-layer dynamics: the optimization dynamics $\mathcal{O}^{(j)}$ and the physical dynamics $(\Sigma^{(j)},\mathcal{K}^{(j)})$ which interact with each other over the communication signals $y^{(j)}$ and $\Im^{(j)}$ (see Fig. 1). Such an architecture also illustrates the CPS’s feature that the cyber and physical worlds are integrated. In the inner-loop $\mathcal{K}^{(I,j)}$ , a traditional adaptive backstepping controller [36] (i.e., let $\|L\|=0$ ) with slight modifications is applied to stabilize the nonlinear strict-feedback system; In the outer-loop $\mathcal{K}^{(O,j)}$ , a tracking controller is constructed in order to guarantee that the system output can well track the control command $y_{r}^{(j)}$ coming from the cyber superstratum. It can be seen that the control laws of the physical systems do not change with the change of the control commands. Summarizing the above procedure (5)-(14), we derive Algorithm 1 for the DOC of the overall CPS under healthy environment.

4.2 Convergence analysis

In the section, we discuss the convergence of the proposed DOC algorithm. The main result is stated in the following theorem whose proof is placed in Appendix I.

Theorem 1. Under Assumptions 1 and 2, the closed-loop CPS $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ with $(\mathcal{K}^{(j)},\mathcal{O}^{(j)})$ , $j=1,\cdots,N$ achieves output consensus at an optimal solution $y^{\star}$ of problem (2), i.e., $\lim_{t\to\infty}y^{(j)}(t)=y^{\star}$ and all the closed-loop signals are UUB in the absence of cyber attacks if $\eta>2(n-1)$ .

Remark 5. Differing from the previous works [12, 13, 14, 15, 16, 17] where the integrated closed-loop control laws are designed, this paper presents a new two-layer control structure based on the traditional DO algorithms [4, 5, 6, 7, 8] and adaptive backstepping controls [36, 37, 38, 39]. Note that the main challenge focuses on how to eliminate the dynamics mismatch between two layers and generate provable optimal consensus. From the proof of Theorem 1 (see (50), (55) and (60)), the dynamics compensation between cyber dynamics $\mathcal{O}^{(j)}$ and physical dynamics $(\Sigma^{(j)},\mathcal{K}^{(j)})$ guarantees the convergence of the overall CPS, where the adaptive mechanism (9)–(11) plays a key role.

5 Distributed ADI

This section deals with the design of the monitoring module $\mathcal{M}^{(j)}$ , $j\in\{1,\cdots,N\}$ . The ADI structure follows the standard one of fault detection and isolation (FDI), formulated by the ARRs of residuals and detection thresholds, e.g., [26, 25]. However, in this section we will focus on achieving the detection and isolation for arbitrary malicious behaviors by constructing new residuals and thresholds. Also, due to the coupling effects of multiple propagated attacks on the physical dynamics and optimization dynamics, the design of attack diagnosis becomes more challenging.

Before giving the main result of this section, we make the following assumption.

Assumption 3. The unknown parameter vector $Z:=\mathrm{vec}(y^{*},v^{*},\theta,\|L\|)$ lies in a known bounded convex set

\Upsilon_{Z}=\{Z\in\mathbb{R}^{N(2m+p)+1}:\sigma(Z)\leq 0\}

where $\sigma(Z)$ is a convex function.

Assumption 3 is common in the existing results for fault diagnosis [25, 26, 37], and this is also necessary to detect the attack in transient response phase. It implies that the upper bounds of $y^{*},v^{*},\theta$ and $\|L\|$ , say, $y_{M},v_{M},\theta_{M},L_{M}$ , can be obtained, respectively. Noting that $V(0)$ depends on the unknown vector $Z$ , then we define function $\Omega(Z):=V(0)$ and $\bar{\Omega}:=\sup_{Z\in\Upsilon_{Z}}\Omega(Z)$ , where $V$ is the Lyapunov function defined in proof of Theorem 1.

5.1 Design of ADI methodology

The ADI methodology consists of detection filter, adaptive threshold and decision logic. Next, we will give detailed design procedures.

5.1.1 Detection filter and residual generation

Now, we design a distributed filter to generate residuals for detecting attacks. According to the dynamics structure (5) of $\mathcal{O}^{(j)}$ , the monitoring module $\mathcal{M}^{(j)}$ is designed as

\displaystyle\mathcal{M}^{(j)}:\left\{\begin{aligned} \dot{\hat{y}}_{r}^{(j)}=&-\nabla g^{(j)}(\hat{y}_{r}^{(j)})-\tilde{v}^{\mathbf{N}_{j}}\\ &-(1+\eta)\sum_{i\in\mathbf{N}_{j}}w_{ji}(\hat{y}_{r}^{(j)}-y^{(i)})\\ \dot{\hat{v}}^{(j)}=&\sum_{i\in\mathbf{N}_{j}}w_{ji}[(\hat{y}_{r}^{(j)}-y^{(i)})-(v^{(j)}-\hat{v}^{(j)})]\end{aligned}\right.

(25)

where $\hat{y}_{r}^{(j)}\in\mathbb{R}^{m}$ and $\hat{v}^{(j)}\in\mathbb{R}^{m}$ are the estimates of $y_{r}^{(j)}$ and $v^{(j)}$ (even $y_{r}^{(j)}$ and $v^{(j)}$ are available for $\mathcal{M}^{(j)}$ ), respectively, based on the local communication signals $y^{(i)}$ and $v^{(i)}$ , $i\in\{j\}\cup\mathbf{N}_{j}$ . Further, we define two residuals

	$\displaystyle e^{(j)}_{r}$	$\displaystyle=y^{(j)}_{r}-\hat{y}^{(j)}_{r}$		(26)
	$\displaystyle e^{(j)}_{v}$	$\displaystyle=v^{(j)}-\hat{v}^{(j)}$		(27)

Taking (5) and (25) into account, the error dynamics can be expressed as

$\displaystyle\dot{e}_{r}^{(j)}=$	$\displaystyle-[\nabla g^{(j)}(y_{r}^{(j)})-\nabla g^{(j)}(\hat{y}_{r}^{(j)})]$
	$\displaystyle-\eta^{(j)}(e_{r}^{(j)}+z_{1}^{(j)})-\eta^{(j)}a^{(j)}$	(28)
$\displaystyle\dot{e}_{v}^{(j)}=$	$\displaystyle-w_{\mathbf{N}_{j}}(e_{v}^{(j)}-e_{r}^{(j)}-z_{1}^{(j)})+w_{\mathbf{N}_{j}}a^{(j)}$	(29)

where $w_{\mathbf{N}_{j}}=\sum_{i\in\mathbf{N}_{j}}w_{ji}$ and $\eta^{(j)}=(1+\eta)w_{\mathbf{N}_{j}}$ .

It is noted that the error dynamics (28)–(29) has a decentralized form where only own information is used in each error dynamics. The feature means that the coupling effects of the propagated attacks $a^{(i)},i\in\mathbf{N}_{j}$ on the residuals $e^{(j)}_{r}$ and $e^{(j)}_{v}$ caused by the optimization dynamics have been removed such that the locally occurring attack $a^{(j)}$ can be isolated. Later, we will further address the coupling effects of the propagated attacks on the residuals caused by the physical dynamics $z_{1}^{(j)}$ . Moreover, to enhance the attack detectability and remove the existence of stealthy attacks, double coupling residuals have been used here.

If the sensor transmitted information $y^{(j)}$ is not affected by local attack $a^{(j)}$ , the error dynamics under healthy conditions, denoted by $(e_{r,H}^{(j)},e_{v,H}^{(j)})$ , can be expressed by

$\displaystyle\dot{e}_{r,H}^{(j)}=$	$\displaystyle-[\nabla g^{(j)}(y_{r}^{(j)})-\nabla g^{(j)}(\hat{y}_{r}^{(j)})]$
	$\displaystyle-\eta^{(j)}(e_{r,H}^{(j)}+z_{1}^{(j)})$	(30)
$\displaystyle\dot{e}_{v,H}^{(j)}=$	$\displaystyle-w_{\mathbf{N}_{j}}(e_{v,H}^{(j)}-e_{r,H}^{(j)}-z_{1}^{(j)})$	(31)

The stability of the estimation error dynamics under healthy conditions is analyzed in the following lemma whose proof is placed in Appendix II.

Lemma 2. The residuals under the healthy conditions $e_{r,H}^{(j)}(t)$ and $e_{v,H}^{(j)}(t)$ satisfy

$\displaystyle\\|e_{r,H}^{(j)}(t)\\|\leq$	$\displaystyle e^{-\eta^{(j)}t}e_{r,H}^{(j)}(0)+\Psi(\eta^{(j)},z_{1}^{(j)}(t),0,t)$	(32)
$\displaystyle\\|e_{v,H}^{(j)}(t)\\|\leq$	$\displaystyle e^{-w_{\mathbf{N}_{j}}t}e_{v,H}^{(j)}(0)$
	$\displaystyle+\Psi(w_{\mathbf{N}_{j}},e_{r,H}^{(j)}(t)+z_{1}^{(j)}(t),0,t)$	(33)

where $\Psi(a,h(t),t_{0},t):=a\int_{\tau=t_{0}}^{t}e^{a(\tau-t)}\|h(\tau)\|d\tau$ .

5.1.2 Construction of adaptive thresholds

The $j$ th detection thresholds, denoted by $\bar{e}_{r,H}^{(j)}(t)$ and $\bar{e}_{v,H}^{(j)}(t)$ , are designed based on the bounds of residuals $e_{r}^{(j)}(t)$ and $e_{v}^{(j)}(t)$ under the healthy conditions, respectively. It is noted that the right-hand sides of (32) and (33) cannot be directly used as the thresholds because $z_{1}^{(j)}=x_{1}^{(j)}-y_{r}^{(j)}$ ( $\neq\tilde{z}_{1}^{(j)}$ ) is unavailable for the modules $\mathcal{O}^{(j)}$ and $\mathcal{M}^{(j)}$ due to the existence of cyber attack $a^{(j)}$ . To derive an available and reasonable threshold, a heuristic idea is to give a robust design w.r.t. the unknown “disturbance-like” term $z_{1}^{(j)}$ which, intrinsically, reflects the effects of physical dynamics on the residuals. Hence, we bound the $j$ th tracking error $z_{1}^{(j)}$ under the healthy conditions in the following lemma whose proof is placed in Appendix III.

Lemma 3. Under Assumption 3, the servo tracking error $z_{1}^{(j)}$ under healthy conditions (i.e., $a^{(j)}=0$ ) satisfies $\|z_{1}^{(j)}(t)\|^{2}/(2c_{1}^{(j)})+\int_{\tau=0}^{t}\|z_{1}^{(j)}(\tau)\|^{2}d\tau\leq\bar{\Omega}/c_{1}^{(j)}$ and $\|z_{1}^{(j)}(t)\|<\sqrt{m}\delta^{(j)}(t)$ .

Remark 6. An intuitive method for the ADI design may assess the change of error signal $\tilde{z}_{1}^{(j)}:=y^{(j)}-y_{r}^{(j)}$ based on Lemma 3, because $\tilde{z}_{1}^{(j)}=z_{1}^{(j)}$ under the healthy conditions and $\tilde{z}_{1}^{(j)}=z_{1}^{(j)}+a^{(j)}$ under cyber attacks. However, we emphasize that the error $\tilde{z}^{(j)}_{1}$ cannot be directly used as the residual to detect and isolate the cyber attacks because $y_{r}^{(j)}$ may be simultaneously affected by multiple propagated attacks $a^{(i)},i\in\mathbf{N}_{j}$ and the locally occurring attack $a^{(j)}$ . The adversarial attacker may cooperatively design the stealthy attacks to degrade the system performance while avoiding detection [32, 33, 34].

