
Opacity Enforcing Supervisory Control with a Priori Unknown Supervisors

Published 5 Apr 2026 in eess.SY | (2604.04070v1)

Abstract: We investigate the enforcement of opacity in discrete-event systems via supervisory control. A system is said to be opaque if a passive intruder can never unambiguously infer whether the system is in a secret state through its observations. In this context, the intruder's knowledge about the supervisor plays a critical role in both problem formulation and solvability. Existing studies typically assume that the policy of the supervisor is either fully unknown to the intruder or fully known a priori, the latter leading to severe technical challenges and unresolved problems under incomparable observations. This paper investigates opacity supervisory control under a new intermediate information setting, which we refer to as the a priori unknown supervisor setting. In this setting, the supervisor's internal realization is not publicly available, but the intruder can partially infer its behavior by eavesdropping on the control decisions issued online during system execution. We formalize the intruder's information-flow under both observation-triggered and decision-triggered decision-issuance mechanisms and define the corresponding notions of opacity. We provide sound and complete algorithms for synthesizing opacity-enforcing supervisors without imposing any restrictions on the observable or controllable event sets. By constructing an information-state structure that embeds the supervisor's estimate of the intruder's belief, the synthesis problem is reduced to a safety game. Finally, we show that, under strictly finer intruder observations, the proposed setting coincides with the standard a priori known supervisor model.

Summary

  • The paper introduces a complete algorithm synthesizing opacity-enforcing supervisors in settings with a priori unknown control policies.
  • It models the intruder’s evolving state estimates via recursive belief updates and employs safety game reduction to eliminate unsafe states.
  • The approach unifies previous models by handling arbitrary observation partitions and extends to practical decision-triggered control scenarios.

Opacity-Enforcing Supervisory Control with A Priori Unknown Supervisors

Introduction and Motivation

Opacity is a foundational information-flow security property in discrete-event systems (DES), ensuring that a passive intruder cannot deterministically infer whether a system is in a secret state based on its observations. This property is especially pertinent in cyber-physical systems (CPS), where information leakage can have significant security implications. Existing research typically analyzes opacity enforcement under two contrasting assumptions: the supervisor is either fully unknown (the intruder estimates system behavior based on the open-loop model) or fully known a priori (the supervisor's control policy is public, and the intruder refines its estimate using closed-loop behavior).

However, both extremes inadequately model many practical scenarios in which an intruder has partial and dynamically accumulating knowledge of the supervisor, in particular by eavesdropping on control decisions communicated over potentially unsecured channels during system execution (Figure 1).

Figure 1: Conceptual illustration of the a priori unknown opacity supervisory control setting investigated.

Problem Formulation: The A Priori Unknown Supervisor Setting

The paper introduces and formalizes an intermediate information setting, termed the a priori unknown supervisor scenario. In this setting, the intruder:

  • Knows the plant structure (open plant automaton).
  • Observes an event set $\Sigma_a$ that is in general incomparable with the supervisor's observable set $\Sigma_o$: neither need be a subset of the other.
  • Crucially, does not know the supervisor's control policy before runtime, but can observe online-issued control decisions during execution.

Two natural mechanisms are considered for decision issuance:

  • Observation-triggered: The supervisor issues a control decision following each new observable event it perceives.
  • Decision-triggered: The supervisor only issues decisions when they change, reducing redundant communication/events and better modeling bandwidth-conserving secure applications.

The intruder's information flow is thus a sequence of event–decision pairs, each component of which may or may not be visible to it, from which it maintains an estimate of the set of plausible current plant states under the decisions it has overheard (the controlled state estimate).

Algorithmic Solution: Synthesis via Information-State Structures

The main technical contribution is an effective, sound and complete algorithm for synthesizing opacity-enforcing supervisors in the a priori unknown setting, regardless of how the supervisor's and the intruder's observable event sets and the controllable event set overlap. The key methodological innovations are:

  1. Intruder State Estimator: The authors define a recursive belief update capturing the evolution of the intruder's knowledge, represented as a finite structure. The estimator reflects both event observations and eavesdropped supervisor decisions, covering all four visibility cases for an event (observable or unobservable to the supervisor, combined with observable or unobservable to the intruder), since a supervisor-observable event triggers a decision the intruder can overhear even when it cannot see the event itself.
  2. Supervisor Information-State Structure: Since the intruder and supervisor may observe incomparable event sets, the supervisor does not know exactly what the intruder knows. Control synthesis is therefore recast as a search over "consistent information states": sets of tuples comprising a plant state, a possible intruder estimate, and the associated control decision.
  3. Safety Game Reduction: The opacity enforcement problem is reduced to a safety game over the information-state structure. Unsafe information states (those containing a consistent intruder estimate made up solely of secret states, which the supervisor cannot rule out as the actual one) are identified and eliminated. The synthesis algorithm constructs the maximal safe supervisor by recursively exploring feasible control decisions and observation-update transitions.
  4. Algorithmic Guarantees and Complexity: The algorithm imposes no restrictions on the event partitions, thus subsuming and generalizing prior settings. The method is complete: restricting attention to information-state-based supervisors incurs no loss of generality. The computational complexity is double-exponential in the plant size, which the authors argue is unavoidable for general incomparable observations.

Comparison with Existing Models and Robustness

A central theoretical result is the establishment of the relationship between the a priori unknown and a priori known supervisor models:

  • Strictly Finer Intruder Observations: If the intruder observes a strictly finer event set than the supervisor ($\Sigma_o \subseteq \Sigma_a$) and eavesdrops the sequence of issued control decisions, the a priori unknown and a priori known settings coincide with respect to the enforced opacity property.
  • No Extra Assumptions on Controllability: Classical results for the a priori known supervisor generally require that all controllable events are observable to the supervisor, a restriction not needed in the proposed framework.

Together with the synthesis algorithm, this equivalence addresses a gap left by the a priori known model: enforcement for known supervisors under incomparable observation sets had remained unresolved because the intruder's and supervisor's beliefs could not be decoupled, whereas the information-state construction handles that case directly and, under strictly finer intruder observations, reproduces the known-supervisor result.

Extension to Decision-Triggered Mechanism

The authors address a practical variant in which the supervisor communicates a control decision only when it changes (decision-triggered). Intruder belief updates become more involved: the absence of a decision message no longer tells the intruder that no supervisor-observable event occurred, so its belief must also account for supervisor-observable events that left the decision unchanged. Since only actual changes are transmitted, this mechanism can reduce information leakage. All main constructs (intruder state estimator, information-state structure, and safety game synthesis) are modified accordingly, preserving soundness and completeness.

Numerical Examples and Illustrative Scenarios

Throughout, the methodology is instantiated via detailed examples, highlighting:

  • How the intruder’s state estimate improves when online decision eavesdropping is incorporated.
  • The difference between observation-triggered and decision-triggered information flows (including specific scenarios where previous solutions would fail to enforce opacity, but the new method succeeds under the revised assumptions).
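The following is an added worked example, written for this page and not code from the paper: it fixes a small toy plant and a fixed, hypothetical supervisor, then explores the closed loop under three intruder models (open-loop model with no eavesdropping, observation-triggered decision issuance eavesdropped, and decision-triggered issuance eavesdropped) and reports every intruder belief that falls inside the secret set. The belief update is the editor's own formalization of the event/decision visibility cases described in the "Intruder State Estimator" item and of the decision-triggered variant; the paper's exact definitions may differ. The plant, the secret set, the event partitions (`SIGMA_O`, `SIGMA_A`, `SIGMA_C`), the policy in `policy()` and the assumption that the initial decision is overheard are all constructed for illustration.

```python
from collections import deque

# Toy plant, constructed for this example (not from the paper).
# Deterministic transitions: (state, event) -> next state.
TRANS = {(0, 'a'): 1, (1, 'a'): 2, (0, 'b'): 3, (3, 'c'): 4, (2, 'c'): 5}
EVENTS = frozenset({'a', 'b', 'c'})
X0 = 0
SECRET = frozenset({2})          # secret states X_S
SIGMA_C = frozenset({'c'})       # controllable by the supervisor
SIGMA_O = frozenset({'a', 'b'})  # observable to the supervisor
SIGMA_A = frozenset({'c'})       # observable to the intruder (incomparable with SIGMA_O)


def closure(states, silent, gamma):
    """States reachable from `states` via events in `silent` that decision `gamma` enables."""
    seen, stack = set(states), list(states)
    while stack:
        x = stack.pop()
        for e in silent & gamma:
            y = TRANS.get((x, e))
            if y is not None and y not in seen:
                seen.add(y)
                stack.append(y)
    return frozenset(seen)


def step(states, event, gamma):
    """One-step successors of `states` under `event`; empty if `gamma` disables it."""
    if event not in gamma:
        return frozenset()
    return frozenset(TRANS[(x, event)] for x in states if (x, event) in TRANS)


def policy(sup_est):
    """Hypothetical supervisor (assumed, not the paper's): disable c whenever state 3 may be
    current, e.g. to meet some unrelated specification. Uncontrollable events stay enabled."""
    return EVENTS - SIGMA_C if 3 in sup_est else EVENTS


def intruder_update(belief, gamma_known, ev, dec, silent):
    """Recursive belief update from one overheard (event, decision) pair.
    ev  : the event if it lies in SIGMA_A, else None
    dec : the freshly issued decision if a message was heard, else None
    The intruder knows the plant and the enabled sets but not the policy."""
    if ev is None and dec is None:
        return belief, gamma_known           # nothing seen; belief is already closed
    if ev is not None:
        mid = step(belief, ev, gamma_known)  # the event occurred under the old decision
    else:
        # A decision arrived without a visible event: exactly one event the supervisor
        # observes but the intruder does not must have occurred since the last message.
        mid = frozenset().union(*(step(belief, e, gamma_known) for e in SIGMA_O - SIGMA_A))
    new_gamma = dec if dec is not None else gamma_known
    return closure(mid, silent, new_gamma), new_gamma


def leaking_beliefs(mode):
    """Explore the closed loop; return every intruder belief that lies inside SECRET.
    mode: 'unknown' (open-loop model, no eavesdropping), 'obs' (observation-triggered
    issuance overheard) or 'dec' (decision-triggered issuance overheard)."""
    # Events the intruder can never detect: in 'obs' mode every supervisor-observable event
    # produces a message, so only events outside SIGMA_A and SIGMA_O are silent; in 'dec'
    # mode an unchanged decision produces no message, so everything outside SIGMA_A is.
    silent = EVENTS - SIGMA_A - SIGMA_O if mode == 'obs' else EVENTS - SIGMA_A
    sup0 = frozenset({X0})
    g0 = policy(sup0)
    gi0 = EVENTS if mode == 'unknown' else g0   # assumption: the initial decision is overheard
    start = (X0, sup0, g0, closure({X0}, silent, gi0), gi0)
    seen, queue, leaks = {start}, deque([start]), set()
    while queue:
        x, sup, g, belief, gi = queue.popleft()
        if belief and belief <= SECRET:
            leaks.add(belief)
        for e in sorted(g):
            if (x, e) not in TRANS:
                continue
            x2 = TRANS[(x, e)]
            if e in SIGMA_O:  # supervisor observes e, refreshes its estimate and decides
                sup2 = step(closure(sup, EVENTS - SIGMA_O, g), e, g)
                g2 = policy(sup2)
                issued = mode == 'obs' or (mode == 'dec' and g2 != g)
            else:
                sup2, g2, issued = sup, g, False
            ev = e if e in SIGMA_A else None
            dec = g2 if issued else None
            belief2, gi2 = intruder_update(belief, gi, ev, dec, silent)
            cfg = (x2, sup2, g2, belief2, gi2)
            if cfg not in seen:
                seen.add(cfg)
                queue.append(cfg)
    return leaks


def is_opaque(mode):
    return not leaking_beliefs(mode)


if __name__ == '__main__':
    for mode in ('unknown', 'obs', 'dec'):
        print(f"{mode:8s} opaque={is_opaque(mode)} leaked={sorted(map(sorted, leaking_beliefs(mode)))}")
```

On this plant the open-loop intruder model and the decision-triggered model both report opacity, while the observation-triggered model does not: after two overheard decision messages the intruder knows exactly two supervisor-observable events have occurred, which pins the plant to the secret state 2 even though it never sees a or b. The leak comes from the cadence of the decision channel, not from the decision values, which is why an analysis that assumes a fully unknown supervisor passes this supervisor and the a priori unknown setting rejects it, and why decision-triggered issuance removes this particular leak. The example only checks a fixed supervisor; it does not perform the paper's synthesis.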

Implications, Limitations, and Future Directions

The results significantly enhance both the practical applicability and theoretical understanding of opacity enforcement in supervisory control. By robustly handling dynamic, incremental knowledge acquisition by an intruder, the framework closely models realistic cyber-physical scenarios (e.g., networked actuator communication subject to eavesdropping).

The framework:

  • Unifies and generalizes preceding results for both fully known and unknown supervisor policies.
  • Provides an explicit, automatable synthesis route even with arbitrary overlaps of observation and control event sets.
  • Avoids restrictive structural assumptions endemic in prior works.

Potential future developments include:

  • Extending the approach to stochastic systems and approximate opacity metrics, as recently explored in both DES [lefebvre2020exposure, udupa2025synthesis] and continuous/hybrid systems [yin2021approximate, liu2020verification].
  • Adapting the information-state structural methodology to scenarios with uncountable or continuous state spaces.

Conclusion

This work offers a rigorous formalization and solution to opacity-enforcing supervisory control under the previously unaddressed scenario where an intruder can partially reconstruct supervisor behavior in real time via online decision eavesdropping. The synthesis condition is both necessary and sufficient, applies to all observation/control event configurations, and yields structurally efficient supervisors. Theoretical insights into the relationship between different information models further deepen the foundation for secure-by-design control in DES and CPS.


References

  • "Opacity Enforcing Supervisory Control with a Priori Unknown Supervisors" (2604.04070)
  • Selected references as discussed: [dubreil2010supervisory], [tong2018current], [yin2015uniform], [udupa2025synthesis], [yin2021approximate], [liu2020verification]
