State-Based Differential Privacy Verification and Enforcement for Probabilistic Automata

Abstract

Roughly speaking, differential privacy is a privacy-preserving strategy that guarantees attackers to be unlikely to infer, from the previous system output, the dataset from which an output is derived. This work introduces differential privacy to discrete event systems modeled by probabilistic automata to protect the state information pertaining to system resource configurations. State differential privacy is defined to protect the initial state of a discrete event system, which represents its initial resource configuration. Step-based state differential privacy verification is proposed in the framework of probabilistic automata, such that an attacker is unlikely to determine the initial state from which a system evolves, within a finite step of observations, if two systems with two different initial states satisfy state differential privacy. Specifically, the probability distributions of generating observations within a finite step from the two different initial states are approximate. If the two systems do not satisfy state differential privacy, a control specification is proposed, such that state differential privacy is enforced via supervisory control that is maximally permissive. Experimental studies are given to illustrate that the proposed method can effectively verify state differential privacy and enforce privacy protection in the probabilistic automata framework.

1. Introduction

With the extensive applications of computer communication and data mining technology, many organizations and institutes have studied the value of data by publishing user data sets, which contain personal private data. In the process of publishing the data sets, the privacy of users may be leaked, damaging the security of private information [1,2]. This requires publishers to anonymize or encrypt the data before publishing the security-sensitive data sets. Cryptography cannot only ensure the confidentiality of information, but also ensure its integrity and availability [3,4]. However, it reduces data processing speed and decreases data storage capacity. K-anonymity method anonymizes relational databases such that the individual information contained in the release cannot be distinguished from at least k-1 individuals whose information also appears in the release [5]. A (k, p)-anonymity extends k-anonymity to hide multiple pieces of sensitive information in transactions and sanitize transactional database with personalized sensitivity [6]. To reduce the computational complexity of k-anonymity, the authors in Ref. [7] proposed a novel efficient anonymization system to anonymize transactional data with a small information loss. These methods rely on the background knowledge of attackers. The more background knowledge attackers have, the higher the probability of privacy leakage is.

To solve this problem, the author in Ref. [8] proposed the notion of differential privacy, providing a mathematically strict method to protect sensitive personal information. Differential privacy protects sensitive data by adding random noise to the results to be inquired by an attacker or a malicious observer [9,10,11]. To protect different data between two data sets that differ by one record, noise mechanisms are developed to achieve differential privacy by adding random noise satisfying different distributions to the query results, such as Laplace mechanism and Gauss mechanism [12,13,14]. These mechanisms are not suitable for protecting non-numerical sensitive data. The exponential mechanism is developed to achieve differential privacy for non-numerical data by randomly generating responses based on how well those responses approximate the non-private response [15]. An attacker or a malicious observer conducts a differential attack based on data sets that differ by one record, but the probabilities of two data sets outputting the same result are approximate.

Different from the private information protected by these privacy protection technologies, the sensitive information of discrete event systems (DESs) is the behavior information and resource configuration information, which is represented by the language and state, respectively. DESs refer to systems in which system states transit discretely at certain random points of time, thanks to the triggering of events [16]. An attacker or malicious observer can attack a DES by observing its behavior to infer the other sensitive information, such as the initial state. As an example, the initial state of an armored truck application system represents its initial location information, which should be kept confidential, otherwise it may enable potential hijackers to elaborate upon a perfect hijack plan.

The existing methods for protecting the sensitive information (e.g., the initial state and language) of a DES are developed through the formation of notion of state-based opacity and language-based opacity, where the secret is defined as a set of states and language, respectively [17,18]. For the language-based opacity, a system is said to be opaque with respect to a given secret if no execution leads to an estimate that is completely contained in the secret. Unlike language-based opaque verification, the authors in Ref. [19] developed an exponential mechanism that approximates a sensitive string (or word) using a randomly chosen string (or word) that is given by the Levenshtein distance, which is used to control the similarity or nearness of a sensitive string and its output counterpart. The work is extended to both real-time control and Markov chains for protecting trajectories generated by symbolic systems [20]. However, these methods do not consider the security of state privacy information of a symbolic control system. In this work, we focus on protecting the initial state of DESs modeled with probabilistic automata.

For the initial-state opacity (an important state-based security property), it is assumed that a malicious attacker (observer) fully knows the structure of a system, but only partially observes the event occurrences in it. Note that unobservable events are invisible to the attacker, and the attacker does not know the initial state unless it can be inferred by observations. Given a secret described by a set of states, a system is said to be initial-state opaque with respect to the secret if the attacker is never able to infer that the initial state of the system is within the secret [21,22,23,24]. The initial state information in the framework of probabilistic DESs cannot be protected by the existing methods of initial-state opacity if the occurrence likelihood of events is considered. With a metric on the states of a system, the authors in Ref. [25] formalized differential privacy by use of the probability ratio in the distributions after the same labeled transitions of relevant states. However, an attacker can infer the initial state based on the probability distribution of the language generated by the system via a long-term observation.

Automata and Petri nets are two typical tools to simulate the operation of DESs, where a finite state automaton is a machine that, given a symbolic input, transforms a series of states according to a transition function [26,27,28]. To the best of our knowledge, the verification and enforcement of differential privacy in DESs has not been well-defined and fully explored. The introduction of differential privacy into the framework of automata is of great significance for the protection of state private information, especially the protection of system initial states. To this end, differential privacy is introduced to the community of DESs that are, in this particular research, modeled by probabilistic automata [29,30].

This paper addresses the differential privacy problem in the framework of DESs modeled by probabilistic automata. The main contributions of this work can be summarized:

• The notion of state differential privacy is formulated to protect the initial state information of a DES whose behaviors can be described by a probabilistic automaton. Two adjacent initial states are defined to represent the similar initial resource configurations. Step-based verification for state differential privacy is proposed to verify whether two probabilistic automata satisfy state differential privacy, within a finite step of observations, after the two systems generate a given observation from two adjacent initial states.
• For two probabilistic automata with two adjacent initial states, a verifier is constructed to compute the probabilities of generating any same observation from the two adjacent initial states. If the two systems do not satisfy state differential privacy, we propose a control specification such that the state differential privacy is enforced to the closed-loop systems via supervisory control. The supervisory control is maximally permissive for enforcing privacy protection.
• Through experimental studies, it is shown that the proposed method achieves state differential privacy in the considered class of automata and protects the initial state.

The rest of the paper is organized as follows. Section 2 introduces the backgrounds of probabilistic automata and the notion of differential privacy in sensitive data security. Section 3 is a problem statement. Step-based verification for state differential privacy is formulated in Section 4. Section 5 reports a method to enforce state differential privacy via supervisory control. A numerical example is shown in Section 6. Finally, Section 7 concludes this paper.

2. Preliminaries

In this section, we introduce probabilistic automata and the standard concept of differential privacy.

2.1. Probabilistic Automata

A deterministic finite automaton (DFA) is a four-tuple $\mathcal{A}=(Q,\Sigma ,\delta ,q_0)$, where Q is a finite set of states, $\Sigma =\{\alpha ,\beta ,\cdots \}={\Sigma }_o\dot{\cup }{\Sigma }_{uo}$ is an alphabet of finite events (${\Sigma }_o$ is the set of observable events and ${\Sigma }_{uo}$ is that of unobservable events), $\delta :Q\times \Sigma \to Q$ is a partial transition function, and $q_0\in Q$ is an initial state. The state transition function specifies the dynamics of the DFA: write $\delta (q,e)!$ if $e\in \Sigma$ can occur from state $q\in Q$, saying that $\delta (q,e)$ is defined.

The transition function $\delta$ is traditionally extended by induction on the length of strings to $\delta :Q\times {\Sigma }^{*}\to Q$ by defining $\delta (q,\epsilon )=q$ and $\delta (q,se)=\delta \left(\delta \right(q,s),e)$ for $q\in Q$, $s\in {\Sigma }^{*}$ and $e\in \Sigma$, where $\delta (q,s)$ and $\delta \left(\delta \right(q,s),e)$ are both defined. Given a state $q\in Q$ and a string $s\in {\Sigma }^{*}$, write $\delta (q,s)!$ if $\delta$ is defined for s at q. The length of a string s, denoted by $\left|s\right|$, is the number of symbol occurrences in it.

The generated language of an automaton $\mathcal{A}=(Q,\Sigma ,\delta ,q_0)$ from a state $q\in Q$ is defined as

$$\mathcal{L}(\mathcal{A},q)=\{s\in {\Sigma }^{*}|\delta (q,s)!\}.$$

An attacker can only observe and record observable events. The natural projection $P:{\Sigma }^{*}\to {\Sigma }_o^{*}$ can be used to map any string executed in a system to the sequence of observable events, called an observation. This projection is defined recursively as $P\left(se\right)=P\left(s\right)P\left(e\right)$, $s\in {\Sigma }^{*}$, $e\in \Sigma$, with $P\left(e\right)=e$ if $e\in {\Sigma }_o$ and $P\left(e\right)=\epsilon$ if $e\in {\Sigma }_{uo}$, where $\epsilon$ represents the empty string.

The generated observations of an automaton $\mathcal{A}=(Q$, $\Sigma$, $\delta$, $q_0)$ from a state $q\in Q$ is defined as

$${\mathcal{L}}_o(\mathcal{A},q)=\{\omega \in {\Sigma }_o^{*}|s\in \mathcal{L}(\mathcal{A},q)\&P\left(s\right)=\omega \}.$$

This paper explores the differential privacy problem on DESs modeled by probabilistic automata.

Definition 1

(Probabilistic automaton [29]). A probabilistic automaton is a DFA equipped with a probability distribution of event occurrences, denoted by a two-tuple $G=(\mathcal{A}$, $\rho )$, where $\mathcal{A}=(Q,\Sigma ,\delta ,q_0)$ is a DFA and $\rho :Q\times \Sigma \to [0,1]$ is a probability distribution function. Given a state $q\in Q$ and an event $e\in \Sigma$, $\rho (q,e)$ indicates the firing probability of e from q such that $\rho (q,e)=0$ if $\delta (q,e)$ is not defined and $\rho (q,e)>0$ if $\delta (q,e)!$. The set of all enabled (feasible) events at a state $q\in Q$ is denoted by $\mathcal{E}\left(q\right)=\{e\in \Sigma |\rho (q,e)>0\}$ with ${\sum }_{e\in \mathcal{E}\left(q\right)}\rho (q,e)=1$.

In what follows, $G_s=(Q,\Sigma ,\delta ,\rho )$ is called a probabilistic automaton structure (or the skeleton of a probabilistic automaton), that is, a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$ is a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ equipped with an initial state $q_0$. Write $G=(Q,\Sigma ,\delta ,q_0,\rho )$ as $G\left(q_0\right)$ if $G_s$ is implicitly defined.

Example 1.

A probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ is shown in Figure 1. Given an initial state $q_1$, $G\left(q_1\right)$ is a probabilistic automaton with $Q=\{q_0$, $q_1$, $q_2$, $q_3$, $q_4$, $q_5\}$ and $\Sigma =\{\alpha$, β, λ, γ, μ, $\tau \}$, it holds $\rho (q_1,\beta )=0.4$ and $\rho (q_1,\lambda )=0.6$. Furthermore, ${\sum }_{e\in \mathcal{E}\left(q_1\right)}\rho (q_1,e)=1$ with $\mathcal{E}\left(q_1\right)=\{\beta ,\lambda \}$.

2.2. Differential Privacy

Generally speaking, a randomized algorithm is said to satisfy differential privacy if an attacker (or a malicious observer) is unlikely to distinguish between the outputs of two data sets differing on, at most, one element. Specifically, given a non-negative real number $ϵ$, a randomized algorithm $\mathcal{F}$ satisfies $ϵ$-differential privacy if, for any two input data sets $D_1$ and $D_2$ differing on, at most, one element (either $D_1=D_2$ or there exists a datum d such that $D_1\cup \left\{d\right\}=D_2$ or $D_2\cup \left\{d\right\}=D_1$), and for any set of outputs O, it holds that [12]

$$e^{-ϵ}\le {\displaystyle \frac{\mathbb{P}(\mathcal{F}\left(D_1\right)\in O)}{\mathbb{P}(\mathcal{F}\left(D_2\right)\in O)}}\le e^{ϵ}.$$

Note that $\mathcal{F}\left(D_1\right)$ (or $\mathcal{F}\left(D_2\right)$) is the output of $\mathcal{F}$ on input $D_1$ (or $D_2$), $\mathbb{P}:O\to (0,1]$ is the probability function, mapping an output of $\mathcal{F}$ to a real number between zero and one (including one), and $ϵ$ is the privacy budget parameter that stipulates the level of privacy protection with $ϵ\in \mathbb{R}$ and $ϵ\ge 0$, where $\mathbb{R}$ is the set of real numbers.

3. Problem Statement

This section introduces differential privacy into the framework of probabilistic automata to protect the initial state information. We first define state differential privacy and establish its mathematical developments below.

3.1. State Differential Privacy

Given a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$, the probability of generating string $se\in {\Sigma }^{*}$ from state q with $s\in {\Sigma }^{*}$ and $e\in \Sigma$ is recursively defined as

$${\mathrm{Pr}}_{\sigma }(q,se)=\left\{\begin{array}{c}1,\mathrm{if}se=\epsilon \hfill \\ {\mathrm{Pr}}_{\sigma }(q,s)\times \rho (\delta (q,s),e),\mathrm{if}\delta (q,s)!\hfill \\ 0,\mathrm{otherwise}\hfill \end{array}\right.$$

where $\epsilon \in {\Sigma }^{*}$ is the empty string. Intuitively, ${\mathrm{Pr}}_{\sigma }(q,s)$ could be viewed as the probability that the string s can be executed from q in plant G. ${\mathrm{Pr}}_{\sigma }(q,s)>0$ if $\delta (q,s)!$ for $s\in {\Sigma }^{*}$.

The generated language of a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$ from a state $q\in Q$ is defined as

$$\mathcal{L}(G,q)=\{s\in {\Sigma }^{*}|{\mathrm{Pr}}_{\sigma }(q,s)>0\}.$$

Accordingly, the generated observations of a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$ from a state $q\in Q$ is defined as

$${\mathcal{L}}_o(G,q)=\{\omega \in {\Sigma }_o^{*}|\exists s\in \mathcal{L}(G,q):\omega =P\left(s\right)\}.$$

The set of strings that are consistent with observation $\omega \in {\Sigma }_o^{*}$ generated at state q is defined as

$$S(q,\omega )=\{s\in {\Sigma }^{*}|s\in \mathcal{L}(G,q)\&P\left(s\right)=\omega \}.$$

The probability of generating observation $\omega \in {\Sigma }_o^{*}$ from a state q is

$${\mathrm{Pr}}_o(q,\omega )=\sum _{s\in S(q,\omega )}{\mathrm{Pr}}_{\sigma }(q,s).$$

Example 2.

Consider the probabilistic automaton structure in Figure 1 with initial state $q_0$. Suppose ${\Sigma }_o=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$ and ${\Sigma }_{uo}=\left\{\tau \right\}$. Given a string $s=\beta \gamma \beta \tau$, the probability of generating s from $q_0$ is denoted as ${\mathrm{Pr}}_{\sigma }(q_0,\beta \gamma \beta \tau )=\rho (q_0,\beta )\times \rho (q_2,\gamma )\times \rho (q_2,\beta )\times \rho (q_4,\tau )=0.06$. Let $\omega =\alpha \beta \gamma$. $S(q_0,\omega )=\{\alpha \beta \gamma$, $\alpha \beta \gamma \tau \}$ and ${\mathrm{Pr}}_o(q_0,\omega )={\mathrm{Pr}}_{\sigma }(q_0,\alpha \beta \gamma )+{\mathrm{Pr}}_{\sigma }(q_0,\alpha \beta \gamma \tau )=0.072$ hold.

Given a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$, the set of states reached by generating any string that is consistent with observation $\omega \in {\Sigma }_o^{*}$ from a state q is denoted by

$$\begin{array}{c}\hfill \phi (q,\omega )=\{q^{\prime }\in Q|\exists s\in S(q,\omega ):\delta (q,s)=q^{\prime }\}.\end{array}$$

Let $q\in \phi (q_0,\omega )$ be a reachable state after the system generates an observation $\omega \in {\Sigma }_o^{*}$ from initial state $q_0$. The probability of generating $s\in {\Sigma }^{*}$ from q is defined as

$${\mathrm{Pr}}_{\sigma }(q_0,\omega ,q,s)=\mathrm{Pr}\left(q\right|\phi (q_0,\omega ))\times {\mathrm{Pr}}_{\sigma }(q,s)$$

where $\mathrm{Pr}\left(q\right|\phi (q_0,\omega ))$ is the probability of choosing q from $\phi (q_0,\omega )$, defined as

$$\mathrm{Pr}\left(q\right|\phi (q_0,\omega ))=\left\{\begin{array}{c}\frac{{\displaystyle \sum _{s\in S(q_0,\omega )\&\delta (q_0,s)=q}}{\mathrm{Pr}}_{\sigma }(q_0,s)}{{\displaystyle \sum _{s\in S(q_0,\omega )}}{\mathrm{Pr}}_{\sigma }(q_0,s)},q\in \phi (q_0,\omega )\hfill \\ 0,q\notin \phi (q_0,\omega )\hfill \end{array}\right.$$

In conclusion, ${\sum }_{q\in Q}\mathrm{Pr}\left(q\right|\phi (q_0,\omega ))=1$ holds.

The probability of choosing q from $\phi (q_0,\omega )$, denoted by $\mathrm{Pr}\left(q\right|\phi (q_0,\omega ))$, is the ratio of the sum of probabilities of the strings that are, consistent with an observation $\omega$, generated from $q_0$, reaching state q, with the sum of probabilities of the strings that are, consistent with $\omega$, generated from $q_0$. In brief, $\mathrm{Pr}\left(q\right|\phi (q_0,\omega ))$ is the probability that the system reaches state q (from $q_0$) under the premise of generating an observation $\omega$.

Example 3.

Consider the probabilistic automaton structure in Figure 1 with initial state $q_1$. Suppose that ${\Sigma }_o=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$ and ${\Sigma }_{uo}=\left\{\tau \right\}$. We have $\phi (q_1,\beta )=\{q_3,q_5\}$ and $S(q_1,\beta )=\{\beta ,\beta \tau \}$. For $s\in S(q_1,\beta )$ and $\delta (q_1,s)=q_3$, it holds ${\sum }_s{\mathrm{Pr}}_{\sigma }(q_1,s)=\rho (q_1,\beta )=0.4$. For $s\in S(q_1,\beta )$ and $\delta (q_1,s)=q_5$, it holds that ${\sum }_s{\mathrm{Pr}}_{\sigma }(q_1,s)=\rho (q_1,\beta )\times \rho (q_3,\tau )=0.32$. The probabilities of choosing states $q_3$ and $q_5$ from $\phi (q_1,\beta )$ are $\mathrm{Pr}\left(q_3\right|\phi (q_1,\beta ))=0.4/(0.4+0.32)=5/9$ and $\mathrm{Pr}\left(q_5\right|\phi (q_1,\beta ))=0.32/(0.4+0.32)=4/9$, respectively. We obtain ${\mathrm{Pr}}_{\sigma }(q_1,\beta ,q_3,\tau \mu \alpha )=5/9\times 0.8\times 1\times 0.5=2/9$ and ${\mathrm{Pr}}_{\sigma }(q_1,\beta ,q_5,\mu \alpha \beta )=4/9\times 1\times 0.5\times 0.4=4/45$.

Let $\mathbb{N}$ be the set of natural numbers and ${\mathbb{N}}^{+}=\{x>0|x\in \mathbb{N}\}$. Given an observation $\omega \in {\Sigma }_o^{*}$, the set of all observations generated from a state $q\in \phi (q_0,\omega )$ with $k\in {\mathbb{N}}^{+}$ steps is defined as

$$\begin{array}{c}\hfill {\mathcal{L}}_o(q_0,\omega ,q,k)=\{{\omega }^{\prime }\in {\Sigma }_o^{*}|{\omega }^{\prime }\in {\mathcal{L}}_o(G,q)\&|{\omega }^{\prime }|=k\}.\end{array}$$

The set of all observations due to $k\in {\mathbb{N}}^{+}$-step observation extensions in a system after generating an observation $\omega$ from $q_0$, is defined as

$$\begin{array}{c}\hfill {\mathcal{L}}_o(q_0,\omega ,k)=\bigcup _{q\in \phi (q_0,\omega )}{\mathcal{L}}_o(q_0,\omega ,q,k).\end{array}$$

The probability of generating ${\omega }^{\prime }\in {\mathcal{L}}_o(q_0,\omega ,k)$ after the system generates an observation $\omega$ from $q_0$ is

$${\mathrm{Pr}}_o(q_0,\omega ,k,{\omega }^{\prime })=\sum _{q\in \phi (q_0,\omega )}\sum _{s\in S(q,{\omega }^{\prime })}{\mathrm{Pr}}_{\sigma }(q_0,\omega ,q,s).$$

Note that ${\mathrm{Pr}}_o(q_0,\omega ,k,{\omega }^{\prime })$ is the probability of generating an observation ${\omega }^{\prime }$ due to a k-step observation extension, under the premise that an observation $\omega$ from $q_0$ has been generated.

Example 4.

