Skip to main content

Event-Triggered confidentiality fusion estimation against eavesdroppers in cyber-physical systems


System state plays an important role in cyber-physical systems (CPSs). Ensuring the security of the CPSs is a key issue that can be widely applied. The confidentiality of system state is a fundamental feature of the CPSs security. This paper studies the distributed fusion estimation problem in the presence of eavesdropper, where local sensors send their estimates to a remote fusion center (FC). To prevent eavesdropping, the event triggered scheduling strategy was adopted on each sensor. Some sufficient conditions on the triggers’ threshold were derived to make the eavesdropping expected covariance unbounded while the expected error covariance for the user remains bounded. Moreover, the distributed confidentiality fusion estimation algorithm is provided to achieve perfect expected secrecy. Finally, simulations of different trigger levels for two local systems are employed to show the effectiveness of the proposed methods.

1 Introduction

Cyber-physical systems (CPSs) have been widely integrated in many application fields, such as intelligent transportation, power system, and medical device systems [1, 2, 35]. Multi-sensor fusion estimation is an information processing process that uses the observations from multiple sensors to complete the system state estimation under certain criteria. It is widely used in CPSs because of the high reliability and strong robustness [6, 7, 810]. However, due to its open connectivity, CPSs have become the target of malicious attackers. Eavesdropping attack is one of the typical network attacks [11, 12]. The security of CPSs has received a lot of attention, among which confidentiality is a basic security issue [13]. The data transmitted in channel is easily intercepted by eavesdropper over another channel. It can launch the complex attacks after analyzing a large amount of intercepted data, such as false data injection attacks [14]. Therefore, studying secure fusion estimation in presence of eavesdropper has great important theoretical and practical significance.

Encrypting messages to prevent eavesdropping has been studied from the perspective of information theory [15, 16]. The energy of sensors often comes from batteries, which limits their energy. Thus, it is difficult to exploit conventional strong encryption scheme due to the large energy demand. In recent years, secure communication problem has been studied by using physical layer information and artificial noise (AN). From the perspective of control theory, the concept of perfect encryption has been proposed. In [17], which required that the user's state estimation error is bounded, while the eavesdropper's estimation error tends to be unbounded over time. Then, an optimal confidentiality strategy against eavesdropper without feedback was given to obtain the perfect secrecy. Meanwhile, with feedback, similar results were derived in [18]. An event triggered sensor data scheduling strategy was designed to prevent eavesdropping by recurrent Markov chain in [19]. Moreover, considering the dynamic characteristics and physical layer information of the CPSs, state-secrecy codes was introduced to achieve the goal of perfect encryption for stable, unstable, and arbitrary systems in [2022]. Consider the operation cost, an optimal encryption schedule was proposed to improve system state confidentiality in [23]. Under the distributed framework, the problem of secure fusion estimation with state privacy protection was studied in [24], where perfect secrecy was achieved by injecting AN. In the framework of state component transmission, an AN design strategy based on the system parameters was developed, which makes the eavesdroppers’ fusion error covariance became worse in [25]. Then, the strategies for actively polluting local estimation components were presented to enhance the privacy level of local estimates in [26]. The finite-horizon energy-to-peak state estimation issue was considered for time-varying systems in [27], where the desired time-varying estimator parameter was designed for online computation. For a networked system with multi-rate measurements, a novel encryption-decryption scheme was proposed to protect the privacy of the system state in [28]. Under the constraint of sensor energy, the confidentiality fusion estimation against eavesdroppers algorithm was proposed in [29] by combining event triggers and artificial noise. Recently, the AN based on the channel gain matrix was introduced to maintain confidentiality for distributed fusion estimation in [30]. However, the injected AN consumed more sensor energy, which added the challenge of anti-eavesdropping strategy design.

Based on the above-analysis, we shall study the event-based confidentiality fusion estimation problem with limited sensor energy for CPSs. To save the sensor power, we do not encrypt signals, but schedule the transmission based on event triggers. In our scenario, the sensors transmitting their outputs to a user, where all transmission channels may be tapped by the eavesdroppers. Under this case, the eavesdroppers can obtain an accurate state estimation result through the fusion estimation method. From the user's perspective, in order to protect state privacy, each local sensor needs to design rules for transmitting local estimates to prevent the eavesdropper from getting the real system state through fusion estimation. This is the most important goal of this article, and the main contributions include: (1) We provide some sufficient conditions about the threshold of event triggering to achieve perfect expected secrecy. (2) The event-based distributed confidentiality fusion estimation algorithm is proposed to ensure the effective of the transmission scheduling strategy.

2 Problem formulation

2.1 System model

The system structure is shown in Fig. 1, which is described by the following physical model:

$$\begin{gathered} x(t + 1) = Ax(t) + w(t) \hfill \\ y_{i} (t) = C_{i} x(t) + v_{i} (t)\quad (i = 1,2,...,L) \hfill \\ \end{gathered}$$

where \(x(t) \in R^{n}\) is state vector with dimension n, and \(y_{i} (t) \in R^{{q_{i} }}\) is sensor observation value of the i-th sensor with dimension qi. \(w(t)\) and \(v_{i} (t)\) are Gaussian white noise with zero mean value, and the variances are \(Q\) and \(R_{i}\) respectively. L means there are L sensors to observe the system state. Assume that the matrix pair \((C_{i} ,A)\) is detectable and \((A,Q^{1/2} )\) is controllable.

