
Opacity formulations and verification in discrete event systems

C. N. Hadjicostis, ECE Department, University of Cyprus, [email protected]

C. Keroglou, ECE Department, University of Cyprus, [email protected]

Abstract

In many emerging security applications, a property of a system, that may reveal important details about its behaviour, needs to be kept secret (opaque) to outside observers (intruders). Motivated by such applications, several authors have formalized, analyzed, and described methods to verify notions of opacity in discrete event systems of interest. This paper offers a review of various definitions of opacity, along with methodologies for their verification and complexity analysis. We review state-based notions of opacity (namely, current-state opacity and initial-state opacity) in non-deterministic finite automata, as well as their extensions to stochastic settings. Specifically, we discuss these notions of opacity and methods to verify them in discrete event systems modeled by non-deterministic finite automata (NFA’s) or probabilistic finite automata (PFA’s).

Keywords: Opacity, automata, probabilistic automata, security and privacy, DES

1 Introduction

Motivated by the increased reliance of many applications on shared cyber-infrastructures (ranging from defense and banking to health care and power distribution systems), various notions of security and privacy have received considerable attention from researchers. A number of such notions focus on characterizing the information flow from the system to the intruder [11]. Opacity falls in this category and aims at determining whether a given system’s secret behavior (i.e., a subset of the behavior of the system that is considered critical and is usually represented by a predicate) is kept opaque to outsiders [4, 22]. More specifically, this requires that the intruder (modeled as a passive observer of the system’s behavior) never be able to establish the truth of the predicate.

Early works that studied notions of opacity in discrete event systems include [5, 6, 1, 10]. The authors of [5] and [6] focus on finite state Petri nets and define opacity with respect to state-based predicates. Multiple intruders that are modeled as observers with different observation capabilities are considered in [1], which requires that no intruder be able to determine that the actual trajectory of the system belongs to the secret behavior assigned to that intruder. The authors of [10] consider a single intruder (that might observe different events than the ones observed/controlled by the supervisor) and establish that a minimally restrictive supervisor always exists, but might not be regular.

In [22, 25], the authors consider opacity with respect to state-based predicates in a discrete event system (DES) that can be modeled as a non-deterministic finite automaton G with partial observation on its transitions. State-based notions of opacity exemplify the use of observers, i.e., deterministic finite automata which provide, for any observation sequence, the set of possible current (or initial in [25]) states for verifying properties of interest. The connection with state estimation also makes more explicit the relationship between state-based notions of opacity and their verification with observers (such as the current-state and initial-state estimators discussed in this paper). The authors in [31] showed that there exists a polynomial-time transformation between the different notions of opacity.

The notion of current-state opacity in [22] requires that no sequence of transitions allows the intruder (who is assumed to have full knowledge of the system model and be able to track the sequence of observable transitions) to unambiguously determine that the current state of the system belongs to a given set of secret states S. Analogously, the notion of initial-state opacity in [25] requires that no sequence of transitions allows the intruder (who is again assumed to have full knowledge of the system model and to be able to track the sequence of observable transitions) to unambiguously determine that the initial state of the system belonged to a given set of secret states S. Examples to motivate the study of current- and initial-state opacity in the context of sensor network coverage and encryption using pseudo-random generators can be found in [25, 23].

The notion of resolution of initial-state with respect to a set of secret states S (considered in [13]) is related to initial-state opacity. The setting is similar: one is given a non-deterministic finite automaton G, with partial observation on its transitions, and a set of secret states S. An observer, with full knowledge of the system model, tracks system activity through some natural projection map and aims to determine whether the initial state of the system definitely lies within the set of secret states S. Resolution of initial state with respect to set S requires that when the system starts from a secret state, the observer be able to eventually (i.e., after a finite sequence of events/observations) determine with certainty that the system initial state lies within the set of secret states S. Absence of resolution of initial state is necessary but not sufficient for initial-state opacity.

Initial-state opacity and resolution of initial-state are related to work that has appeared in the context of testing of digital sequential circuits, where the initial-state might be unknown and the task is to identify the initial-state of the system. For instance, a distinguishing sequence is an input sequence that produces a unique output sequence for each possible starting state, thus allowing the observer to differentiate among possible starting states [14]. The work in [32] has shown that it is PSPACE-complete to determine whether or not a deterministic finite automaton has a distinguishing sequence (as there exist systems whose shortest distinguishing sequence has length that is exponential in the number of states of the automaton). However, [32] has also shown that one can determine in polynomial time whether a deterministic finite automaton has an “adaptive” distinguishing sequence. Previous work on observability/invertibility of DES in [18, 19] and the work on detectability in [28] require the states to eventually (with finite delay) be resolved with respect to a singleton set of states. Note that [29] addresses the ability to distinguish between clusters of states.

Motivated by the absence of likelihood information in most earlier work on opacity, the information-theoretic works in [17, 30], and more recently the work in [2], extend notions of opacity to probabilistic settings. In particular, state-based notions of opacity have been developed for probabilistic finite automata (PFA’s) in [26] by devising appropriate measures to quantify opacity. Three notions were defined and analyzed in [26]:

(i) Step-based almost current-state opacity considers the a priori probability of violating current-state opacity, following any sequence of events of length k; step-based almost current-state opacity requires that this probability lies below a threshold for all possible lengths (k = 0, 1, 2, . . .).

(ii) Almost current-state opacity is the extension of step-based almost current-state opacity when there is no consideration regarding the length of the sequence of events, i.e., it considers the a priori probability of violating current-state opacity following any sequence of events, and requires that this probability lies below a threshold.

(iii) Probabilistic current-state opacity requires that, for each possible sequence of observations, the following property holds: the increase in the conditional probability that the system current state lies in the set of secret states (conditioned on the given sequence of observations) compared to the prior probability (that the initial state lies in the set of secret states before any observation became available) is smaller than a given threshold.

The above ideas were extended recently in [15] to deal with initial state opacity in PFA’s.

2 Notation

Let Σ be an alphabet (set of events) and denote by Σ∗ the set of all finite-length strings of elements of Σ (sequences of events), including the empty string ε (the length of a string s is denoted by |s| with |ε| = 0). A language L ⊆ Σ∗ is a subset of finite-length strings (sequences of events with the first event appearing on the left) from strings in Σ∗ [7]. Given strings s, t ∈ Σ∗, the string st denotes the concatenation of s and t, i.e., the sequence of events captured by s followed by the sequence of events captured by t. For a string s, s̄ denotes the prefix-closure of s and is defined as s̄ = {t ∈ Σ∗ | ∃t′ ∈ Σ∗ {tt′ = s}}.

2.1 Deterministic/Non-Deterministic Finite Automata

Definition 1 (Deterministic Finite Automaton (DFA)). A deterministic finite automaton is described by D = (X, Σ, δ, x0), where X = {1, 2, . . . , N} is the set of states, Σ is the set of events, δ : X × Σ → X is the (possibly partially defined) state transition function, and x0 ∈ X is the initial state.

The function δ can be extended from the domain X × Σ to the domain X × Σ∗ in the routine recursive manner:

$$\delta(x, \sigma s) = \begin{cases} \delta(\delta(x, \sigma), s), & \text{if } \delta(x, \sigma) \text{ is defined}, \\ \text{undefined}, & \text{otherwise}, \end{cases}$$

for x ∈ X, s ∈ Σ∗ and σ ∈ Σ (note that δ(x, ε) := x). The behavior of D is captured by its language L(D) := {s ∈ Σ∗ | δ(x0, s) is defined}.

Definition 2 (Non-Deterministic Finite Automaton (NFA)). A non-deterministic finite automaton is described by G = (X, Σ, δ, X0), where X = {1, 2, . . . , N} is the set of states, Σ is the set of events, δ : X × Σ → 2^X is the non-deterministic state transition function, and X0 ⊆ X is the set of possible initial states.

Clearly, a DFA is a special case of an NFA in which the mapping δ (with a slight abuse of notation) returns either a singleton subset of X or the empty set. For an NFA or a DFA, we define, for a set Q ⊆ X and σ ∈ Σ, δ(Q, σ) = ∪_{q∈Q} δ(q, σ); with this notation at hand, the function δ can be extended from the domain X × Σ to the domain X × Σ∗ in the routine recursive manner: δ(x, σs) := δ(δ(x, σ), s) for x ∈ X, s ∈ Σ∗ and σ ∈ Σ (with δ(i, ε) := {i}). The behaviour of G is captured by its language L(G) := {s ∈ Σ∗ | ∃x0 ∈ X0 {δ(x0, s) ≠ ∅}}. We use L(G, x) to denote the set of all traces that originate from state x of G (so that L(G) = ∪_{x0∈X0} L(G, x0)).

In general, only a subset Σ_obs (Σ_obs ⊆ Σ) of the events can be observed, so that Σ is partitioned into the set of observable events Σ_obs and the set of unobservable events Σ_uo = Σ − Σ_obs. The natural projection P_{Σ_obs} : Σ∗ → Σ∗_obs can be used to map any trace executed in the system (whether a DFA or an NFA) to the sequence of observations associated with it. This projection is defined recursively as P_{Σ_obs}(σs) = P_{Σ_obs}(σ) P_{Σ_obs}(s), σ ∈ Σ, s ∈ Σ∗, with

$$P_{\Sigma_{obs}}(\sigma) = \begin{cases} \sigma, & \text{if } \sigma \in \Sigma_{obs}, \\ \varepsilon, & \text{if } \sigma \in \Sigma_{uo} \cup \{\varepsilon\}, \end{cases}$$

where ε represents the empty trace [7]. In the sequel, the subscript Σ_obs in P_{Σ_obs} will be dropped when it is clear from context.

Any m ∈ 2^{X²} is a subset of X² (i.e., a relation on the set X) and contains pairs of states. In this paper we will find it convenient to view m as a state mapping consisting of pairs of a starting state and an ending state. The set of states included as the first (second) component in these pairs is called the set of starting (ending) states of m. We denote the set of starting states for state mapping m by m(1), and the set of ending states by m(2). In other words, m(1) = {i | ∃(i, j) ∈ m} and m(2) = {j | ∃(i, j) ∈ m}. The composition operator ◦ : 2^{X²} × 2^{X²} → 2^{X²} for state mappings m1, m2 ∈ 2^{X²} is defined as

$$m_1 \circ m_2 := \{(i_1, i_3) \mid \exists i_2 \in X\ \{(i_1, i_2) \in m_1,\ (i_2, i_3) \in m_2\}\}.$$

We can map any observation of finite but arbitrary length in NFA G to a state mapping by using the mapping M : Σ∗_obs → 2^{X²} defined for ω ∈ Σ∗_obs as

$$M(\omega) = \{(i, j) \in X^2 \mid \exists s \in \Sigma^*\ \{P(s) = \omega,\ j \in \delta(i, s)\}\},$$

which we call the ω-induced state mapping. The pair (i, j) ∈ M(ω) implies that there exists a sequence of events that starts from state i and ends in state j, and produces observation ω. Finally, for any Z ⊆ X, we define the operator ⊙ : 2^X → 2^{X²} to represent Z ⊙ Z := {(i, i) | i ∈ Z}. The following theorem is proven in [15].

Theorem 1 [15] Consider an NFA G = (X, Σ, δ, X0) and a natural projection map P with respect to the set of observable events Σ_obs, Σ_obs ⊆ Σ. Given two observation sequences ω1 ∈ Σ∗_obs and ω2 ∈ Σ∗_obs, we have

$$M(\omega_1) \circ M(\omega_2) = M(\omega_1 \omega_2).$$

2.2 Probabilistic Finite Automata

Definition 3 (Probabilistic Finite Automaton (PFA)) [20, 12]. A probabilistic finite automaton (PFA) is captured by H = (X, Σ, p, π0), where X = {1, 2, . . . , N} is the set of states; Σ is the set of events; π0 is the initial-state probability distribution vector; p(i′, σ|i) is the state transition probability defined for i, i′ ∈ X, and σ ∈ Σ, as the probability that event σ occurs and the system transitions to state i′ given that the system is in state i.

When p(i′, σ|i) = 0, state i′ is not reachable from state i via event σ (in the diagram representing the given PFA, we do not draw such transitions). Clearly, we need

$$\sum_{i' \in X} \sum_{\sigma \in \Sigma} p(i', \sigma \mid i) = 1, \quad \forall i \in X. \tag{A1}$$

We assign a probability to each trace in Σ∗ with the interpretation that this value determines the probability of its occurrence. More formally, assuming that Pr(i′, s) denotes the probability that s is executed in the system and the current state of the system becomes state i′, we define for σ ∈ Σ, s ∈ Σ∗,

$$\begin{aligned} Pr(s\sigma) &= \sum_{i \in X} Pr(i, s\sigma), \\ Pr(i, s\sigma) &= \sum_{i' \in X} p(i, \sigma \mid i')\, Pr(i', s), \\ Pr(i, \varepsilon) &= \pi_0(i). \end{aligned} \tag{1}$$

Remark 1 Given a PFA H = (X, Σ, p, π0) we can associate with it a unique NFA G = (X, Σ, δ, X0) where the state transition function δ : X × Σ → 2^X is defined for i, i′ ∈ X, σ ∈ Σ as

$$\delta(i, \sigma) = \{\, i' \mid p(i', \sigma \mid i) > 0 \,\},$$

and the set of possible initial states is defined as X0 = {i | π0(i) > 0}. In this way, the behavior of the PFA H is mapped to the behavior of the associated NFA G, i.e., L(H) = L(G) (where L(H) = {s ∈ Σ∗ | Pr(s) > 0}).

When Σ is partitioned into the set of observable events Σ_obs and the set of unobservable events Σ_uo, we can define the probability of observing a sequence of observations ω as the probability of occurrence of any string in the system which produces the sequence of observations ω. Note that if two strings s and t produce the sequence of observations ω (i.e., P(s) = P(t) = ω) and one is a prefix of the other, say t ∈ s̄, then to obtain the probability of observing the sequence of observations ω, we only include the probability of the prefix string t.

Definition 4 (Markov Chain (MC)). A finite Markov chain is denoted by M = (X, p, π0), where X = {1, 2, . . . , N} is the set of states, p(i′|i) is the state transition probability defined for i, i′ ∈ X, as the probability that the system state i transitions to state i′, and π0 is the N-dimensional initial-state probability distribution vector. We associate with Markov chain M a state transition probability matrix P such that the (i′, i)th element of matrix P is defined as p(i′|i), i.e. P(i′, i) = p(i′|i).

Using the state transition probability matrix P, one can iteratively obtain its current-state probability distribution vector π_k after k steps via π_{k+1} = P π_k (so that π_k = P^k π_0).

Remark 2 Each PFA H = (X, Σ, p, π0) can be associated with a unique MC M = (X, p_M, π0) where the Markov chain state transition probability is defined for i, i′ ∈ X as p_M(i′|i) = Σ_{σ∈Σ} p(i′, σ|i) [3].
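The following is an added example, not code from the paper: it implements the trace recursion (1), the probability of an observation sequence as described above (counting only the shortest of two prefix-related strings with the same projection), and the NFA and Markov chain of Remarks 1 and 2, on a constructed three-state PFA. The transition probabilities, the event names and the choice of "u" as the only unobservable event are assumptions; the observation probability further assumes that unobservable transitions form no cycle.

```python
# Added example (not from the paper). Constructed PFA H = (X, Σ, p, π0):
# p(i', σ | i) is stored as P[i][(σ, i')]; "u" is the only unobservable event.
X = [1, 2, 3]
SIGMA_OBS = {"a", "b"}
P = {
    1: {("a", 2): 0.5, ("u", 3): 0.5},
    2: {("b", 1): 1.0},
    3: {("a", 2): 1.0},
}
PI0 = {1: 0.7, 2: 0.3, 3: 0.0}


def satisfies_a1(p=P, states=X, tol=1e-9):
    """Condition (A1): the outgoing probabilities of every state sum to one."""
    return all(abs(sum(p.get(i, {}).values()) - 1.0) < tol for i in states)


def trace_distribution(s, p=P, pi0=PI0, states=X):
    """Pr(i, s) for every i, by recursion (1):
    Pr(i, ε) = π0(i) and Pr(i, sσ) = Σ_{i'} p(i, σ | i') Pr(i', s)."""
    dist = {i: pi0.get(i, 0.0) for i in states}
    for sigma in s:
        nxt = {i: 0.0 for i in states}
        for i_prev, mass in dist.items():
            for (event, i), prob in p.get(i_prev, {}).items():
                if event == sigma:
                    nxt[i] += prob * mass
        dist = nxt
    return dist


def trace_probability(s):
    """Pr(s) = Σ_i Pr(i, s); s ∈ L(H) iff this is positive (Remark 1)."""
    return sum(trace_distribution(s).values())


def unobservable_closure(rho, p=P, states=X, sigma_obs=SIGMA_OBS):
    """Spread the mass `rho` along unobservable strings of any length:
    c = rho + U c, iterated len(states) times (exact when the unobservable
    transitions form no cycle, which is assumed for this example)."""
    c = dict(rho)
    for _ in range(len(states)):
        new = {i: rho.get(i, 0.0) for i in states}
        for i_prev, mass in c.items():
            for (event, i), prob in p.get(i_prev, {}).items():
                if event not in sigma_obs:
                    new[i] += prob * mass
        c = new
    return c


def observation_probability(omega, p=P, pi0=PI0, states=X, sigma_obs=SIGMA_OBS):
    """Probability of observing ω: total probability of the strings that project
    to ω and end with ω's last observable event, so of two strings s, t with
    P(s) = P(t) = ω and t a prefix of s only t is counted."""
    rho = {i: pi0.get(i, 0.0) for i in states}   # mass that has just produced ω
    for alpha in omega:
        spread = unobservable_closure(rho, p, states, sigma_obs)
        rho = {i: 0.0 for i in states}
        for i_prev, mass in spread.items():
            for (event, i), prob in p.get(i_prev, {}).items():
                if event == alpha:
                    rho[i] += prob * mass
    return sum(rho.values())


def associated_nfa(p=P, pi0=PI0):
    """Remark 1: δ(i, σ) = {i' | p(i', σ | i) > 0} and X0 = {i | π0(i) > 0}."""
    delta = {}
    for i, out in p.items():
        for (event, i2), prob in out.items():
            if prob > 0:
                delta.setdefault((i, event), set()).add(i2)
    return delta, {i for i, q in pi0.items() if q > 0}


def markov_matrix(p=P, states=X):
    """Remark 2: matrix whose (i', i) entry is p_M(i' | i) = Σ_σ p(i', σ | i);
    rows and columns follow the order of `states`, so columns sum to one."""
    idx = {s: k for k, s in enumerate(states)}
    m = [[0.0] * len(states) for _ in states]
    for i, out in p.items():
        for (event, i2), prob in out.items():
            m[idx[i2]][idx[i]] += prob
    return m


def next_distribution(pi, states=X):
    """π_{k+1} = P π_k with the Markov matrix of Remark 2."""
    m = markov_matrix(states=states)
    return {s: sum(m[r][c] * pi[states[c]] for c in range(len(states)))
            for r, s in enumerate(states)}
```

With these numbers Pr(a) = 0.35 while the probability of observing "a" is 0.7, because the string "ua" projects to the same observation and is counted as well; Pr("a") + Pr("b") = 1 over the two possible length-one observations.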


2.3 Motivating Example: Vehicle Tracking

As motivation for studying the notion of opacity, we present an example that was first discussed in [21]. Consider a vehicle capable of moving on a grid, such as the toy 2×2 grid in Fig. 1(a). If we use the cell number to denote the state of the vehicle, then the trajectory that the vehicle follows corresponds to a sequence of states and the origin of the trajectory is captured by the initial state of the vehicle. The vehicle’s possible movements are available via a kinematic model, i.e., a finite automaton whose states are associated with the state (cell) of the vehicle and whose transitions correspond to the movements of the vehicle that are allowed at each position (up, down, left, right, diagonal, etc. — the allowed movements will presumably depend on the underlying terrain that the grid is capturing). Fig. 1(b) depicts an example of a kinematic model for the vehicle that moves in the toy grid of Fig. 1(a).

Suppose sensors are deployed in the grid such that each sensor detects the presence of the vehicle in a cell or in some aggregation of cells; when the vehicle passes through a cell within the coverage of a sensor, this sensor emits a signal that indicates this event. To capture this information, we can enhance the kinematic model by assigning label α to all transitions that end in a cell within the coverage area of sensor α. Since sensor coverage may overlap, the label of transitions ending in areas which are covered by more than one sensor can be chosen to be a special label that indicates the set of all sensors covering that location. Fig. 2 depicts the (non-deterministic) finite automaton G that models both the kinematic model of the vehicle and the corresponding sensor readings for a particular set of sensor coverages; note that unobservable transitions correspond to locations that are not covered by any sensor. Essentially G is a non-deterministic finite automaton with partial observation on its transitions. We can extend the above formulation to a probabilistic setting under which each transition is assigned a specific probability of occurrence as in Fig. 7.

Several security and privacy questions pertaining to the trajectory that the vehicle follows can be formulated in terms of state-based notions of opacity for NFA or PFA G [21]. In particular, one of the questions that might arise in the above context is that of understanding whether the sensory information that is available allows us to obtain important information about the present location (current state) or the origin (initial state) of the vehicle. In a probabilistic setting this translates to the requirement that the probability of the strings that violate opacity be below (or above) a specific threshold.

3 Opacity in Non-Deterministic Finite Automata (NFA’s)

We next discuss language-based and state-based notions of opacity. Language-based opacity defines the secret as a sublanguage of the system; initial-state opacity and current-state opacity define the secret in terms of a subset of states. The authors in [31] showed that there exists a polynomial-time transformation between the different notions of opacity.

Figure 1. (a) Grid in which a vehicle can move; (b) Kinematic model for a vehicle in the grid in (a).

Definition 5 (Language-Based Opacity (LBO)) [16, 31]. Consider an NFA G = (X, Σ, δ, X0), under a natural projection map P with respect to the set of observable events Σ_obs, Σ_obs ⊆ Σ, a secret language L_S ⊆ L(G, X0), and a non-secret language L_NS ⊆ L(G, X0). Automaton G is language-based opaque with respect to L_S and P if for all t ∈ L_S, there exists another string t′ ∈ L_NS such that P(t) = P(t′). Equivalently, L_S ⊆ P^{−1}[P(L_NS)].

3.1 Current-state opacity (CSO)

Current-state opacity assumes a given set of secret states S and requires the secret behaviour of the system (i.e., the membership of its current state to the set S) to remain opaque (uncertain) until the system enters a state outside the set of secret states S. The following is the formal definition of current-state opacity from [24].

Definition 6 (Current-State Opacity (CSO)). Consider an NFA G = (X, Σ, δ, X0), under a natural projection map P with respect to the set of observable events Σ_obs, Σ_obs ⊆ Σ, and a set of secret states S ⊆ X. Automaton G is current-state opaque with respect to S and P (or (S, P) current-state opaque), if ∀t ∈ Σ∗, ∀i ∈ X0

$$\{\delta(i, t) \neq \emptyset,\ \delta(i, t) \subseteq S\} \Rightarrow \{\exists s \in \Sigma^*, \exists i' \in X_0\ \{P(s) = P(t),\ \delta(i', s) \not\subseteq S\}\}.$$

The set of states that the system might reside in, given that a sequence of observations ω ∈ Σ∗_obs has been observed, is referred to as the current-state estimate. The current state following any sequence of observations can be obtained by determinizing the given NFA to obtain its so-called observer [7]. Here we also refer to the observer as the current state estimator (to distinguish it from the initial state estimator that we use later on).


Definition 7 (Current State Estimator (CSE)) [7]. Consider an NFA G = (X, Σ, δ, X0) under a natural projection map P with respect to the set of observable events Σ_obs, Σ_obs ⊆ Σ. The current-state estimator (or observer) is a deterministic finite automaton (DFA) G_obs constructed as follows: (i) Each state of G_obs is associated with a unique subset of states of the original NFA G (so that there are at most 2^|X| = 2^N states). (ii) The initial state X_obs0 of G_obs is the unobservable reach of X0, i.e., the set of states that are reachable from some state in X0 via a sequence of zero, one, or more unobservable events. (iii) At any state Z of the estimator (Z ⊆ X), the next state upon observing an event α ∈ Σ_obs is the unique state of G_obs associated with the set of states that can be reached from (one or more of) the states in Z with a string of events that generates the observation α. We denote the observer automaton by G_obs = (X_obs, Σ_obs, δ_obs, X_obs0) where X_obs ⊆ 2^X is the set of states reachable in G_obs from the initial state X_obs0.

Adding a self-loop to each state of DFA G_obs for each label in the set Σ_uo = Σ − Σ_obs we create the DFA G̃_obs = (X_obs, Σ, δ̃_obs, X_obs0), which is of use later in this paper. The formal definition of G̃_obs can be found below.

Definition 8 (CSE with Unobservable Self-Loops). Consider an NFA G = (X, Σ, δ, X0), under a natural projection map P with respect to the set of observable events Σ_obs, Σ_obs ⊆ Σ. Given its current-state estimator (CSE) G_obs = (X_obs, Σ_obs, δ_obs, X_obs0), we define the CSE with unobservable self loops to be the DFA G̃_obs = (X_obs, Σ, δ̃_obs, X_obs0) where we define δ̃_obs for x_obs ∈ X_obs and σ ∈ Σ as

$$\tilde{\delta}_{obs}(x_{obs}, \sigma) = \begin{cases} \delta_{obs}(x_{obs}, \sigma), & \text{for } \sigma \in \Sigma_{obs}, \\ x_{obs}, & \text{for } \sigma \in \Sigma_{uo}, \end{cases}$$

with Σ_uo ≡ Σ − Σ_obs.

One can check whether a system is current-state opaque by constructing the current-state estimator and by verifying that no (nonempty) current-state estimate lies entirely within the set of secret states [22, 8, 24, 9].

Theorem 2 (Verification of Current-State Opacity) [25]. The non-deterministic finite automaton G is current state opaque with respect to a set of secret states S under natural projection map P if and only if

$$\forall x_{obs} \in X_{obs} :\ \{\, x_{obs} \not\subseteq S\ \lor\ x_{obs} = \emptyset \,\}, \tag{2}$$

where X_obs is the set of (reachable) states of the CSE G_obs.

Example 1 Consider the NFA G depicted in Fig. 2 with Σ_obs = Σ = {α, β}. Assume that S = {2, 3} and that X0 = {1, 3, 4}. It can be seen from the current-state estimator in Fig. 3 that there exists x ∈ X_obs, such that x ⊆ S, thus G is not current-state opaque.

Figure 2. NFA G used in Example 1.

Figure 3. Current-state estimator (CSE) for NFA G in Example 1.
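The construction of Definition 7 and the check of Theorem 2, as an added example that is not code from the paper: since Fig. 2 is not reproduced here, it runs on a constructed four-state NFA with one unobservable event; the automaton, the event names ("a"/"b" for α/β, "u" unobservable) and the secret sets are assumptions.

```python
# Added example (not from the paper): current-state estimator (Definition 7)
# and current-state opacity check (Theorem 2) on a constructed NFA.
from collections import deque

X = {1, 2, 3, 4}
SIGMA = {"a", "b", "u"}
SIGMA_OBS = {"a", "b"}          # "u" is the only unobservable event
# δ as a dict (state, event) -> set of successors; absent key = undefined
DELTA = {
    (1, "a"): {2},
    (1, "u"): {3},
    (3, "a"): {4},
    (2, "b"): {1},
    (4, "b"): {1},
}
X0 = {1}


def project(s, sigma_obs=SIGMA_OBS):
    """Natural projection P: erase the unobservable events of a string."""
    return "".join(e for e in s if e in sigma_obs)


def step(states, event, delta=DELTA):
    """δ(Q, σ) = ∪_{q ∈ Q} δ(q, σ)."""
    out = set()
    for q in states:
        out |= delta.get((q, event), set())
    return out


def unobservable_reach(states, delta=DELTA, sigma_uo=SIGMA - SIGMA_OBS):
    """States reachable from `states` via zero or more unobservable events."""
    reach, frontier = set(states), list(states)
    while frontier:
        q = frontier.pop()
        for e in sigma_uo:
            for q2 in delta.get((q, e), set()):
                if q2 not in reach:
                    reach.add(q2)
                    frontier.append(q2)
    return frozenset(reach)


def build_observer(x0=X0, delta=DELTA, sigma_obs=SIGMA_OBS):
    """G_obs: returns (reachable states, transitions, initial state).

    States are frozensets of NFA states. Step (iii) of Definition 7 is the
    unobservable reach of δ(Z, α). An observation that no string can produce
    would lead to the empty estimate, which is left out (partial δ_obs).
    """
    init = unobservable_reach(x0, delta)
    states, trans, queue = {init}, {}, deque([init])
    while queue:
        z = queue.popleft()
        for alpha in sigma_obs:
            nxt = unobservable_reach(step(z, alpha, delta), delta)
            if not nxt:
                continue
            trans[(z, alpha)] = nxt
            if nxt not in states:
                states.add(nxt)
                queue.append(nxt)
    return states, trans, init


def current_state_estimate(omega, observer):
    """Drive G_obs with an observation sequence; None if ω is not producible."""
    _, trans, z = observer
    for alpha in omega:
        z = trans.get((z, alpha))
        if z is None:
            return None
    return z


def is_current_state_opaque(secret, observer):
    """Theorem 2: opaque iff no reachable (non-empty) estimate lies within S."""
    states, _, _ = observer
    return all(not z <= secret for z in states)


if __name__ == "__main__":
    obs = build_observer()
    print("estimates:", [sorted(z) for z in obs[0]])
    # S = {2} is opaque: after observing "a" the estimate is {2, 4}, because
    # the unobservable move 1 -u-> 3 followed by "a" also explains it.
    # S = {2, 4} is not, since that estimate lies entirely inside S.
    print(is_current_state_opaque({2}, obs), is_current_state_opaque({2, 4}, obs))
```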

3.2 Initial-State Opacity (ISO)

In certain applications, such as encryption, some vital initial-state information (e.g., the seed used at the start of a random number generator) needs to be kept secret from an outside observer during the operation of the system. Motivated by such requirements, the notion of initial-state opacity in DES that are modeled as non-deterministic finite automata requires that the membership of the initial state to a given set of secret states S remain opaque to an external observer who is observing the events that occur in the system through some natural projection map P with respect to the set of observable events [25].

Definition 9 (Initial-State Estimate). Consider an NFA G = (X, Σ, δ, X0), under a natural projection map P with respect to the set of observable events Σ_obs, Σ_obs ⊆ Σ. The initial-state estimate after observing string ω ∈ Σ∗_obs is defined as

$$X_0(\omega) = \{\, x_0 \in X_0 \mid \exists s \in \Sigma^*\ \{P(s) = \omega,\ \delta(x_0, s) \neq \emptyset\} \,\}.$$

The authors of [25] introduced the construction of the initial-state estimator (ISE), i.e., a deterministic finite automaton G_Iobs = (X_Iobs, Σ_obs, δ_Iobs, X_Iobs0) that is driven by observable events in Σ_obs and whose states are state mappings, i.e., X_Iobs ⊆ 2^{X²}. The ISE construction ensures the following property: given the observation of a sequence of labels ω ∈ Σ∗_obs, ω ≠ ε (generated by unknown underlying activity in the system G), the ISE reaches a state m = δ_Iobs(X_Iobs0, ω) such that the set of possible initial states is captured by the initial states associated with m, i.e., for ω ≠ ε

$$X_0(\omega) = m(1) \quad \text{where } m = \delta_{Iobs}(X_{Iobs0}, \omega).$$

To construct the estimator G_Iobs, we start from a state in which nothing about the initial system state is known; specifically, the state mapping associated with this initial state of the estimator is X0 ⊙ X0, where X0 is the set of initial states of the system. The observation of a label α ∈ Σ_obs causes G_Iobs to transition to the state associated with the state mapping obtained by composing the previous state mapping and the mapping M(α) induced by the new observation. The information captured by this composed state mapping (and by each subsequently obtained state of G_Iobs) is the following: we keep track of all pairs of one starting state (from the set X0) and one ending state, such that we can reach the ending state from the starting state via a sequence of events that generates the sequence of observations seen so far. Note that this construction (which is described formally below) is guaranteed to be finite and has at most 2^{N²} states, where N is the number of states of the finite automaton G.

Definition 10 (Initial-State Estimator (ISE)). Consider an NFA G = (X, Σ, δ, X0), under a natural projection map P with respect to the set of observable events Σ_obs, Σ_obs ⊆ Σ. The initial-state estimator (ISE) is the deterministic finite automaton G_Iobs = AC(2^{X²}, Σ_obs, δ_Iobs, X_Iobs0) with state set 2^{X²} (powerset of X × X), event set Σ_obs, initial state X_Iobs0 = X0 ⊙ X0, and state transition function δ_Iobs : 2^{X²} × Σ_obs → 2^{X²} defined for α ∈ Σ_obs as

$$m' = \delta_{Iobs}(m, \alpha) := m \circ M(\alpha),$$

where m, m′ ∈ 2^{X²}. [Recall that M(α) denotes the state mapping that is induced by symbol α ∈ Σ_obs; AC denotes the states that are accessible from initial state X_Iobs0 via δ_Iobs]. If we let X_Iobs ⊆ 2^{X²} be the states that are reachable from the initial state X_Iobs0 under δ_Iobs, then G_Iobs = (X_Iobs, Σ_obs, δ_Iobs, X_Iobs0).

Adding a self-loop to each state of DFA $G_{I,obs}$ for each label in the set $\Sigma_{uo} = \Sigma - \Sigma_{obs}$ we create the DFA $\overline{G}_{I,obs} = (X_{I,obs}, \Sigma, \overline{\delta}_{I,obs}, X_{I,obs,0})$, which is of use later in this paper. The formal definition of $\overline{G}_{I,obs}$ can be found below.

Definition 11 (ISE with Unobservable Self-Loops). Consider an NFA $G = (X, \Sigma, \delta, X_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$. Given its initial-state estimator (ISE) $G_{I,obs} = AC(2^{X^2}, \Sigma_{obs}, \delta_{I,obs}, X_{I,obs,0}) \equiv (X_{I,obs}, \Sigma_{obs}, \delta_{I,obs}, X_{I,obs,0})$, we define the ISE with unobservable self-loops to be the DFA $\overline{G}_{I,obs} = (X_{I,obs}, \Sigma, \overline{\delta}_{I,obs}, X_{I,obs,0})$ where we define $\overline{\delta}_{I,obs}$ for $x_{I,obs} \in X_{I,obs}$ and $\sigma \in \Sigma$ as

$$\overline{\delta}_{I,obs}(x_{I,obs}, \sigma) = \begin{cases} \delta_{I,obs}(x_{I,obs}, \sigma), & \text{for } \sigma \in \Sigma_{obs}, \\ x_{I,obs}, & \text{for } \sigma \in \Sigma_{uo}, \end{cases}$$

with $\Sigma_{uo} \equiv \Sigma - \Sigma_{obs}$.

Example 2 The following example is used to clarify the notation and the ISE construction. Consider the NFA $G = (X, \Sigma, \delta, X_0)$ shown in Fig. 4, where $X = \{1, 2, 3, 4\}$, $\Sigma = \{\alpha, \beta\}$, $\delta$ is as defined by the transitions in the figure, and $X_0 = X = \{1, 2, 3, 4\}$. Assume that $\Sigma_{obs} = \{\alpha, \beta\}$ and $\Sigma_{uo} = \emptyset$. To construct the $\beta$-induced state mapping, i.e., $M(\beta)$, note that $\beta$ can be observed only from state 1, whereas the ending state can be state 2 or state 3. Hence, $M(\beta) = \{(1, 2), (1, 3)\}$. Following the same reasoning, we obtain $M(\alpha) = \{(2, 3), (2, 4), (3, 3), (4, 1), (4, 3)\}$. The composition of these two state mappings yields $M(\beta) \circ M(\alpha) = \{(1, 3), (1, 4)\}$ and indicates that if we observe $\beta\alpha$, we could start from state 1 and end up in state 3 or state 4.

Figure 4. NFA G in Example 2.

Fig. 5 shows the initial-state estimator for this system. The initial uncertainty is assumed to be equal to the state space and hence $m_0 = \{(i, i) \mid i \in X_0\} = \{(1, 1), (2, 2), (3, 3), (4, 4)\}$. In Fig. 6 we use a graphical way to describe the pairs associated with each state of the ISE: initial states are shown on the left of each diagram (starting with state 1 on the top left) and final states are shown on the right of each diagram (starting with state 1 on the top right). Upon observing $\beta$, the next state of the ISE becomes

$$m' = \delta_{I,obs}(m_0, \beta) = m_0 \circ M(\beta) = \{(1, 2), (1, 3)\} = M(\beta) \equiv m_1.$$

Next, assume that we observe $\alpha$; following the same reasoning as in the case of $M(\beta)$, we first obtain $M(\alpha) = \{(2, 4), (2, 3), (3, 3), (4, 1), (4, 3)\}$ and then we have

$$m' = \delta_{I,obs}(m_1, \alpha) = m_1 \circ M(\alpha) = M(\beta) \circ M(\alpha) = \{(1, 3), (1, 4)\}.$$

Using this approach for all possible observations (from each state), the ISE construction can be completed as shown in Fig. 5 and Fig. 6. The procedure is guaranteed to complete in finite time because the set of different state mappings that can be generated is finite. Note that in Fig. 5, following convention, we did not draw the state corresponding to the empty state mapping and transitions from/to it (e.g., from state $m_1$ under observation $\beta$). □

Figure 5. Initial-State Estimator (ISE) for $G$ in Example 2.

Figure 6. Graphical representation of state mappings for ISE in Fig. 5.

Definition 12 (Initial-State Opacity). Consider an NFA $G = (X, \Sigma, \delta, X_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X$. Automaton $G$ is initial-state opaque with respect to $S$ and $P$ if for all $x_s \in S \cap X_0$ and for all $s \in L(G, x_s)$ we have $\exists x_{ns} \in X_0 - S$, $\exists t \in L(G, x_{ns})$, $P(s) = P(t)$.

In other words, the system $G$ is initial-state opaque if, for every string $s$ from a secret initial state (in the set $S \cap X_0$), there exists a string $t$ that originates from a non-secret initial state (in the set $X_0 - S$) and has the same projection as $s$. Clearly, a system is initial-state opaque if and only if [25]

$$\forall \omega \in \Sigma_{obs}^* : \{X_0(\omega) \not\subseteq S \ \vee\ X_0(\omega) = \emptyset\}.$$

If the ISE $G_{I,obs} = (X_{I,obs}, \Sigma_{obs}, \delta_{I,obs}, X_{I,obs,0})$ for system $G$ is available, it can be easily argued that the non-deterministic finite automaton $G$ is initial-state opaque, with respect to a set of secret states $S$ under natural projection map $P$, if and only if [25]

$$\forall x_{I,obs} \in X_{I,obs} : \{x_{I,obs}(1) \not\subseteq S \ \vee\ x_{I,obs} = \emptyset\}. \tag{3}$$
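As an added illustration (not code from the paper), the following Python script builds the ISE of Definition 10 for the NFA of Example 2 and evaluates condition (3) for several secret sets. The transition table is read off $M(\alpha)$ and $M(\beta)$ in Example 2 (events renamed a and b), and all function names are this example's own.

```python
# NFA G = (X, Sigma, delta, X0) of Example 2, read off M(alpha) and M(beta):
# DELTA[(i, sigma)] is the set of successor states (encoding assumed here).
X = {1, 2, 3, 4}
X0 = {1, 2, 3, 4}
SIGMA = {"a", "b"}        # "a" stands for alpha, "b" for beta
SIGMA_OBS = {"a", "b"}    # Sigma_uo is empty in Example 2
DELTA = {
    (1, "b"): {2, 3},
    (2, "a"): {3, 4},
    (3, "a"): {3},
    (4, "a"): {1, 3},
}


def unobservable_reach(states):
    """States reachable from `states` through unobservable events only
    (the identity here, since Sigma_uo is empty, but kept for generality)."""
    reach, stack = set(states), list(states)
    while stack:
        i = stack.pop()
        for sigma in SIGMA - SIGMA_OBS:
            for j in DELTA.get((i, sigma), ()):
                if j not in reach:
                    reach.add(j)
                    stack.append(j)
    return reach


def induced_mapping(alpha):
    """M(alpha): all pairs (i, k) such that some string s with P(s) = alpha
    takes the system from state i to state k."""
    pairs = set()
    for i in X:
        for j in unobservable_reach({i}):
            for k in DELTA.get((j, alpha), ()):
                pairs.update((i, l) for l in unobservable_reach({k}))
    return frozenset(pairs)


def compose(m, n):
    """Composition of state mappings: m o n = {(i, k) | (i, j) in m, (j, k) in n}."""
    return frozenset((i, k) for (i, j) in m for (j2, k) in n if j == j2)


def build_ise():
    """Reachable part of the ISE of Definition 10: states are state mappings,
    the initial state is the identity mapping on X0, and
    delta_Iobs(m, alpha) = m o M(alpha).  Returns (m0, states, delta)."""
    m0 = frozenset((i, i) for i in X0)
    mappings = {alpha: induced_mapping(alpha) for alpha in SIGMA_OBS}
    states, delta, stack = {m0}, {}, [m0]
    while stack:
        m = stack.pop()
        for alpha in sorted(SIGMA_OBS):
            m_next = compose(m, mappings[alpha])
            delta[(m, alpha)] = m_next
            if m_next not in states:      # the empty mapping is kept as a state
                states.add(m_next)
                stack.append(m_next)
    return m0, states, delta


def initial_state_estimate(omega):
    """X0(omega) = m(1): the starting states of the mapping reached by omega."""
    m0, _, delta = build_ise()
    m = m0
    for alpha in omega:
        m = delta[(m, alpha)]
    return {i for (i, _) in m}


def is_initial_state_opaque(secret):
    """Condition (3): G is initial-state opaque w.r.t. `secret` iff no reachable
    nonempty ISE state has all of its starting states inside the secret set."""
    _, states, _ = build_ise()
    return all((not m) or not {i for (i, _) in m} <= secret for m in states)


if __name__ == "__main__":
    m0, states, delta = build_ise()
    print(len(states), "ISE states (including the empty mapping)")
    print("X0(beta alpha) =", initial_state_estimate("ba"))
    for S in ({1}, {2}, {3}, {4}):
        print("secret", S, "opaque:", is_initial_state_opaque(S))
```

For this NFA only $S = \{3\}$ (among singletons) is initial-state opaque: starting from 3 only $\alpha$-strings are possible, and state 2 can generate every one of them.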

4 Opacity in Probabilistic Finite Automata (PFA's)

4.1 Current-state opacity

Given a PFA, its associated NFA might be classified as not current-state opaque, even when the probability of observing a sequence of observations that reveals that the system current state is within the set of secret states is very small. One way to quantify current-state opacity in a probabilistic setting is to obtain the probability of violating current-state opacity either a priori or at a given point along all sequences of events. Definition 14 below takes this perspective and characterizes the probability of violating current-state opacity assuming that the system has generated $k$ events.

Definition 13 (Critical language $L_C$). Consider a PFA $H = (X, \Sigma, p, \pi_0)$ with associated NFA $G = (X, \Sigma, \delta, X_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X$. We define

$$L_C = \big\{ t \in \Sigma^* \ \big|\ \exists i \in X_0 \{\delta(i, t) \neq \emptyset,\ \delta(i, t) \subseteq S\} \text{ and } (\forall i \in X_0)(\forall s \in \Sigma^*)(\forall i' \in X_0) \{ \{\delta(i, t) \neq \emptyset,\ \delta(i, t) \subseteq S,\ P(s) = P(t),\ \delta(i', s) \neq \emptyset\} \Rightarrow \delta(i', s) \subseteq S \} \big\}.$$

Remark 3 The language $L_C$ in Definition 13 denotes the set of strings $t$ in the system that violate current-state opacity, i.e., upon observing $P(t)$, the intruder is certain that the current state of the system is within the set of secret states.

Definition 14 (Step-Based Almost Current-State Opacity). Consider a PFA $H = (X, \Sigma, p, \pi_0)$ with associated NFA $G = (X, \Sigma, \delta, X_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X$. Then, PFA $H$ is step-based almost current-state opaque with respect to $S$, $P$, and a threshold $\theta$ (or $(S, P, \theta, T)$-almost current-state opaque where the symbol "T" is used to indicate step-based) if

$$\forall k = 0, 1, 2, \ldots, \quad \sum_{t \in L_C,\ |t| = k} \Pr(t) < \theta.$$


According to Definition 14, PFA $H$ is step-based almost current-state opaque if, for all $k$, the occurrence of strings of length $k$ that violate current-state opacity has cumulative probability that is less than $\theta$. Note that if NFA $G$ is current-state opaque, then $H$ is $(S, P, \theta, T)$-almost current-state opaque for any $\theta > 0$.

Figure 7. PFA $H$ in Example 3.

Example 3 Consider the PFA $H$ depicted in Fig. 7 (whose associated NFA $G$ is shown in Fig. 2) with $\Sigma_{obs} = \Sigma = \{\alpha, \beta\}$. Assume that $S = \{2, 3\}$ and that $\pi_0 = [\tfrac{1}{3}, 0, \tfrac{1}{3}, \tfrac{1}{3}]'$. We have $L_C = \{s\beta \mid s\beta \in L(G)\}$. This can be seen from the current-state estimator in Fig. 3. Let us verify whether the system is step-based almost current-state opaque with respect to $S$, $P$, and $\theta = \tfrac{2}{3}$. We have $(\forall k)(\forall s, |s| = k - 1)$,

$$\sum_{t \in L_C,\ |t| = k} \Pr(t) = \sum_{s,\ |s| = k-1} \Pr(s\beta) = 1 - \sum_{s,\ |s| = k-1} \Pr(s\alpha) < 1 - \Big(\sum_{s} \Pr(s)\Big) \tfrac{1}{3} = \tfrac{2}{3},$$

where $\tfrac{1}{3}$ is the minimum state transition probability under event $\alpha$. A systematic way to verify that $\sum_{t \in L_C,\ |t| = k} \Pr(t) < \theta$ for all $k \ge 0$ for any given PFA $H$ using finite memory follows.

Figure 8. PFA $H_p$ in Example 3.

In order to verify step-based almost current-state opacity for a given PFA $H$, we need to obtain, for $k = 0, 1, 2, \ldots$, the cumulative probability of violating current-state opacity for all strings of length $k$. In [26] this is done by first characterizing the set of sequences of observations which violate current-state opacity and then obtaining the probability of occurrence in the system of strings of length $k$ that generate such sequences of observations.

The sequences of observations that violate current-state opacity are captured in the current-state estimator for the NFA $G$ associated with the given PFA $H$ by the sequences of observations that reach a state in the current-state estimator $G_{obs}$ whose associated current-state estimate (is nonempty and) lies entirely within the set of secret states.

The strings in the system that can generate these sequences of observations can of course contain any number of unobservable events between the observable events in these sequences, as long as the resulting string can be generated by the given system. Such strings are characterized in [26] as follows: we first form the product of the NFA $G$ and the modified current-state estimator ($\overline{G}_{obs}$); by construction, any string that reaches a state in the product automaton whose associated current-state estimate lies in the set of secret states is a string in the system whose corresponding sequence of observations violates current-state opacity.

The above state-based characterization of behaviour that violates opacity provides a compact way to represent all such strings but needs to be enhanced to take into account the probabilities associated with transitions. In order to tackle this issue, one needs to introduce a product operator (similar to the product operator for two NFA's), which acts on a PFA and an NFA such that the probabilities associated with events in the PFA are retained. There is no normalization associated with this operator, and the resulting product automaton is a PFA if and only if none of the strings in the input PFA is disabled by the input NFA. Since the closed behaviour of PFA $H$ is a sublanguage of the closed behaviour of the modified current-state estimator $\overline{G}_{obs}$, the product of the PFA $H$ and the modified current-state estimator $\overline{G}_{obs}$ results in a PFA $H_p$ which retains not only the previous state-based characterization of strings in the system that violate current-state opacity, but also the transition probabilities required for computing the probability of occurrence of such strings.

In other words, the strings in the system whose corresponding sequences of observations violate current-state opacity are those strings that reach a state in $H_p$ whose associated current-state estimate (is non-empty and) lies within the set of secret states. Thus, the probability of occurrence of such strings (and hence the probability of violating current-state opacity after $k$ events have occurred) can be obtained as the probability of reaching certain states in $H_p$ after $k$ events. The labels on the transitions can be discarded and we can compute the probability of violating current-state opacity by (i) constructing the MC associated with the product PFA $H_p$, and (ii) calculating the probability of reaching MC states whose associated current-state estimate lies entirely within the set of secret states. The details of this construction are provided in the algorithm below.


Algorithm A: Consider a PFA $H = (X, \Sigma, p, \pi_0)$ and its associated NFA $G = (X, \Sigma, \delta, X_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X$.

(i) Construct the (deterministic) current-state estimator $G_{obs} = (X_{obs}, \Sigma_{obs}, \delta_{obs}, X_{obs,0})$ associated with $G$ and natural projection map $P$.

(ii) Construct the DFA $\overline{G}_{obs} = (X_{obs}, \Sigma, \overline{\delta}_{obs}, X_{obs,0})$ from $G_{obs}$ by adding a self-loop to each state of DFA $G_{obs}$ for each label in the set $\Sigma_{uo} = \Sigma - \Sigma_{obs}$.

(iii) Construct the PFA $H_p = H \times \overline{G}_{obs} := (X_p, \Sigma, p_p, \pi_{0,p})$ where

1. $X_p = X \times X_{obs}$ is the set of states.

2. $p_p(i'_p, \sigma \mid i_p)$ is the state transition probability defined for $i_p = (i, I) \in X_p$ (i.e., $i \in X$ and $I \in X_{obs}$), $i'_p = (i', I') \in X_p$ (i.e., $i' \in X$ and $I' \in X_{obs}$), and $\sigma \in \Sigma$, as $p_p(i'_p, \sigma \mid i_p) = p(i', \sigma \mid i)$, if $I' = \overline{\delta}_{obs}(I, \sigma)$, and $p_p(i'_p, \sigma \mid i_p) = 0$, otherwise.

3. $\pi_{0,p}$ is the initial-state probability distribution vector indexed by the states $i_p$ of PFA $H_p$ (i.e., $i_p \in X_p$) with the $i_p$-th element of the vector $\pi_{0,p}$ defined for $i_p = (i, X_{obs,0})$, $1 \le i \le N$ as $\pi_{0,p}(i_p) = \pi_0(i)$, and $\pi_{0,p}(i_p) = 0$, otherwise.

(iv) Construct the MC $M = (X_p, p_M, \pi_{0,p})$ associated with the PFA $H_p = (X_p, \Sigma, p_p, \pi_{0,p})$, i.e., define the Markov chain with state transition probabilities $p_M(i'_p \mid i_p)$ for $i_p, i'_p \in X_p$ as

$$p_M(i'_p \mid i_p) = \sum_{\sigma \in \Sigma} p_p(i'_p, \sigma \mid i_p).$$

Once we construct MC $M$, we mark all states associated with a state of the CSE for which current-state opacity is violated. For the system to be step-based almost current-state opaque, the probability of reaching such a marked state after $k$ steps needs to be smaller than the threshold $\theta$ for all $k$.

Example 4 The PFA $H_p$ for the PFA $H$ in Fig. 7 is shown in Fig. 8.

Another way to quantify current-state opacity is to consider all sequences of events (of arbitrary length) and obtain their cumulative probability of violating current-state opacity (at any point along them). We refer to this notion as almost current-state opacity. One can think of almost current-state opacity as a way to characterize the security requirements of the system before it starts operation (in terms of the probability of eventually violating opacity — at some point during its operation).

Definition 15 (Almost Current-State Opacity). Consider a PFA $H = (X, \Sigma, p, \pi_0)$ with associated NFA $G = (X, \Sigma, \delta, X_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X$. We define

$$L_{PC} = \{ t \in L_C \mid \forall t' \in \overline{t},\ t' \neq t \ \{t' \notin L_C\} \},$$

where $L_C$ is given in Definition 13. Then, PFA $H$ is almost current-state opaque with respect to $S$, $P$, and a threshold $\theta$ (or $(S, P, \theta)$-almost current-state opaque) if

$$\sum_{t \in L_{PC}} \Pr(t) < \theta.$$

In almost current-state opacity, we are interested in obtaining the probability of observing a sequence of observations that violates current-state opacity at least once during its execution. In order to include this in our computation, we make the marked states in the MC $M$ (obtained at Step (iv) of Algorithm A) whose associated current-state estimate lies within the set of secret states, absorbing¹. In this way, the probability of violating current-state opacity can be computed as the absorption probability at these absorbing (sink) states. The following algorithm from [26] formalizes the above discussion and provides more details for the construction.

Theorem 3 (Verifying Almost Current-State Opacity). Consider a PFA $H = (X, \Sigma, p, \pi_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X$. Construct the MC $M$ as in Algorithm A and let $C \subseteq X_p$ be the set of states in MC $M$ whose associated current-state estimate lies within the set of secret states $S$. Construct MC $\overline{M} = (X_p, \overline{p}_M, \pi_{0,p})$ by forcing states in $C$ to be absorbing. Then, PFA $H$ is almost current-state opaque with respect to $S$, $P$, and $\theta$ if and only if the probability $P_C^{abs}$ of absorption in the set of states $C$ of the MC $\overline{M} = (X_p, \overline{p}_M, \pi_{0,p})$ satisfies $P_C^{abs} < \theta$. In other words, PFA $H$ is almost current-state opaque with respect to $S$, $P$, and $\theta$ if and only if $P_C^{abs} < \theta$ where

$$P_C^{abs} = \sum_{i_p \in X_p} \pi_{0,p}(i_p)\, P_C(i_p),$$

and $P_C$ is the vector of minimal² nonnegative solutions to the system of linear equations

$$P_C(i_p) = \begin{cases} \sum_{j_p \in X_p} \overline{p}_M(j_p \mid i_p)\, P_C(j_p), & \text{if } i_p \notin C, \\ 1, & \text{if } i_p \in C, \end{cases}$$

indexed by states $i_p$ of MC $\overline{M}$. □
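The following Python script is an added example (not the authors' code) that carries Algorithm A and Theorem 3 through on a small PFA constructed here for illustration: it builds the CSE, the product with the self-looped estimator, the MC, the step-based violation probabilities of Definition 14, and the absorption probability $P_C^{abs}$. The PFA, its secret set and all function names are assumptions of this example, not taken from Fig. 7.

```python
# Constructed PFA H = (X, Sigma, p, pi0) used only for this example:
# P[i][(j, sigma)] = p(j, sigma | i); event "u" is unobservable; secret set S = {2}.
SIGMA_OBS = {"a", "b"}                 # Sigma = {"a", "b", "u"}
SECRET = {2}
P = {
    1: {(2, "a"): 0.4, (3, "a"): 0.6},
    2: {(2, "b"): 1.0},
    3: {(1, "u"): 0.3, (3, "a"): 0.5, (4, "a"): 0.2},
    4: {(4, "a"): 1.0},
}
PI0 = {1: 1.0}                          # pi0 as a sparse vector over X

def unobservable_reach(states):
    """Closure of `states` under unobservable events of the associated NFA."""
    reach, stack = set(states), list(states)
    while stack:
        i = stack.pop()
        for (j, sigma) in P[i]:
            if sigma not in SIGMA_OBS and j not in reach:
                reach.add(j)
                stack.append(j)
    return frozenset(reach)

def build_cse():
    """Step (i): current-state estimator of the associated NFA; returns the
    initial estimate and the (partial) transition table delta_obs."""
    x0 = unobservable_reach(PI0)
    states, delta, stack = {x0}, {}, [x0]
    while stack:
        est = stack.pop()
        for alpha in SIGMA_OBS:
            nxt = {j for i in est for (j, sigma) in P[i] if sigma == alpha}
            if not nxt:
                continue                   # alpha cannot be observed from est
            nxt = unobservable_reach(nxt)
            delta[(est, alpha)] = nxt
            if nxt not in states:
                states.add(nxt)
                stack.append(nxt)
    return x0, delta

def product_mc(absorbing=False):
    """Steps (ii)-(iv): product H x G_obs-bar (unobservable self-loops on the
    estimator) collapsed to the MC p_M(j_p|i_p) = sum_sigma p_p(j_p, sigma|i_p).
    With absorbing=True the marked set C is made absorbing (Theorem 3)."""
    x0, delta = build_cse()
    pm, marked, seen = {}, set(), set()
    stack = [(i, x0) for i in PI0]
    while stack:
        ip = stack.pop()
        if ip in seen:
            continue
        seen.add(ip)
        i, I = ip
        row = pm.setdefault(ip, {})
        if I <= SECRET:                    # estimate lies entirely within S
            marked.add(ip)
            if absorbing:
                row[ip] = 1.0
                continue
        for (j, sigma), prob in P[i].items():
            J = I if sigma not in SIGMA_OBS else delta.get((I, sigma))
            if J is None:
                continue                   # string disabled by the estimator
            row[(j, J)] = row.get((j, J), 0.0) + prob
            stack.append((j, J))
    pi0p = {(i, x0): pr for i, pr in PI0.items()}
    return pm, pi0p, marked

def step_violation_probs(k_max):
    """Definition 14: probability of sitting in a marked state after exactly
    k events, k = 0..k_max, by propagating the distribution through M."""
    pm, dist, marked = product_mc()
    out = []
    for _ in range(k_max + 1):
        out.append(sum(pr for ip, pr in dist.items() if ip in marked))
        nxt = {}
        for ip, pr in dist.items():
            for jp, q in pm[ip].items():
                nxt[jp] = nxt.get(jp, 0.0) + pr * q
        dist = nxt
    return out

def absorption_prob(tol=1e-12):
    """Theorem 3: P_C^abs = sum_ip pi0p(ip) P_C(ip); P_C is the minimal
    nonnegative solution, reached by fixed-point iteration from zero."""
    pm, pi0p, marked = product_mc(absorbing=True)
    pc = {ip: 0.0 for ip in pm}
    while True:
        new = {ip: 1.0 if ip in marked else
               sum(q * pc[jp] for jp, q in pm[ip].items()) for ip in pm}
        diff = max(abs(new[ip] - pc[ip]) for ip in pm)
        pc = new
        if diff < tol:
            return sum(pr * pc[ip] for ip, pr in pi0p.items())

def is_step_based_almost_opaque(theta, k_max=50):
    """(S, P, theta, T)-almost current-state opacity, checked for k <= k_max."""
    return all(v < theta for v in step_violation_probs(k_max))

if __name__ == "__main__":
    print(step_violation_probs(5))   # [0.0, 0.0, 0.4, 0.4, 0.472, 0.508]
    print(absorption_prob())         # 0.625
```

For this PFA the only marked product state is (2, {2}), reached after the observation ab; the step-based probabilities grow toward the absorption probability 5/8, so the system is, e.g., $(S, P, 0.7)$-almost current-state opaque but not $(S, P, 0.4, T)$-almost current-state opaque.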

Step-based almost current-state opacity and almost current-state opacity can be used to quantify current-state opacity when the given system is not current-state opaque. For the case when the given system is current-state opaque, one way to further quantify current-state opacity is to determine, for each (possible) sequence of observations generated by the system, the probability that the system current state lies in the set of secret states. This probability captures the confidence of the intruder that the system is in a secret state. We refer to this notion as probabilistic current-state opacity and we formalize it below.

¹ In Markov chains, a state is called absorbing (or sink) state if, once entered, it cannot be left.

² Recall that the vector $P_C$ is the minimal nonnegative solution to the given system of linear equations if for all other nonnegative solutions $P'_C$, we have $P'_C(i_p) > P_C(i_p)$ for all $i_p \in X_p$.

Definition 16 (Current-State Probability Distribution Vector). Consider a PFA $H = (X, \Sigma, p, \pi_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X$. Let us denote the current-state probability distribution vector after observing the sequence of observations $\omega = \alpha_0 \alpha_1 \ldots \alpha_n$ by $\pi_\omega$. Specifically, $\pi_\omega(i)$ is the conditional probability that $H$ is in state $i$ given that the sequence of observations $\omega$ has been observed.

Definition 17 (Probabilistic Current-State Opacity) [26]. Consider a PFA $H = (X, \Sigma, p, \pi_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X$. Define for an observation sequence $\omega \in \Sigma_{obs}^*$, $\|\pi_\omega(S)\| = \sum_{i \in S} \pi_\omega(i)$ and $\|\pi_0(S)\| = \sum_{i \in S} \pi_0(i)$, where $\pi_\omega$ is given in Definition 16. PFA $H$ is probabilistically current-state opaque with respect to $S$, $P$, and $\theta$ (or $(S, P, \theta)$-probabilistically current-state opaque), if

$$\forall \omega \in \Sigma_{obs}^* : \ \|\pi_\omega(S)\| - \|\pi_0(S)\| \le \theta. \tag{4}$$

It has been shown in [26] that probabilistic current-state opacity is an undecidable problem in general.

4.2 Initial-state opacity

Given a PFA $H = (X, \Sigma, p, \pi_0)$ under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, its associated NFA $G = (X, \Sigma, \delta, X_0)$ may not be initial-state opaque (Definition 12) even if the probability of observing a sequence of observations that reveals that the system initial state is within a set of secret states is very small. One way to quantify initial-state opacity is to obtain the a priori probability with which the system might generate behavior that violates initial-state opacity. In order to calculate this probability, our work in [15] takes advantage of the fact that if the set of initial states is exposed to be within the set of secret states $S$ for a given sequence of observations, then it remains exposed for all possible continuations of that sequence.

Definition 18 below characterizes the probability of violating initial-state opacity assuming that the system has generated $k$ events; this is referred to as step-based almost initial-state opacity (SAISO). Definition 19 is the extension of SAISO when there is no consideration regarding the length of the sequence (i.e., it considers the probability of violating initial-state opacity following any sequence of events), and requires that this probability lies below a threshold. This notion of opacity is referred to as almost initial-state opacity (AISO). Both SAISO and AISO are inspired, respectively, by step-based almost current-state opacity and almost current-state opacity. The key difference is that in the case of current-state opacity, there is no monotonicity (a violation of current-state opacity at time step $k$ does not imply a violation of current-state opacity at later times) which renders the two definitions — in the case of current-state opacity — quite distinct.

Definition 18 (Step-Based Almost Initial-State Opacity). Consider a PFA $H = (X, \Sigma, p, \pi_0)$ with associated NFA $G = (X, \Sigma, \delta, X_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X_0$. Define

$$L_I = \{ s \in L(G) \mid X_0(P(s)) \subseteq S \}$$

(where $X_0(\omega)$ is the set of initial-state estimates following the observation sequence $\omega$). Then, PFA $H$ is step-based almost initial-state opaque (SAISO) with respect to $S$, $P$, and a threshold $\theta$ (or $(S, P, \theta, T)$-almost initial-state opaque) if

$$\sum_{s \in L_I,\ |s| = k} \Pr(s) < \theta, \quad \forall k = 0, 1, 2, \ldots$$

Remark 4 Note that the language $L_I$ in Definition 18 denotes the set of strings $s$ in the system that violate initial-state opacity (ISO). Note that if $G$ is initial-state opaque, then $H$ is $(S, P, \theta, T)$-almost initial-state opaque for any $\theta > 0$.

Definition 19 (Almost Initial-State Opacity). Consider a PFA $H = (X, \Sigma, p, \pi_0)$ with associated NFA $G = (X, \Sigma, \delta, X_0)$, under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$, and a set of secret states $S \subseteq X_0$. Define

$$L_{PI} = \{ s \in L_I \mid \forall s' \in \overline{s},\ s' \neq s \ \{s' \notin L_I\} \}.$$

Then, PFA $H$ is almost initial-state opaque (AISO) with respect to $S$, $P$, and a threshold $\theta$ (or $(S, P, \theta)$-almost initial-state opaque) if

$$\sum_{s \in L_{PI}} \Pr(s) < \theta.$$

Remark 5 If an observation sequence $s$ causes a violation of initial-state opacity, then any $s' \in L/s$ (i.e., any continuation of $s$) will also cause a violation of initial-state opacity. This can be easily shown using the monotonic (non-increasing) property of initial-state estimation, i.e., the fact that

$$X_0(\omega_1 \omega_2) \subseteq X_0(\omega_1)$$

for all $\omega_1, \omega_2 \in \Sigma_{obs}^*$. Due to this fact, it is not hard to establish that

$$\sum_{s \in L_I,\ |s| = k} \Pr(s) \le \sum_{s \in L_I,\ |s| = k+1} \Pr(s), \quad k = 0, 1, 2, \ldots$$

and

$$\sum_{s \in L_{PI}} \Pr(s) \equiv \sum_{s \in L_I,\ |s| \to \infty} \Pr(s).$$


4.3 Complexity Considerations

Clearly, one way to verify current-state opacity is to first construct the CSE which has space complexity $O(2^N)$ and similar time complexity, and check whether the condition in (2) holds. This may not be such a bad strategy for verification, since the verification of current-state opacity has been shown to be a PSPACE-complete problem [8, 9]. Analogously, one way to verify initial-state opacity is to first construct the ISE which has space complexity $O(2^{N^2})$ and similar time complexity, and check whether the condition in (3) holds. Note that one can reduce the complexity of the verification method to $O(4^N)$ via the use of state-status mappings [21, 25]. Again, this may not be such a bad strategy for verification, since the verification of initial-state opacity has been shown to be a PSPACE-complete problem when the number of observable events satisfies $|\Sigma_{obs}| > 1$ [21].

The verification method for almost current-state opacity using Theorem 3 requires the construction of the current-state estimator which has $O(2^N)$ state-space and time complexity (since all of the probabilistic automata and MCs that are constructed in Algorithm A have $O(2^N)$ state-space complexity). Using this fact, as well as the results in [8, 9] (that show that verifying current-state opacity is PSPACE-complete), it was established in [26] that verifying almost current-state opacity is PSPACE-hard. In [26] it was also shown that the verification of current-state probabilistic opacity is undecidable in general.

Unlike the above opacity problems, resolution of initial-state can be verified with polynomial complexity. The formal definition is presented below.

Definition 20 (Resolution of Initial State). Consider an NFA $G = (X, \Sigma, \delta, X_0)$ under a natural projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, $\Sigma_{obs} \subseteq \Sigma$. System $G$ possesses the property of resolution of initial state with respect to a set of secret states $S$, $S \subseteq X$, if there exists an integer $n_0$ such that for all $x_s \in X_0 \cap S$ and for all $s \in L(G, x_s)$ of length $|s| \ge n_0$, we have $X_0(P(s)) \subseteq S$.

Resolution of initial-state can be verified easily by checking for cycles in the ISE that involve states whose associated state estimates are confused (they involve both states in $S$ and outside $S$). For the reader who is familiar with work on fault diagnosis in finite automata (starting with [27] and subsequently pursued by many other researchers), the above approach is quite natural. Cycles (if any) identified in Step 2 imply that there is an arbitrarily long sequence of events that can occur in the system and keep the observer uncertain whether the initial state belonged to the set of secret states or not. Note that checking for cycles of marked states is of linear complexity in the number of states of $G_{I,obs}$ (which is of size $O(2^{N^2})$). However, an alternative method (that uses a verifier-like construction of polynomial complexity) can be used to verify resolution of initial state [13].

The problem of resolution of initial-state opacity was shown in [13] to be polynomially equivalent to that of logical diagnosability as it was introduced in [27]. Unfortunately, there is no clear relationship between state-based notions of opacity and logical diagnosability. In state-based opacity we typically want to keep the observer (intruder) confused for all possible traces. The exact opposite is that at least one trace exposes the set of secret states to an intruder. On the other hand, logical diagnosability wants all traces after a finite number of steps to expose the property of the system, which apparently makes its verification an easier task.

5 Conclusions

Motivated by security applications in DES, we discussed in this paper different notions of opacity. Specifically, we discussed definitions and verification methods for state-based notions of opacity in non-deterministic finite automata (NFA's) and probabilistic finite automata (PFA's). Issues of computational complexity (or even undecidability) arise for many of these notions. Certain notions of opacity that can be verified more easily (e.g., resolution of initial state) could potentially create opportunities for further research and applications in this area.

6 Acknowledgements

This work falls under the Cyprus Research Promotion Foundation's Framework Programme for Research, Technological Development and Innovation 2009-2010 (DESMI 2009-2010), co-funded by the Republic of Cyprus and the European Regional Development Fund, under Grant TΠE/OPIZO/0609(BE)/08. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the funding agency.

References

[1] E. Badouel, M. Bednarczyk, A. Borzyszkowski, B. Caillaud, and P. Darondeau. Concurrent secrets. In Proceedings of the 8th International Workshop on Discrete Event Systems, pages 51–57, July 2006.

[2] B. Berard, J. Mullins, and M. Sassolas. Quantifying opacity. In Proceedings of Seventh International Conference on the Quantitative Evaluation of Systems (QEST), pages 263–272, 2010.

[3] P. Bremaud. Markov Chains: Gibbs Fields, Monte Carlo Simulation and Queues. Springer-Verlag, 1999.

[4] J. W. Bryans, M. Koutny, L. Mazare, and P. Y. A. Ryan. Opacity generalised to transition systems. In Proceedings of the 3rd Int. Workshop on Formal Aspects in Security and Trust, pages 81–95, July 2005.

[5] J. W. Bryans, M. Koutny, and P. Y. A. Ryan. Modelling dynamic opacity using Petri nets with silent actions, volume 173 of Formal Aspects in Security and Trust, pages 159–172. Springer, 2005.


[6] J. W. Bryans, M. Koutny, and P. Y. A. Ryan. Modelling opacity using Petri nets. Electronic Notes in Theoretical Computer Science, 121:101–115, February 2005.

[7] C. G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Springer, 2007.

[8] F. Cassez, J. Dubreil, and H. Marchand. Dynamic observers for the synthesis of opaque systems. In Proceedings of Automated Technology for Verification and Analysis, Lecture Notes in Computer Science, vol. 5799, pages 352–367. 2009.

[9] F. Cassez, J. Dubreil, and H. Marchand. Synthesis of opaque systems with static and dynamic masks. Formal Methods in System Design, 40(1):88–115, 2012.

[10] J. Dubreil, P. Darondeau, and H. Marchand. Opacity enforcing control synthesis. In Proceedings of the 9th International Workshop on Discrete Event Systems, pages 28–35, May 2008.

[11] R. Focardi and R. Gorrieri. A taxonomy of trace-based security properties for CCS. In Proceedings of the 7th Workshop on Computer Security Foundations, pages 126–136, June 1994.

[12] V. Garg, R. Kumar, and S. I. Marcus. Probabilistic language formalism for stochastic discrete event systems. IEEE Transactions on Automatic Control, 44(2):29–3, February 1997.

[13] C. N. Hadjicostis. Resolution of initial-state in security applications of DES. In 20th Mediterranean Conference on Control Automation (MED), pages 794–799, 2012.

[14] F. C. Hennie. Finite State Models for Logical Machines. Wiley, New York, 1968.

[15] C. Keroglou and C. N. Hadjicostis. Initial state opacity in stochastic DES. In IEEE 18th Conference on Emerging Technologies Factory Automation (ETFA), pages 1–8, 2013.

[16] F. Lin. Opacity of discrete event systems and its applications. Automatica, 47(3):496–503, Mar. 2011.

[17] J. K. Millen. Covert channel capacity. In Proceedings of IEEE Symposium on Security and Privacy, pages 60–66, 1987.

[18] C. M. Ozveren and A. S. Willsky. Observability of discrete event dynamic systems. IEEE Transactions on Automatic Control, 35(7):797–806, July 1990.

[19] C. M. Ozveren and A. S. Willsky. Invertibility of discrete event dynamic systems. Mathematics of Control, Signals, and Systems, 5(4):365–390, July 1992.

[20] A. Paz. Introduction to Probabilistic Automata. Academic Press, Inc., 1971.

[21] A. Saboori. Verification and Enforcement of State-Based Notions of Opacity in Discrete Event Systems. PhD thesis, University of Illinois, Urbana, IL, 2010.

[22] A. Saboori and C. N. Hadjicostis. Notions of security and opacity in discrete event systems. In Proceedings of 46th IEEE Conference on Decision and Control, pages 5056–5061, 2007.

[23] A. Saboori and C. N. Hadjicostis. Coverage analysis of mobile agent trajectory via state-based opacity formulations. Control Engineering Practice (Special Issue on Selected Papers from 2nd International Workshop on Dependable Control of Discrete Systems), 19(9):967–977, September 2011.

[24] A. Saboori and C. N. Hadjicostis. Verification of K-step opacity and analysis of its complexity. IEEE Transactions on Automation Science and Engineering, 8(3):549–559, July 2011.

[25] A. Saboori and C. N. Hadjicostis. Verification of initial-state opacity in security applications of DES. Information Sciences, 246:115–132, 2013.

[26] A. Saboori and C. N. Hadjicostis. Current-state opacity formulations in probabilistic finite automata. IEEE Transactions on Automatic Control, 59(1):120–133, 2014.

[27] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEE Transactions on Control Systems Technology, 40(9):1555–1575, September 1995.

[28] S. Shu, F. Lin, and H. Ying. Detectability of discrete event systems. IEEE Transactions on Automatic Control, 52(12):2356–2359, December 2007.

[29] W. Wang, S. Lafortune, and F. Lin. An algorithm for calculating indistinguishable states and clusters in finite-state automata with partially observable transitions. Systems and Control Letters, 56:656–661, 2007.

[30] J. T. Wittbold and D. M. Johnson. Information flow in nondeterministic systems. In Proceedings of IEEE Computer Society Symposium on Research in Security and Privacy, pages 144–161, 1990.

[31] Y.-C. Wu and S. Lafortune. Comparative analysis of related notions of opacity in centralized and coordinated architectures. Discrete Event Dynamic Systems, 23(3):307–339, 2013.

[32] M. Yannakakis and D. Lee. Testing finite-state machines: state identification and verification. IEEE Transactions on Computers, 43(3):209–227, March 1994.