Let us consider the probabilistic automaton structure in Figure 1 with initial state $q_1$. Suppose ${\Sigma }_o=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$, ${\Sigma }_{uo}=\left\{\tau \right\}$ and $k=2$. We have ${\mathcal{L}}_o(q_1,\beta ,q_3,2)=\{\gamma \gamma$, $\gamma \mu$, $\mu \alpha$, $\mu \beta \}$ and ${\mathcal{L}}_o(q_1,\beta ,q_5,2)=\{\mu \alpha$, $\mu \beta \}$. Due to ${\mathcal{L}}_o(q_1,\beta ,2)={\mathcal{L}}_o(q_1,\beta ,q_3,2)\cup {\mathcal{L}}_o(q_1,\beta ,q_5,2)=\{\gamma \gamma$, $\gamma \mu$, $\mu \alpha$, $\mu \beta \}$, the probabilities of generating ${\omega }^{\prime }\in {\mathcal{L}}_o(q_1,\beta ,2)$ after the system generates an observation $\omega =\beta$ from state $q_1$ is

$$\begin{array}{cc}\hfill & For{\omega }^{\prime }=\gamma \gamma :{\mathrm{Pr}}_o(q_1,\beta ,2,\gamma \gamma )={\mathrm{Pr}}_{\sigma }(q_1,\beta ,q_3,\gamma \gamma )=5/9\times 0.2\times 0.2=1/45;\hfill \\ \hfill & For{\omega }^{\prime }=\gamma \mu :{\mathrm{Pr}}_o(q_1,\beta ,2,\gamma \mu )={\mathrm{Pr}}_{\sigma }(q_1,\beta ,q_3,\gamma \tau \mu )=5/9\times 0.2\times 0.8\times 1=4/45;\hfill \\ \hfill & For{\omega }^{\prime }=\mu \alpha :{\mathrm{Pr}}_o(q_1,\beta ,2,\mu \alpha )={\mathrm{Pr}}_{\sigma }(q_1,\beta ,q_3,\tau \mu \alpha )+{\mathrm{Pr}}_{\sigma }(q_1,\beta ,q_5,\mu \alpha )\hfill \\ & =5/9\times 0.8\times 1\times 0.5+4/9\times 1\times 0.5=4/9;\hfill \\ \hfill & For{\omega }^{\prime }=\mu \beta :{\mathrm{Pr}}_o(q_1,\beta ,2,\mu \beta )={\mathrm{Pr}}_{\sigma }(q_1,\beta ,q_3,\tau \mu \beta )+{\mathrm{Pr}}_{\sigma }(q_1,\beta ,q_5,\mu \beta )\hfill \\ & =5/9\times 0.8\times 1\times 0.5+4/9\times 1\times 0.5=4/9.\hfill \end{array}$$

Definition 2

(Adjacent states). Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ and two initial states $q_0\in Q$ and $q_0^{\prime }\in Q$, $q_0$ and $q_0^{\prime }$ are said to be adjacent if there exists an observation $\omega \in {\Sigma }_o^{*}\setminus \left\{\epsilon \right\}$ such that ${\mathrm{Pr}}_o(q_0,\omega )>0$ and ${\mathrm{Pr}}_o(q_0^{\prime },\omega )>0$ hold.

Two initial states $q_0$ and $q_0^{\prime }$ are adjacent if an observation that is not the empty string can be generated from both $q_0$ and $q_0^{\prime }$. The concept of state differential privacy in probabilistic automata is presented to conceal two adjacent initial states of a system.

Definition 3

(State differential privacy). Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ and two adjacent initial states $q_0$, $q_0^{\prime }$ (leading to two probabilistic automata $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$), $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ are said to satisfy ϵ-state differential privacy, within a given k-step observation extension if, after $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ generate an observation $\omega \in {\Sigma }_o^{*}$ from $q_0$ and $q_0^{\prime }$, respectively, for all $k^{\prime }\le k$, for all ${\omega }^{\prime }\in {\mathcal{L}}_o(q_0,\omega ,k^{\prime })\cup {\mathcal{L}}_o(q_0^{\prime },\omega ,k^{\prime })$, it holds

$$|{\mathrm{Pr}}_o(q_0,\omega ,k^{\prime },{\omega }^{\prime })-{\mathrm{Pr}}_o(q_0^{\prime },\omega ,k^{\prime },{\omega }^{\prime })|\le ϵ,$$

where the parameter ϵ is a positive real number between zero and one, which stipulates the level of privacy protection for adjacent initial states.

3.2. Problems

In this subsection, we formulate two problems involving the pre-defined state differential privacy in probabilistic automata. First, this work focuses on step-based verification for state differential privacy to protect the initial state.

Problem 1.

Given two probabilistic automata $G\left(q_0\right)=(Q,\Sigma ,\delta ,q_0,\rho )$ and $G\left(q_0^{\prime }\right)=(Q,\Sigma ,\delta ,q_0^{\prime },\rho )$, and an observation $\omega \in {\Sigma }_o^{*}$, construct a verifier $V_{\omega }=(Q_v$, ${\Sigma }_o$, ${\delta }_v$, ${\mathcal{Q}}_0)$ that is a finite state automaton to verify whether $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ satisfy ϵ-state differential privacy, within k-step observation extensions, after $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ generate the given observation ω from two adjacent initial states $q_0$ and $q_0^{\prime }$, respectively.

Next, we propose a supervisory control method to supervise the behavior of two probabilistic automata such that the controlled systems satisfy state differential privacy.

Problem 2.

Given a verifier $V_{\omega }=(Q_v$, ${\Sigma }_o$, ${\delta }_v$, ${\mathcal{Q}}_0)$ for two probabilistic automata $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$, find a supervisor such that the controlled systems satisfy ϵ-state differential privacy while the supervisory control is maximally permissive.

A solution to Problem 2 would ensure that an attacker is unlikely to infer the initial states of the two probabilistic automata within a given k-step observation extension.

4. Step-Based Verification for State Differential Privacy

This section provides a step-based verification method for state differential privacy in DESs modeled with probabilistic automata. The information of similar initial resource configurations of two probabilistic automata is protected if the two systems satisfy state differential privacy, within a finite step observation extension, after the two systems generate a given observation from two given adjacent initial states.

The set of post-states of a state q in a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$ is defined as

$$\begin{array}{c}\hfill q^{♯}=\{q^{\prime }\in Q|(\exists e\in \Sigma )\delta (q,e)=q^{\prime }\}.\end{array}$$

Given a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$, for a state $q\in Q$ and an observable event $e\in {\Sigma }_o$, we define

$$\sigma (q,e)=\{s\in {\Sigma }^{*}|(\exists t\in {\Sigma }_{uo}^{*})s=te,{\mathrm{Pr}}_{\sigma }(q,s)>0\}$$

as the set of extended strings of e generated at q.

All extended strings of an observable event generated at a state are the concatenation of an unobservable string or the empty string with the observable event, and must end with the observable event. Given a positive integer k, suppose that an observation $\omega$ has been generated from two adjacent initial states. When a new observation ${\omega }^{\prime }$ occurs, whose length is less than or equal to k, $\omega {\omega }^{\prime }$ is observed. A verifier needs to be defined to check whether two systems with two adjacent initial states satisfy state differential privacy.

Definition 4

(Verifier). Given two probabilistic automata $G\left(q_0\right)=(Q,\Sigma ,\delta ,q_0,\rho )$ and $G\left(q_0^{\prime }\right)=(Q,\Sigma ,\delta ,q_0^{\prime },\rho )$, and an observation $\omega \in {\Sigma }_o^{*}$, a verifier is a four-tuple $V_{\omega }=(Q_v$, ${\Sigma }_o$, ${\delta }_v$, ${\mathcal{Q}}_0)$, where $Q_v$ is a finite set of all states ${\mathcal{S}}_1\times {\mathcal{S}}_2$ with ${\mathcal{S}}_1,{\mathcal{S}}_2\in 2^Q$, ${\mathcal{Q}}_0=\phi (q_0,\omega )\times \phi (q_0^{\prime },\omega )$ is an initial state, ${\Sigma }_o$ is a set of observable events, and ${\delta }_v:Q_v\times {\Sigma }_o\to Q_v$ is a state transition function such that, $\forall {\mathcal{S}}_1\in 2^Q$, $\forall {\mathcal{S}}_2\in 2^Q$ with ${\mathcal{S}}_1\ne {\mathcal{S}}_2$, $\forall e\in {\Sigma }_o$, for $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_v$ with $\mathcal{Q}\ne \varnothing$, ${\bigcup }_{q\in {\mathcal{S}}_1\cup {\mathcal{S}}_2}\phi (q,e)\ne \varnothing$⇒${\bigcup }_{q\in {\mathcal{S}}_1}\phi (q,e)\times {\bigcup }_{q\in {\mathcal{S}}_2}\phi (q,e)$= ${\delta }_v(\mathcal{Q},e)\in Q_v$. Write ${\delta }_v(\mathcal{Q},e)!$ if ${\delta }_v$ is defined for an observable event $e\in {\Sigma }_o$ at state $\mathcal{Q}\in Q_v$.

Given two probabilistic automata $G\left(q_0\right)=(Q$, $\Sigma$, $\delta$, $q_0$, $\rho )$ and $G\left(q_0^{\prime }\right)=(Q$, $\Sigma$, $\delta$, $q_0^{\prime }$, $\rho )$, and an observation $\omega$, a verifier $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$ is constructed by Algorithm 1. For two adjacent initial states $q_0$ and $q_0^{\prime }$, lines 1–15 compute $\phi (q_0,\omega )$, $\phi (q_0^{\prime },\omega )$ and take their Cartesian product as an initial state ${\mathcal{Q}}_0$ ($Q_v$ is initialized to $\left\{{\mathcal{Q}}_0\right\}$). For $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_n$ ($Q_n$ is initialized to $\left\{{\mathcal{Q}}_0\right\}$), if ${\mathcal{S}}_1\ne {\mathcal{S}}_2$ and $\mathcal{Q}\ne \varnothing$, for any observable event $e\in {\Sigma }_o$, we obtain the sets of all reachable states by generating e from all states in ${\mathcal{S}}_1$ and ${\mathcal{S}}_2$, denoted by ${\mathcal{S}}_1^{\prime }$ and ${\mathcal{S}}_2^{\prime }$, respectively. ${\delta }_v(\mathcal{Q},e)={\mathcal{S}}_1^{\prime }\times {\mathcal{S}}_2^{\prime }$ is defined, ${\mathcal{S}}_1^{\prime }\times {\mathcal{S}}_2^{\prime }$ is inserted into $Q_n$ and $Q_v$, and $\mathcal{Q}$ is removed from $Q_n$. Recursively execute what is stated as above until $Q_n$ is the empty set. The complexity of Algorithm 1 is $\mathcal{O}\left(2^{\left|Q\right|}\right)$.

Algorithm 1: Construction of a verifier

Example 5.