Fig. 1
figure 1

Block diagram of the system model

In our scenario, all sensors are smart sensors with computing capability [31]. At time t, the i-th sensor observes the physical process to obtain the observation \(y_{i} (t)\). After collecting the observations until time t, the information set of the ith local estimator is given as \({\text{Y}}_{i} (t)=y_{i} (1), \ldots ,y_{i} (t)\) with \({\text{Y}}_{i} ( - 1) = \emptyset\). Further, define

$$\left\{ \begin{array}{l} \hat{x}_{i}^{ - } (t) \triangleq {\text{E}}[x(t)|{\text{Y}}_{i} (t - 1)],\hat{y}_{i}^{ - } (t) \triangleq {\text{E}}[y_{i} (t)|{\text{Y}}_{i} (t - 1)] \hfill \\ e_{i}^{ - } (t) \triangleq x(t) - \hat{x}_{i}^{ - } (t),P_{i}^{ - } (t) \triangleq {\text{E}}[e_{i}^{ - } (t)e_{i}^{ - T} (t)|{\text{Y}}_{i} (t - 1)] \hfill \\ \hat{x}_{i} (t) \triangleq {\text{E}}[x(t)|{\text{Y}}_{i} (t)],e_{i} (t) \triangleq x(t) - \hat{x}_{i} (t), \hfill \\ P_{i} (t) \triangleq {\text{E}}[e_{i} (t)e_{i}^{T} (t)|{\text{Y}}_{i} (t)] \hfill \\ \end{array} \right.$$

where \({\hat{x}}_{i}^{ - } (t)\)and \({\hat{x}}_{i} (t)\) are a priori and a posteriori MMSE estimates,\(P_{i}^{ - } (t)\) and \(P_{i} (t)\) are estimation error covariance, and E[·] represents the mathematical expectation. Recall from the standard Kalman filter [32], \(\hat{x}_{i} (t)\) and \(P_{i} (t)\) can be obtained according to the local estimator (LE) of the i-th sensor:

$$\left\{ \begin{array}{l} \hat{x}_{i}^{ - } (t) = A\hat{x}_{i} (t - 1),P_{i}^{ - } (t) = AP_{i} (t - 1)A^{T} + Q \hfill \\ K_{i} (t) = P_{i}^{ - } (t)C_{i}^{T} (C_{i} P_{i}^{ - } (t)C_{i}^{T} + R_{i} )^{ - 1} \hfill \\ \hat{x}_{i} (t) = \hat{x}_{i}^{ - } (t) + K_{i} (t)\Gamma_{i} (t),P_{i} (t) = [I_{n} - K_{i} (t)C_{i} ]P_{i}^{ - } (t) \hfill \\ \end{array} \right.$$

According to literature [33], it usually takes only a few iterations for \(P_{i} (t)\) to converge exponentially to the steady-state value. Therefore, for simplicity, let \(P_{i} (0)\) be the initial error covariance of the i-th sensor, and it is equal to \(\overline{P}_{ii}\). Further, we know that \(P_{i} (t) = \overline{P}_{ii}\) for all times t.

After obtaining the LE \(\hat{x}_{i} (t)\), the i-th sensor decides whether to transmit it to the fusion center (FC). We introduce the binary variable \(\alpha_{i} (t)\) to model the decision process. \(\alpha_{i} (t) = 1\) indicates that the LE \({\hat{x}}_{i} (t)\) is sent by the i-th sensor, otherwise it will not send. The channels between the sensors and the FC are not reliable, which may lead to data packet loss. In addition, the packets transmitted on the channel can be intercepted on another channel by eavesdroppers. Let the binary variable \(\beta_{i} (t) = 1\) and 0 denote whether the i-th LE is intercepted by the eavesdropper or not. Let the binary variable \(\gamma_{i} (t) = 1\) and 0 denote whether the i-th LE is successfully received by the user or not.

In the FC, in order to obtain accurate state estimation, user and eavesdropper use the weighted matrix fusion method to obtain the final state estimation based on the received LE. To avoid symbol misuse, the fusion estimation of the user’s FC is taken as an example to illustrate how to implement the weighted matrix fusion algorithm. Let \(h\) and \(h^{k}\) be functions. In specific, \(h(X) \triangleq AXA^{T} + Q\) and \(h^{k} (X) \triangleq \underbrace {h \circ h \circ \cdots \circ h}_{{\quad \quad k\;{\text{times}}}}(X)\). According to [34, 35], if \(k_{1} \le k_{2}\),\(k_{1} ,k_{2} \in Z^{ + }\), then \(\overline{P}_{ii} < h^{{k_{1} }} (\overline{P}_{ii} ) \le h^{{k_{2} }} (\overline{P}_{ii} )\).

In the user’s FC, the LE of the i-th sensor cannot be successfully received in two cases by. One is that the i-th sensor does not send LE to the FC, in which case \(\alpha_{i} (t) = 0\). The second is that the i-th LE is sent, but packet loss occurs in the channel with \(\gamma_{i} (t) = 0\). In this case, it needs to perform a one-step prediction compensation on the local estimate. Therefore, the final LE \(\hat{x}_{i}^{u} (t)\) and covariance \(P_{ii}^{u} (t)\) is computed as

$$(\hat{x}_{i}^{u} (t),P_{ii}^{u} (t)) = \left\{ {\begin{array}{*{20}l} {(\hat{x}_{i} (t),\overline{P}_{ii} ),} \hfill & {if\;\alpha_{i} (t)\gamma_{i} (t) = 1} \hfill \\ {(A\hat{x}_{i}^{u} (t - 1),h(P_{ii}^{u} (t - 1))),} \hfill & {otherwise} \hfill \\ \end{array} } \right.$$

