Robust Self-Triggered Control for Nonlinear Cyber-Physical Systems with State Constraints under DoS Attacks

This paper is concerned with the event-based control problem for nonlinear cyber-physical systems (CPSs) with state constraints. A novel security control strategy consisting of a self-triggered mechanism is developed to decrease the network communication loads to the most extent on the basis of ensuring system safety and stability. The maximum capability of the designed self-triggered mechanism to resist denial-of-service (DoS) attacks occurring in controller-actuator (C-A) and sensor-controller (S-C) channels synchronously is also analyzed. In particular, we prove that the security control strategy guarantees the system safety and stability without resulting in Zeno behavior. Finally, a numerical example is provided to demonstrate the prominent eﬀectiveness and the advantages over the existing results.


Introduction
With the rapid development of sensing and information technologies, cyber-physical systems (CPSs) have become a research hotspot, which have emerging and wide applications in areas such as transportation, remote medical services, smart grids, power plant, military communities, and so on [1]- [7].CPSs share data through wireless communication networks [6].However, especially, conventional control strategies regularly transmit control inputs [5], which may consume unnecessary communication resources and overload the network in CPSs.And what's worse, no one can guarantee that safety constraints will still hold for CPSs.Since the sampling frequency of plant is fixed, it could make the system violate safety constraints between two consecutive sampled time instants.The event-based mechanism (EBM) provides a promising solution to this problem [8].The essential characteristic of EBM lies in deciding time instant to update the controller, which is specified by satisfying a certain prescribed triggering condition.Furthermore, EBM can effectually decrease communication consumption loads and reduce the frequency to calculate control inputs.Therefore, on the basis of saving conmmunication resources, it is necessary to design an efficient approach to guarantee the stability and safety of nonlinear CPSs.
Generally speaking, the works about EBM primarily consist of three portions: 1) the eventtriggered control (ETC) [9]-[10]; 2) the selftriggered control (STC) [11]-[13]; and 3) the periodic triggering control (PTC) [14]- [15].The ETC strategy continously monitors the real and its nominal states of system to determine the next triggering time instant until prescribed triggering condition is satisfied.In order to reduce the monitoring consumption of ETC, STC is proposed, where the next triggering time instant is decided by examing a prescribed triggering condition at the current time instant.The PTC is at the intermediate level, but the system states still need to be monitored periodically.
Although EBM has a great advantage in decreasing communication loads, real-time control is central to many nonlinear CPSs with state constraints.The design of a real-time controller must take into account several factors, including computional resources, safety and stability.In particular, a critical way to achieve the last two purposes is to utilize Control Lyapunov Functions (CLFs) [16]- [17] for stability and Control Barrier Functions (CBFs) [18]- [21] for safety that can be combined through quadratic programs (QPs), which are adopted in many safety-critical nonlinear CPSs.Notwithstanding, most of real-time controllers are based on a continuous-time formulation, which is in contradiction with the reality that these controllers are implemented on digital platform, where the updates to the control law can be conducted only at discrete time instants.
Based on the above discussions, the fundamental difficulty lies in how to achieve the real-time control for nonlinear CPSs with state constraints on the basis of minimizing the consumption of network communication resources.To the best of our knowledge, there has been few researches concerning this problem.Motivated by CLFs and CBFs, in this paper, we aim at designing a robust selftriggered security control strategy for nonlinear CPSs with state constraints, and analyzing the maximum ability to resist denial-of-service (DoS) attacks occurring in controller-actuator (C-A) and sensor-controller (S-C) channels synchronously.Compared with most existing results, the distinguished contributions of this paper can be summarized as follows: 1) A novel self-triggered mechanism is designed to minimize the consumption of network communication resources.
2) The maximum capability to resist DoS attacks of the designed self-triggered mechanism is analyzed.Particularly, the maximum duration of DoS attacks is calculated on the premise of guaranteeing safety and stability of nonlinear CPSs, where the DoS attacks occur in C-A and S-C channels synchronously.
3) A security control strategy is developed to guarantee that state constraints are always satisfied under the condition that the aperiodic update of control signals and transmission of control inputs is achieved to reduce the consumption of network communication resources under DoS attacks, i.e., the safety and stability of nonlinear CPSs are both guaranteed.
The rest of this paper is organized as follows.Section II is the preliminaries and problem formulation.Section III presents the detailed analysis of maximum capability to resist DoS attacks of the designed self-triggered mechanism and the novel security control strategy based on designed self-triggered mechanism.Then, simulation and comparisons are provided in Section IV.Finally, Section V concludes this paper.
Notations : Let N and R denote the set of integers and the set of real numbers, respectively.R n is the set of all n-dimensional column vectors.The Lie derivative of a smooth function h (x) along dynamics ẋ = f (x) is denoted as , for some a, b > 0, belongs to the extended class K if it is strictly increasing and α(0) = 0.