Let us consider the probabilistic automaton structure in Figure 1 with two adjacent initial states $q_1$ and $q_2$. Suppose ${\Sigma }_o=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$ and ${\Sigma }_{uo}=\left\{\tau \right\}$. If two systems $G\left(q_1\right)$ and $G\left(q_2\right)$ generate an observation β, $\phi (q_1,\beta )=\{q_3,q_5\}$ and $\phi (q_2,\beta )=\{q_4,q_5\}$ hold. ${\mathcal{Q}}_0=\{q_3,q_5\}\times \{q_4,q_5\}$ is an initial state in a verifier $V_{\beta }$. For state ${\mathcal{Q}}_0$ and observable event γ, ${\bigcup }_{q\in \{q_3,q_5\}}\phi (q,\gamma )=\left\{q_3\right\}$, ${\bigcup }_{q^{\prime }\in \{q_4,q_5\}}\phi (q^{\prime },\gamma )=\varnothing$ and ${\delta }_v({\mathcal{Q}}_0,\gamma )=\left\{q_3\right\}\times \varnothing$ hold. For state ${\mathcal{Q}}_0$ and observable event μ, it holds ${\bigcup }_{q\in \{q_3,q_5\}}\phi (q,\mu )=\left\{q_0\right\}$, ${\bigcup }_{q^{\prime }\in \{q_4,q_5\}}\phi (q^{\prime },\mu )=\left\{q_0\right\}$ and ${\delta }_v({\mathcal{Q}}_0,\mu )=\left\{q_0\right\}\times \left\{q_0\right\}$. A verifier $V_{\beta }$ is shown in Figure 2a. If $G\left(q_1\right)$ and $G\left(q_2\right)$ do not generate any observation before verifying state differential privacy, a verifier $V_{\epsilon }$ is shown in Figure 2b.

Given a verifier $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$, a sequence of states and observable events ${\mathcal{Q}}_{i0}{e}_{i1}{\mathcal{Q}}_{i1}\cdots {\mathcal{Q}}_{ij-1}{e}_{ij}{\mathcal{Q}}_{ij}$ generates an observation $e_{i1}\cdots e_{ij}$ for $h=\{0,1,\dots ,j\}$ and $e_{ih}\in {\Sigma }_o$, ${\delta }_v({\mathcal{Q}}_{ih-1},e_{ih})={\mathcal{Q}}_{ih}$ for $h=\{1,2,\dots ,j\}$. The state transition function ${\delta }_v$ is extended to ${\delta }_v:Q_v\times {\Sigma }_o^{*}\to Q_v$ by defining ${\delta }_v(\mathcal{Q},\epsilon )=\mathcal{Q}$ and ${\delta }_v(\mathcal{Q},se)={\delta }_v({\delta }_v(\mathcal{Q},s),e)$ for $\mathcal{Q}\in Q_v$, $s\in {\Sigma }_o^{*}$ and $e\in {\Sigma }_o$.

For state $\mathcal{Q}\in Q_v$, ${}^{♯}\mathcal{Q}$ and ${\mathcal{Q}}^{♯}$ are the sets of pre- and post-states of $\mathcal{Q}$, respectively, defined as

$$\begin{array}{c}\hfill {}^{♯}\mathcal{Q}=\{{\mathcal{Q}}^{\prime }\in Q_v|(\exists e\in {\Sigma }_o){\delta }_v({\mathcal{Q}}^{\prime },e)=\mathcal{Q}\};\\ \hfill {\mathcal{Q}}^{♯}=\{{\mathcal{Q}}^{\prime }\in Q_v|(\exists e\in {\Sigma }_o){\delta }_v(\mathcal{Q},e)={\mathcal{Q}}^{\prime }\}.\end{array}$$

Proposition 1.

Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$, two adjacent initial states $q_0$ and $q_0^{\prime }$, and an observation $\omega \in {\Sigma }_o^{*}$, let $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$ be the verifier due to Algorithm 1. Given ${\mathcal{S}}_1\in 2^Q$, ${\mathcal{S}}_2\in 2^Q$, and a positive real number ϵ, for  $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_v$ with ${\mathcal{Q}}^{♯}=\varnothing$, if  $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime })-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime })|\le ϵ$ where ${\delta }_v({\mathcal{Q}}_0,{\omega }^{\prime })=\mathcal{Q}$ and ${\omega }^{\prime }\in {\Sigma }_o^{*}$, then $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime }{\omega }^{″})-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime }{\omega }^{″})|\le ϵ$ where $\forall {\omega }^{″}\in {\Sigma }_o^{*}$.

Proof. 

For $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_v$ in verifier $V_{\omega }$, if ${\mathcal{Q}}^{♯}=\varnothing$, it holds that ${\mathcal{S}}_1=\varnothing$, ${\mathcal{S}}_2=\varnothing$ or ${\mathcal{S}}_1={\mathcal{S}}_2$. If ${\mathcal{S}}_1=\varnothing$ and $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime })-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime })|\le ϵ$, then ${\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime })=0$ and ${\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime })\le ϵ$ hold. For any observation ${\omega }^{″}\in {\Sigma }_o^{*}$ generated from $q\in {\mathcal{S}}_2$, $0\le {\mathrm{Pr}}_o(q,{\omega }^{″})\le 1$ and ${\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime }{\omega }^{″})=0$ hold. We have ${\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime })\times {\mathrm{Pr}}_o(q,{\omega }^{″})\le ϵ$, that is, ${\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime }{\omega }^{″})\le ϵ$. $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime }{\omega }^{″})-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime }{\omega }^{″})|\le ϵ$ holds. If ${\mathcal{S}}_2=\varnothing$, we have ${\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime }{\omega }^{″})\le ϵ$, ${\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime }{\omega }^{″})=0$ and $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime }{\omega }^{″})-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime }{\omega }^{″})|\le ϵ$ for any observation ${\omega }^{″}\in {\Sigma }_o^{*}$ by the similar way. If ${\mathcal{S}}_1={\mathcal{S}}_2$ and $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime })-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime })|\le ϵ$, for any observation ${\omega }^{″}\in {\Sigma }_o^{*}$ generated from $q\in {\mathcal{S}}_1$ (or $q\in {\mathcal{S}}_2$), since $0\le {\mathrm{Pr}}_o(q,{\omega }^{″})\le 1$, it holds that $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime })\times {\mathrm{Pr}}_o(q,{\omega }^{″})-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime })\times {\mathrm{Pr}}_o(q,{\omega }^{″})|\le ϵ$, that is, $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime }{\omega }^{″})-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime }{\omega }^{″})|\le ϵ$.    □

In Proposition 1, for all states $\mathcal{Q}\in Q_v$ without post-states in verifier $V_{\omega }$, given a positive real number $ϵ$, if the difference between the probabilities of generating $\omega {\omega }^{\prime }$ from $q_0$ and $q_0^{\prime }$ is less than or equal to $ϵ$, where ${\delta }_v({\mathcal{Q}}_0,{\omega }^{\prime })=\mathcal{Q}$, then the difference between the probabilities of generating observation $\omega {\omega }^{\prime }{\omega }^{″}$ for all ${\omega }^{″}\in {\Sigma }_o^{*}$ from $q_0$ and $q_0^{\prime }$ is less than or equal to $ϵ$. The two systems with adjacent initial states verified by the verifier satisfy state differential privacy within any finite step observation extension.

Step-based verification for state differential privacy is implemented by Algorithm 2. Given a verifier $V_{\omega }=(Q_v$, ${\Sigma }_o$, ${\delta }_v$, ${\mathcal{Q}}_0)$ for $G\left(q_0\right)=(Q$, $\Sigma$, $\delta$, $q_0$, $\rho )$ and $G\left(q_0^{\prime }\right)=(Q$, $\Sigma$, $\delta$, $q_0^{\prime }$, $\rho )$, a finite step $k\in {\mathbb{N}}^{+}$ and a parameter $ϵ$, for any $k^{\prime }\le k$ with $k^{\prime }\in {\mathbb{N}}^{+}$, for a state $\mathcal{Q}\in Q_n$ ($Q_n$ is initialized to $\left\{{\mathcal{Q}}_0\right\}$), and for any observable event e with ${\delta }_v(\mathcal{Q},e)!$, we obtain the probabilities of generating ${\omega }^{\prime }e$ with ${\delta }_v({\mathcal{Q}}_0,{\omega }^{\prime })=\mathcal{Q}$ after the systems generate $\omega$ from $q_0$ and $q_0^{\prime }$, respectively, denoted by ${\mathrm{Pr}}_1({\mathcal{Q}}_0,{\omega }^{\prime }e)$ and ${\mathrm{Pr}}_2({\mathcal{Q}}_0,{\omega }^{\prime }e)$. If the difference between ${\mathrm{Pr}}_1({\mathcal{Q}}_0,{\omega }^{\prime }e)$ and ${\mathrm{Pr}}_2({\mathcal{Q}}_0,{\omega }^{\prime }e)$ is larger than $ϵ$, the two systems with adjacent initial states do not satisfy $ϵ$-state differential privacy; otherwise, $\mathcal{Q}$ is deleted from $Q_n$ and all post-states of $\mathcal{Q}$ are inserted into $Q_n$. Its complexity is $\mathcal{O}(k\times |Q_v{|}^2\times \left|{\Sigma }_o\right|\times 2^{\left|Q\right|})$.

Algorithm 2: Step-based verification for state differential privacy

Example 6.

Let us consider the verifier $V_{\beta }$ in Figure 2a. Suppose $k=3$ and $ϵ=0.12$. After the two probabilistic automata $G\left(q_1\right)$ and $G\left(q_2\right)$ generate an observation β from two adjacent initial states $q_1$ and $q_2$, $\phi (q_1,\beta )=\{q_3,q_5\}$ and $\phi (q_2,\beta )=\{q_4,q_5\}$ hold. The probabilities of choosing states $q_3$ and $q_5$ from $\phi (q_1,\beta )$ are $\mathrm{Pr}\left(q_3\right|\phi (q_1,\beta ))=5/9$ and $\mathrm{Pr}\left(q_5\right|\phi (q_1,\beta ))=4/9$, respectively. The probabilities of choosing states $q_4$ and $q_5$ from $\phi (q_2,\beta )$ are $\mathrm{Pr}\left(q_4\right|\phi (q_2,\beta ))=1/2$ and $\mathrm{Pr}\left(q_5\right|\phi (q_2,\beta ))=1/2$, respectively.