Further, the distributed matrix-weighted fusion filter \(\hat{x}_{{}}^{u} (t)\) can be obtained by4

$$\hat{x}^{u} (t) = \sum\limits_{i = 1}^{L} {W_{i} (t)\hat{x}_{i}^{u} (t)}$$


$$\sum\limits_{i = 1}^{L} {W_{i} (t) = I_{n} }$$

Then, define \(\Xi (t) \triangleq \left[ {\begin{array}{*{20}l} {P_{11}^{u} (t) \ldots P_{1L}^{u} (t)} \hfill \\ {\;\quad \vdots \quad \quad \quad \vdots } \hfill \\ {P_{L1}^{u} (t) \ldots P_{LL}^{u} (t)} \hfill \\ \end{array} } \right]\), where \(P_{ij}^{u} (t)\) (i ≠ j) is cross-covariance matrix between any two LEs, which is calculated by:

$$P_{ij}^{u} (t) = [I_{n} - K_{i} (t)C_{i} ][AP_{ij}^{u} (t - 1)A^{T} + Q][I_{n} - K_{j} (t)C_{j} ]^{T}$$

It usually takes only a few iterations for \(P_{ij}^{u} (t)\) to converge exponentially to the steady-state value [36]. For simplicity, we represent the initial error cross-covariance matrix as \(P_{ij} (0)\) for the i-th sensor, and it is equal to \(\overline{P}_{ij}\). Then, it can be concluded that \(P_{ij}^{u} (t) = \overline{P}_{ij}\) for all times t, and the initial of \(\Xi (0)\) is \(\left[ \begin{gathered} \overline{P}_{11} \ldots \;\overline{P}_{1L} \hfill \\ \;\; \vdots \;\;\;\;\;\quad \vdots \hfill \\ \overline{P}_{L1} \ldots \overline{P}_{LL} \hfill \\ \end{gathered} \right]\).

Under the linear minimum variance criterion, in terms of the result in [37], the optimal W1(t), W2(t),…,WL(t) in (6) can be given by:

$$[W_{1} (t), \ldots ,W_{L} (t)] = ((\Upsilon_{{}}^{s} )^{T} \Xi^{{{ - }1}} (t)\Upsilon_{{}}^{s} )^{ - 1} (\Upsilon_{{}}^{s} )^{T} \Xi^{{{ - }1}} (t)$$

where \(\Upsilon_{{}}^{s} = [I_{n} ,I_{n} , \ldots ,I_{n} ]^{T}\). Further, the fusion error covariance \(P^{u} (t) \triangleq {\text{E}}\{ (x(t) - \hat{x}^{u} (t))(x(k) - \hat{x}^{u} (t))^{T} \}.\) can be computed by:

$$P^{u} (t) = ((\Upsilon_{{}}^{s} )^{T} \Xi^{ - 1} (t)\Upsilon_{{}}^{s} )^{ - 1}$$

Remark 1

For the eavesdropper, if he is strong enough to eavesdrop on the transmission data of multiple sensors at the same time, he can use the intercepted LEs to obtain more accurate state estimation through fusion estimation method. This brings challenges to the distributed secure fusion estimation.

2.2 Problem of interest

First, we denote by pi the probability that the i-th sensor decides to send the LE to the FC. To prevent eavesdropping, the stochastic event triggering strategy is adopted for all sensors. In detail, the processor of the i-th sensor can generate a random variable \(\zeta_{i}\) at each time t. These variables obey a uniform distribution on (0, 1), i.e.,\(\zeta_{i} \sim U(0,1)\). The stochastic event triggers are given by

$$\alpha_{i} (t) = \left\{ {\begin{array}{*{20}l} {1,} \hfill & {0 < \zeta_{i} \le \eta_{i} ,} \hfill \\ {0,} \hfill & {\eta_{i} < \zeta_{i} < 1.} \hfill \\ \end{array} } \right.$$

Further, assume that each sensor always decides to send LE to the FC, i.e., \(\alpha_{i} (t) = 1\) for all time t. We model the packet drops and packet interceptions as i.i.d. over time, which are commonly used assumptions by researchers. In particular, we let \(\rho_{i}\) represent the probability that the i-th local estimate is intercepted by the eavesdropper. Similarly, \(\lambda_{i}\) denotes the probability that the i-th local estimate is received by the user. Thus, the channel model can be given as follows:

$$\left\{ \begin{gathered} \beta_{i} (t) = \left\{ {\begin{array}{*{20}l} {1,} \hfill & {{\text{with}}\;{\text{probability}}\;\rho_{i} ,} \hfill \\ {0,} \hfill & {{\text{with}}\;{\text{probability}}\;1 - \rho_{i} .} \hfill \\ \end{array} ,} \right. \hfill \\ \gamma_{i} (t) = \left\{ {\begin{array}{*{20}l} {1,} \hfill & {{\text{with}}\;{\text{probability}}\;\lambda_{i} ,} \hfill \\ {0,} \hfill & {{\text{with}}\;{\text{probability}}\;1 - \lambda_{i} .} \hfill \\ \end{array} } \right. \hfill \\ \end{gathered} \right.$$

Remark 2

In the description of physical layer security problems, knowing exactly the channel model of the eavesdropper for the user is a common assumption[38]. The channel gain can be obtained by using blind estimation, pilot-based estimation, etc. Under this case, knowing the probability \(\rho_{i}\) is less restrictive than knowing the exact eavesdropper’s channel model. In fact, \(\rho_{i}\) can be considered as the confidence level of the system designer on the ability of the eavesdropper to successfully eavesdrop data packs.