Preliminaries and Problem Formulation 2.1 System Dynamics
We consider the structure of CPSs presented in Fig. 1, in which the controller is in the cloud platform which belongs to the cyber portion, and the actuator, plant, and sensor are in the physical portion.As shown in Fig. 1, the physical process is controlled through wireless communication networks, where both the C-A and S-C channels might be attacked by the DoS attacks synchronously.Here, the physical plant to be controlled is described by the following nonlinear continuous-time system dynamics: where x ∈ R n denotes the system state, u ∈ R m denotes the control input.Let x 0 := x (t 0 ) ∈ R n .
The system states are constrained by a set of safety constraints depicted as follows where h(•) : R n → R is continuously differentiable.The set C is denoted as forward invariant for system (1) if x 0 ∈ C implies x (t) ∈ C, ∀ t ∈ I (x 0 ).Hence, in this paper, the set C must be always guaranteed as forward invariant.Consequently, for nonlinear CPSs shown in Fig. 1, the objectives to be achieved in this paper are depicted as follows: 1) The first objective is to design a selftriggered mechanism for (1) to decrease networked communication loads to the most extent; 2) The second objective is to analyze the maximum capability to resist DoS attacks of the designed self-triggered mechanism, especially to calculate the maximum duration of DoS attacks on the premise of guaranteeing the safety and stability of nonlinear CPSs; 3) The third objective is to develop a novel security control strategy based on the designed self-triggered mechanism to guarantee that the system (1) is at least asymptotically stable while state constraints (2) are satisfied under the condition that the aperiodic update of control signals and transmission of control inputs are achieved to reduce the consumption of network communication resources to the most extent under DoS attacks.
To facilitate the control strategy development, the following assumption and definition are made for system (1).
Assumption 1 : The function f (•) : R n → R n and g(•) : R n → R n * m are locally Lipschitz continuous over the region of interest about system state x with Lipschitz constant L f and over the control input u with Lipschitz constant L g , respectively.
Definition 1: For the dynamical system (1) and the set C defined by ( 2) for some continuous differentiable function h : R n → R, if there exist an extended class K function α and a set C such that then the function h is called zeroing control barrier function (ZCBF).