For initial state ${\mathcal{Q}}_0$ and $k^{\prime }=1$, it holds that

$$\begin{array}{cc}\hfill & |{\mathrm{Pr}}_1({\mathcal{Q}}_0,\gamma )-{\mathrm{Pr}}_2({\mathcal{Q}}_0,\gamma )|=\mathrm{Pr}\left(q_3\right|\{q_3,q_5\})\times {\mathrm{Pr}}_{\sigma }(q_3,\gamma )=1/9\le ϵ;\hfill \\ \hfill & |{\mathrm{Pr}}_1({\mathcal{Q}}_0,\mu )-{\mathrm{Pr}}_2({\mathcal{Q}}_0,\mu )|=|\mathrm{Pr}\left(q_5\right|\{q_3,q_5\})\times {\mathrm{Pr}}_{\sigma }(q_5,\mu )+\mathrm{Pr}\left(q_3\right|\{q_3,q_5\})\times {\mathrm{Pr}}_{\sigma }(q_3,\tau \mu )\hfill \\ & -\mathrm{Pr}\left(q_5\right|\{q_4,q_5\})\times {\mathrm{Pr}}_{\sigma }(q_5,\mu )-\mathrm{Pr}\left(q_4\right|\{q_4,q_5\})\times {\mathrm{Pr}}_{\sigma }(q_4,\tau \mu )|=1/9\le ϵ.\hfill \end{array}$$

For $k^{\prime }=2$ and $k^{\prime }=3$, there is no state transition with $k^{\prime }$-step observation extensions in $V_{\beta }$. Two systems $G\left(q_1\right)$ and $G\left(q_2\right)$ satisfy ϵ-state differential privacy with $ϵ=0.12$, within three-step observation extensions, after the systems generate β from $q_1$ and $q_2$.

Consider the verifier $V_{\epsilon }$ in Figure 2b. For initial state ${\mathcal{Q}}_0$ and $k^{\prime }=1$, it holds that

$$\begin{array}{cc}\hfill |{\mathrm{Pr}}_1({\mathcal{Q}}_0,\beta )-{\mathrm{Pr}}_2({\mathcal{Q}}_0,\beta )|& =|\mathrm{Pr}\left(q_1\right|\left\{q_1\right\})\times {\mathrm{Pr}}_{\sigma }(q_1,\beta )-\mathrm{Pr}\left(q_2\right|\left\{q_2\right\})\times {\mathrm{Pr}}_{\sigma }(q_2,\beta )|\hfill \\ & =0.1\le ϵ;\hfill \\ \hfill |{\mathrm{Pr}}_1({\mathcal{Q}}_0,\lambda )-{\mathrm{Pr}}_2({\mathcal{Q}}_0,\lambda )|& =|\mathrm{Pr}\left(q_1\right|\left\{q_1\right\})\times {\mathrm{Pr}}_{\sigma }(q_1,\lambda )-\mathrm{Pr}\left(q_2\right|\left\{q_2\right\})\times {\mathrm{Pr}}_{\sigma }(q_2,\lambda )|\hfill \\ & =0.3>ϵ;\hfill \\ \hfill |{\mathrm{Pr}}_1({\mathcal{Q}}_0,\gamma )-{\mathrm{Pr}}_2({\mathcal{Q}}_0,\gamma )|& =|\mathrm{Pr}\left(q_2\right|\left\{q_2\right\})\times {\mathrm{Pr}}_{\sigma }(q_2,\gamma )|=0.4>ϵ.\hfill \end{array}$$

Two systems $G\left(q_1\right)$ and $G\left(q_2\right)$ do not satisfy ϵ-state differential privacy with $ϵ=0.12$, within three-step observation extensions, after the systems generate the empty string from $q_1$ and $q_2$, respectively.

Theorem 1.

Two systems satisfy ϵ-state differential privacy, within $k\in {\mathbb{N}}^{+}$-step observation extensions, after the systems generate a given observation from two given adjacent initial states if, and only if Algorithm 2 returns true.

Proof. 

(if) Given two probabilistic automata $G\left(q_0\right)=(Q$, $\Sigma$, $\delta$, $q_0$, $\rho )$ and $G\left(q_0^{\prime }\right)=(Q$, $\Sigma$, $\delta$, $q_0^{\prime }$, $\rho )$, a positive real number $ϵ$, and an observation $\omega \in {\Sigma }_o^{*}$, let $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$ be the verifier due to Algorithm 1. Given a positive integer $k\in {\mathbb{N}}^{+}$, for any $k^{\prime }\le k$ with $k^{\prime }\in {\mathbb{N}}^{+}$, and for any observation ${\omega }^{\prime }\in {\Sigma }_o^{*}$ whose length is equal to $k^{\prime }$ generated from ${\mathcal{Q}}_0$, ${\mathrm{Pr}}_1({\mathcal{Q}}_0,{\omega }^{\prime })$ and ${\mathrm{Pr}}_2({\mathcal{Q}}_0,{\omega }^{\prime })$ in Algorithm 2 are the probabilities of generating ${\omega }^{\prime }$ after the systems generate $\omega$ from $q_0$ and $q_0^{\prime }$, respectively. For any ${\omega }^{\prime }\in {\Sigma }_o^{*}$ generated within k-step observation extensions after the systems generate $\omega$ from $q_0$ and $q_0^{\prime }$, the difference between ${\mathrm{Pr}}_1({\mathcal{Q}}_0,{\omega }^{\prime })$ and ${\mathrm{Pr}}_2({\mathcal{Q}}_0,{\omega }^{\prime })$ is less than or equal to $ϵ$ if Algorithm 2 returns true, that is, for all $k^{\prime }\le k$ and all ${\omega }^{\prime }\in {\mathcal{L}}_o(q_0,\omega ,k^{\prime })\cup {\mathcal{L}}_o(q_0^{\prime },\omega ,k^{\prime })$, it holds $|{\mathrm{Pr}}_o(q_0,\omega ,k^{\prime },{\omega }^{\prime })-{\mathrm{Pr}}_o(q_0^{\prime },\omega ,k^{\prime },{\omega }^{\prime })|\le ϵ$. The two systems $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ satisfy $ϵ$-state differential privacy, within k-step observation extensions, after the systems generate a given observation $\omega$ from two given adjacent initial states $q_0$ and $q_0^{\prime }$.

(only if) If Algorithm 2 returns false, there exists an observation ${\omega }^{\prime }\in {\Sigma }_o^{*}$ such that the difference between ${\mathrm{Pr}}_1({\mathcal{Q}}_0,{\omega }^{\prime })$ and ${\mathrm{Pr}}_2({\mathcal{Q}}_0,{\omega }^{\prime })$ is larger than $ϵ$, that is, there exists a positive integer $k^{\prime }\le k$ such that $|{\mathrm{Pr}}_o(q_0,\omega ,k^{\prime },{\omega }^{\prime })-{\mathrm{Pr}}_o(q_0^{\prime },\omega ,k^{\prime },{\omega }^{\prime })|>ϵ$ holds, where ${\omega }^{\prime }\in {\mathcal{L}}_o(q_0,\omega ,k^{\prime })\cup {\mathcal{L}}_o(q_0^{\prime },\omega ,k^{\prime })$. The two systems $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ do not satisfy $ϵ$-state differential privacy. This reveals that Algorithm 2 returns true if two systems $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ satisfy $ϵ$-state differential privacy, within k-step observation extensions, after $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ generate a given observation from two given adjacent initial states $q_0$ and $q_0^{\prime }$.    □

5. Supervisory Control for Enforcing State Differential Privacy

As seen from Section 4, if the probability distributions of generating observations within a given finite step observation extension, after two systems generating a given observation from two adjacent initial states are approximate, then the two systems satisfy state differential privacy. To ensure that the two systems satisfy state differential privacy within a given finite step observation extension, we present a supervisory control strategy for enforcing state differential privacy.

Given a matrix M, we use $M\left[i\right]\left[j\right]$ to describe the element in the i-th row and j-th column of M, where $i,j\in {\mathbb{N}}^{+}$. The number of rows or columns in M is represented as ${\mathbb{N}}^r\left(M\right)\in {\mathbb{N}}^{+}$ or ${\mathbb{N}}^c\left(M\right)\in {\mathbb{N}}^{+}$. Moreover, $M[:]\left[j\right]$ and $M\left[i\right][:]$ are the j-th column and the i-th row vectors of M, respectively. Moreover, if M is a row (column) vector, $M\left[i\right]$ is the element in the i-th column (row) of M. Given two $m\times n$ matrices $M_1$ and $M_2$, an $m\times 2n$ matrix $M=\left[M_1\right|M_2]$ is a horizontal extension of $M_1$ and $M_2$.

Given a verifier $V_{\omega }=(Q_v$, ${\Sigma }_o$, ${\delta }_v$, ${\mathcal{Q}}_0)$ and a state $\mathcal{Q}\in Q_v$, the set $\mathcal{C}\left(\mathcal{Q}\right)$ is defined as

$$\mathcal{C}\left(\mathcal{Q}\right)=\{e\in {\Sigma }_o|(\exists {\mathcal{Q}}^{\prime }\in {\mathcal{Q}}^{♯}\setminus \left\{\mathcal{Q}\right\}){\delta }_v(\mathcal{Q},e)={\mathcal{Q}}^{\prime }\}.$$

A mapping $H:{\Sigma }_o\to {\mathbb{N}}^{+}$ assigns to an observable event a unique positive integer. For a state $\mathcal{Q}\in Q_v$, we sort all events $e\in \mathcal{C}\left(\mathcal{Q}\right)$ by $H\left(e\right)$ from small to large, and then give e an index value $I(\mathcal{Q},e)$, where $I:Q_v\times {\Sigma }_o\to {\mathbb{N}}^{+}$ is a mapping. For two states $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_v$ and ${\mathcal{Q}}^{\prime }={\mathcal{S}}_1^{\prime }\times {\mathcal{S}}_2^{\prime }\in {}^{♯}\mathcal{Q}$, the set of all enabled events from ${\mathcal{Q}}^{\prime }$ to $\mathcal{Q}$ is denoted as $\mathcal{E}({\mathcal{Q}}^{\prime },\mathcal{Q})=\{e\in {\Sigma }_o|{\delta }_v({\mathcal{Q}}^{\prime },e)=\mathcal{Q}\}$. For any event $e\in \mathcal{E}({\mathcal{Q}}^{\prime },\mathcal{Q})$, $X({\mathcal{Q}}^{\prime },\mathcal{Q},e)$ is defined as a $\left|\mathcal{C}\right({\mathcal{Q}}^{\prime }\left)\right|$-dimensional column vector, which contains zeros and ones only. We associate a binary scalar $X({\mathcal{Q}}^{\prime },\mathcal{Q},e)\left[v\right]$ defined as follows:

$$X({\mathcal{Q}}^{\prime },\mathcal{Q},e)\left[v\right]=\left\{\begin{array}{c}1,v=I({\mathcal{Q}}^{\prime },e)\hfill \\ 0,v\ne I({\mathcal{Q}}^{\prime },e)\hfill \end{array}\right.$$

where $1\le v\le \left|\mathcal{C}\right({\mathcal{Q}}^{\prime }\left)\right|$ and $v\in {\mathbb{N}}^{+}$. $X({\mathcal{Q}}^{\prime },\mathcal{Q})$ is a horizontal extension of $X({\mathcal{Q}}^{\prime },\mathcal{Q},e)$ for all $e\in \mathcal{E}({\mathcal{Q}}^{\prime },\mathcal{Q})$ sorted by increasing the value of $I({\mathcal{Q}}^{\prime },e)$.

