Quantification of Centralized/Distributed Secrecy in Stochastic Discrete Event Systems

Abstract

Unlike information, behaviors cannot be encrypted and may instead be protected by providing covers that generate indistinguishable observations from behaviors needed to be kept secret. Such a scheme may still leak information about secrets due to statistical difference between the occurrence probabilities of the secrets and their covers. Jensen-Shannon Divergence (JSD) is a possible means of quantifying statistical difference between two distributions and can be used to measure such information leak as is presented in this chapter. Using JSD, we quantify loss of secrecy in stochastic partially-observed discrete event systems in two settings: (i) the centralized setting, corresponding to a single attacker/observer, and (ii) the distributed collusive setting, corresponding to multiple attackers/observers, exchanging their observed information. In the centralized case, an observer structure is formed and used to aide the computation of JSD, in the limit, as the length of observations approach infinity to quantify the worst case loss of secrecy. In the distributed collusive case, channel models are introduced to extend the system model to capture the effect of exchange of observations, that allows the JSD computation of the centralized case to be applied over the extended model to measure the distributed secrecy loss.

Appendix

In this appendix, we describe the computation of an observer transition structure that can be used to track the evolution of \(G^{R}\) over its observed symbols \(\varDelta\), and the associated transition matrices \(\{ \varTheta (\delta )|\delta \in \varDelta \}\). Given the refined system model \(G^{R}\), and its observation mask \(M:\overline{\varSigma } \to \overline{\varDelta }\), define the set of traces originating at \((x,\bar{y})\), terminating at \((x^{\prime } ,\bar{y}^{\prime } )\) and executing a sequence of unobservable events followed by a single observable event with observation \(\delta\) as \(L_{{G^{R} }} ((x,\bar{y}),\delta ,(x^{\prime } ,\bar{y}^{\prime } ))\) \(: = \{ s \in \varSigma^{*} |s = u\sigma ,\) \(M(u) = \varepsilon ,M(\sigma ) = \delta ,\) \(\gamma ((x,\bar{y}),s,(x^{\prime } ,\bar{y}^{\prime } )) > 0\}\). Define its probability, \(\alpha (L_{{G^{R} }} ((x,\bar{y}),\delta ,(x^{\prime } ,\bar{y}^{\prime } )))\) \(: = \sum\nolimits_{{s \in L_{{G^{R} }} ((x,\bar{y}),\delta ,(x^{\prime } ,\bar{y}^{\prime } ))}} {\gamma ((x,\bar{y}),s,(x^{\prime } ,\bar{y}^{\prime } ))}\), and denote it as \(\theta_{{(x,\bar{y}),\delta ,(x^{\prime } ,\bar{y}^{\prime } )}}\). Also, define \(\lambda_{ij} = \sum\nolimits_{{\sigma \in \varSigma_{uo} }} {\gamma (i,\sigma ,j)}\) as the probability of transitioning from \((x,\bar{y})\) to \((x^{\prime } ,\bar{y}^{\prime } )\) while executing a single unobservable event. Then, letting \(i = (x,\bar{y})\) and \(j = (x^{\prime } ,\bar{y}^{\prime } )\), \(\theta_{i,\delta ,j} = \sum\nolimits_{k} {\lambda_{ik} \theta_{k,\delta ,j} + \sum\nolimits_{\sigma \in \varSigma :M(\sigma ) = \delta } {(i,\sigma ,j)} }\), where the first term on the right hand side (RHS) corresponds to transitioning in at least two steps (i to intermediate k unobservably, and k to j with a single observation \(\delta\) at the end), whereas the second term on RHS corresponds to transitioning in exactly one step [3, 12]. Thus, for each \(\delta \in \varDelta\), all the probabilities \(\{ \theta_{i,\delta ,j} |i,j \in X \times \overline{Y} \}\) can be found by solving the following matrix equation [23]: \(\varTheta (\delta ) = \varLambda \varTheta (\delta ) + \varGamma (\delta ),\) where \(\varTheta (\delta ),\varLambda\) and \(\varGamma (\delta )\) are all \(|X \times \overline{Y} | \times |X \times \overline{Y} |\) square matrices whose \(ij{th}\) elements are given by \(\theta_{i,\delta ,j} ,\lambda_{ij}\) and \(\sum\nolimits_{\sigma \in \varSigma :M(\sigma ) = \delta } {\gamma ((x,\bar{y}),\sigma ,(x^{\prime } ,\bar{y}^{\prime } ))}\), respectively.