Next, we design the detection threshold based on the bound of $z_{1}^{(j)}(t)$ under the healthy condition. To be specific, from Lemma 3, one has $z_{1}^{(j)}(t)\in\Delta^{\delta^{(j)}}_{z}$ where $\Delta^{\delta^{(j)}}_{z}:=\{z(t)\in\mathbb{C}^{n}_{m}:\frac{1}{2c_{1}^{(j)}}\|z(t)\|^{2}+\int_{\tau=0}^{t}\|z(\tau)\|^{2}d\tau\leq\frac{\bar{\Omega}}{c_{1}^{(j)}},\|z(t)\|\leq\sqrt{m}\delta^{(j)}(t)\}$ . Substituting the relation into (32) and (33) yields that

	$\displaystyle\\|e_{r,H}^{(j)}(t)\\|\leq$	$\displaystyle e^{-\eta^{(j)}t}e_{r,H}^{(j)}(0)$
		$\displaystyle+\sup_{z_{1}^{(j)}(t)\in\Delta^{\delta^{(j)}}_{z}}\Psi(\eta^{(j)},z_{1}^{(j)}(t),0,t)$
	$\displaystyle\\|e_{v,H}^{(j)}(t)\\|\leq$	$\displaystyle e^{-w_{\mathbf{N}_{j}}t}e_{v,H}^{(j)}(0)$
		$\displaystyle+\sup_{z_{1}^{(j)}(t)\in\Delta^{\delta^{(j)}}_{z}}\Psi(w_{\mathbf{N}_{j}},e_{r,H}^{(j)}(t)+z_{1}^{(j)}(t),0,t)$

Thus, we define the two adaptive thresholds

	$\displaystyle\bar{e}_{r,H}^{(j)}(t)$	$\displaystyle=e^{-\eta^{(j)}t}e_{r,H}^{(j)}(0)+\bar{\Psi}^{(j)}_{\Delta_{z}^{\delta^{(j)}}}(\eta^{(j)},0,t)$
	$\displaystyle\bar{e}_{v,H}^{(j)}(t)$	$\displaystyle=e^{-w_{\mathbf{N}_{j}}t}e_{v,H}^{(j)}(0)+\bar{\Psi}^{(j)}_{\Delta_{ez}^{\delta^{(j)}}}(w_{\mathbf{N}_{j}},0,t)$

where $\Delta_{ez}^{\delta^{(j)}}:=\{e+z:\|e\|\leq\bar{e}_{r,H}^{(j)},~{}z\in\Delta_{z}^{\delta^{(j)}}\}$ and $\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}}(a,t_{0},t):=\sup_{h(t)\in\Delta^{\delta^{(j)}}}a\int_{\tau=t_{0}}^{t}e^{a(\tau-t)}\|h(\tau)\|d\tau$ .

Remark 7. From (28) and (29), multiple propagated attacks have coupling effects on residuals $e^{(j)}_{r}$ and $e^{(j)}_{v}$ over the physical dynamics. To address it, in the inner-loop control module $\mathcal{K}^{(I,j)}$ the modified prescribed performance technique is used to restrict the bound of tracking error $z^{(j)}_{1}$ (introduce the nonlinear function $S$ into $\alpha_{1,I}^{(j)}$ ). As a result, the detection thresholds, or further the proposed ADI method, are robust against the multiple propagated attacks. Especially, the prescribed performance bound constraint $\|z^{(j)}_{1}(t)\|<\sqrt{m}\delta^{(j)}(t)$ is incorporated and contributes to smaller thresholds (from the definition of $\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{z}}(a,t_{0},t)$ ) and restrain the coupling effects of propagated attacks $a^{(i)},i\in\mathbf{N}_{j}$ on $e^{(j)}_{r}$ and $e^{(j)}_{v}$ such that the sensitivity and isolability to the cyber attacks are improved.

5.1.3 Decentralized ADI decision logic

The ADI decision logic implemented in each module $\mathcal{M}^{(j)}$ is based on the ARR, denoted by $\mho^{(j)}(t)$ , which is defined as

\displaystyle\mho^{(j)}(t)=\mho^{(j,r)}(t)\cup\mho^{(j,v)}(t)

(34)

where

		$\displaystyle\mho^{(j,r)}(t):~{}\\|e_{r,H}^{(j)}(t)\\|\leq\bar{e}_{r,H}^{(j)}(t)$
		$\displaystyle\mho^{(j,v)}(t):~{}\\|e_{v,H}^{(j)}(t)\\|\leq\bar{e}_{v,H}^{(j)}(t).$

If $\mho^{(j)}(t)$ is violated, $\mathcal{M}^{(j)}$ will generate an alarm.

The decentralized ADI decision logic is formulated by considering the sensitivity w.r.t local cyber attacks $a^{(j)}$ and the isolability w.r.t propagated cyber attacks $a^{(i)}$ , $i\in\mathbf{N}_{j}$ , which are summarized in the following theorem.

Theorem 2. Consider the ARR $\mho^{(j)}(t)$ defined in (34). The following statements are satisfied:

a): Attack sensitivity: If there is a time instant $T_{d}^{(j)}$ when $\mho^{(j)}(T_{d}^{(j)})$ is not satisfied, then the occurrence of the local cyber attack $a^{(j)}$ is guaranteed.
b): Attack isolability: If the transmitted sensor information $y^{(j)}$ is not affected by cyber attack $a^{(j)}$ , then the ARR $\mho^{(j)}(t)$ is always satisfied even in the presence of the propagated cyber attacks $a^{(i)}$ , $i\in\mathbf{N}_{j}$ .

Proof. a) For sake of contradiction, we suppose that no communication attack $a^{(j)}$ has occurred, then $\mho^{(j)}(t)$ is always satisfied according to Lemma 2.

b) Under the condition that $a^{(j)}=0$ , even though the propagated cyber attack $a^{(i)}$ may exist, $i\in\mathbf{N}_{j}$ , the estimation error dynamics (28)-(29) reduces to (30)-(31), respectively. Then (32) and (33) are valid and, consequently, $\mho^{(j)}(t)$ is always satisfied. $\hfill{}\blacksquare$

Compared with the existing FDI results [24, 25, 26], we have introduced the following techniques to improve the detectability and isolability for attacks:

•

Double coupling residuals are adopted, which will play a key role in removing stealthy attacks (see Lemma 6).
•

The modified prescribed performance technique is applied to enhance the sensitivity and isolability to the cyber attacks (See Remark 7).

5.2 Detectability analysis and avoidance of stealthy attacks

In this section, we will evaluate the attack detectability of the proposed ADI methodology. We first give some properties of functions $\bar{\Psi}^{(j)}_{\Delta_{z}^{(j)}}(a,t_{0},t)$ and $\bar{\Psi}^{(j)}_{\Delta_{ez}^{(j)}}(a,t_{0},t)$ in the adaptive thresholds, which are important for analyzing the detectability performance of the ADI methodology.

Lemma 4. Let $\delta^{(j)}(t)=(k_{0}^{(j)}e^{-c^{(j)}t}+k_{b}^{(j)})/\sqrt{m}$ , where $k_{0}^{(j)}$ , $k_{b}^{(j)}$ and $c^{(j)}(\neq a)$ are positive design parameters such that $|z_{1,s}^{(j)}(0)|<\delta^{(j)}(0),~{}s=1,\cdots,m$ . Then

(a) $\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{z}}(a,0,t)\leq k_{b}^{(j)}(1-e^{-at})+\frac{ak_{0}^{(j)}}{a-c^{(j)}}(e^{-c^{(j)}t}-e^{-at})$ ;

(b) $\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{ez}}(a,0,t)\leq 2k_{b}^{(j)}(1-e^{-at})+\frac{(2a-c^{(j)})ak_{0}^{(j)}}{(a-c^{(j)})^{2}}(e^{-c^{(j)}t}-e^{-at})+a\left[k_{b}^{(j)}+\frac{ak_{0}^{(j)}}{a-c^{(j)}}+e_{r,H}^{(j)}(0)\right]te^{-at}$ ;

(c) $\int_{t=0}^{\infty}\bar{\Psi}^{(j)2}_{\Delta^{\delta^{(j)}}_{z}}(a,0,t)dt\leq\bar{\Omega}/c_{1}^{(j)}$ , $\int_{t=0}^{\infty}\bar{\Psi}^{(j)2}_{\Delta^{\delta^{(j)}}_{ez}}(a,0,t)dt\leq 2\bar{\Omega}/c_{1}^{(j)}$ .

Proof. (a) Note that $\Psi^{(j)}(a,h(t),0,t)$ increases as $\|h(t)\|$ increases. Based on the constraint $\|h(t)\|\leq k_{0}^{(j)}e^{-c^{(j)}t}+k_{b}^{(j)}$ , we have

\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{z}}(a,0,t)\leq a\int_{\tau=0}^{t}e^{a(\tau-t)}(k_{0}^{(j)}e^{-c^{(j)}t}+k_{b}^{(j)})d\tau

By direct computation, the inequality in (a) holds.

(b) Based on (a) and using similar analysis, the proof can be completed.

(c) Let $h^{*}(t):=\arg\sup_{h(t)\in\Delta^{\delta^{(j)}}_{z}}a\int_{\tau=0}^{t}e^{a(\tau-t)}\|h(\tau)\|d\tau$ , i.e., $\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{z}}(a,t_{0},t)=a\int_{\tau=0}^{t}e^{a(\tau-t)}\|h^{*}(\tau)\|d\tau$ . Since $\Delta^{\delta^{(j)}}_{z}$ is a compact set, $h^{*}(t)$ satisfies $\int_{\tau=0}^{\infty}\|h^{*}(\tau)\|^{2}d\tau\leq\bar{\Omega}/c_{1}^{(j)}$ .