Example 7.

A probabilistic automaton structure is shown in Figure 3. Given two adjacent initial states $q_1$ and $q_2$, suppose that ${\Sigma }_o=\{\alpha ,\beta ,\gamma ,\lambda ,\mu \}$ and ${\Sigma }_{uo}=\left\{\tau \right\}$. A verifier $V_{\epsilon }$ is shown in Figure 4. Let $H\left(\alpha \right)=1$, $H\left(\beta \right)=2$, $H\left(\gamma \right)=3$, $H\left(\lambda \right)=4$ and $H\left(\mu \right)=5$. For initial state ${\mathcal{Q}}_0$, $\mathcal{C}\left({\mathcal{Q}}_0\right)=\{\gamma ,\beta ,\lambda \}$ holds. Since $I({\mathcal{Q}}_0,\beta )=1$, $I({\mathcal{Q}}_0,\gamma )=2$ and $I({\mathcal{Q}}_0,\lambda )=3$, it holds that $\mathcal{E}({\mathcal{Q}}_0,{\mathcal{Q}}_2)=\{\beta ,\lambda \}$ and $X({\mathcal{Q}}_0,{\mathcal{Q}}_2)=\left[X_{\beta }\right|X_{\lambda }]$, where $X_{\beta }=(1$, 0, ${0)}^T$ and $X_{\lambda }=(0$, 0, ${1)}^T$.

Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ with two adjacent initial states $q_0$, $q_0^{\prime }$ and an observation $\omega \in {\Sigma }_o^{*}$, let $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$ be the verifier. For a state $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_v$ and ${\delta }_v({\mathcal{Q}}_0,{\omega }^{\prime })=\mathcal{Q}$, $Z_{{\omega }^{\prime }}\left({\mathcal{S}}_1\right|\mathcal{Q})$ and $Z_{{\omega }^{\prime }}\left({\mathcal{S}}_2\right|\mathcal{Q})$ are two $\left|\mathcal{C}\right(\mathcal{Q}\left)\right|$-dimensional row vectors. For any $e\in \mathcal{C}\left(\mathcal{Q}\right)$, $I(\mathcal{Q},e)\in \{1,2,\dots ,|\mathcal{C}\left(\mathcal{Q}\right)\left|\right\}$ and $i\in \{1,2\}$, it holds that

$$\begin{array}{cc}\hfill & Z_{{\omega }^{\prime }}\left({\mathcal{S}}_1\right|\mathcal{Q})\left[I(\mathcal{Q},e)\right]=\sum _{q\in {\mathcal{S}}_1}\sum _{\begin{array}{c}s\in \sigma (q,e)\end{array}}[\mathrm{Pr}\left(q\right|\phi (q_0,\omega {\omega }^{\prime }))\times {\mathrm{Pr}}_{\sigma }(q,s)];\hfill \\ \hfill & Z_{{\omega }^{\prime }}\left({\mathcal{S}}_2\right|\mathcal{Q})\left[I(\mathcal{Q},e)\right]=\sum _{q\in {\mathcal{S}}_2}\sum _{\begin{array}{c}s\in \sigma (q,e)\end{array}}[\mathrm{Pr}\left(q\right|\phi (q_0^{\prime },\omega {\omega }^{\prime }))\times {\mathrm{Pr}}_{\sigma }(q,s)].\hfill \end{array}$$

Example 8.

Consider the verifier in Figure 4. For state ${\mathcal{Q}}_0$, $\mathcal{C}\left({\mathcal{Q}}_0\right)=\{\gamma ,\beta ,\lambda \}$ holds. Since $I({\mathcal{Q}}_0,\beta )=1$, $I({\mathcal{Q}}_0,\gamma )=2$ and $I({\mathcal{Q}}_0,\lambda )=3$, we have $Z_{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)=(0.45,0,0.55)$ and $Z_{\epsilon }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_0)=(0.4,0.2,0.4)$. For state ${\mathcal{Q}}_2$, $\mathcal{C}\left({\mathcal{Q}}_2\right)=\left\{\mu \right\}$ holds. We have $Z_{{\omega }^{\prime }}\left(\left\{q_3\right\}\right|{\mathcal{Q}}_2)$$={\mathrm{Pr}}_{\sigma }(q_3,\tau \mu )=0.8$ and $Z_{{\omega }^{\prime }}\left(\left\{q_4\right\}\right|{\mathcal{Q}}_2)={\mathrm{Pr}}_{\sigma }(q_4,\tau \mu )=0.7$, where ${\omega }^{\prime }\in \{\beta ,\lambda \}$.

Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ with two adjacent initial states $q_0$, $q_0^{\prime }$ and an observation $\omega \in {\Sigma }_o^{*}$, let $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$ be the verifier. For a state $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_v$ with ${\delta }_v({\mathcal{Q}}_0,{\omega }^{\prime })=\mathcal{Q}$, $X^{{\omega }^{\prime }}\left({\mathcal{S}}_i\right|\mathcal{Q})$ is called a probability matrix for ${\mathcal{S}}_i$, $\mathcal{Q}$ and ${\omega }^{\prime }$, where $i\in \{1,2\}$, respectively, defined by

• if ${}^{♯}\mathcal{Q}=\varnothing$, it holds $X^{\epsilon }\left({\mathcal{S}}_i\right|\mathcal{Q})=Z_{\epsilon }\left({\mathcal{S}}_i\right|\mathcal{Q})$;
• if ${}^{♯}\mathcal{Q}\ne \varnothing$, for ${\mathcal{Q}}^{\prime }={\mathcal{S}}_1^{\prime }\times {\mathcal{S}}_2^{\prime }\in {}^{♯}\mathcal{Q}$ with ${\delta }_v({\mathcal{Q}}_0,{\omega }^{″})={\mathcal{Q}}^{\prime }$, ${\delta }_v({\mathcal{Q}}^{\prime },e)=\mathcal{Q}$, and ${\omega }^{″}e={\omega }^{\prime }$, it holds that

  $$\begin{array}{c}\hfill X_m^{{\omega }^{\prime }}\left({\mathcal{S}}_i\right|\mathcal{Q})={[X^{{\omega }^{″}}\left({\mathcal{S}}_i^{\prime }\right|{\mathcal{Q}}^{\prime })\times X({\mathcal{Q}}^{\prime },\mathcal{Q})]}^T[:]\left[m\right]\times Z_{{\omega }^{\prime }}\left({\mathcal{S}}_i\right|\mathcal{Q}).\end{array}$$

Then

$$\begin{array}{c}\hfill X^{{\omega }^{\prime }}\left({\mathcal{S}}_i\right|\mathcal{Q})=[X_1^{{\omega }^{\prime }}{\left({\mathcal{S}}_i\right|\mathcal{Q})}^T|\dots |X_n^{{\omega }^{\prime }}{\left({\mathcal{S}}_i\right|\mathcal{Q})}^T{]}^T,\end{array}$$

where $n={\mathbb{N}}^r\left(X^{{\omega }^{″}}\left({\mathcal{S}}_i^{\prime }\right|{\mathcal{Q}}^{\prime })\right)$ and $m\in \{1,2,\dots ,n\}$.

The computation of probability matrices for a state in a verifier is implemented by Algorithm 3, whose complexity is $\mathcal{O}\left(\right|{\mathcal{Q}}_v|\times 2^{\left|Q\right|})$.

Example 9.

Consider the verifier in Figure 4. For initial state ${\mathcal{Q}}_0$, $X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)=(0.45,0,0.55)$ and $X^{\epsilon }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_0)=(0.4,0.2,0.4)$ hold. Given state ${\mathcal{Q}}_2$, we have

$$\begin{array}{cc}\hfill & X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)\times X({\mathcal{Q}}_0,{\mathcal{Q}}_2)=(0.45,0.55);X^{\epsilon }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_0)\times X({\mathcal{Q}}_0,{\mathcal{Q}}_2)=(0.4,0.4).\hfill \end{array}$$

For ${\omega }^{\prime }\in \{\beta ,\lambda \}$, we have

$$\begin{array}{cc}\hfill & X^{{\omega }^{\prime }}\left(\left\{q_3\right\}\right|{\mathcal{Q}}_2)={(0.45,0.55)}^T[:]\left[1\right]\times Z_{{\omega }^{\prime }}\left(\left\{q_3\right\}\right|{\mathcal{Q}}_2)={(0.36,0.44)}^T;\hfill \\ \hfill & X^{{\omega }^{\prime }}\left(\left\{q_4\right\}\right|{\mathcal{Q}}_2)={(0.4,0.4)}^T[:]\left[1\right]\times Z_{{\omega }^{\prime }}\left(\left\{q_4\right\}\right|{\mathcal{Q}}_2)={(0.28,0.28)}^T.\hfill \end{array}$$

As in the classical supervisory control theory of DESs, the set $\Sigma$ is partitioned into ${\Sigma }_c$ and ${\Sigma }_{uc}$ ($\Sigma ={\Sigma }_c\dot{\cup }{\Sigma }_{uc}$), the sets of controllable and uncontrollable events, respectively. Traditionally, we can only disable controllable events $e\in {\Sigma }_c$. This paper assumes that all observable events are controllable and all unobservable events are uncontrollable.

For a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$, the probabilities of the remaining enabled events proportionally increase after a controllable event is disabled. If a controllable event is disabled at state $q\in Q$, the set of all enabled events at q is updated. The firing probability of a remaining enabled event e at q is equal to $\rho (q,e)=\rho (q,e)/{\sum }_{e^{\prime }\in \mathcal{E}\left(q\right)}\rho (q,e^{\prime }).$

Example 10.

Consider the probabilistic automaton structure in Figure 3. If event β is disabled at state $q_2$, the plant can choose between γ and λ to occur at $q_2$. The firing probabilities of γ and λ at $q_2$ are $\rho (q_2,\gamma )=\rho (q_2,\gamma )/(\rho (q_2,\gamma )+\rho (q_2,\lambda ))=1/3$ and $\rho (q_2,\lambda )=\rho (q_2,\lambda )/(\rho (q_2,\gamma )+\rho (q_2,\lambda ))=2/3$, respectively.