Next, the concept of perfect encryption is introduced in the following definition.

Definition 1

(Perfect Expected Secrecy) [17]. For any initial condition \(P(0)\), a secrecy mechanism achieve perfect expected secrecy if and only if both of the following condition hold:

$$\mathop{{\mathrm{lim}}}\limits_{t \to \infty } {\mathrm{Sup~Tr}}{\mathrm{\{E}}\{P^{u} (t)\} \} < \infty$$
$$\mathop{{\mathrm{lim}}}\limits_{t \to \infty } {\mathrm{Tr\{E}}\{P^{e} (t)\} \} = \infty$$

where the covariance of the state estimation error for the eavesdropper is denoted by \(P^{e} (t)\), Sup represents upper bound, and Tr denotes trace operator.

Remark 3

For any initial system estimation error covariance, when the data transmitted is encrypted according to a scheduling mechanism, the trace of the user's covariance tends to be bounded in the expected sense over time, while the trace of the eavesdroppers’ tends to be unbounded. In this case, the eavesdropper's state estimation error is infinite, and the accurate information of the system state cannot be obtained. Therefore, it can be said that perfect expected encryption is achieved under this encryption mechanism.

Further, the problems we need to solve is described as follows:

  1. (1)

    For the distributed fusion estimation, the first aim of this paper is to answer “how to design event-triggered data scheduler for the sensors so that the user's estimation error is convergent, but the estimation error for the eavesdropper will be unbounded”.

  2. (2)

    From the perspective of the defender, another goal is to design the event-triggered confidentiality fusion estimation algorithm, which guarantee the effectiveness of our data scheduling method.

3 Main results

For a stable system, as long as the eavesdropper has the system model parameters, the system state can be predicted in real time without eavesdropping, and the prediction error is always bounded. Therefore, we studies the problem of confidentiality fusion estimation for unstable systems. As pointed out in the literature [17], fusion estimation to against eavesdroppers for unstable systems is more interesting than that for stable systems. Let the spectral radius of A in the unstable system (1) satisfy \(\rho (A) > 1\). We will explore some sufficient conditions under which we can obtain the distributed security fusion estimation algorithm to protect state privacy.

Theorem 1

For the unstable system (1) with channel model (11), under the encryption mechanism (10), if the trigger thresholds of all sensors satisfy:

  1. (i)

    There is an positive integer i such that

    $$\eta_{i} > \frac{1}{{\lambda_{i} }}\left( {1 - \frac{1}{{\rho (A)^{2} }}} \right)$$
  2. (ii)

    For any positive integer i, the following inequality holds

    $$\eta_{i} < \min \left\{ {\frac{1}{{\rho_{i} }}(1 - \rho (A)^{{ - \frac{2}{L}}} ),1} \right\}$$

Then the Perfect Expected Secrecy can be obtained.


According to the Definition 1, we need to prove that Eqs. (12) and (13) holds simultaneously under condition (14) and (15). We first prove that the Perfect Expected Secrecy condition (12) is satisfied under the condition (14). Suppose that the event trigger threshold \(\eta_{i}\) of the s0th sensor satisfies \(\eta_{i} > \frac{1}{{\lambda_{i} }}(1 - \frac{1}{{\rho (A)^{2} }})\), then we have

$$\eta_{i} \lambda_{i} > 1 - \frac{1}{{\rho (A)^{2} }}$$

In this case, the probability that the user’s FC can successfully receive the LE of the \(s_{0}\)th sensor always satisfies \(p(\alpha_{i} (t)\gamma_{i} (t) = 1) > 1 - \frac{1}{{\rho (A)^{2} }}\). Then, according to [37], the estimation error covariance of the \(s_{0}\) th sensor is bounded, i.e. \(P_{ii}^{u} (t) < \infty\). Denote \(\Upsilon_{i}^{s} = [{\mathbf{0}}, \ldots ,I_{n} , \ldots ,{\mathbf{0}}]^{T} \in R^{nL \times n}\), where, the i-th block place is an identity matrix \(I_{n}\).\({\mathbf{0}}\) represents zero matrix with dimension n. Then, we have

$$\begin{aligned} P^{u} (t) & = ((\Upsilon_{{}}^{s} )^{T} \Xi^{{{ - }1}} (t)\Upsilon_{{}}^{s} )^{ - 1} \\ & = {(}(\Upsilon_{{}}^{s} )^{T} \Upsilon_{i}^{s} {)}^{T} ((\Upsilon_{{}}^{s} )^{T} \Xi^{{-1}} (t)\Upsilon_{{}}^{s} )^{ - 1} {(}(\Upsilon_{{}}^{s} )^{T} \Upsilon_{i}^{s} {)} \\ & = {[(}\Xi^{{{ - }1/2}} (t)\Upsilon_{{}}^{s} )^{T} {(}\Xi^{1/2} (t)\Upsilon_{i}^{s} )]^{T} \\ & \quad \times [{(}\Xi^{{{ - }1/2}} (t)\Upsilon_{{}}^{s} )^{T} \times {(}\Xi^{ - 1/2} (t)\Upsilon_{{}}^{s} )]^{ - 1} \\ & \quad \times {[(}\Xi^{{{ - }1/2}} (t)\Upsilon_{{}}^{s} )^{T} {(}\Xi^{1/2} (t)\Upsilon_{i}^{s} )] \\ & \le {(}\Xi^{1/2} (t)\Upsilon_{i}^{s} )^{T} {(}\Xi^{1/2} (t)\Upsilon_{i}^{s} ) = P_{ii}^{u} (t) < \infty \\ \end{aligned}$$

This means that as long as the LE error covariance of one sensor is bounded, the state error covariance obtained after the FC fuses all local estimates must be bounded. Therefore, the conditions (12) is satisfied.