To show (c), we construct the auxiliary dynamics

\dot{\chi}(t)=-a\chi(t)+a\|h^{*}(t)\|,~{}\chi(0)=0

(35)

By integrating the dynamics we can find $\chi(t)=\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{z}}(a,t_{0},t)$ . On the other hand, considering the Lyapunov function $V=\chi^{2}/2$ , its derivative along with (35) satisfies

	$\displaystyle\dot{V}=$	$\displaystyle\chi(-a\chi+a\\|h^{*}\\|)$
	$\displaystyle\leq$	$\displaystyle-aV+\frac{a}{2}\\|h^{*}\\|^{2},$

integrating two sides of which yields $\int_{t=0}^{\infty}\chi^{2}(t)dt\leq\bar{\Omega}/c_{1}^{(j)}$ . Using similar procedure to $\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{ez}}(a,0,t)$ , it is easily obtained that $\int_{t=0}^{\infty}\bar{\Psi}^{(j)2}_{\Delta^{\delta^{(j)}}_{ez}}(a,0,t)dt\leq 2\bar{\Omega}/c_{1}^{(j)}$ . $\hfill{}\blacksquare$

From Lemma 4-(c), one has $\lim_{t\to\infty}\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{z}}(a,0,t)=0$ and $\lim_{t\to\infty}\bar{\Psi}^{(j)}_{\Delta^{\delta^{(j)}}_{ez}}(a,0,t)=0$ following Barbalat’s Lemma. It means that only if $\mho^{(j)}(t)$ is satisfied, the bound functions $\bar{e}_{r,H}^{(j)}(t)$ and $\bar{e}_{v,H}^{(j)}(t)$ will converge to zero, which in turn implies that $e_{r}^{(j)}(t)$ and $e_{v}^{(j)}(t)$ converge to zero. Lemma 4-(a) and -(b) give prescribed performance bounds of $\bar{\Psi}^{(j)}_{\Delta_{z}^{\delta^{(j)}}}$ and $\bar{\Psi}^{(j)}_{\Delta_{ez}^{\delta^{(j)}}}$ . By replacing $\bar{\Psi}^{(j)}_{\Delta_{z}^{\delta^{(j)}}}$ and $\bar{\Psi}^{(j)}_{\Delta_{ez}^{\delta^{(j)}}}$ with the prescribed performance bounds, we can obtain low-complexity thresholds. However, such relaxations will weaken the detectability and extend the detection time. Also, two modified thresholds converge to $k_{b}^{(j)}$ and $2k_{b}^{(j)}$ instead of zero, which may generate the stealthy attacks. Nevertheless, we can choose $k_{b}^{(j)}$ to be sufficiently small such that the effects of the stealthy attacks resulted from the relaxation are sufficiently small.

To examine the sensitivity of attacks that can be detectable by the proposed attack detection scheme, the following attack detectability is analyzed.

Lemma 5 (Detectable attacks). The cyber attack $a^{(j)}$ occurring at the CPS $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ is detected using the ARR $\mho^{(j)}$ , if there exists some time instant $T_{d}^{(j)}>T_{a}^{(j)}$ ( $T_{a}^{(j)}$ is the first time instant of attack $a^{(j)}$ occurrence) such that the attack satisfies

	$\displaystyle\eta^{(j)}\left\\|\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{\eta^{(j)}(t-T_{d}^{(j)})}a^{(j)}(t)dt\right\\|>$
	$\displaystyle 2e^{\eta^{(j)}(T_{a}^{(j)}-T_{d}^{(j)})}\\|e_{r}^{(j)}(T_{a}^{(j)})\\|+\bar{\Psi}^{(j)}_{\Delta_{z}^{\delta^{(j)}}}(\eta^{(j)},T_{a}^{(j)},T_{d}^{(j)})$
	$\displaystyle+\eta^{(j)}\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{\eta^{(j)}(t-T_{d}^{(j)})}\left\\|\nabla g^{(j)}(y_{r}^{(j)}(t))\right.$
	$\displaystyle\left.-\nabla g^{(j)}(\hat{y}_{r}^{(j)}(t))+\eta^{(j)}z_{1}^{(j)}(t)\right\\|dt$		(36)

	$\displaystyle w_{\mathbf{N}_{j}}\left\\|\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{w_{\mathbf{N}_{j}}(t-T_{d}^{(j)})}a^{(j)}(t)dt\right\\|$
$\displaystyle>$	$\displaystyle 2e^{w_{\mathbf{N}_{j}}(T_{a}^{(j)}-T_{d}^{(j)})}\\|e_{v}^{(j)}(T_{a}^{(j)})\\|+\bar{\Psi}^{(j)}_{\Delta_{ez}^{\delta^{(j)}}}\negthickspace(w_{\mathbf{N}_{j}},T_{a}^{(j)},T_{d}^{(j)})$
	$\displaystyle+w_{\mathbf{N}_{j}}\negthickspace\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{w_{\mathbf{N}_{j}}(t-T_{d}^{(j)})}\left\\|e_{r}^{(j)}(t)+z_{1}^{(j)}(t)\right\\|dt$	(37)

then the attack $a^{(j)}(t)$ is detected at the time $t=T_{d}^{(j)}$ .

Proof. After the first occurrence of the attack $a^{(j)}$ , i.e., $t>T_{a}^{(j)}$ , the time derivative of $e_{r}^{(j)}(t)$ becomes

	$\displaystyle\dot{e}_{r}^{(j)}=$	$\displaystyle-[\nabla g^{(j)}(y_{r}^{(j)})-\nabla g^{(j)}(\hat{y}_{r}^{(j)})]$
		$\displaystyle-\eta^{(j)}(e_{r}^{(j)}+z_{1}^{(j)})+\eta^{(j)}a^{(j)}$

Integrating both sides and applying the triangular inequality yield

	$\displaystyle\\|e_{r}^{(j)}(T_{d}^{(j)})\\|\geq$	$\displaystyle\eta^{(j)}\left\\|\int_{t=T_{f}}^{T_{d}^{(j)}}e^{\eta^{(j)}(t-T_{d}^{(j)})}a^{(j)}(t)dt\right\\|$
		$\displaystyle-e^{\eta^{(j)}(T_{a}^{(j)}-T_{d}^{(j)})}\\|e_{r}^{(j)}(T_{a}^{(j)})\\|$
		$\displaystyle-\eta^{(j)}\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{\eta^{(j)}(t-T_{d}^{(j)})}\left\\|\nabla g^{(j)}(y_{r}^{(j)}(t))\right.$
		$\displaystyle\left.-\nabla g^{(j)}(\hat{y}_{r}^{(j)}(t))+\eta^{(j)}z_{1}^{(j)}(t)\right\\|dt,$

substituting (36) into which yields

	$\displaystyle\\|e_{r}^{(j)}(T_{d}^{(j)})\\|>$	$\displaystyle e^{\eta^{(j)}(T_{a}^{(j)}-T_{d}^{(j)})}e_{r}^{(j)}(T_{a}^{(j)})$
		$\displaystyle+\bar{\Psi}^{(j)}_{\Delta_{z}^{\delta^{(j)}}}(\eta^{(j)},T_{a}^{(j)},t).$

Following the similar analysis, (37) guarantees

	$\displaystyle\\|e_{v}^{(j)}(T_{d}^{(j)})\\|>$	$\displaystyle e^{w_{\mathbf{N}_{j}}(T_{a}^{(j)}-T_{d}^{(j)})}e_{v}^{(j)}(T_{a}^{(j)})$
		$\displaystyle+\bar{\Psi}^{(j)}_{\Delta_{ez}^{\delta^{(j)}}}(w_{\mathbf{N}_{j}},T_{a}^{(j)},t).$

From the definition of $\mho^{(j)}(t)$ , the attack $a^{(j)}(t)$ satisfying (36) or (37) provokes the violation of ARR $\mho^{(j)}(t)$ and resultantly $a^{(j)}(t)$ is detected when $t=T_{d}^{(j)}$ . $\hfill{}\blacksquare$

The inequalities (36)-(37) characterize the class of detectable cyber attacks under the worst-case detectability. The computation of detection time $T_{d}^{(j)}$ may be somewhat conservative. However, differing from the fault, the attacker may strategically design the (worst-case) attack to extend the detection time as much as possible. Thus, the real-time detection time may sufficiently approach to $T_{d}^{(j)}$ but not exceed than it. In general, from (36)-(37), if the cyber attack on the time interval $[T_{a}^{(j)},T_{d}^{(j)}]$ is sufficiently large, then the attack can be detected. However, a crafty attacker may ingeniously inject the attack signals which are not detected by the proposed distributed ADI scheme, yet degrade the system performance. The following lemma 6 gives the property of the undetectable attack.

Lemma 6 (Undetectable attacks). Suppose that the cyber attack $a^{(j)}(t)$ occurring at the subsystem $(\mathcal{P}^{(j)},$ $\mathcal{C}^{(j)})$ is undetectable by the ARR $\mho^{(j)}$ . Then

\displaystyle\int_{t=T_{a}^{(j)}}^{\infty}\left(\int_{\tau=T_{a}^{(j)}}^{t}e^{w_{\mathbf{N}_{j}}(\tau-t)}\|a^{(j)}(\tau)\|d\tau\right)^{2}dt\leq M

(38)

where $M=4\|e_{v}^{(j)}(T_{a}^{(j)})\|^{2}/w_{\mathbf{N}_{j}}^{4}+16\bar{\Omega}/(c_{1}^{(j)}w_{\mathbf{N}_{j}}^{2})$ . Moreover, $\int_{t=T_{a}^{(j)}}^{\infty}\|a^{(j)}(t)\|^{2}dt<+\infty$ .

Proof. If the attack $a^{(j)}(t)$ occurring at time $T_{a}^{(j)}$ is not detectable, from Lemma 5, then for any $t\geq T_{a}^{(j)}$ ,

		$\displaystyle w_{\mathbf{N}_{j}}\left\\|\int_{\tau=T_{a}^{(j)}}^{t}e^{w_{\mathbf{N}_{j}}(\tau-t)}a^{(j)}(\tau)d\tau\right\\|$
	$\displaystyle\leq$	$\displaystyle 2e^{w_{\mathbf{N}_{j}}(T_{a}^{(j)}-t)}\\|e_{v}^{(j)}(T_{a}^{(j)})\\|+2\bar{\Psi}^{(j)}_{\Delta_{ez}^{\delta^{(j)}}}(w_{\mathbf{N}_{j}},T_{a}^{(j)},t)$		(39)

Consider the right-hand side of (39). Taking square and integral consecutively to each term yields

		$\displaystyle 4\\|e_{v}^{(j)}(T_{a}^{(j)})\\|^{2}\int_{t=T_{a}^{(j)}}^{\infty}e^{2w_{\mathbf{N}_{j}}(T_{a}^{(j)}-t)}dt\leq\frac{2\\|e_{v}^{(j)}(T_{a}^{(j)})\\|^{2}}{w_{\mathbf{N}_{j}}},$
		$\displaystyle 4\int_{t=T_{a}^{(j)}}^{\infty}\bar{\Psi}^{(j)2}_{\Delta_{ez}^{\delta^{(j)}}}(w_{\mathbf{N}_{j}},T_{a}^{(j)},t)dt\leq\frac{8\bar{\Omega}}{c_{1}^{(j)}}.$

where the second inequality follows from Lemma 4-(c).

Then using the Cauchy-Buniakowsky-Schwarz inequality, one has

	$\displaystyle 4\int_{t=T_{a}^{(j)}}^{\infty}(e^{w_{\mathbf{N}_{j}}(T_{a}^{(j)}-t)}\\|e_{v}^{(j)}(T_{a}^{(j)})\\|$
	$\displaystyle+\bar{\Psi}^{(j)}_{\Delta_{ez}^{\delta^{(j)}}}(w_{\mathbf{N}_{j}},T_{a}^{(j)},t))^{2}dt$
	$\displaystyle\leq\frac{4\\|e_{v}^{(j)}(T_{a}^{(j)})\\|^{2}}{w_{\mathbf{N}_{j}}^{2}}+\frac{16}{c_{1}^{(j)}}\bar{\Omega}$		(40)

Combining (39) and (40), Eq. (38) follows at once. Further, $\lim_{t\to\infty}\int_{\tau=T_{a}^{(j)}}^{t}e^{w_{\mathbf{N}_{j}}(\tau-t)}a^{(j)}(\tau)d\tau=0$ .

Next, to prove $\int_{t=T_{a}^{(j)}}^{\infty}\|a^{(j)}(t)\|^{2}dt<+\infty$ , we consider the error dynamics

\dot{e}_{v}^{(j)}=-w_{\mathbf{N}_{j}}(e_{v}^{(j)}-e_{r}^{(j)}-z_{1}^{(j)})+w_{\mathbf{N}_{j}}a^{(j)}.

Noting that $\mho^{(j)}$ is always satisfied, then $e_{r}^{(j)},e_{v}^{(j)},z_{1}^{(j)}\in L_{2}$ from Lemma 4-(c). Therefore, there exist a sufficiently big $T\geq T_{a}^{(j)}$ and a time interval $\Xi_{v}$ with $\nu(\Xi_{v})=0$ such that

\frac{a^{(j)}_{s}(t)}{e_{v,s}^{(j)}(t)}<1,~{}\forall t\in[T,\infty)\backslash\Xi_{v}

which means that there exists a function $\bar{\phi}_{v}(t)\leq 0$ such that

\displaystyle\|a^{(j)}(t)\|\negthickspace<\|e_{v}^{(j)}(t)\|~{}\mathrm{or}~{}a^{(j)}(t)=\bar{\phi}_{v}(t)\mathrm{sgn}(e_{v}^{(j)}(t))

(41)

for any $t\in[T,\infty)\backslash\Xi_{v}$ , where $a_{s}^{(j)}$ and $e^{(j)}_{v,s}$ represent the $s$ th element of $a^{(j)}$ and $e^{(j)}_{v}$ . Applying similar procedure to $\dot{e}_{r}^{(j)}=-[\nabla g^{(j)}(y_{r}^{(j)})-\nabla g^{(j)}(\hat{y}_{r}^{(j)})]-\eta^{(j)}(e_{r}^{(j)}+z_{1}^{(j)})+\eta^{(j)}a^{(j)}$ , there exist $\bar{\phi}_{r}(t)\leq 0$ and $\Xi_{r}$ with $\nu(\Xi_{r})=0$ such that

\displaystyle\|a^{(j)}(t)\|\negthickspace<\|e_{r}^{(j)}(t)\|~{}\mathrm{or}~{}a^{(j)}(t)=\bar{\phi}_{r}(t)\mathrm{sgn}(e_{r}^{(j)}(t))

(42)

for any $t\in[T,+\infty)\backslash\Xi_{r}$ .

Compared (41) with (42), and noting that the equality

\mathrm{sgn}(e_{v}^{(j)}(t))=\mathrm{sgn}(e_{r}^{(j)}(t)),\forall t\in[T,+\infty)\backslash(\Xi_{r}\cup\Xi_{v})

does not hold, it yields that $\|a^{(j)}(t)\|<\|e_{r}^{(j)}(t)\|$ or $\|a^{(j)}(t)\|<\|e_{v}^{(j)}(t)\|$ for any $t\in[T,+\infty)\backslash(\Xi_{r}\cup\Xi_{v})$ , which guarantees $\int_{t=T_{a}^{(j)}}^{\infty}\|a^{(j)}(t)\|^{2}dt<+\infty$ . $\hfill{}\blacksquare$

Lemma 6 implies that any undetectable attack must belong to $L_{2}$ . From its proof, we can see the design of double coupling residuals plays a key role in removing the existence of stealthy attacks $a^{(j)}(t)=\bar{\phi}_{r}(t)\mathrm{sgn}(e_{r}^{(j)}(t))$ against $\mho^{(j,r)}$ or $a^{(j)}(t)=\bar{\phi}_{v}(t)\mathrm{sgn}(e_{v}^{(j)}(t))$ against $\mho^{(j,v)}$ . Now, we give the main result of this section.

Theorem 3. Under Assumptions 1-3, the closed-loop CPS $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ with $(\mathcal{K}^{(j)},\mathcal{D}^{(j)}(\mathcal{O}^{(j)},$ $\mathcal{M}^{(j)}))$ achieves output consensus at an optimal solution of problem (2) and all the closed-loop signals are UUB even in the presence of the undetectable attacks if $\eta>2(n-1)$ .

Proof. From Lemma 6, one has $\int_{t=T_{a}^{(j)}}^{\infty}\|a^{(j)}(t)\|^{2}dt<+\infty$ . Following Theorem 1, the proof can be complete. $\hfill{}\blacksquare$

Theorem 3 implies that all the subsystems $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ , $j=1,\cdots,N$ can achieve optimal consensus only if the ARRs $\mho^{(j)}$ are satisfied. In other words, any attacks cannot bypass the designed ADI methodology to destroy the system convergence.

6 Secure countermeasure against cyber attacks

With these results on basic DOC and ADI in hand, we now provide a secure countermeasure against the cyber attacks and give the final secure DOC algorithm. The security objective is to steer the physical part $\mathcal{P}^{(j)}$ , $j\in\mathbf{N}_{A}$ to a secure state $y_{s}^{(j)}\in\mathbb{R}^{m}$ , i.e., $\lim_{t\to\infty}y^{(j)}(t)=y_{s}^{(j)}$ , while guaranteeing $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ , $j\in\mathbf{N}_{H}$ to achieve the output consensus at the optimal solution of

\min\sum_{j\in\mathbf{N}_{H}}g^{(j)}(s),~{}s\in\mathbb{R}^{m}

(43)

where $\mathbf{N}_{A}$ represents the set of subsystems $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ which are affected by detectable attack $a^{(j)}$ subject to (36) or (37), and $\mathbf{N}_{H}\triangleq\{1,\cdots,N\}\setminus\mathbf{N}_{A}$ represents the set of the subsystems which are healthy or affected by undetectable attacks satisfying (38). To guarantee the output consensus of subsystems $\mathcal{P}^{(j)}$ , $j\in\mathbf{N}_{H}$ , the following assumption is necessary in accordance with Assumption 2.

Assumption 4. The network topology induced by agents $\mathcal{D}^{(j)}$ , $j\in\mathbf{N}_{H}$ is connected.

Assumption 4 captures the communication redundancy of graph $\mathcal{G}$ . Note that different notions of network robustness have been reported to guarantee the convergence of resilient distributed algorithms, e.g., [20, 21, 22, 23]. For an undirected graph, Assumption 4 is in fact necessary for achieving the security objective (43).

Before giving the secure countermeasure, we first define a notification signal $\digamma^{(j)}(t)$ such that “ $\digamma^{(j)}(t)=1$ ” represents the $j$ th subsystem $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ is attacked at time $t$ , and “ $\digamma^{(j)}(t)=0$ ” otherwise. In order to prevent the transmission data $y^{(j)}$ corrupted by the cyber attack $a^{(j)}$ from being propagated the neighboring subsystems, we design

\digamma^{(j)}(t)=\left\{\begin{aligned} &1,~{}\mathrm{if}~{}t\geq T_{d}^{(j)}\\ &0,~{}\mathrm{otherwise}\end{aligned}\right.

(44)

where $T_{d}^{(j)}$ is the attack detection time for $\mathcal{M}^{(j)}$ , defined as

T_{d}^{(j)}=\inf_{t\geq 0}\left\{t:\mho^{(j)}(t)~{}\mathrm{is~{}volated}\right\}.

If $\mho^{(j)}(t)$ is always satisfied, then the detection time is defined as $T_{d}^{(j)}=+\infty$ .

According to the security objective, we modify the output of decision-making dynamics (5), i.e., the control command $\Im^{(j)}$ , under adversarial environment as

\Im^{(j)}=\left\{\begin{aligned} &(y_{r}^{(j)},\nabla g^{(j)}(y_{r}^{(j)}),\tilde{v}^{\mathbf{N}_{j}}),~{}\mathrm{if}~{}t<T_{d}^{(j)}\\ &(y_{s}^{(j)},0,0),~{}~{}~{}~{}~{}~{}~{}~{}~{}~{}~{}~{}~{}~{}~{}~{}~{}\mathrm{otherwise}\end{aligned}\right.

(45)

The final secure decision-making algorithm for agent $\mathcal{D}^{(j)}$ based on the notification signal (44) and the control command (45) is summarized as:

$\bullet$ Receive $(y^{(i)},v^{(i)},\digamma^{(i)})$ to its neighbors $\mathcal{D}^{(i)},i\in\mathbf{N}_{j}$ ;
$\bullet$ Set $y^{(i)}=0$ and $v^{(i)}=0$ if $\digamma^{(i)}=1$ ;
$\bullet$ Update state by computing Eq. (5);
$\bullet$ Send control command $\Im^{(j)}$ to control module $\mathcal{K}^{(j)}$

Theorem 4. Consider the closed-loop CPS $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ with $(\mathcal{K}^{(j)},\mathcal{D}^{(j)}(\mathcal{O}^{(j)},\mathcal{M}^{(j)}))$ in the presence of cyber attacks $a^{(j)}$ , $j\in\{1,\cdots,N\}$ . Under Assumptions 1-4, subsystems $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ , $j\in\mathbf{N}_{H}$ achieve the output consensus at the optimal solution $y^{\star}_{\mathrm{N}_{H}}$ of (43), while the system output of physical part $\mathcal{P}^{(j)}$ , $j\in\mathbf{N}_{A}$ converges to a given state $y_{s}^{(j)}$ , i.e., $\lim_{t\to\infty}y^{(j)}(t)=y^{\star}_{\mathrm{N}_{H}}$ for $j\in\mathbf{N}_{H}$ and $\lim_{t\to\infty}y^{(j)}(t)=y_{s}^{(j)}$ for $j\in\mathbf{N}_{A}$ . Moreover, all the closed-loop signals are UUB.

Proof. Consider the subsystem $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ , $j\in\mathbf{N}_{A}$ . From Lemma 5, $\mho^{(j)}$ is not satisfied and the optimization module $\mathcal{O}^{(j)}$ sends the control command $(y_{s}^{(j)},0,0)$ to the control module $\mathcal{K}^{(O,j)}$ . Then from (12)-(14) the outer-loop control $u^{(j)}_{O}=0$ and the inner-loop control $u^{(j)}_{I}$ (traditional adaptive backstepping control [36]) can guarantee the closed-loop $\mathcal{P}^{(j)}$ converges to $y_{s}^{(j)}$ .

Consider the subsystem $(\mathcal{P}^{(j)},\mathcal{C}^{(j)})$ , $j\in\mathbf{N}_{H}$ . Given the above secure decision-making, the dynamics (5) becomes

\left\{\begin{aligned} \dot{y}_{r}^{(j)}=&-\nabla g^{(j)}(y_{r}^{(j)})-\sum_{i\in\mathbf{N}_{j}\cap\mathbf{N}_{H}}w_{ji}(v^{(j)}-v^{(i)})\\ &-(1+\eta)\sum_{i\in\mathbf{N}_{j}\cap\mathbf{N}_{H}}w_{ji}(y^{(j)}-y^{(i)})\\ \dot{v}^{(j)}=&\sum_{i\in\mathbf{N}_{j}\cap\mathbf{N}_{H}}w_{ji}(y^{(j)}-y^{(i)})\end{aligned}\right.

Following Theorem 1 and Theorem 3, the output of $\mathcal{P}^{(j)}$ , $j\in\mathbf{N}_{H}$ converges to the optimal solution of problem (43) as $t\to+\infty$ , and all the signals are UUB. $\hfill{}\blacksquare$

From (44) and (45), the security performance under the cyber attacks heavily relies on the detection time $T_{d}^{(j)}$ . With the increase of $(T_{d}^{(j)}-T_{a}^{(j)})$ , the attacker will have more time to damage the system performance.