Optimal Control Problem
For the continuous dynamical system (1), an initial state x 0 ∈ C. In order to stabilize the system state to a desired state x d ∈ R n on the premise of ensuring that the safety constraints are met, we design a self-triggered mechanism to actively compute the next update instance at which controller update the control inputs given the safety constraints and stability constraints, where control input is calculated through resolving the following optimal control problem denoted as QPs.
Given system (1), the QPs are defined as follows: m) and F (x) ∈ R m are arbitary cost functions, which can be selected on the basis of the desired (state based) weighting of control inputs.
Particularly, the self-triggered mechanism to be designed introduces the notions of CBFs safe period for the safety constraints (ι CBF ) and CLFs update period for stability constraints (ι CLF ).The safe period and update period are obtained by computing a lower bound on the CBFs constraints and a upper bound on the CLFs constraints, and bounds of trajectories of system states.Let the sequence {t k } k∈N ≥0 represent the time instants at which the control signal is updated and controller update the control input, then the next update instant can be obtained as At every update instant t k , resolve (4) to compute the optimal control input u k and apply it in a Zeroth-Order-Hold (ZOH) pattern [22] until the next update instant t k +1 .In particular, the strategy utilized by our designed self-triggered mechanism aims at guaranteeing that u k applied in a ZOH manner could make the safety constraint and stability constraint in (4) will still hold at the interval Remark 1 It should be pointed out that h(x ) acts as safety constraint of system (1), and V (x ) plays the part of stability constraint, which must hold at any time.Therefore, it is significant to guarantee two constraints hold when t ∈ [t k , t k+1 ) under the designed self-triggered mechanism.On the one hand, the selftriggered mechanism can reduce the consumption of network communication resources to the most extent, and on the other hand, it does not violate safety constraint and stability constraint.

Main Results
In this section, firstly, we will illustrate the designed self-triggered mechanism including the detailed issues about the calculation process of CBFs safe period (ι CBF ) and CLFs update period (ι CLF ).Then, we analyze the maximum capability to resist DoS attacks of the designed self-triggered mechanism.Particularly, the maximum duration of DoS attacks is calculated on the premise of guaranteeing safety and stability of nonlinear CPSs, which is summarized in Theorem 1. Finally, based on the designed self-triggered mechanism, we further develop a novel security control strategy, which is summarized in Algorithm 1 and Theorem 2.

CBFs Safe Period
For the computation of the CBFs safe period, we count on calculating bounds of the inequalities in (4).Concretely speaking, we try to find a bound on the system trajectory which exclusively relies on prevailing features of system dynamics.Then, at every t k , we evaluate the trajectory bound, denote w t k (t) = w (t + t k ), ∀t ≥ t k , and denote the upper bound of w t k as w t k .
Before introducing the main result of this subsection, we first show that the upper bound of w t k can be obtained, the result is summarized in lemma 1.
Lemma 1 Given the continuous dynamical system (1), starting from x (t k ), the distance between the trajectory x (t + t k ) and x (t k ) is bounded by (5) Due to the assumption that the system dynamics is Lipschitz continuous, then the following equality holds where L is the Lipschitz constant for f .Substituting (6) into (5), we have ẇt Then, the solution of ( 7) is Finally, once we get w t k (t),then a ball bounding the trajectory under system dynamics (1) can be defined as follows Lemma 1 verifies that the upper bound of the distance between trajectory x (t + t k ) and x (t k ) can be obtained.Next, we will make it clear that the CBFs safe period can be calculated based on the above result.
Definition 1 For dynamical system (1) starting at x (t k ) ∈ C, if there exists a ι CBF such that x (t k + ι CBF ) ∈ C for all t ∈ [t k , t k + ι CBF ) under a constant control input u k , then ι CBF is seen as a safe period for system (1) at time t k .
Based on (3), we define the CBFs constraint as follows: for all x ∈ C. If Θ CBF (t) ≥ 0, then the system (1) is forward invariant.By Lemma 1, we can determine ι CBF to obtain lower bound Θ CBF (t) by means of w t k (t) rather than only rely on the closed-form solution of x (t).In other words, we will count on the implication as follows: (12) At every update instant t k , define the initial condition Θ CBF (t k ) = Θ(t k ).In order to simplify the notation for the rest of this subsection, we define Θ(t) := Θ ECBF (t) which has a similar definition to Θ. Then Θ can be obtained by means of another application of the comparison theorem: where Θ(t) ≤ Θ(t), for all t ∈ [t k , t k+1 ].In order to get Θ(t), we denote the derivative of Θ(t) as Obtaining the lower bound Θ(t), the CBFs safe period ι CBF can be determined to guarantee Θ(t k + ι CBF ) = 0.As a result, the considered problem is equal to calculate a root for Θ.Suppose that it is hard to get the closed-loop solution of (13) about t, we can calculate its roots by means of algorithms such as the secant method [23].On the other hand, if there exist multiple CBFs constraints, every of which is denonted as Θ i respectively, then the safe period that satisfies all CBFs constraints is denoted as follows: (15)