Further, we prove that the Perfect Expected Secrecy condition (13) is satisfied under the condition (15). Let \(\Omega\) denote the event that the event triggers of all sensors are not triggered and all LEs are not successfully intercepted when the LEs are transmitted. \(\Omega^{ \bot }\) represents its complement. Further, we consider the probability of the event \(\Omega\) over the finite time N, one has

$$\begin{aligned} p_{e} (\Omega ) & = p_{e} (\alpha_{i} (t) = 0,\beta_{i} (t) = 0|\alpha_{i} (t) = 1) \\ & = \prod\limits_{i = 1}^{L} {\prod\limits_{t = 1}^{N} {(1 - p_{e} (\alpha_{i} (t) = 1) \times p_{e} (\beta_{i} (t) = 1|\alpha_{i} (t) = 1))} } \\ & = \prod\limits_{i = 1}^{L} {\prod\limits_{t = 1}^{N} {(1 - \eta_{i} \rho_{i} )} } \\ \end{aligned}$$

where \(t = 1,2, \ldots ,N,i = 1,2, \ldots ,L\).

Similar to (9), for all times N in event \(\Omega\), we have the terminal estimation error covariance for the eavesdropper \(P^{e} (N) = ((I_{{}}^{a} )^{T} (\sum^{e} (N))^{ - 1} I^{a} )^{ - 1}\). Then, according to the definition of \(\Omega\), we know that the eavesdropper cannot successfully intercept the LEs of all sensors at all times N. In this case, the eavesdropper can only perform one-step prediction instead of LE. According to (4), we have

$$\sum^{e} (N) = \left[ \begin{gathered} h^{N} (\overline{P}_{11} ) \ldots \;h^{N} (\overline{P}_{1L} ) \hfill \\ \;\; \vdots \;\;\;\;\;\quad \vdots \hfill \\ h^{N} (\overline{P}_{L1} ) \ldots h^{N} (\overline{P}_{LL} ) \hfill \\ \end{gathered} \right] \triangleq h^{N} (\sum (0))$$

where, \(h^{N} (\overline{P}_{ij} ) = A^{N} \overline{P}_{ij} (A^{T} )^{N} + \sum\limits_{s = 0}^{N - 1} {A^{s} Q(A^{T} )^{s} }\)

Taking the trace of terminal estimation error covariance \(P^{e} (N)\), one can get:

$$\begin{aligned} {\text{Tr}}\{ {\text{E}}\{ P^{e} (N)\} \} & = {\text{Tr}}\{ {\text{E}}\{ P^{e} (N)|\Omega \} \} p^{e} (\Omega ) \\ & \quad + {\text{Tr}}\{ {\text{E}}\{ P^{e} (N)|\Omega^{ \bot } \} \} p^{e} (\Omega^{ \bot } ) \\ & > {\text{Tr}}(I_{a}^{T} (\sum^{e} (N))^{ - 1} I_{a} )^{ - 1} p^{e} (\Omega ) \\ \end{aligned}$$

Then, there is an positive integer i, which makes the following equation hold:

$${\text{Tr}}\{ {\text{E}}\{ P^{e} (N)\} \} \; > \frac{1}{L}{\text{Tr}}(A^{N} \overline{P}_{ii} (A^{T} )^{N} )p^{e} (\Omega )$$

Furthermore, according to the condition (15), we can get \(\eta_{i} \rho_{i} < 1 - \rho (A)^{{ - \frac{2}{L}}}.\) Combing (21), the following inequality can be obtained:

$$\begin{aligned} {\text{Tr}}\{ {\text{E}}\{ P^{e} (N)\} \} & > \frac{1}{L}{\text{Tr}}(\overline{P}_{i} (A^{T} )^{N} A^{N} )\prod\limits_{i = 1}^{L} {\prod\limits_{k = 1}^{N} {(1 - \eta_{i} \rho_{i} )} } \\ & > \frac{1}{{L\rho (A)^{2N} }}{\text{Tr}}(\overline{P}_{ii} (A^{T} )^{N} A^{N} ) \\ \end{aligned}$$

Therefore, it can be concluded that \({\mathrm{Tr\{E}}\{ P^{e} (N)\}\} \to \infty\) when N goes to infinity, i.e.\(\mathop {{\mathrm{lim}}}\limits_{t \to \infty} {\mathrm{Tr\{E}}\{ P^{e} (t)\}\}= \infty.\)

Remark 4

The above theorem shows that as long as the event trigger threshold of one sensor is greater than \(\frac{1}{{\lambda_{i} }}(1 - \frac{1}{{\rho (A)^{2} }})\), the user’s fusion estimation error can be guaranteed to be bounded. On this basis, if the event trigger thresholds of all sensors are controlled to satisfy the condition (15), the state estimation error for eavesdropper will tend to be unbounded. For the perspective of user, to protect the privacy of state data from leakage, the event trigger thresholds should be reduced as much as possible when the condition (14) is satisfied. In this case, the probability that the eavesdropper successfully intercepts each local estimation is small, which makes the fusion estimation performance worse. In addition, the larger the number of sensors L is, the more local estimates the eavesdropper may intercept. Then, the user needs to reduce the event trigger threshold to a greater extent to ensure confidentiality. In the special case of only a single sensor with L = 1, the result \(1 - \rho (A)^{{ - \frac{2}{L}}}\) degenerate into \(1 - \frac{1}{{\rho^{2} (A)}}\), which is consistent with the result in literature [39].