7 Simulation example

As a practical application of the studied problem framework, we apply our algorithms to the problem of motion coordination of multiple Remotely Operated Vehicles (ROVs). The motion coordination expects the formation of ROVs to rendezvous at a location which is optimal for the formation [16, 14]. The dynamic behavior of ROVs can be described in two coordinate frames, the body-fixed frame and the earth-fix frame as shown in Fig. 2. The dynamics equation of each ROV can be expressed as [44]:

	$\displaystyle\dot{\boldsymbol{\eta}}=$	$\displaystyle J(\boldsymbol{\eta})\boldsymbol{\nu}$		(46)
	$\displaystyle M\dot{\boldsymbol{\nu}}+C(\boldsymbol{\nu})+D(\boldsymbol{\nu})\boldsymbol{\nu}+g(\boldsymbol{\eta})=$	$\displaystyle\boldsymbol{\tau}+\Delta\boldsymbol{f}$		(46)

where $\boldsymbol{\eta}=[x,y,z,\phi,\theta,\psi]^{T}$ is the position and orientation described in the earth-fixed frame ( $|\theta|<\pi/2$ and $|\phi|<\pi/2$ ), $\boldsymbol{\nu}=[u,v,w,p,q,r]^{T}$ is the linear and angular velocity in the body-fixed frame, $M=M_{RB}+M_{A}$ and $M$ is positive definite, $C(\boldsymbol{\nu})=C_{RB}(\boldsymbol{\nu})+C_{A}(\boldsymbol{\nu})$ satisfying $C(\boldsymbol{\nu})=-C^{T}(\boldsymbol{\nu})$ , $M_{RB}$ is the rigid-body inertia matrix, $M_{A}$ is the added inertia matrix; $C_{RB}(\boldsymbol{\nu})$ is the rigid-body Coriolis and centripetal matrix, $C_{A}(\boldsymbol{\nu})$ is the hydrodynamic Coriolis and centripetal matrix in cluding added mass, $D(\boldsymbol{\nu})$ is hydrodynamic damping and lift matrix, $g(\boldsymbol{\eta})$ is a vector of gravitational forces and moment, $\boldsymbol{\tau}$ is the control force and torque vector, $\Delta\boldsymbol{f}$ is the bounded disturbance vector. Note that system (46) can be transformed into the form of system (1) by choosing the state variables $[x_{1}^{T},x_{2}^{T}]^{T}=[\boldsymbol{\eta}^{T},\boldsymbol{\nu}^{T}J^{T}(\boldsymbol{\eta})]^{T}$ .

As reported in [44], in the positioning and trajectory tracking control of ROV, the variables needed to be controlled are $x,y,z$ and $\psi$ . Under some cases, for the purpose of improving the dynamic stability and decreasing the influences of $\phi$ and $\theta$ on other variables, a simple P-controller can be used to control $\phi$ and $\theta$ . Therefore the order of the MIMO backstepping robust controller can be reduced from 6 degrees of freedom (DOF) to 4 DOF.

To simplify the controller design, the transformation matrix $J(\boldsymbol{\eta})$ can also be approximately obtained by assuming that $\phi=\theta=p=q=0$ , then the corresponding matrix parameters of reduced system are $M=\mathrm{diag}\{m_{\nu}-X_{\dot{u}},m_{\nu}-Y_{\dot{v}},m_{\nu}-Z_{\dot{w}},I_{z}-N_{\dot{r}}\}$ , $D(\boldsymbol{\nu})=-\mathrm{diag}\{X_{u}+X_{u|u|},Y_{v}+Y_{v|v|}v,Z_{w}+Z_{w|w|},N_{r}+N_{r|r|}r\}$ , $g(\eta)=[0,0,-(W-B),0]^{T}$ and

	$\displaystyle J(\boldsymbol{\eta})=$	$\displaystyle\left[\begin{matrix}\cos\psi&-\sin\psi&0&0\\ \sin\psi&\cos\psi&0&0\\ 0&0&1&0\\ 0&0&0&1\\ \end{matrix}\right],$
	$\displaystyle C(\boldsymbol{\nu})=$	$\displaystyle\left[\begin{matrix}0&0&0&-(m_{\nu}-Y_{\dot{v}})v\\ 0&0&0&-(m_{\nu}-X_{\dot{u}})u\\ 0&0&0&0\\ (m_{\nu}-Y_{\dot{v}})v&-(m_{\nu}-X_{\dot{u}})u&0&0\\ \end{matrix}\right].$

According to [44], the velocity dynamics can be expressed as linear-parametric form

M\dot{\boldsymbol{\nu}}_{v}+C(\boldsymbol{\nu})+D(\boldsymbol{\nu})\boldsymbol{\nu}+g(\boldsymbol{\eta})=\Phi^{T}(\boldsymbol{\nu},\dot{\boldsymbol{\nu}}_{v},\boldsymbol{\eta})\sigma

where $\sigma=[m_{\nu}-X_{\dot{u}},m_{\nu}-Y_{\dot{v}},X_{u},X_{|u|u},Y_{v},Y_{|v|v},m_{\nu}-Z_{\dot{w}},Z_{w},Z_{w|w|},W-B,I_{z}-N_{\dot{r}},N_{r},N_{r|r|}]$ is unknown system parameter vector, $\boldsymbol{\nu}_{v}$ is the virtual control and $\Phi(\boldsymbol{\nu},\dot{\boldsymbol{\nu}}_{v},\boldsymbol{\eta})$ is a known reduced regressor matrix function whose specific form can be found in [44] and is omitted here for saving space.

TABLE I. Simulation Model Parameters of ROV

Par Value Par Value $m_{\nu}$ 2500kg $X_{\dot{u}}$ -2140kg $I_{z}$ 1250kg $\cdot$ m² $Y_{\dot{v}}$ -1636kg $W$ 24525N $Z_{\dot{w}}$ -3000kg $B$ 24525N $N_{\dot{r}}$ -1524kg $\cdot$ m² $X_{u}$ -3610kg/s $X_{u|u|}$ -952 kg/m $Y_{v}$ -4660kg/s $Y_{v|v|}$ -1361kg/m $Z_{w}$ -11772kg/s $Z_{w|w|}$ -3561kg/m $N_{r}$ -7848kg $\cdot$ m²/(s $\cdot$ rad) $N_{r|r|}$ -773kg $\cdot$ m²/(s $\cdot$ rad)

Consider a ROV formation which consists of 4 same ROVs. The parameters of the ROV are shown in Table I. The communication topology $\mathcal{G}$ is given by a $2$ -regular graph and the edge weight $w_{ji}=1$ . The problem of multi-agent coordination consisting in finding a distributed control strategy that is able to drive each ROV from its initial position to rendezvous at the target position which minimizes the square sum of distances from these initial positions. The coordination control objective can be formulated as the following problem:

\min_{\boldsymbol{\eta}^{(j)}}\sum_{j=1}^{4}\|\boldsymbol{\eta}^{(j)}-\boldsymbol{\eta}^{(j)}_{0}\|^{2},~{}\mathrm{s.t.}~{}\boldsymbol{\eta}^{(1)}=\cdots=\boldsymbol{\eta}^{(4)}

(47)

where $\boldsymbol{\eta}^{(j)}_{0}$ represents the initial state of the $j$ th ROV.

Next, we apply the proposed secure DOC control strategy to complete the motion coordination task. Consider the cyber attacks (also including the sensor faults or some extraneous factors such as ocean currents) occurring in the complex underwater environment. When the cyber core detects the existence of the cyber attacks, it will drive the attacked ROV to the secure state $\boldsymbol{\eta}_{s}=0$ . In the simulation, the initial state conditions of these four ROVs are set as $\boldsymbol{\eta}^{(1)}(0)=[0.3~{}0.4~{}1~{}0]^{T}$ , $\boldsymbol{\eta}^{(2)}(0)=[0.1~{}0.1~{}0.5~{}-\pi/6]^{T}$ , $\boldsymbol{\eta}^{(3)}(0)=[0~{}0~{}0~{}-\pi/8]^{T}$ and $\boldsymbol{\eta}^{(4)}(0)=[0.2~{}0.5~{}1~{}0]^{T}$ . Assume that the 4th ROV suffers the cyber attack at $t=30$ s, and $\phi^{(4)}(t)=e^{0.5(t-30)-1}[\sin(t)~{}\cos(t)~{}-\sin(t)~{}-\cos(t)]^{T}$ . For simplifying calculation, only the ARR $\mho^{(j,r)}(t)$ rather than $\mho^{(j)}(t)$ is used in the proposed ADI approach.

The simulation results are shown in Figs. 3-5. Fig. 3 describes the state responses of $\boldsymbol{\eta}^{(j)}(t)$ and $\boldsymbol{\nu}^{(j)}(t)$ of these four ROVs, $j=1,\cdots,4$ . It can be seen that these four ROVs are arriving at the consensus at the optimal solution of (47) before the attack occurs. The ADI mechanism based on the ARR $\mho^{(j,r)}(t)$ formulated by $e_{r}^{(j)}$ and $e_{r,H}^{(j)}$ is shown in Fig. 4, which implies that for $j=1,2,3$ , the ARR $\mho^{(j,r)}(t)$ generated by $\mathcal{M}^{(j)}$ is still satisfied even after the cyber attack occurs, while $\mho^{(4,y)}(t)$ is immediately violated (about at $t=31.5$ s), thus indicating the cyber attack occurs in the 4th ROV. After detecting the cyber attack, the module $\mathcal{O}^{(j)}$ will send the control command $\Im^{(j)}=(\boldsymbol{\eta}_{s},0,0)$ to the 4th ROV based on the secure decision-making (45). Then the ROV stops sending the transmission data $\boldsymbol{\eta}^{(4)}$ , and converges to the secure position $\boldsymbol{\eta}_{s}=0$ , while the remaining three ROVs achieve the consensus at the optimal solution of

\min_{\boldsymbol{\eta}^{(j)}}\sum_{j=1}^{3}\|\boldsymbol{\eta}^{(j)}-\boldsymbol{\eta}^{(j)}_{0}\|^{2},~{}\mathrm{s.t.}~{}\boldsymbol{\eta}^{(1)}=\boldsymbol{\eta}^{(2)}=\boldsymbol{\eta}^{(3)}

(48)

These have been illustrated in Fig. 3. The control inputs of the overall procedure are plotted in Fig. 5.

To further visualize the motion coordination of the ROV formation, also for comparison, the routes of the formulation of ROVs under the following three cases are presented in Figs. 7-9, respectively, where the Simulink in MATLAB running time is set as [0s,80s]:

Case 1: Apply the basic/secure version of DOC under attack-free environment;

Case 2: Apply the basic version of DOC (without the ADI mechanism and secure countermeasure, i.e., set $\Im^{(j)}=(y_{r}^{(j)},$ $\nabla g^{(j)}(y_{r}^{(j)}),\tilde{v}^{\mathbf{N}_{j}})$ and $F^{(j)}=0$ all the time) under adversarial environment;

Case 3: Apply the secure version of DOC under adversarial environment.

In Fig. 6, clearly all the ROVs rendezvous at the target position $(0.15,0.25,0.625)$ (the optimal solution of problem (47)) under the healthy condition. Fig. 7 shows that under the case when the 4th ROV is attacked, all the ROVs follow the wrong control commands and move along with wrong (insecure) routes due to the attack propagation through the exchange of information between neighboring subsystems (The Simulink reports “ERROR” at $t=34.45$ s and terminates). However, by applying the secure DOC scheme, the ROVs 1, 2 and 3 rendezvous at the target position $(0.1333,0.1678,$ $0.5003)$ (the optimal solution of problem (48)), and the 4th ROV reach the preset secure position $(0,0,0)$ , which has been illustrated in Fig. 8.

8 Conclusions

This paper presented a secure DOC method for a class of uncertain nonlinear CPSs. First, a basic DOC under the healthy conditions was proposed. By interacting and coordinating between cyber dynamics and physical dynamics, the consensus and optimality were guaranteed. In the presence of multiple cyber attacks, we proposed a distributed ADI approach to identify the locally occurring attacks from multiple propagating attacks. It is shown that any attack signal cannot bypass the designed ADI approach to destroy the convergence of the DOC algorithm. Finally, a secure countermeasure strategy against cyber attacks was described, which guarantees that all healthy physical subsystems complete the DOC objective, while the attacked physical subsystems converge to a given secure state.

Appendix I

Proof of Theorem 1. First, we give the convergence analysis on the cyber dynamics (15) and physical dynamics (1) based on the Lyapunov method, respectively.

Cyber dynamics: Let $y^{*}=1_{N}\otimes y^{\star}$ be a solution of (4). By Lemma 1-(ii), there exists $v^{*}\in\mathbb{R}^{Nm}$ such that $\nabla g(y_{r}^{*})+Lv^{*}+(1+\eta)Ly_{r}^{*}=0$ holds, and $(y^{*},v^{*})$ is the saddle of $G$ . Consider the Lyapunov function of the cyber dynamics

V_{c}=\frac{1}{2}(\|y_{r}-y^{*}\|^{2}+\|v-v^{*}\|^{2})

Note that $z_{1}=y-y_{r}$ under the healthy conditions. Then (15) becomes

	$\displaystyle\dot{y}_{r}=$	$\displaystyle-\nabla g(y_{r})-Lv-(1+\eta)Ly_{r}-(1+\eta)Lz_{1}$		(49)
	$\displaystyle\dot{v}=$	$\displaystyle Ly_{r}+Lz_{1}$		(49)

The time derivative of $V_{c}$ along with (49) is

$\displaystyle\dot{V}_{c}=$	$\displaystyle(y_{r}-y^{*})^{T}[-\nabla g(y_{r})-Lv-(1+\eta)Ly_{r}]$
	$\displaystyle+(v-v^{})^{T}Ly_{r}-(1+\eta)z_{1}^{T}Ly_{r}+(v-v^{})^{T}Lz_{1}$
$\displaystyle\overset{(a)}{=}$	$\displaystyle(y^{*}-y_{r})^{T}[\nabla g(y_{r})+Lv+Ly_{r}]-y_{r}^{T}Ly_{r}$
	$\displaystyle+G(y_{r},v)-G(y_{r},v^{*})-(1+\eta)z_{1}^{T}Ly_{r}$
	$\displaystyle+(v-v^{*})^{T}Lz_{1}$
$\displaystyle\overset{(b)}{\leq}$	$\displaystyle G(y^{},v)-G(y^{},v^{})+G(y^{},v^{})-G(y,v^{})$
	$\displaystyle-\eta y_{r}^{T}Ly_{r}-(1+\eta)z_{1}^{T}Ly_{r}+(v-v^{*})^{T}Lz_{1}$
$\displaystyle\overset{(c)}{\leq}$	$\displaystyle-\eta y_{r}^{T}Ly_{r}-(1+\eta)z_{1}^{T}Ly_{r}+v^{T}Lz_{1}-z_{1}^{T}\pi$	(50)

where the equalities: $(a)$ follows from $Ly^{*}=0$ and the linearity of $G$ in its second argument; $(b)$ follows from the convexity of $G$ in the first argument; $(c)$ follows from the fact that $(y^{*},v^{*})$ is the saddle point of $G$ . Note that the mismatching terms $v^{T}Lz_{1}$ and $-z_{1}^{T}\pi$ will be compensated by the following physical dynamics.

Physical system: The convergence analysis is discussed based on backstepping procedure. Rewrite (1) into a compact form

\mathcal{P}:~{}\left\{\begin{aligned} &\dot{x}_{i}=x_{i+1}+\varphi_{i}(\bar{x}_{i})\theta,~{}i=1,\cdots,n-1\\ &\dot{x}_{n}=Bu+\varphi_{n}(x)\theta,\\ &y=x_{1}\end{aligned}\right.

(51)

where $\varphi_{i}(\bar{x}_{i})=\mathrm{diag}\{\varphi_{i}^{(1)}(\bar{x}_{i}^{(1)}),\cdots,\varphi_{i}^{(N)}(\bar{x}_{i}^{(N)})\}$ and $\theta=\mathrm{vec}(\theta_{1},\cdots,\theta_{N})$ .

The error dynamics can be expressed as

\left\{\begin{aligned} &\dot{z}_{1}=\alpha_{1}+\varphi_{1}(\bar{x}_{1})\theta-\dot{y}_{r}+z_{2}\\ &\dot{z}_{i}=\alpha_{i}+\varphi_{i}(\bar{x}_{i})\theta-\dot{\alpha}_{i-1}+z_{i+1}\\ &\dot{z}_{n}=Bu+\varphi_{n}(x)\theta-\dot{\alpha}_{n-1}\end{aligned}\right.

(52)

which can be spitted into inner-loop and outer-loop subsystems:

\left\{\begin{aligned} \dot{z}_{1,I}=&\alpha_{1,I}+\psi_{1}(\bar{x}_{1})\lambda+z_{2}\\ \dot{z}_{i,I}=&\alpha_{i,I}+\psi_{i}(\bar{x}_{i})\lambda-\dot{\alpha}_{i-1,I}+z_{i+1}-\mu z_{i}\\ \dot{z}_{n,I}=&Bu_{I}+\psi_{n}(x)\lambda-\dot{\alpha}_{n-1,I}-\mu z_{n}\\ \end{aligned}\right.

(53)

and

\left\{\begin{aligned} &\dot{z}_{1,O}=\alpha_{1,O}-\dot{y}_{r}\\ &\dot{z}_{i,O}=\alpha_{i,O}-\dot{\alpha}_{i-1,O}\\ &\dot{z}_{n,O}=Bu_{O}-\dot{\alpha}_{n-1,O}\end{aligned}\right.

(54)

where $z_{i}=z_{i,I}+z_{i,O}$ for $i=1,\cdots,n$ .

Next, we provide the Lyapunov analysis of the physical dynamics by considering

V_{p}=\frac{1}{2}\left(\sum_{i=1}^{n}\|z_{i}\|^{2}+\tilde{\lambda}^{T}\Gamma^{-1}\tilde{\lambda}+\tilde{\rho}^{T}\Gamma_{0}^{-1}\tilde{\rho}+\tilde{\pi}^{T}\Gamma_{1}^{-1}\tilde{\pi}\right)\\

where $\tilde{\lambda}=\lambda-\hat{\lambda}$ , $\tilde{\rho}=\rho-\hat{\rho}$ , $\tilde{\pi}=\pi-\hat{\pi}$ .

The derivative of $V_{p}$ can be computed as

	$\displaystyle\dot{V}_{p}=$	$\displaystyle\sum_{i=1}^{n}z_{i}\dot{z}_{i}-\tilde{\lambda}^{T}\Gamma^{-1}\dot{\hat{\lambda}}-\tilde{\rho}^{T}\Gamma_{0}^{-1}\dot{\hat{\rho}}-\tilde{\pi}^{T}\Gamma_{1}^{-1}\dot{\hat{\pi}}$
	$\displaystyle=$	$\displaystyle\dot{V}_{I}+\dot{V}_{O}$

where $\dot{V}_{I}=\sum_{i=1}^{n}z_{i}\dot{z}_{i,I}-\tilde{\lambda}^{T}\Gamma^{-1}\dot{\hat{\lambda}}-\tilde{\rho}^{T}\Gamma_{0}^{-1}\dot{\hat{\rho}}-\tilde{\pi}^{T}\Gamma_{1}^{-1}\dot{\hat{\pi}}$ and $\dot{V}_{O}=\sum_{i=1}^{n}z_{i}\dot{z}_{i,O}$ represent the inner-loop and outer-loop Lyapunov derivatives, respectively.

Consider the inner-loop error dynamics (53) with controls (16)-(18) and adaptive laws (22)-(24). Following the traditional backstepping procedure [36], along with (53), we can obtain

	$\displaystyle\dot{V}_{I}\leq$	$\displaystyle-\sum_{i=1}^{n}z_{i}^{T}C_{i}z_{i}-\mu\sum_{i=2}^{n}\\|z_{i}\\|^{2}$
		$\displaystyle-\rho\\|z_{1}\\|^{2}+z_{1}^{T}\pi-z_{1}^{T}S\left(\frac{z_{1}}{\delta}\right).$		(55)

Now we consider the outer-loop error dynamics (54) with controls (19)-(21).

Step 1. In view of (54) and (15), we have

\displaystyle\dot{z}_{1,O}=\alpha_{1,O}+\nabla g(y_{r})+Lv+(1+\eta)Ly

(56)

To stabilize (56), consider the Lyapunov derivative $\dot{V}_{1,O}=z_{1}\dot{z}_{1,O}$ . Then using the virtual control (19), we have

$\displaystyle\dot{V}_{1,O}=$	$\displaystyle z_{1}^{T}[\alpha_{1,O}+\nabla g(y_{r})+Lv+(1+\eta)Ly]$
$\displaystyle=$	$\displaystyle-z_{1}^{T}Lv+(1+\eta)z_{1}^{T}Ly$
$\displaystyle=$	$\displaystyle-z_{1}^{T}Lv+(1+\eta)z_{1}^{T}L(y_{r}+z_{1})$
$\displaystyle\leq$	$\displaystyle-z_{1}^{T}Lv+(1+\eta)z_{1}^{T}Ly_{r}+(1+\eta)\\|L\\|\\|z_{1}\\|^{2}$	(57)

Step $i(2\leq i\leq n)$ . Note that the arguments of the function $\alpha_{i-1,O}$ involve $y_{r}$ and $v$ . From (54) and (15), we have

$\displaystyle\dot{z}_{i,O}\negthickspace=$	$\displaystyle\alpha_{i,O}+\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}\left[\nabla g(y_{r})+Lv+(1+\eta)Ly\right]$
	$\displaystyle-\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}L^{2}y$
$\displaystyle=$	$\displaystyle\left[(1+\eta)\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}L-\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}L^{2}\right](y_{r}+z_{1})$	(58)

By using the triangular inequality, one has

	$\displaystyle(1+\eta)z_{i}^{T}\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}Ly_{r}\leq$	$\displaystyle\frac{1}{4}(1+\eta)^{2}\\|L\\|z_{i}^{T}\left(\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}\right)^{2}z_{i}$
		$\displaystyle+y_{r}Ly_{r}$
	$\displaystyle(1+\eta)z_{i}^{T}\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}Lz_{1}\leq$	$\displaystyle\frac{1}{4}(1+\eta)^{2}\\|L\\|z_{i}^{T}\left(\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}\right)^{2}z_{i}$
		$\displaystyle+\\|L\\|\\|z_{1}\\|^{2}$
	$\displaystyle-\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}L^{2}y_{r}\leq\frac{1}{4}\\|L\\|^{3}$	$\displaystyle z_{i}^{T}\left(\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}\right)^{2}z_{i}+y_{r}Ly_{r}$
	$\displaystyle-\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}L^{2}z_{1}\leq\frac{1}{4}\\|L\\|^{3}$	$\displaystyle z_{i}^{T}\left(\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}\right)^{2}z_{i}+\\|L\\|\\|z_{1}\\|^{2}$

Also, on the compact set $\{V(t)\leq V(0)\}$ , there exists a positive constant such that $\|\partial\alpha_{i,O}/\partial y_{r}\|\leq\Pi$ for all $i=1,\cdots,n-1$ . Based on these facts, the Lyapunov derivative $\dot{V}_{i,O}=z_{i}\dot{z}_{i,O}$ along with (58) can be expressed as

	$\displaystyle\dot{V}_{i,O}=$	$\displaystyle z_{i}^{T}\left[(1+\eta)\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}L-\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}L^{2}\right](y_{r}+z_{1})$
	$\displaystyle\leq$	$\displaystyle\mu\\|z_{i}\\|^{2}+2\\|L\\|\\|z_{1}\\|^{2}+2y_{r}^{T}Ly_{r}$		(59)

Combining (57) and (59), the outer-loop Lyapunov derivative satisfies

	$\displaystyle\dot{V}_{O}\leq$	$\displaystyle-z_{1}^{T}Lv+(1+\eta)z_{1}^{T}Ly_{r}+\rho\\|z_{1}\\|^{2}+2(n-1)y_{r}^{T}Ly_{r}$
		$\displaystyle+\mu\sum_{i=2}^{n}\\|z_{i}\\|^{2}$		(60)

Finally, construct the Lyapunov function $V=V_{c}+V_{p}$ for the overall CPS. Taking (50), (55) and (60) into account, its time derivative satisfies

$\displaystyle\dot{V}\leq$	$\displaystyle-(\eta-2(n-1))y_{r}^{T}Ly_{r}-\sum_{i=1}^{n}z_{i}^{T}C_{i}z_{i}$
	$\displaystyle-\sum_{j=1}^{N}z_{1}^{(j)T}S\left(\frac{z_{1}^{(j)}}{\delta^{(j)}}\right)$
$\displaystyle\leq$	$\displaystyle-(\eta-2(n-1))y_{r}^{T}Ly_{r}-\sum_{i=1}^{n}z_{i}^{T}C_{i}z_{i}$	(61)

where the fact $z_{1}^{(j)T}S(z_{1}^{(j)}/\delta^{(j)})\geq 0$ is used.

Choose $\eta>2(n-1)$ . Then $\dot{V}\leq 0$ . Thus, $\{V(t)\leq V(0)\}$ is an invariant set. It implies that $z(t)$ , $y_{r}(t)$ , $v(t)$ , $\hat{\lambda}(t)$ , $\hat{\rho}(t)$ , $\hat{\pi}(t)$ and $z_{1}^{(j)T}S(z_{1}^{(j)}/\delta^{(j)})$ are bounded. Then $y(t)=z_{1}(t)+y_{r}(t)$ is bounded. Along with the backstepping procedure, $\alpha_{i}(t)$ , $u_{i}(t)$ and $x_{i}(t)$ are also bounded. Noting $\dot{y}_{r}(t),\dot{v}(t)\in L_{\infty}$ and $y_{r}^{T}(t)Ly_{r}(t),z_{i}(t)\in L_{2}$ . According to Barbalat’s Lemma, $\lim_{t\to\infty}y_{r}^{T}(t)Ly_{r}(t)=0$ and $\lim_{t\to\infty}z_{i}(t)=0$ . Finally, following the proof of [[8]. Theorem 4.1], one obtains that $\lim_{t\to\infty}y_{r}(t)=y^{*}$ . Thus, we can conclude that $\lim_{t\to\infty}[y(t)-y^{*}]=\lim_{t\to\infty}[y(t)-y_{r}(t)+y_{r}(t)-y^{*}]=0$ . $\hfill{}\blacksquare$

Appendix II

Proof of Lemma 2. To analyze the stability of (30), we first construct an auxiliary system

\displaystyle\dot{\tilde{e}}_{r,H}^{(j)}=-\eta^{(j)}({\tilde{e}}_{r,H}^{(j)}+z_{1}^{(j)}),~{}{\tilde{e}}_{r,H}^{(j)}(0)=e_{r,H}^{(j)}(0)

(62)

By directly computing (62), we obtain that

\|\tilde{e}_{r,H}^{(j)}(t)\|\leq e^{-\eta^{(j)}t}e_{r,H}^{(j)}(0)+\Psi(\eta^{(j)},z_{1}^{(j)}(t),0,t).

Also, along with (62), the time derivative of the Lyapunov function $U^{(j)}({\tilde{e}}_{r,H}^{(j)})=\|{\tilde{e}}_{r,H}^{(j)}\|^{2}/2$ is

\displaystyle\dot{U}^{(j)}({\tilde{e}}_{r,H}^{(j)})=

\displaystyle-\eta^{(j)}{\tilde{e}}_{r,H}^{(j)T}({\tilde{e}}_{r,H}^{(j)}+z_{1}^{(j)})

(63)

On the other hand, the time derivative of $U^{(j)}(e_{r,H}^{(j)})$ along with (30) can be expressed as

$\displaystyle\dot{U}^{(j)}(e_{r,H}^{(j)})=$	$\displaystyle-e_{r,H}^{(j)T}[\nabla g^{(j)}(y_{r}^{(j)})-\nabla g^{(j)}(\hat{y}_{r}^{(j)})]$
	$\displaystyle-\eta^{(j)}e_{r,H}^{(j)T}(e_{r,H}^{(j)}+z_{1}^{(j)})$
$\displaystyle\leq$	$\displaystyle-\eta^{(j)}e_{r,H}^{(j)T}(e_{r,H}^{(j)}+z_{1}^{(j)})$	(64)

where the inequality follows from the convexity of $g^{(j)}$ .

Using the comparison principle [46], under the same initial condition ${\tilde{e}}_{r,H}^{(j)}(0)=e_{r,H}^{(j)}(0)$ , (63) and (64) imply $U^{(j)}(e_{r,H}^{(j)})\leq U^{(j)}({\tilde{e}}_{r,H}^{(j)})$ , or equivalently, $\|e_{r,H}^{(j)}(t)\|\leq\|{\tilde{e}}_{r,H}^{(j)}(t)\|\leq e^{-\eta^{(j)}t}e_{r,H}^{(j)}(0)+\Psi(\eta^{(j)},z_{1}^{(j)}(t),t_{0},t)$ .

Directly solving (31) and applying the triangular inequality, $\|e_{v,H}^{(j)}(t)\|$ can be bounded by (33).

Appendix III

Proof of Lemma 3. Under the healthy conditions, integrating both sides of Eq. (61) yields

	$\displaystyle V(t)-V(0)\leq$	$\displaystyle-(\eta-2n+2)\int_{\tau=0}^{t}y_{r}^{T}(\tau)Ly_{r}(\tau)d\tau$
		$\displaystyle-\sum_{i=1}^{n}\int_{\tau=0}^{t}z_{i}^{T}(\tau)C_{i}z_{i}(\tau)d\tau$

which implies that

\displaystyle\frac{1}{2}\|z_{1}^{(j)}(t)\|^{2}+c_{1}^{(j)}\int_{\tau=0}^{t}\|z_{1}^{(j)}(\tau)\|^{2}d\tau\leq V(0).

Given Assumption 3 and definition of $\bar{\Omega}$ , we have

\frac{1}{2c_{1}^{(j)}}\|z_{1}^{(j)}(t)\|^{2}+\int_{\tau=0}^{t}\|z_{1}^{(j)}(\tau)\|^{2}d\tau\leq\bar{\Omega}/c_{1}^{(j)}

In addition, from Theorem 1 we know $z_{1}^{(j)T}S(z_{1}^{(j)}/\delta^{(j)})$ is bounded, which yields $|z_{1,s}^{(j)}(t)|<\delta^{(j)}(t)$ for any $t\geq 0$ . To prove the result we suppose, for contradiction, there exists $s\in\{1,\cdots,m\}$ such that $|z_{1,s}^{(j)}(t)|\geq\delta^{(j)}(t)>k_{b}^{(j)}$ . According to the form of $S$ and the prescribed performance technique [39], $\|S(z_{1}^{(j)}/\delta^{(j)})\|$ converges to $+\infty$ . Then $z_{1}^{(j)T}S(z_{1}^{(j)}/\delta^{(j)})\geq k_{b}^{(j)}\|S(z_{1}^{(j)}/\delta^{(j)})\|\to+\infty$ as $t\to\infty$ , a contradiction, which in turn implies $\|z_{1}^{(j)}(t)\|<\sqrt{m}\delta^{(j)}(t)$ .

References

[1] P. Antsaklis, “Goals and challenges in cyber-physical systems research editorial of the editor in chief,” IEEE Trans. Automat. Control, vol. 59, no. 12, pp. 3117–3119, Dec. 2014.
[2] J. Slay and M.Miller, “Lessons learned from the Maroochy Water Breach,” in Critical Infrastructure Protection. New York, NY, USA: Springer, 2007.
[3] J. P. Farwell and R. Rohozinski, “Stuxnet and the future of cyber war,” Survival, vol. 53, no. 1, pp. 23–40, 2010.
[4] A. Nedic and A. Ozdaglar, “Distributed subgradient methods for multiagent optimization,” IEEE Trans. Autom. Control, vol. 54, no. 1, pp. 48–61, 2009.
[5] I. Lobel and A. Ozdaglar, “Distributed subgradient methods for convex optimization over random networks,” IEEE Trans. Autom. Control, vol. 56, no. 6, pp. 1291–1306, June 2011.
[6] M. Zhu and S. Martlnez, “On distributed convex optimization under inequality and equality constraints,” IEEE Trans. Autom. Control, vol. 57, no. 1, pp. 151–164, 2012.
[7] B. Johansson, T. Keviczky, M. Johansson, and K. H. Johansson, “Subgradient methods and consensus algorithms for solving convex optimization problems,” in Proc. IEEE Conf. Decision Control, Cancun, Mexico, Dec. 2008, pp. 4185–4190.
[8] B. Gharesifard and J. Cortes, “Distributed continuous-time convex optimization on weight-balanced digraphs,” IEEE Trans. Autom. Control, vol. 59, no. 3, pp. 781–786, Mar. 2014.
[9] C. Y. Kim, D. Z. Song, Y. L. Xu, J. G. Yi, and X. Y. Wu. “Cooperative search of multiple unknown transient radio sources using multiple paired mobile robots,” IEEE Trans. Robotics, vol. 30, no. 5, pp. 1161–1173, 2014.
[10] E. Dall’Anese, H. Zhu, and G. B. Giannakis, “Distributed optimal power flow for smart microgrids,” IEEE Trans. Smart Grid, vol. 4, no. 3, pp. 1464–1475, 2013.
[11] S. Bose, S. H. Low, T. Teeraratkul, and B. Hassibi, “Equivalent relaxations of optimal power flow,” IEEE Trans. Autom. Control, vol. 60, no. 3, pp. 729–742, 2015.
[12] Y. Zhang, Z. Deng, and Y. Hong, “Distributed optimal coordination for multiple heterogeneous Euler-Lagrangian systems,” Automatica, vol. 79, pp. 207–213, 2017.
[13] P. Lin, W. Ren, Y. Song, and J.A. Farrell, “Distributed optimization with the consideration of adaptivity and finite-time convergence,” in Proc. Conf. Amer. Control, 2014, pp. 3177–3182.
[14] Y. Xie and Z. Lin,“Global optimal consensus for higher-order multi-agent systems with bounded controls,” Automatica, vol. 99, pp. 301–307, 2019.
[15] Y. Zhang and Y. Hong, “Distributed optimization design for high-order multi-agent systems,” in Proc. Conf. Chin. Control, 2015, pp. 7251–7256.
[16] Y. Zhao, Y. Liu, G. Wen, and G. Chen, “Distributed optimization for linear multiagent systems: edge- and node-based adaptive designs,” IEEE Trans. Autom. Control, vol. 62, no. 7, pp. 3602-3609, 2017.
[17] Z. Li, Z. Wu, Z. Li, and Z. Ding, “Distributed optimal coordination for heterogeneous linear multi-agent systems with event-triggered mechanisms,” IEEE Trans. Autom. Control, 10.1109/TAC.2019.2937500.
[18] T. Yang, X. Yi, J. Wu, Y. Yuan, D. Wu, Z. Meng, Y. Hong, H. Wang, Z. Lin, K. H. Johansson, “A survey of distributed optimization,” Ann. Rev. Control, vol. 47, pp. 278–305, 2019.
[19] O. Yaggan, D. Qian, J. Zhang, and D. Cochran, “Optimal allocation of interconnecting links in cyber-physical systems: interdependence, cascading failures, and robustness,” IEEE Trans. Paral. Distr. Syst., vol. 23, no. 9, pp. 1708–1721, 2015.
[20] L. Su and N. Vaidya, “Byzantine multi-agent optimization,” arXiv:1506.04681, 2015.
[21] S. Sundaram and B. Gharesifard, “Distributed optimization under adversarial nodes,” IEEE Trans. Autom. Control, vol. 64, no. 3, pp. 1063–1076, 2019.
[22] C. Zhao, J. He, and Q.-G. Wang, “Resilient distributed optimization algorithm against adversarial attacks,” IEEE Trans. Autom. Control, 10.1109/TAC.2019.2954363.
[23] W. Fu, J. Qin, Y. Shi, W. Zheng, and Y. Kang, “Resilient consensus of discrete-time complex cyber-physical networks under deception attacks,” IEEE Trans. Ind. Inf., 10.1109/TII.2019.2933596.
[24] Q. Zhang and X. Zhang, “Distributed sensor fault diagnosis in a class of interconnected nonlinear uncertain systems,” in Proc. 8th IFAC SAFEPROCESS, Mexico City, Mexico, 2012, pp. 1101–1106.
[25] V. Reppa, M. M. Polycarpou, and C. G. Panayiotou, “Decentralized isolation of multiple sensor faults in large-scale interconnected nonlinear systems,” IEEE Trans. Autom. Control, vol. 60, no. 6, pp. 1582–1596, Mar. 2015.
[26] V. Reppa, M. M. Polycarpou, and C. G. Panayiotou, “Distributed sensor fault diagnosis for a network of interconnected cyber-physical systems,” IEEE Trans. Control Netw. Syst., vol. 2, no. 1, pp. 11–23, Mar. 2015.
[27] L. Zhang and G.-H. Yang, “Observer-based fuzzy adaptive sensor fault compensation for uncertain nonlinear strict-feedback systems,” IEEE Trans. Fuzzy Syst., vol. 26, no. 4, pp. 2301–2310, 2018.
[28] F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identification in cyber-physical systems,” IEEE Trans. Autom. Control, vol. 58, no. 11, pp. 2715–2729, 2013
[29] L. An and G.-H. Yang, “Distributed secure state estimation for cyber-physical systems under sensor attacks,” Automatica, vol. 107, pp. 526–538, 2019.
[30] J. Zhang, R. Blum, X. Lu, and D. Conus, “Asymptotically optimum distributed estimation in the presence of attacks,” IEEE Trans. Signal Process., vol. 63, no. 5, pp. 1086–1101, Mar. 2015.
[31] M. Zhu and S. Mart nez, “Attack-resilient distributed formation control via online adaptation,” in Proc. IEEE Conf. Dec. Control Eur. Control (CDC-ECC), Orlando, USA,, 2011, pp. 6624–6629.
[32] L. An and G.-H. Yang, “Data-driven coordinated attack policy design based on adaptive $L_{2}$ -gain optimal theory,” IEEE Trans. Autom. Control, vol. 63, no. 6, pp. 1760–1767, 2018.
[33] Y. Liu, M.K. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,” in Proc. the 16th ACM conf. Computer communications security, 2009, pp. 21–32.
[34] Y. Chen, S. Kar, and J.M.F. Moura, “Optimal attack strategies subject to detection constraints against cyber-physical systems,”IEEE Trans. Control Netw. Syst., vol. 5, no. 3, pp. 1157–1168, 2019.
[35] T.-Y. Zhang and D. Ye, “False data injection attacks with complete stealthiness in cyber-physical systems: A self-generated approach,” Automatica, vol. 120, Oct. 2020, Art. no. 109117.
[36] M. Krstic, P. V. Kokotovic, I. Kanellakopoulos, Nonlinear and Adaptive Control Design. New York: Wiley, 1995.
[37] H. Ouyang, Y. Lin, “Adaptive fault-tolerant control for actuator failures: A switching strategy,” Automatica, vol. 81, pp. 87–95, 2017.
[38] X. D. Tang, G. Tao, and S. M. Joshi, “Adaptive actuator failure compensation for parametric strict feedback systems and an aircraft application,” Automatica, vol. 39, pp. 1975–1982, 2003.
[39] W. Wang and C. Wen, “Adaptive actuator failure compensation control of uncertain nonlinear systems with guaranteed transient performance,” Automatica, vol. 46, pp. 2082–2091, 2010.
[40] W. Wang, C. Wen, J. Huang, “Distributed adaptive asymptotically consensus tracking control of nonlinear multi-agent systems with unknown parameters and uncertain disturbances,” Automatica, vol. 77, pp. 133–142, 2017.
[41] W. Liu and J. Huang, “Adaptive leader-following consensus for a class of higher-order nonlinear multi-agent systems with directed switching networks,” Automatica, vol. 79, pp. 84–92, 2017.
[42] M. Massoumnia, G. Verghese, and A. Willsky, “Failure detection and identification,” IEEE Trans. Autom. Control, vol. 34, no. 3, pp. 316–321, 1989.
[43] H. Fawzi, P. Tabuada, and S. Diggavi, “Secure estimation and control for cyber-physical systems under adversarial attacks,” IEEE Trans. Automat. Control, vol. 59, no. 6, pp. 1454–1467, Jun. 2014.
[44] K. Zhu, L. Gu, “A MIMO nonlinear robust controller for work-class ROVs positioning and trajectory tracking control,” in Proc. Annu. Conf. Control Decision, Hangzhou, China, 2011, pp. 2565–2570.
[45] A. Eldosouky, A. Ferdowsi, and W. Saad, “Drones in distress: a game-theoretic countermeasure for protecting UAVs against GPS spoofing,” IEEE Int. Things Journal, vol. 7, no. 4, 2840–2854, 2020.
[46] H. Khalil, Nonlinear Systems, third ed., Prentice Hall, Hoboken, New Jersey, 2002.

	$\displaystyle\eta^{(j)}\left\\|\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{\eta^{(j)}(t-T_{d}^{(j)})}a^{(j)}(t)dt\right\\|>$
	$\displaystyle 2e^{\eta^{(j)}(T_{a}^{(j)}-T_{d}^{(j)})}\\|e_{r}^{(j)}(T_{a}^{(j)})\\|+\bar{\Psi}^{(j)}_{\Delta_{z}^{\delta^{(j)}}}(\eta^{(j)},T_{a}^{(j)},T_{d}^{(j)})$
	$\displaystyle+\eta^{(j)}\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{\eta^{(j)}(t-T_{d}^{(j)})}\left\\|\nabla g^{(j)}(y_{r}^{(j)}(t))\right.$
	$\displaystyle\left.-\nabla g^{(j)}(\hat{y}_{r}^{(j)}(t))+\eta^{(j)}z_{1}^{(j)}(t)\right\\|dt$		(36)

	$\displaystyle w_{\mathbf{N}_{j}}\left\\|\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{w_{\mathbf{N}_{j}}(t-T_{d}^{(j)})}a^{(j)}(t)dt\right\\|$
$\displaystyle>$	$\displaystyle 2e^{w_{\mathbf{N}_{j}}(T_{a}^{(j)}-T_{d}^{(j)})}\\|e_{v}^{(j)}(T_{a}^{(j)})\\|+\bar{\Psi}^{(j)}_{\Delta_{ez}^{\delta^{(j)}}}\negthickspace(w_{\mathbf{N}_{j}},T_{a}^{(j)},T_{d}^{(j)})$
	$\displaystyle+w_{\mathbf{N}_{j}}\negthickspace\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{w_{\mathbf{N}_{j}}(t-T_{d}^{(j)})}\left\\|e_{r}^{(j)}(t)+z_{1}^{(j)}(t)\right\\|dt$	(37)

	$\displaystyle\\|e_{r}^{(j)}(T_{d}^{(j)})\\|\geq$	$\displaystyle\eta^{(j)}\left\\|\int_{t=T_{f}}^{T_{d}^{(j)}}e^{\eta^{(j)}(t-T_{d}^{(j)})}a^{(j)}(t)dt\right\\|$
		$\displaystyle-e^{\eta^{(j)}(T_{a}^{(j)}-T_{d}^{(j)})}\\|e_{r}^{(j)}(T_{a}^{(j)})\\|$
		$\displaystyle-\eta^{(j)}\int_{t=T_{a}^{(j)}}^{T_{d}^{(j)}}e^{\eta^{(j)}(t-T_{d}^{(j)})}\left\\|\nabla g^{(j)}(y_{r}^{(j)}(t))\right.$
		$\displaystyle\left.-\nabla g^{(j)}(\hat{y}_{r}^{(j)}(t))+\eta^{(j)}z_{1}^{(j)}(t)\right\\|dt,$

	$\displaystyle(1+\eta)z_{i}^{T}\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}Ly_{r}\leq$	$\displaystyle\frac{1}{4}(1+\eta)^{2}\\|L\\|z_{i}^{T}\left(\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}\right)^{2}z_{i}$
		$\displaystyle+y_{r}Ly_{r}$
	$\displaystyle(1+\eta)z_{i}^{T}\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}Lz_{1}\leq$	$\displaystyle\frac{1}{4}(1+\eta)^{2}\\|L\\|z_{i}^{T}\left(\frac{\partial\alpha_{i-1,O}}{\partial y_{r}}\right)^{2}z_{i}$
		$\displaystyle+\\|L\\|\\|z_{1}\\|^{2}$
	$\displaystyle-\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}L^{2}y_{r}\leq\frac{1}{4}\\|L\\|^{3}$	$\displaystyle z_{i}^{T}\left(\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}\right)^{2}z_{i}+y_{r}Ly_{r}$
	$\displaystyle-\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}L^{2}z_{1}\leq\frac{1}{4}\\|L\\|^{3}$	$\displaystyle z_{i}^{T}\left(\frac{\partial\alpha_{i-2,O}}{\partial y_{r}}\right)^{2}z_{i}+\\|L\\|\\|z_{1}\\|^{2}$