CLFs Update Period
Except for the safety constraint (11), the CLFs constraint in ( 4) is also utilized to compute the next update instant t k +1 .Instinctively, if we naively apply this update rule t k +1 := t k + ι CBF , the resulting state trajectory may be out of the equilibrium.
Since the QPs formula is resolved point by point in time, it is impossible to ensure the exponential convergence to the desired state on the ZOH implementation.Aiming at guaranteeing at least asymptotic stability, we define a CLFs update period, which guarantees that the Lyapunov function monotonously decreases at each step.A useful lemma is firstly recalled here.
Lemma 2 Let f : R n −→ R be continuously differentiable, and let x and y be two vectors in R n .Supposing that Then, the following equality holds Proof For the ease of presentation, let t be a scalar parameter and let g(t) = f (x + ty).The chain rule fields (dg/dt)(t) = ẏ ▽ f (x + ty).Now furthermore, it yields that Definition 2 For the continuous dynamical system For systems whose closed-loop solution can not be easily obtained for their trajectory, it is necessary to get an upper bound V (t) such that V (t) By means of descent lemma [24], we can calculate the upper bound of V (x (t)).The following inequality holds where M := max x∈C V (t), and we use the notation V (t) = V (x(t)); The proof can be found in [24], [25].
Remark 3 In order to obtain sharper bound on M , we can maximize the second derivative on C ∩ {x : V (x) < V (x(t k ))}.

Remark 4
We utilize distinct bounds for computing ι CBF and those used for ι CLF because otherwise in many general situations we will begin with a bound very close to zero near the equilibrium, thus implying a vanishing ι CLF .
Because V (t) is a square function of t, then there must exist closed-loop solution for the roots.Accordingly, in the process of determining ι CLF , the condition that we aim at enforcing is V (t) − V (x(t k )) ≤ 0, which leads to the non-zero root of V (t) = 0 as Before we proceed to the analysis, the following assumption should be made.
Assumption 1 For the inequality constraint V (x(t)) ≤ −ǫV (x(t)) in ( 4), we give a assumption that there exists a neighborhood of equilibrium such that the optimal solution through resolving the QPs will make the inequality above gradually develop into an equality V (x(t)) = −ǫV (x(t)).Suppose that this assumption is valid, considering the nature of the cost and two constraints of the QPs, namely satisfying the CLFs constraints while minimizing control effort, then the Lyapunov function V (x (t)) decreases to zero in the process of the system approaching the desired equilibrium.At this moment, the CLFs constraint is the sole active constraint, while all the other constraints are not active.
Proposition 1 For the nonlinear continuous time dynamical system (1), lim that is to say, in the total process that system converge to equilbrium, the sequence of ι CLF keeps bounded far away from zero.
Proof In order to complete the proof, it is necessary to prove that the limit (22) will become a constant strictly greater than zero in the process that the system approaches the equilbrium, i.e., on condition that the Assumption 1 is true, the following equality holds Furthermore, a closed-loop solution for control u of (4) exists.Based on the equality assumption of Assumption 1, the control input can be analytically determined as Since V (x(t)) counts on both control input u and state x (t), which is hard to get.By means of the closed form of ( 25), we can see that the numerator and denominator of ( 24) get the same order of magnitude about V (x (t)).As a result, the ι CLF becomes a constant strictly greater than zero as the system approaches the ideal equilibrium.Then, the Zeno behavior is avoided.

Maximum Capability to Resist Against DoS Attacks
In this subsection, we focus on analysing the maximum capability to resist DoS attacks of the designed self-triggered mechanism and further developing a novel security control strategy.The attacker is only capable of launching limited times attacks owing to its limited power energy.Thus, before proceeding to make analysis, let us make the following assumption.
Assumption 2 Given the CPSs shown in Fig. 1, it is assumed that the DoS attacks do not occur when t = 0.
Theorem 1 Given the CPSs shown in Fig. 1, the safety constraint and stability constraint of (1) can be both guaranteed if the following conditions hold where dur (A t ) indicates duration of DoS attacks starting from time t, min(ι CBF , ι CLF ) indicates the minimal one of ι CBF and ι CLF calculated at time t.
Proof Based on the designed self-triggered mechanism, we can see that if the DoS attacks occur at time t k which is the k -th trigger instant to resolve (4) to obtain u k , then the safety and stability of (1) can be ensured if (26) holds.

Remark 5
The DoS attacks duration denote the total time on which the C-A and S-C communication channels are jammed.In particular, the DoS attacks with larger duration make the communication channels unavailable for more time.Besides, there might exist some extreme cases where the C-A and S-C channels are totally disabled such that all the control inputs can not be transmitted.Therefore, it is reasonable to consider that the DoS attacks are contrained by (26).
Based on the designed self-triggered mechanism, the security control strategy is summarized in Algorithm 1 and Theorem 2.
Algorithm 1 Robust Self-Triggered Control procedure: initialize x 0 , h(x) and V (x) while DoS attack does not occur do 4: Solve (4) to calculate the optimal control input u k

6:
Calculate the CLFs update period ι CLF from (22) 7: end while Calculate the solution of (4) at time t s , and apply it to (1) 12: Calculate the CBFs safe period ι CBF from (15)

13:
Calculate the CLFs update period ι CLF from (22) 14: end while 16: end while end procedure Theorem 2 For the nonlinear continuous-time system (1) with the control law given by Algorithm 1, supposing that Assumptions 1 and 2 are true, then the closed-loop system (1) under DoS attacks is asymptotically stable without violating state constraint.
Proof We first prove that the closed-loop system (1) with the control law given by Algorithm 1 is asymptotically stable, when there are no DoS attacks.
Based on Lemma 1, Lemma 2 and Proposition 1, it can be seen that the closed-loop system (1) is exponentially stable under the control input u * with the control law given by Algorithm 1 when there are no DoS attacks.
Then, we prove that the closed-loop system (1) with the control law given by Algorithm 1 is asymptotically stable when there are DoS attacks.
Assumption 2 indicates that duration of each DoS attack shall not exceed min(ι CBF , ι CLF ) calculated at the moment of attack occurring.Then, using the control law given by Algorithm 1, the closed-loop system (1) is equivalent to the case without DoS attacks.The proof is completed.

Simulation Results
In this section, we will demonstrate the efficiency of the proposed security control strategy by one numerical example.
We consider the concrete nonholonomic mobile robot in CPSs, which has the nonlinear continuous-time system dynamics as follows: Here, the position of robot is expressed by [x(t), y(t)] T , and the orientation is expressed by θ(t), then the system state variable are denoted as [x(t), y(t), θ(t)] T .The control input of robot is u, which is comprised of linear velocity v (t) and angular velocity ω(t).In addition, the calculated Lipschitz constants are L f = 1.5 √ 2, L g = 1, respectively.
We consider a problem of trajectory tracking, where a mobile robot aims at tracking a target moving in curve line and needs to avoid two moving obstacles in straight-line movement and curve-line movement.Firstly, we transform the tracking-error model expressed in the inertial frame to the body-fixed frame, and denote the error coordinates as The state error is e = [e x , e y , e θ ] described from the body-fixed frame, [x d , y d , θ d ] means target state.Our goal is to find feasible control inputs v c and ω c to stabilize e x , e y and e θ such that mobile robot can track target accurately in the procedure of avoiding obstacles.
Then, we define the dynamics for the nonlinear CPSs as ẋ = f (x) + g(x)u, (31) where u = [u 0 , u 1 ] T = [v c , ω c ] T , x = [e θ , e y , -e x ] T , and q d = [v d , ω d ] T is the desired velocity in the body-fixed frame.Thus, the system dynamics can be denoted as follows: Our goal is to find control inputs [u 0 ,u 1 ] T based on the developed security control strategy to stabilize [e θ ,e y ,-e x ] T on the basis of guaranteeing safety constraint (30) hold under DoS attacks.
The simulation is conducted on a computer with Intel Core i7 CPU and dominant frequency of 3.9GHz with 8GB RAM.And the optimization problem is solved by quadprog function in MAT-LAB.Figs 2-4 present the simulation results with the initial state (-15.15-4.6 0).Fig. 2 illustrates that the mobile robot approaches the target fastly.The coordinates and direction angle errors gradually decrease over time, and the mobile robot avoids the moving obstacle precisely.Fig. 3 verifies that the state of mobile robot does not viloate the state constraint h(x ) in the process of tracking the desired trajectory and avoiding obstacles.Fig. 4 shows the comparison simulation.The DoS attacks are presented in Fig. 5, where dur(A t ) ≤ min(ι CBF , ι CLF ).As we can see from Fig. 2, the mobile robot approaches the target fastly.The coordinates and direction angle errors gradually decrease over time, and the mobile robot avoids the moving obstacles precisely and smoothly.In addition, the density of sampling points on the curve is different in different time periods.At the beginning, the calculated min(ι CBF , ι CLF ) is a little greater, because the distance between the mobile robot and obstacles is far greater than 0.5 unit at the moment.When the mobile robot approaches the obstacles, the calculated min(ι CBF , ι CLF ) becomes much shorter to update the control input timely to avoid the violation of state constraints.Finally, when the mobile robot is already tracked precisely, min(ι CBF , ι CLF ) becomes approximately a constant.Fig. 3 shows the changing distance between the mobile robot and the moving obstacles during the target tracking.It can be easily observed that the distance is always greater than 0.5 unit, which verifies that obstacle is avoided accurately.On the contrary, as shown in the red circle in Fig. 4, utilizing the conventional approach in [18] fails to satisfy the state constraints, where the sample period is chosen as 5 ms, which leads to the end of iterations and failure of algorithm, and the mobile robot can not continue to move to track target or avoid obstacles.In conclusion, the comparison simulation implies the much better performance of our approach compared to the conventional method in [18].

Conclusions
In this paper, we have developed a robust selftriggered control algorithm for nonlinear cyberphysical systems with state constraints under DoS attacks.In this method, we have designed a selftriggered mechanism to decrease network communication loads to the most extent.The sufficient conditions are in place to ensure the algorithm feasibility and closed-loop stability.In the final, the numerical example has been provided to demonstrate the prominent feasibility and advantages of proposed approach.
For our future studies directions, some possible enhancements of the proposed work need to be taken into account.
1) Develop a more resilient approach to handle control input constraint [26] under more complex cyber-physical environment, where cyber threats such as DoS attacks and deception attacks [27] might coexist.
2) Combine the proposed framework with model predictive control [28]- [30] and extend them to large-scale CPSs.

Fig. 1
Fig. 1 The schematic diagram of the CPSs

while
DoS attack occurs do 10: Calculate the starting time t s of the DoS attacks 11:

Fig. 2 Fig. 4 Fig. 5
Fig.2The evolution of trajectory when avoiding obstacles in straight-line and curve-line movements As we can see from the calculation process of Θ(t), it is time dependent, since we substitute x (t) with w (t) in the original safety constraint Θ(t k ).Therefore, there is no necessity to calculate the closedloop solution of (1) to appraise the safety constraint.
k , t k+1 ] under ZOH, then we only need to take state bound into consideration.By Lemma 1, we use w t k (t) to determine the boundary of the state and utilize Lipschitz condition Θ, f and g to obtain Θ(t).Remark 2