Remark 5

The proposed stochastic event triggering strategy ensures that eavesdroppers cannot obtain the true system state information by fusing data from the local sensors intercepted on unreliable channels. At the same time, the energy of local sensors is saved under the event triggering mechanisms. It is worth noting that the fusion estimation performance of the user will also decrease. This is a compromise on the fusion estimation performance for the sake of confidentiality.

We provide two sufficient conditions for event triggered security fusion estimation above. Next, we present a distributed confidentiality fusion estimation algorithm to achieve the Perfect Expected Secrecy. The specific steps are as follows (Table 1):

Table 1 Event-triggered confidentiality fusion estimation against eavesdroppers algorithm

4 Result and discussion

Consider a scene where two sensors observe a dynamic system. The model parameters are given as follows

$$A = \left[ {\begin{array}{*{20}c} {1.2} & 1 \\ {0.3} & {1.1} \\ \end{array} } \right],\;C_{1} = [1\quad 0],\;C_{2} = [1\quad 1],\;Q = \left[ {\begin{array}{*{20}c} 1 & {0.5} \\ {0.5} & 2 \\ \end{array} } \right],\;R_{1} = 1,\;R_{1} = 2.$$

Through several iterations, the steady-state covariance matrices can be obtained as:

$$\overline{P}_{11} = \left[ {\begin{array}{*{20}c} {{0}{{.8656}}} & {{0}{{.6412}}} \\ {{0}{{.6412}}} & {{2}{{.6544}}} \\ \end{array} } \right],\;\overline{P}_{22} = \left[ {\begin{array}{*{20}c} {{1}{{.1354}}} & { - {0}{{.3315}}} \\ { - {0}{{.3315}}} & {{1}{{.1855}}} \\ \end{array} } \right],\;\overline{P}_{12} = \left[ {\begin{array}{*{20}c} {{0}{{.0080}}} & {{0}{{.0602}}} \\ { - {0}{{.9288}}} & {{1}{{.2829}}} \\ \end{array} } \right].$$

Suppose that the probability \(\lambda_{i} \;(i = 1,2)\) of successful data reception between the user’s FC and the two local sensors are 0.7 and 0.9, respectively. Both channels are eavesdropped, and the data interception probability \(\rho_{i} \;(i = 1,2)\) are both 0.4. We can calculate the values of \(\frac{1}{{\lambda_{i} }}(1 - \frac{1}{{\rho (A)^{2} }})\;(i = 1,2)\) as 0.5080 and 0.3951 respectively, and the values \(\frac{1}{{\rho_{i} }}(1 - \rho (A)^{{ - \frac{2}{L}}} )\;(i = 1,2)\) are both 0.4932. All results are 1000 Monte Carlo simulations. To better interpret the simulation results, we define the following abbreviations: trace of error covariance (TEC), and trace of fusion error covariance (TFEC).

First, we do not set event triggers for all local sensors, and observe the fusion estimation performance for the eavesdropper and the user. In fact, this is equivalent to making the event trigger thresholds \(\eta_{i} \;(i = 1,2)\) of both sensors. The specific simulation results are shown in Figs. 2 and 3.

Fig. 2
figure 2

The TEC of final local estimates without event triggers

Fig. 3
figure 3

The TFEC without event triggers

Figure 2 shows the final LE error covariance curve of the eavesdropper and user’s FC, and Fig. 3 shows the trace curve of their fusion estimation error covariance. It is seen that the final LE error of the eavesdropper is much larger than that of the user. This is because the successful reception rate of the user's FC is higher than that of the eavesdropper. Notice that both the eavesdropper and the user can obtain much smaller estimation error than the final local estimation through the fusion estimation method. Therefore, the fusion estimation can greatly reduce the user's state estimation error, but at the same time, it may lead to more state privacy disclosure. Next, the anti-eavesdropping strategy based on event triggering is verified.

The stochastic event triggers are designed for two local sensors according to (10). Let the trigger thresholds combinations for two local sensors be (0.4, 0.4), (0.45, 0.9), (0.9, 0.9). The specific simulation results are shown in Figs. 4 and 5.

Fig. 4
figure 4

The TEC of final local estimate for the eavesdropper

Fig. 5
figure 5

TFEC with different trigger thresholds

Figure 4 shows the final local estimation curve of the eavesdropper’s FC, and Fig. 5 reflects the fusion estimation performance under different event trigger threshold combinations of two sensors. It is seen from Fig. 4 that the eavesdropper’s TEC grows unbounded when the communication rate between the sensors and the FC is low. From Fig. 5, when the trigger thresholds is selected as (0.4, 0.4), the eavesdropper’s estimation performance is poor. Its TFEC grows unbounded over time. This is because the sufficiency condition (15) is satisfied under this communication rate combination, so that the eavesdropper cannot obtain the real state information. In this case, the user's TFEC is bounded. This is because the user’s FC has a high successful rate of receiving data from the local sensors, which makes the sufficiency condition (14) satisfied. For other combinations, the conditions (14) and (15) are not satisfied at the same time. The eavesdropper can always obtain a bounded estimation error, which makes the event trigger invalid. Therefore, in order to prevent the disclosure of state privacy, the user must design smaller trigger thresholds so that the sufficiency conditions of Theorem 1 are satisfied.