Algorithm 3: Computation of probability matrices for a state in a verifier

A function $\mathcal{D}:Q\to 2^{\Sigma }$ is a mapping that assigns to a state in a probabilistic automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$ a set of disabled events. Algorithm 4 computes a control specification, which is to disable certain events at specific states. Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ with two adjacent initial states $q_0$, $q_0^{\prime }$ and an observation $\omega \in {\Sigma }_o^{*}$, let $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$ be the verifier. Given a positive integer $k\in {\mathbb{N}}^{+}$, for any $k^{\prime }\le k$ with $k^{\prime }\in {\mathbb{N}}^{+}$, $Q_n$ is the set of reachable states with $k^{\prime }$-step observation extensions. For any state $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_n$ with ${\delta }_v({\mathcal{Q}}_0,{\omega }^{\prime })=\mathcal{Q}$, and for any two numbers $x_1$, $x_2$ at the same position in $X^{{\omega }^{\prime }}\left({\mathcal{S}}_1\right|\mathcal{Q})$, $X^{{\omega }^{\prime }}\left({\mathcal{S}}_2\right|\mathcal{Q})$, we need to decide whether $|x_1-x_2|$ is larger than $ϵ$. If so, event e is disabled at all $q\in {\mathcal{S}}_1\cup {\mathcal{S}}_2$, where $I(\mathcal{Q},e)=j$ and $x_1$ is in the j-th column of $X^{{\omega }^{\prime }}\left({\mathcal{S}}_1\right|\mathcal{Q})$. $X^{{\omega }^{\prime }}\left({\mathcal{S}}_1\right|\mathcal{Q})$ and $X^{{\omega }^{\prime }}\left({\mathcal{S}}_2\right|\mathcal{Q})$ are then updated. Moreover, for any observable event e with ${\delta }_v(\mathcal{Q},e)=\mathcal{Q}$, $w_1$ and $w_2$ are the probabilities of generating e from $q\in {\mathcal{S}}_1$ and $q^{\prime }\in {\mathcal{S}}_2$, respectively. For any two numbers $x_1$, $x_2$ at the same position in $X^{{\omega }^{\prime }}\left({\mathcal{S}}_1\right|\mathcal{Q})$, $X^{{\omega }^{\prime }}\left({\mathcal{S}}_2\right|\mathcal{Q})$, and for any positive integer $n\le k-k^{\prime }$ with $n\in {\mathbb{N}}^{+}$, we decide whether $|w_1^n\times x_1-w_2^n\times x_2|\le ϵ$ holds until $w_1^n\times x_1$ and $w_2^n\times x_2$ are both less than or equal to $ϵ$. If $|w_1^n\times x_1-w_2^n\times x_2|>ϵ$, event e is disabled at all $q\in {\mathcal{S}}_1\cup {\mathcal{S}}_2$. Its complexity is $\mathcal{O}(k\times |Q_v{|}^2\times \left|{\Sigma }_o\right|\times 2^{\left|Q\right|})$.

Algorithm 4: Computation of a control specification

A supervisory control function for a probability automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$ is $\mathcal{V}:Q\to 2^{\Sigma }$ that assigns to a state in G a set of enabled events, where $\mathcal{V}\left(q\right)=\mathcal{E}\left(q\right)\setminus \mathcal{D}\left(q\right)$ for all $q\in Q$. The next event allowed to happen at q by supervisory control is $e\in \mathcal{V}\left(q\right)$. A supervisor implementing the supervisory control function $\mathcal{V}$ can be constructed if ${\bigcup }_{q\in Q}\mathcal{D}\left(q\right)\cap {\Sigma }_{uc}=\varnothing$ holds.

Example 11.

Let us consider the verifier in Figure 4. Suppose ${\Sigma }_c=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$, ${\Sigma }_{uc}=\left\{\tau \right\}$, $k=10$ and $ϵ=0.12$. For $k^{\prime }=1$, $X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)=(0.45,0,0.55)$ and $X^{\epsilon }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_0)=(0.4,0.2,0.4)$ hold. Since $|0-0.2|>ϵ$, disable event γ at state $q_2$. We update $X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)=(0.45,0.55)$ and $X^{\epsilon }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_0)=(0.5,0.5)$. For $k^{\prime }=2$, $X^{{\omega }^{\prime }}\left(\left\{q_3\right\}\right|{\mathcal{Q}}_2)={(0.36,0.44)}^T$ and $X^{{\omega }^{\prime }}\left(\left\{q_4\right\}\right|{\mathcal{Q}}_2)={(0.35,0.35)}^T$ hold, where ${\omega }^{\prime }\in \{\beta ,\lambda \}$. Since $\rho (q_3,\gamma )\times X^{{\omega }^{\prime }}\left(\left\{q_3\right\}\right|{\mathcal{Q}}_2)={(0.072,0.088)}^T$ and $\rho (q_4,\gamma )\times X^{{\omega }^{\prime }}\left(\left\{q_4\right\}\right|{\mathcal{Q}}_2)={(0.105,0.105)}^T$, event γ is not disabled at states $q_3$ and $q_4$. For $2\le k^{\prime }\le k$ and $k^{\prime }\in {\mathbb{N}}^{+}$, since ${\mathcal{Q}}_3^{♯}=\varnothing$, we do not need to do more analysis. The control specification is that event γ is disabled at state $q_2$, that is, $\mathcal{D}\left(q_2\right)=\left\{\gamma \right\}$. Due to ${\bigcup }_{q\in Q}\mathcal{D}\left(q\right)\cap {\Sigma }_{uc}=\varnothing$, there exists a supervisor to control the system behavior such that $G^{\prime }\left(q_1\right)$ and $G^{\prime }\left(q_2\right)$ satisfy ϵ-state differential privacy, within 10-step observation extensions, after $G^{\prime }\left(q_1\right)$ and $G^{\prime }\left(q_2\right)$ generate the empty string from $q_1$ and $q_2$. The skeleton of a supervisor implementing $\mathcal{V}$ is shown in Figure 5.

Theorem 2.

Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ and two adjacent initial states $q_0,q_0^{\prime }$, $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ controlled by the control specification due to Algorithm 4 satisfy ϵ-state differential privacy, within a given k-step observation extension, after the systems generate a given observation $\omega \in {\Sigma }_o^{*}$ from $q_0$ and $q_0^{\prime }$.

Proof. 

Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ with two adjacent initial states $q_0$, $q_0^{\prime }$ and an observation $\omega \in {\Sigma }_o^{*}$, let $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$ be the verifier. For $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_v$ that can be reached with $k^{\prime }$-step observation extensions and ${\delta }_v({\mathcal{Q}}_0,{\omega }^{\prime })=\mathcal{Q}$, where $k^{\prime }\le k$ and $k^{\prime }\in {\mathbb{N}}^{+}$, if there exists no observable event $e\in {\Sigma }_o$ such that ${\delta }_v(\mathcal{Q},e)=\mathcal{Q}$, and if $|X^{{\omega }^{\prime }}\left({\mathcal{S}}_1\right|\mathcal{Q})\left[i\right]\left[j\right]-X^{{\omega }^{\prime }}\left({\mathcal{S}}_2\right|\mathcal{Q})\left[i\right]\left[j\right]|\le ϵ$ holds for all $i,j\in {\mathbb{N}}^{+}$, then the difference between the probabilities of generating $\omega {\omega }^{\prime }e$ for any $e\in {\Sigma }_o$ from $q_0$ and $q_0^{\prime }$ is less than or equal to $ϵ$.

For $\mathcal{Q}={\mathcal{S}}_1\times {\mathcal{S}}_2\in Q_v$ that can be reached with $k^{\prime }$-step observation extensions and ${\delta }_v({\mathcal{Q}}_0,{\omega }^{\prime })=\mathcal{Q}$, if there exists an observable event $e\in {\Sigma }_o$ such that ${\delta }_v(\mathcal{Q},e)=\mathcal{Q}$, then the relation $|w_1^n\times x_1-w_2^n\times x_2|\le ϵ$ is true until $w_1^n\times x_1\le ϵ$ and $w_2^n\times x_2\le ϵ$ hold for all $1\le n\le k-k^{\prime }$ and $n\in {\mathbb{N}}^{+}$, where $w_1$ and $w_2$ are the probabilities of generating e from $q\in {\mathcal{S}}_1$ and $q^{\prime }\in {\mathcal{S}}_2$, respectively, and $x_1,x_2$ are any two numbers at the same position in $X^{{\omega }^{\prime }}\left({\mathcal{S}}_1\right|\mathcal{Q}),X^{{\omega }^{\prime }}\left({\mathcal{S}}_2\right|\mathcal{Q})$, respectively. The difference between the probabilities of generating $\omega {\omega }^{\prime }{\omega }_a$ for all ${\omega }_a\in {\Sigma }_o^{*}$ containing e from $q_0$ and $q_0^{\prime }$ is less than or equal to $ϵ$. For all $k^{\prime }\in {\mathbb{N}}^{+}$ and ${\omega }^{\prime }\in {\Sigma }_o^{*}$, where $k^{\prime }\le k$ and $|{\omega }^{\prime }|=k^{\prime }$, it holds that $|{\mathrm{Pr}}_o(q_0,\omega ,k,{\omega }^{\prime })-{\mathrm{Pr}}_o(q_0^{\prime },\omega ,k,{\omega }^{\prime })|\le ϵ$. Two systems $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ controlled by the control specification due to Algorithm 4 satisfy $ϵ$-state differential privacy, within a given k-step observation extension, after the systems generate a given observation $\omega$ from $q_0$ and $q_0^{\prime }$. □

The supervisory control is maximally permissive for $ϵ$-state differential privacy enforcement if the number of enabled controllable events at any state in the probabilistic automaton controlled via the supervisor is the largest compared with other supervisory control methods. If a supervisor implementing the proposed supervisory control function can be constructed, then the maximally permissive supervisory control exists.

Proposition 2.

The supervisory control under the control specification due to Algorithm 4 is maximally permissive.

Proof. 

Given a probabilistic automaton structure $G_s=(Q,\Sigma ,\delta ,\rho )$ with two adjacent initial states $q_0$, $q_0^{\prime }$ and an observation $\omega \in {\Sigma }_o^{*}$, let $V_{\omega }=(Q_v,{\Sigma }_o,{\delta }_v,{\mathcal{Q}}_0)$ be the verifier. A supervisor is constructed by the control specification due to Algorithm 4. The supervisory control function for a probability automaton $G=(Q,\Sigma ,\delta ,q_0,\rho )$ under the control specification is $\mathcal{V}:Q\to 2^{\Sigma }$, where $\mathcal{V}\left(q\right)=\mathcal{E}\left(q\right)\setminus \mathcal{D}\left(q\right)$ for all $q\in Q$. Suppose that $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ reach states q and $q^{\prime }$ by generating $\omega {\omega }^{\prime }\in {\Sigma }_o^{*}$ from $q_0$ and $q_0^{\prime }$ within $k\in {\mathbb{N}}^{+}$-step observation extensions, respectively. For all $e\in \mathcal{V}\left(q\right)$ (or $e\in \mathcal{V}\left(q^{\prime }\right)$), it holds that $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime }e)-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime }e)|\le ϵ$. If any event $e\in \mathcal{D}\left(q\right)\cup \mathcal{D}\left(q^{\prime }\right)$ occurs from q or $q^{\prime }$, we obtain $|{\mathrm{Pr}}_o(q_0,\omega {\omega }^{\prime }e)-{\mathrm{Pr}}_o(q_0^{\prime },\omega {\omega }^{\prime }e)|>ϵ$. Since $\mathcal{D}\left(q\right)\cup \mathcal{D}\left(q^{\prime }\right)\subseteq {\Sigma }_o$, there exists an observation $\omega {\omega }^{\prime }e$ such that the difference between firing probabilities of $\omega {\omega }^{\prime }e$ at $q_0$ and $q_0^{\prime }$ is larger than $ϵ$. Two systems $G\left(q_0\right)$ and $G\left(q_0^{\prime }\right)$ do not satisfy $ϵ$-state differential privacy, within k-step observation extensions, after the systems generate $\omega$ from $q_0$ and $q_0^{\prime }$. We conclude that the supervisory control under the control specification due to Algorithm 4 is maximally permissive. □

6. Numerical Examples

To verify the correctness and effectiveness of the method in this paper, an experimental study in the MATLAB environment is conducted to illustrate that the proposed method achieves state differential privacy in the considered class of probabilistic automata and protects the information of initial system resource configuration.

A probabilistic automaton structure $G_s$ is shown in Figure 6. Suppose ${\Sigma }_o=\{\alpha ,\beta ,\lambda ,\mu \}$ and ${\Sigma }_{uo}=\left\{\tau \right\}$. Given two adjacent initial states $q_0$ and $q_1$, a verifier $V_{\epsilon }$ for $G\left(q_0\right)$ and $G\left(q_1\right)$ is shown in Figure 7. Let $H\left(\alpha \right)=1$, $H\left(\beta \right)=2$, $H\left(\lambda \right)=3$ and $H\left(\mu \right)=4$.

Suppose ${\Sigma }_c=\{\alpha ,\beta ,\lambda ,\mu \}$ and ${\Sigma }_{uc}=\left\{\tau \right\}$. Let $ϵ=0.1$ and $k=5$. For $k^{\prime }=1$ and initial state ${\mathcal{Q}}_0$, since $I({\mathcal{Q}}_0,\alpha )=1$, $I({\mathcal{Q}}_0,\beta )=2$ and $I({\mathcal{Q}}_0,\lambda )=3$, $X^{\epsilon }\left(\left\{q_0\right\}\right|{\mathcal{Q}}_0)=(0,0.09,0.65)$ and $X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)=(0.15,0,0.6)$ hold. Since $0.15>ϵ$, event $\alpha$ is disabled at states $q_0$ and $q_1$. Since $\rho (q_1,\lambda )=\rho (q_1,\lambda )/(\rho (q_1,\lambda )+\rho (q_1,\mu ))=0.6/(0.6+0.25)\approx 0.7$ and $\rho (q_1,\mu )=\rho (q_1,\mu )/(\rho (q_1,\lambda )+\rho (q_1,\mu ))=0.25/(0.6+0.25)\approx 0.3$, we update $X^{\epsilon }\left(\left\{q_0\right\}\right|{\mathcal{Q}}_0)=(0.09,0.65)$ and $X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)=(0,0.7)$. Events $\beta$ and $\lambda$ are not disabled at states $q_0$ and $q_1$. For event $\mu$ enabled at $q_0$ and $q_1$, it holds that

$$\begin{array}{cc}\hfill & \rho {(q_0,\mu )}^1\times X^{\epsilon }\left(\left\{q_0\right\}\right|{\mathcal{Q}}_0)=0.26\times (0.09,0.65)=(0.0234,0.169);\hfill \\ \hfill & \rho {(q_1,\mu )}^1\times X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)=0.3\times (0,0.7)=(0,0.21);\hfill \\ \hfill & \rho {(q_0,\mu )}^2\times X^{\epsilon }\left(\left\{q_0\right\}\right|{\mathcal{Q}}_0)={0.26}^2\times (0.09,0.65)\approx (0.006,0.044)\le (0.1,0.1);\hfill \\ \hfill & \rho {(q_1,\mu )}^2\times X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)=0.3^2\times (0,0.7)=(0,0.063)\le (0.1,0.1).\hfill \end{array}$$

Event $\mu$ is not disabled at states $q_0$ and $q_1$. For $k^{\prime }=2$ and state ${\mathcal{Q}}_1$, it holds that

$$\begin{array}{cc}\hfill & X^{\epsilon }\left(\left\{q_0\right\}\right|{\mathcal{Q}}_0)\times X({\mathcal{Q}}_0,{\mathcal{Q}}_1)=(0.09,0.65)\times {(0,1)}^T=0.65;\hfill \\ \hfill & X^{\epsilon }\left(\left\{q_1\right\}\right|{\mathcal{Q}}_0)\times X({\mathcal{Q}}_0,{\mathcal{Q}}_1)=(0,0.7)\times {(0,1)}^T=0.7;\hfill \\ \hfill & X^{\lambda }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_1)=0.65\times Z_{\lambda }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_1)=0.65\times (0.6+0.2\times 0.88,0.2\times 0.12,0.2)\hfill \\ & =(0.5044,0.0156,0.13);\hfill \\ \hfill & X^{\lambda }\left(\left\{q_3\right\}\right|{\mathcal{Q}}_1)=0.7\times Z_{\lambda }\left(\left\{q_3\right\}\right|{\mathcal{Q}}_1)=0.7\times (0.88,0.12,0)=(0.616,0.084,0).\hfill \end{array}$$

Since $0.13>ϵ$, event $\lambda$ is disabled at states $q_2$ and $q_3$. We update

$$\begin{array}{cc}\hfill & \rho (q_2,\alpha )=\rho (q_2,\alpha )/(\rho (q_2,\alpha )+\rho (q_2,\tau ))=0.6/(0.6+0.2)=0.75;\hfill \\ \hfill & \rho (q_2,\tau )=\rho (q_2,\tau )/(\rho (q_2,\alpha )+\rho (q_2,\tau ))=0.2/(0.6+0.2)=0.25;\hfill \\ \hfill & X^{\lambda }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_1)=0.65\times Z_{\lambda }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_1)=0.65\times (0.75+0.25\times 0.88,0.25\times 0.12)\hfill \\ & =(0.6305,0.0195);\hfill \\ \hfill & X^{\lambda }\left(\left\{q_3\right\}\right|{\mathcal{Q}}_1)=0.7\times Z_{\lambda }\left(\left\{q_3\right\}\right|{\mathcal{Q}}_1)=0.7\times (0.88,0.12)=(0.616,0.084).\hfill \end{array}$$

Events $\alpha$ and $\beta$ are not disabled at states $q_2$ and $q_3$. For $k^{\prime }=3$ and state ${\mathcal{Q}}_4$, it holds

$$\begin{array}{cc}\hfill & X^{\lambda }\left(\left\{q_2\right\}\right|{\mathcal{Q}}_1)\times X({\mathcal{Q}}_1,{\mathcal{Q}}_4)=(0.6305,0.0195)\times {(1,0)}^T=0.6305;\hfill \\ \hfill & X^{\lambda }\left(\left\{q_3\right\}\right|{\mathcal{Q}}_1)\times X({\mathcal{Q}}_1,{\mathcal{Q}}_4)=(0.616,0.084)\times {(1,0)}^T=0.616;\hfill \\ \hfill & \mathrm{Pr}\left(\{q_4,q_5\}\right|\phi (q_0,\lambda \alpha ))=0.65\times 0.75/(0.65\times 0.75+0.65\times 0.25\times 0.88)\approx 0.773;\hfill \\ \hfill & \mathrm{Pr}\left(\left\{q_5\right\}\right|\phi (q_0,\lambda \alpha ))=0.65\times 0.25\times 0.88/(0.65\times 0.75+0.65\times 0.25\times 0.88)\approx 0.227;\hfill \\ \hfill & X^{\lambda \alpha }\left(\{q_4,q_5\}\right|{\mathcal{Q}}_4)=0.6305\times Z_{\lambda \alpha }\left(\{q_4,q_5\}\right|{\mathcal{Q}}_4)=0.6305\times \hfill \\ & (0.773\times 1\times 0.6+0.227\times 0.6,0.773\times 1\times 0.4+0.227\times 0.4)=(0.3783,0.2522);\hfill \\ \hfill & X^{\lambda \alpha }\left(\left\{q_5\right\}\right|{\mathcal{Q}}_4)=0.616\times Z_{\lambda \alpha }\left(\left\{q_5\right\}\right|{\mathcal{Q}}_4)=0.616\times (0.6,0.4)=(0.3696,0.2464).\hfill \end{array}$$

Events $\alpha$ and $\lambda$ are not disabled at states $q_4$ and $q_5$. For $k^{\prime }>3$, there is no state transition with $k^{\prime }$-step observation extensions in $V_{\epsilon }$. The control specification is that event $\alpha$ is disabled at state $q_1$ and event $\lambda$ is disabled at state $q_2$. The skeleton of a supervisor is shown in Figure 8. For two probabilistic automata $G\left(q_0\right)$ and $G\left(q_1\right)$ controlled via the supervisor, the probability distributions of generating observations within five-step observation extensions from two adjacent initial states $q_0$ and $q_1$ are shown in Figure 9a–d and Figure 10.

As shown in Figure 9a–d and Figure 10, two systems $G\left(q_0\right)$ and $G\left(q_1\right)$ controlled via the supervisor satisfy $0.1$-state differential privacy, within five-step observation extensions, after the systems generate the empty string from $q_0$ and $q_1$. The smaller the $ϵ$ is, the more events are disabled, and the fewer observations the systems generate. The supervisory control is maximally permissive. Two systems $G\left(q_0\right)$ and $G\left(q_1\right)$ controlled via the supervisor satisfy $0.1$-state differential privacy while generating the most observations.

These results indicate that our method solves the problems formulated in Section 3. By constructing a verifier, we verify whether two probabilistic automata with two adjacent initial states satisfy $ϵ$-state differential privacy, within finite step observation extensions. Moreover, the obtained supervisor enables the two controlled systems to satisfy $ϵ$-state differential privacy, while the supervisory control is maximally permissive. The existing differential privacy methods presented in probabilistic DESs cannot protect the initial state information. Our proposed method achieves state differential privacy in the considered class of probabilistic automata and protects the initial state information.

7. Conclusions

State differential privacy is defined to protect the initial state information of a DES modeled by a probabilistic automaton. The initial state information of a system represents its initial system resource configuration. Step-based state differential privacy verification is proposed in the framework of probabilistic automata. If two probabilistic automata satisfy state differential privacy, within a given finite step observation extension, after the systems generate a given observation from two adjacent initial states, then an attacker is unlikely to determine the initial states of the systems after observing the given observation; otherwise, a maximally permissive supervisory control is designed for state differential privacy enforcement. To this end, the probability distributions of generating observations within the given finite step observation extension, after the systems generate the given observation from the two adjacent initial states, are approximate. In the future, other applications of differential privacy in DESs will be investigated.