5 Conclusions

This paper studied the state privacy protection of distributed fusion estimation for CPSs. The goal was to make the TFEC matrix of the eavesdropper become unbounded over time while the expected error covariance for the user remained bounded. The random event triggering strategy was adopted to maintain confidentiality. The relationship between event triggering thresholds and estimation performance in FC was established. Some sufficient conditions of trigger thresholds were derived to guarantee the Perfect Expected Secrecy. Finally, a simulation example was employed to verify the effectiveness of the proposed method. Future research topics include (1) the privacy protection for stable systems; (2) the perfect encryption strategies based on encryption and decryption, and (3) the encryption strategy design and security fusion estimation for nonlinear systems.

Availability of data and materials

Please contact authors for data requests.



Cyber-physical systems


Fusion center


Artificial noise


Local estimator


Trace of error covariance


Trace of fusion error covariance


  1. G. Cisotto, M. Capuzzo, A.V. Guglielmi et al., Feature stability and setup minimization for EEG-EMG-enabled monitoring systems. EURASIP J. Adv. Signal Process. 2022(1), 1–22 (2022)

    Article  Google Scholar 

  2. A.S.S. Thuluva, M.S. Somanathan, R. Somula et al., Secure and efficient transmission of data based on Caesar Cipher Algorithm for Sybil attack in IoT. EURASIP J. Adv. Signal Process. 2021, 1–23 (2021)

    Article  Google Scholar 

  3. Q. Yang, S. Jagannathan, Reinforcement learning controller design for affine nonlinear discrete-time systems using online approximators. IEEE Trans. Syst. Man Cybern. Part B Cybern. 42(2), 377–390 (2011)

    Article  Google Scholar 

  4. Q. Yang, W. Cao, W. Meng, J. Si, Reinforcement-learning-based tracking control of waste water treatment process under realistic system conditions and control performance requirements. IEEE Trans. Syst. Man Cybern. Syst. 52(8), 5284–5294 (2022)

    Article  Google Scholar 

  5. A. Arunan, Y. Qin, X. Li, C. Yuen, A federated learning-based industrial health prognostics for heterogeneous edge devices using matched feature extraction. IEEE Trans. Autom. Sci. Eng. (2023).

    Article  Google Scholar 

  6. S.Y. Lai, B. Chen, T. Li, L. Yu, Packet-based feedback control under Dos attacks in cyber-physical systems. IEEE Trans. Circuits Syst. II Express Briefs 66(8), 1421–1425 (2019)

    Google Scholar 

  7. B. Chen, D. Ho, G.Q. Hu, L. Yu, Secure fusion estimation for bandwidth constrained cyber-physical systems under replay attacks. IEEE Trans. Cybern. 48(6), 1862–1876 (2018)

    Article  Google Scholar 

  8. Z. Ruan, Q. Yang, S.S. Ge, Y. Sun, Adaptive fuzzy fault tolerant control of uncertain MIMO nonlinear systems with output constraints and unknown control directions. IEEE Trans. Fuzzy Syst. 30(5), 1224–1238 (2022)

    Article  Google Scholar 

  9. K. Q. Zhou, Y. Qin, C. Yuen, Lithium-ion battery online knee onset detection by matrix profile. arXiv preprint arXiv:2304.00691 (2023)

  10. Y. Qin, A. Auran, C. Yuen, Digital twin for real-time Li-ion battery state of health estimation with partially discharged cycling data. IEEE Trans. Ind. Inf. 19(5), 7247–7257 (2023)

    Article  Google Scholar 

  11. B. Chen, G.Q. Hu, D. Ho, L. Yu, Distributed covariance intersection fusion estimation for cyber-physical systems with communication constraints. IEEE Trans. Autom. Control 61(12), 4020–4026 (2018)

    Article  MathSciNet  Google Scholar 

  12. K. Koo, D. Moo, J.H. Huh et al., Attack graph generation with machine learning for network security. Electron. 11(9), 1332 (2022)

    Article  Google Scholar 

  13. Q.N. Wang, H.B. Mu, Privacy-preserving and lightweight selective aggregation with fault-tolerance for edge computing-enhanced IoT. Sens. 21(16), 5369 (2021)

    Article  Google Scholar 

  14. B. Chen, D. Ho, W. Zhang, L. Yu, Distributed dimensionality reduction fusion estimation for cyber-physical systems under DoS attacks. IEEE Trans. Syst. Man Cybern. 49(2), 455–468 (2019)

    Article  Google Scholar 

  15. C. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)

    Article  MathSciNet  Google Scholar 

  16. S. William, Cryptography and network security: principles and practices (Pearson Education India, Noida, 2006)

    Google Scholar 

  17. A. Tsiamis, K. Gatsis, G.J. Pappas, State estimation with secrecy against eavesdroppers. In Proceedings of IFAC world congress, Toulouse, France, pp. 8715–22 (2017)

  18. A.S. Leong, D.E. Quevedo, D. Dolz, Transmission scheduling for remote state estimation over packet dropping links in the presence of an eavesdropper. IEEE Trans. Autom. Control. 64(9), 3732–3739 (2019)

    Article  MathSciNet  Google Scholar 

  19. J. Lu, A.S. Leong, D.E. Quevedo, Optimal event-triggered transmission scheduling for privacy-preserving wireless state estimation. Int. J. Robust Nonlinear Control 30(11), 4205–4224 (2020)

    Article  MathSciNet  Google Scholar 

  20. A. Tsiamis, K. Gatsis, G. Pappas, State-secrecy codes for networked linear systems. IEEE Trans. Autom. Control 65(5), 2001–2015 (2019)

    Article  MathSciNet  Google Scholar 

  21. A. Tsiamis, K. Gatsis, G. Pappas, An information matrix approach for state secrecy. In Proceedings of the Conference on Decision and Control, Fontainebleau Miami Beach, United States, 17–19 December 2018; pp. 2062–2067(2018)

  22. A. Tsiamis, K. Gatsis, G. Pappas, State-Secrecy Codes for Stable Systems. In Proceedings of the Annual American Control Conference , Milwaukee WI, USA, 27–29, 2018; pp. 171–17(2018)

  23. L.Y. Huang, A.S. Leong, D.E. Quevedo, L. Shi, Finite time encryption schedule in the presence of an eavesdropper with operation cost. arXiv preprint arXiv:1903.11763 (2019).

  24. D. X. Xu, B. Chen, L. Yu, Secure fusion estimation against eavesdroppers. In Proceedings of the 37th Chinese control conference, Wuhan, China, 25–27 July 2018; pp. 4310–4315 (2018)

  25. D.X. Xu, B. Chen, L. Yu, W.A. Zhang, Secure dimensionality reduction fusion estimation against eavesdroppers in cyber–physical systems. ISA Trans. 104, 154–161 (2020)

    Article  Google Scholar 

  26. X.H. Yan, Y.C. Zhang, D.X. Xu, B. Chen, Distributed confidentiality fusion estimation against eavesdroppers. IEEE Trans. Aerosp. Electron. Syst. 58(4), 3633–3642 (2021)

    Article  Google Scholar 

  27. L. Zou, Z.D. Wang, B. Shen, H.L. Dong, G.P. Lu, Encrypted finite-horizon energy-to-peak state estimation for time-varying systems under eavesdropping attacks: tackling secrecy capacity. IEEE/CAA J Autom Sin 10(4), 985–996 (2023)

    Article  Google Scholar 

  28. L. Zou, Z.D. Wang, B. Shen, H.L. Dong, Encryption-decryption-based state estimation with multi-rate measurements against eavesdroppers: a recursive minimum-variance approach. IEEE Trans. Autom. Control (2023).

    Article  Google Scholar 

  29. D.X. Xu, B. Chen, Y.C. Zhang, L. Yu, Energy-constrained confidentiality fusion estimation against eavesdroppers. IEEE Trans. Circuits Syst. II Express Briefs 69(2), 624–628 (2021)

    Google Scholar 

  30. D.X. Xu, B. Wang, L. Zhang, A new adaptive high-degree unscented Kalman filter with unknown process noise. Electron. 11(12), 1863 (2020)

    Article  Google Scholar 

  31. A. Jazwinski, Stochastic processes and filtering theory (Academic, New York, 1970)

    Google Scholar 

  32. B. Li, Y. Lu, H.R. Karimi, Adaptive fading extended Kalman filtering for mobile robot localization using a doppler–azimuth radar. Electron. 10(20), 2544 (2021)

    Article  Google Scholar 

  33. L. Shi, P. Cheng, J.M. Chen, Sensor data scheduling for optimal state estimation with communication energy constraint. Autom. 47(8), 1693–1698 (2011)

    Article  MathSciNet  Google Scholar 

  34. H. Zhang, Y.F. Qi, J.F. Wu, L. Fu, L.D. He, DoS attack energy management against remote state estimation. IEEE Trans. Control Network Syst. 5(1), 383–394 (2016)

    Article  MathSciNet  Google Scholar 

  35. Y. Gao, Z. Deng, Robust integrated covariance intersection fusion Kalman estimators for networked mixed uncertain time-varying systems. IMA J. Math. Control. Inf. 38(1), 232–266 (2021)

    Article  MathSciNet  Google Scholar 

  36. M. Sun, M.E. Davies, I.K. Proudler, Adaptive kernel Kalman filter. IEEE Trans on Signal Process. 71, 713–726 (2023)

    Article  MathSciNet  Google Scholar 

  37. P. A. Regalia, A. Khisti, Y. Liang, S. Tomasin, Secure communications via physical-layer and information-theoretic techniques. In Proceeding of the IEEE 2015, 103, pp. 1698–1701 (2015)

  38. T. Rhouma, J.Y. Keller, M.N. Abdelkrim, A Kalman filter with intermittent observations and reconstruction of data losses. Int. J. Appl. Math. Comput. Sci. 32(2), 241–253 (2022)

    MathSciNet  Google Scholar 

  39. J. Qin, J. Wang, L. Shi et al., Randomized consensus-based distributed Kalman filtering over wireless sensor networks. IEEE Trans. Autom. Control 66(8), 3794–3801 (2020)

    Article  MathSciNet  Google Scholar 

Download references


The authors thank the editor and anonymous reviewers for their helpful comments and valuable suggestions.


This research was funded by Natural Science Foundation of Zhejiang Province, Grant No. LZY23F030001, LZY22E050003, LZY22E050005, and the Quzhou Science and Technology Plan Project under Grant 2023K223, 2022K100, 2021F013.

Author information

Authors and Affiliations



Methodology, D.X.; software, Z.C.; formal analysis, D.X., Z.C. and H.W.; investigation, D.X.; resources, Z.C. and H.W.; data curation, Z.C.; writing—D.X. and Z.C.; writing—review and editing, H.W.; project administration, Z.C.; funding acquisition, D.X. and H.W. All authors have read and agreed to the published version of the manuscript.

Corresponding author

Correspondence to Hailun Wang.

Ethics declarations

Ethics approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Xu, D., Chen, Z. & Wang, H. Event-Triggered confidentiality fusion estimation against eavesdroppers in cyber-physical systems. EURASIP J. Adv. Signal Process. 2024, 56 (2024).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: