Verification and Enforcement of (ϵ, ξ)-Differential Privacy over Finite Steps in Discrete Event Systems

Abstract

In the realm of data protection strategies, differential privacy ensures that unauthorized entities cannot reconstruct original data from system outputs. This study explores discrete event systems, specifically through probabilistic automata. Central is the protection of state data, particularly the initial state privacy of multiple starting states. We introduce an evaluation criterion to safeguard initial states. Using advanced algorithms, the proposed method counters the probabilistic identification of any state within this collection by adversaries from observed data points. The efficacy is confirmed when the probability distributions of data observations tied to these states converge. If a system’s architecture does not meet state differential privacy demands, we propose an enhanced supervisory control mechanism. This control upholds state differential privacy across all initial states, maintaining operational flexibility within the probabilistic automaton framework. Concluding, a numerical analysis validates the approach’s strength in probabilistic automata and discrete event systems.

1. Introduction

In the context of expansive data analytics and the handling of large, sensitive datasets, the RibsNet architecture [1] presents a significant advancement in data center networks, enhancing the management and confidentiality of extensive data collections. This innovation aligns with the ongoing efforts in data privacy, where methodologies like nearest similarity-based clustering [2], k-anonymity [3], and augmented l-diversity [4] have been developed, and both the scholarly community and the industrial sphere are diligently strengthening the confidentiality of sensitive elements within extensive databases. These advanced methods strive to balance the essential benefits of big data analytics with the ethical need for individual privacy [2]. Especially in domains of heightened sensitivity, such as healthcare, these mechanisms for preserving privacy serve as a sine qua non for engendering data-driven insights while mitigating the inherent risks posed by the disclosure of personalized data [3,4].

In data privacy, advanced anonymity architectures are being carefully improved to protect sensitive information in transactional databases. These pioneering algorithms, frequently modulated by bespoke sensitivity indices dictated by the end users, epitomize a finely calibrated balance between data obfuscation and utility. Surpassing extant paradigms in terms of computational frugality and data preservation, these algorithms prioritize the diminution of information attrition [5]. In synchrony with the emergent paradigms in the data privacy landscape, bio-inspired computational strategies such as the black hole algorithm are being judiciously employed to surmount the conventional limitations endemic to k-anonymity models. Preliminary empirical evidence substantiates the black hole algorithm’s superior capacity for amplifying data utility when juxtaposing against existing frameworks [6].

Differential privacy is a game-changing concept that precisely measures the privacy risks associated with using statistical databases. Transcending classical paradigms, this framework contends with privacy infirmities that affect even those individuals who are conspicuously absent from the database’s annals. Through the deployment of a sophisticated suite of algorithms, differential privacy navigates an impeccable equilibrium between maximizing data utility and furnishing unassailable privacy guarantees. As a result, it carves out a novel ambit in the realm of secure, yet perspicacious, data analytics [7,8].

The incorporation of stochastic noise has solidified its role as a quintessential instrument for attaining differential privacy, providing a rigorous framework for individual data safeguarding within collective data assemblages. Employing exacting mathematical formulations such as $ϵ$-differential [9] and $(ϵ,\delta )$-differential privacy [10], this approach critically evaluates the performance metrics of assorted noise-introduction protocols. It furnishes a nuanced exegesis of the intrinsic trade-offs between data concealment and utility, notably in the realm of consensus algorithms.

Advanced frameworks that integrate noise have been developed to protect the subtle differences between similar datasets using differential privacy principles. These frameworks facilitate the injection of stochastic noise, which adheres to various probabilistic distributions, such as the Laplacian or Gaussian models, into the results of data queries. By doing so, they fulfill the stipulated privacy assurances [10,11].

In the evolving field of differential privacy, especially for qualitative data, moving from global sensitivity models to localized sensitivity approaches is a significant change. While the exponential mechanism [12] has long served as the bedrock for global sensitivity-centric strategies, the recently unveiled local dampening mechanism [13] inaugurates a more sophisticated and malleable architecture for safeguarding data privacy. This innovative development exploits local sensitivity metrics to furnish more contextually nuanced and granular privacy assurances, thereby pioneering new frontiers in the intricate realm of qualitative data protection.

Discrete event systems (DESs) function as a formidable paradigm for the conceptualization, scrutiny, and governance of a diverse gamut of systems, wherein the conceptual entity of an ‘event’ is pivotal in dictating systemic dynamics. Ranging from industrial manufacturing sequences and computational networks to telecommunication infrastructures and operations research, the scope of DESs effortlessly straddles conventional disciplinary demarcations. Within this multifaceted domain, a salient focal point comprises the assessment and amelioration of security susceptibilities, especially in scenarios characterized by incomplete observability [14].

Opacity [15] stands as an indispensable facet of security within the ambit of DESs, concentrating on the extent to which a system discloses its internal confidentialities to an extraneous, non-active observer-frequently denominated as either the intruder or malevolent scrutineer. In this intellectual landscape, the notion of language-based opacity [16] takes on considerable weight. This concept delves into the inherent restrictions that come with an outsider’s incomplete surveillance of a system. The critical inquiry here is whether these observational limitations inhibit the outsider from discerning whether the unfolding sequence of events betrays confidential or delicate matters.

State-based opacity [17] augments the analytical tableau by imbuing it with discrete temporal dimensions that enrich the overarching conceptual framework. Contingent upon the particular temporal instances at which a system transits through confidential states, this genre of opacity can be meticulously categorized into four seminal subclasses: initial-state opacity [18], current-state opacity [19], k-step opacity [20], and infinite-step opacity [21]. Each of these refined categories furnishes a stratified comprehension of a system’s robustness vis-à-vis unauthorized external examination across diverse temporal vicissitudes. Notwithstanding its pivotal significance, the authentication of opacity within the frameworks of DESs is anything but elementary, frequently confronting formidable computational impediments. Cutting-edge inquiries in the discipline delve into the architectural constituents of automata paradigms that could potentially facilitate the more manageable verification of opacity [22].

Within the intricate nexus of differential privacy and symbolic control architectures, the transposition of statistical privacy schemata to non-quantitative datasets establishes a pioneering standard. Leveraging exponential methodologies and specialized automata configurations, sensitive alphanumeric sequences are skillfully approximated. This is executed with a dual objective: the preservation of informational sanctity and the retention of data utility. The governance of this intricate process is underscored by the employment of distance metrics such as the Levenshtein distance [23].

At this interdisciplinary juncture, the enhancement of data security is amplified across a diverse spectrum of fields, ranging from natural language processing to intricate industrial systems. Predicated upon this foundational understanding, the current scholarly endeavor aims to further elevate this paradigm. The focus is sharpened on safeguarding the opacity of initial states within DESs, utilizing probabilistic automata embedded within the stringent confines of differential privacy. Within the realm of discrete-event systems, the notion of initial state opacity emerges as an indispensable yardstick for assessing the system’s prowess in concealing its nascent state from unauthorized external entities.

Classical deterministic frameworks for initial state opacity have developed to encompass probabilistic and stochastic paradigms, thus facilitating a more textured comprehension of security dynamics in volatile environments. To cater to elevated privacy requisites, especially in situations where an intrusive entity possesses comprehensive structural awareness of the system, advanced iterations of opacity, such as robust initial state opacity, have been formulated [19,24,25].

Techniques for substantiating these robust opacity conditions are undergoing refinement via innovative approaches, including parallel composition techniques and integer linear programming algorithms [26]. Initial state opacity is a crucial area that combines verification methods, probability models, and cybersecurity concepts to effectively assess data protection in dynamic systems. Cutting-edge computational schemas, such as Petri net models, facilitate the expeditious verification of initial state opacity, obviating the necessity for laborious state space enumeration. Contemporary real-time validation methodologies, encompassing linear programming algorithms, further enhance the relevance and applicability of initial state opacity in intricate network architectures, including those inherent to defense systems and mobile communications networks [27,28].

In architectures delineated via non-deterministic finite automata and their probabilistic counterparts, i.e., probabilistic finite automata, the verification of initial state opacity necessitates sophisticated computational modalities and analytical techniques. The complexity is exacerbated when extended to non-deterministic transition systems, particularly in the instances where state spaces are potentially unbounded. The exploration of initial state opacity thus constitutes a critical nexus between formal computational methodologies, automata theory, and information security, engendering both algorithmic intricacies and theoretical conundrums [29,30]. Differential privacy was delicately integrated into discrete event systems using probabilistic automata in a vital piece of research [31]. The major goal was to protect state information illustrating system resource settings. This technique was designed to provide state differential privacy, with an emphasis on thorough, step-by-step validation. This method made it difficult for potential adversaries to infer the system’s starting state from a limited collection of observations.

In an era where the landscape of extensive data analysis is rapidly evolving, the necessity for impregnable data privacy frameworks becomes ever more apparent. The research presented herein constitutes a substantial breakthrough in the sphere of differential privacy within the context of DESs. This study introduces the concept of the privacy decay factor [32], denoted as $\xi$, a groundbreaking development that diverges markedly from preceding research. Prior studies primarily concentrated on the protection of state information within DESs through the utilization of probabilistic automata. This research, however, forges new paths by integrating this innovative parameter. The implementation of $\xi$ has proven to be particularly efficacious in ensuring the privacy of initial states or conditions, thereby guaranteeing the secure concealment of sensitive data from the very outset of data processing a pivotal requirement in the face of continually evolving privacy standards.

By broadening the scope to encompass an expanded range of initial state conditions and databases, this approach markedly bolsters the method’s resilience and adaptability. The incorporation of $\xi$ addresses a significant void in existing methodologies, providing a more fortified framework for preserving the privacy of initial states against potential adversaries. This methodical consideration of an extensive array of starting conditions not only augments the theoretical foundations of differential privacy within DESs but also showcases its tangible applicability across a spectrum of intricate systems.

Building on this essential understanding, the present scholarly pursuit endeavors to advance this paradigm further. It concentrates on the fortification of the privacy of initial states within DESs, employing probabilistic automata encased within the stringent parameters of differential privacy. As a consequence, this research establishes a new benchmark in the domain of privacy preservation, signaling a shift in data security strategies across diverse sectors. This is particularly pertinent in industries where stringent privacy measures from the commencement of data processing are of the utmost importance. The following lines describe the main contributions of this scientific endeavor:

• The research introduces a novel model of $(ϵ,\xi )$-differential privacy for discrete event systems (DESs) formulated by probabilistic automata, ensuring equitable resource distribution across multiple initial states.
• A novel verification strategy is introduced, originating from distinct observations of a vast set of initial states and evaluating adherence to the tenets of $(ϵ,\xi )$-differential privacy across defined observational sequences.
• By seamlessly integrating probabilistic automata with a diverse set of initial states, the study presents a tailored verification approach. Should systems deviate from the privacy standards, a specialized control mechanism is deployed, conveying $(ϵ,\xi )$-differential privacy within the overarching closed-loop system.
• The research’s potency is exemplified through a detailed numerical case study, illustrating the verification method’s acumen in assessing the privacy integrity of specific automata classes.

The rest of this paper is organized in a way that facilitates a comprehensive study of the relevant topics. Section 2 sets the foundation by introducing the basics of probabilistic automata and the important principles of $(ϵ,\xi )$-differential privacy in the context of data security. Section 3 serves as the main investigative focus of the study. The approach to the verification of $(ϵ,\xi )$-differential privacy over finite steps is detailed in Section 4. In Section 5, we describe a method for ensuring $(ϵ,\xi )$-differential privacy via supervisory control. A numerical case study is presented in Section 6 to offer empirical support for the methodologies proposed. Finally, Section 7 concludes the paper, summarizing the key findings and their implications.

2. Preliminaries

This section introduces the concept of probabilistic automata within the framework of discrete event systems and discusses the conventional notion of $(ϵ,\xi )$-differential privacy.

2.1. Probabilistic Automata in Discrete Event Systems (DESs)

In the study of DESs, the use of deterministic finite automata is crucial. A deterministic finite automaton can be formally described by a structure $\mathcal{D}=(S,\sum ,\delta ,s_0)$ [33], where S is a finite set of states, and $\sum$ is the set of events, which can be further divided into ${\sum }_o$ for the set of observable events and ${\sum }_{uo}$ for that of unobservable events. The partial transition function $\delta :S\times \sum \to S$ defines the deterministic behavior of the DES, mapping a state and an event to a subsequent state. Finally, $s_0$ denotes the initial state, taken from the set S, before any events have occurred.

To grasp the operation of the deterministic finite automaton, consider $\delta (s,e)$ to be defined if event e from the set $\sum$ can trigger a transition from state s. Adapting $\delta$ for event sequences or strings, we have $\delta :S\times {\sum }^{\ast }\to S$. This function operates as per $\delta (s,\epsilon )=s$ and $\delta (s,ue)=\delta \left(\delta \right(s,u),e)$, given that both $\delta (s,u)$ and $\delta \left(\delta \right(s,u),e)$ are defined for a state s and a string combination u. For any state s and a string u, if $\delta$ is appropriately defined for the string u at state s, it is denoted as $\delta (s,u)!$. The length of a string u, indicating the number of events in it, is denoted by $\left|u\right|$.

For an automaton $\mathcal{D}=(S,\sum ,\delta ,s_0)$ and a specific state s, the language that the automaton generates, starting from state s, is given by $L(\mathcal{D},s)=\{u\in {\sum }^{\ast }|\delta (s,u)!\}$. In scenarios in which potential attackers can observe and log only the observable events, a key tool to consider is the natural projection, denoted by $P:{\sum }^{\ast }\to {\sum }_o^{\ast }$. This projection effectively translates any executed string within the system into a corresponding sequence of observable events, termed an observation. The definition of this projection is recursive: for any string u from ${\sum }^{\ast }$ and an event e from $\sum$, the projection is defined as $P\left(ue\right)=P\left(u\right)P\left(e\right)$. It is important to note that $P\left(e\right)$ is equal to e when e belongs to ${\sum }_o$, and it becomes the empty string $\epsilon$ when e belongs to ${\sum }_{uo}$. Building on this, the set of observations generated by an automaton $\mathcal{D}=(S,\sum ,\delta ,s_0)$ starting from a state s in S can be defined as

$$L_o(\mathcal{D},s)=\{\omega \in {\sum }_o^{\ast }|\exists u\in L(\mathcal{D},s):P\left(u\right)=\omega \}.$$

This essentially captures all observable sequences corresponding to the possible behaviors of the automaton from the state s.

Definition 1

(Probabilistic automaton [34]). A probabilistic automaton is defined as a tuple $\mathcal{G}=(\mathcal{D},\rho )$, where

• $\mathcal{D}=(S,\sum ,\delta ,s_0)$ denotes the underlying deterministic finite automaton,
• $\rho :S\times \sum \to [0,1]$ serves as a probability distribution function over transitions.

Again, S is the set of states, and $s_0\in S$ is the initial state. Given a state $s\in S$ and an event $e\in \sum$,

$$\rho (s,e)=\left\{\begin{array}{cc}0,\hfill & \mathit{if}\delta (s,e)\mathit{is}\mathit{undefined}\hfill \\ >0,\hfill & \mathit{if}\delta (s,e)\mathit{is}\mathit{defined},\hfill \end{array}\right.$$

the set of feasible events at a given state s is $E\left(s\right)=\{e\in \sum \mid \rho (s,e)>0\}$, subject to the constraint ${\sum }_{e\in E\left(s\right)}\rho (s,e)=1$.

When the underlying structure is implied, the probabilistic automaton $\mathcal{G}$ can be denoted succinctly as $\mathcal{G}\left(s_0\right)$. Given a probabilistic automaton $\mathcal{G}=(S,\sum ,\delta ,s_0,\rho )$, the metric $P{r}_{\sigma }$ plays a pivotal role in determining the likelihood of generating a string $ue$ in ${\sum }^{\ast }$ from state s [34]. When the string $ue$ consists of $u\in {\sum }^{\ast }$ and an event $e\in \sum$, $P{r}_{\sigma }$ is recursively defined as

$$\begin{array}{c}\hfill P{r}_{\sigma }(s,ue)=\left\{\begin{array}{cc}1,\hfill & \mathrm{if}ue=\epsilon \hfill \\ P{r}_{\sigma }(s,u)\times \rho (\delta (s,u),e),\hfill & \mathrm{if}\delta (s,u)\hfill \\ 0,\hfill & \mathrm{otherwise},\hfill \end{array}\right.\end{array}$$

where $\epsilon$ within ${\sum }^{\ast }$ is the empty string. At its core, $P{r}_{\sigma }(s,u)$ signifies the probability that the string u is executed starting from state s in the automaton $\mathcal{G}$. A positive value of $P{r}_{\sigma }(s,u)$ is realized if $\delta (s,u)$ for every $u\in {\sum }^{\ast }$. In this framework, strings and observations emerge as foundational constructs. A string, represented within ${\sum }^{\ast }$, takes the form $u:\mathbb{N}\to \sum$, where $\sum$ is the finite alphabet set of events. Such a string can be visualized as a deterministic sequence, $u=u_1{u}_2\dots u_n$, with each $u_i\in \sum$. The automaton’s transition function establishes that the combination of a state and a string leads to a unique subsequent state, as represented by $\delta :S\times {\sum }^{\ast }\to S$. Further, the language emerging from state s is denoted by

$$L(\mathcal{G},s)=\{u\in {\sum }^{\ast }\mid P{r}_{\sigma }(s,u)>0\},$$

highlighting all strings that can be produced from state s with a non-zero probability.

Contrasting with strings, observations are denoted as $\omega$ within ${\sum }_o^{\ast }$. They are defined as $\omega :\mathbb{N}\to {\sum }_o$, with ${\sum }_o\subseteq \sum$ being the observation alphabet set of events. Observations stem from a potentially non-bijective projection, formalized as $P:{\sum }^{\ast }\to {\sum }_o^{\ast }$.

This suggests that multiple strings might map to the same observation. Essentially, observations capture a more abstract or condensed perspective of the automaton’s behavior. The observations generated from a state s are defined as

$$\ell (\mathcal{G},s)=\{\omega \in {\sum }_o^{\ast }\mid \exists u\in L(\mathcal{G},s):\omega =P\left(u\right)\}.$$

This definition describes all possible observations inferred from the strings originating at state s. To further delineate the relationship between strings and observations, we can define the set of strings that are consistent with a particular observation when the automaton is in state s, which is given by

$$U(s,\omega )=\{u\in {\sum }^{\ast }\mid u\in L(\mathcal{G},s),P\left(u\right)=\omega \}.$$

The probability of generating a specific observation from a state s is calculated as

$$Pr(s,\omega )=\sum _{u\in U(s,\omega )}P{r}_{\sigma }(s,u).$$

While strings u outline the explicit sequences of transitions an automaton undergoes, observations $\omega$ act as potential aggregated or abstracted representations of these sequences. These mathematical representations and definitions bind the automaton’s dynamics, bridging the states to the strings and the resultant observations.

Example 1.

Consider the probabilistic automaton structure $\mathcal{G}=(S,\sum ,\delta ,\rho )$ illustrated in Figure 1. The automaton initiates from the state $s_0$, leading us to denote the automaton configured in this manner as $\mathcal{G}\left(s_0\right)$. This configuration comprises a set of states $S=\{s_0,s_1,s_2,s_3,s_4,s_5,s_6\}$ and partitions the event set Σ into observable events ${\sum }_o=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$ and unobservable events ${\sum }_{uo}=\left\{\tau \right\}$. For this configuration, $\rho (s_0,\alpha )=0.8$ and $\rho (s_0,\lambda )=0.2$. Moreover, we ascertain that ${\sum }_{e\in E\left(s_0\right)}\rho (s_0,e)=1$ with $E\left(s_0\right)=\{\alpha ,\lambda \}$. Considering a string $u=\alpha \gamma \tau$, the probability of generating the string u from $s_0$ is given by ${Pr}_{\sigma }(s_0,\alpha \gamma \tau )=\rho (s_0,\alpha )\times \rho (s_1,\gamma )\times \rho (s_2,\tau )=0.24$. However, let $\omega =\alpha \gamma$. Then, the probability of generating this sequence of observation is given by $Pr(s_0,\omega )={Pr}_{\sigma }(s_0,\alpha \gamma )+{Pr}_{\sigma }(s_0,\alpha \gamma \tau )=0.84$.

Given an automaton $\mathcal{G}$, the set of states reached by generating a string consistent with observation $\omega$ from state s is

$$\varphi (s,\omega )=\{s^{\prime }\in S|\exists u\in U(s,\omega ):\delta (s,u)=s^{\prime }\}.$$

The probability of transitioning from state $s_0$ to state s given observation $\omega$ is denoted as $Pr\left(s\right|\varphi (s_0,\omega ))$. For a state $s^{\prime }$ that is reachable after generating an observation $\omega$ from the initial state $s_0$, the probability of generating a string u is given by $P{r}_{\sigma }(s_0,\omega ,s,u)=Pr\left(s\right|\varphi (s_0,\omega ))\times P{r}_{\sigma }(s,u)$. For the purpose of elucidating the mathematical constructs utilized in our analysis, we define an indicator function, denoted as I, which ascertains the validity of state transitions. Formally, it is defined as

$$I_{\delta (s_0,u)=s}=\left\{\begin{array}{cc}1,\hfill & \mathrm{if}\delta (s_0,u)=s\hfill \\ 0,\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

In complex mathematical models, the relationship between system changes and observations is subtle. Although not immediately obvious, the system’s current state becomes clear after careful analysis of these observation sequences [35]. Delving deeper into such structures, a crucial concept that becomes intertwined with our discussion is the expectation under a specific distribution. In the provided formulation, ${\mathbb{E}}_{u\sim U(s_0,\omega )}$ signifies the expected value (or average) taken over all strings u drawn from the set $U(s_0,\omega )$. This encapsulates the average behavior or outcome under the distribution of strings originating from $s_0$ and culminating in observations $\omega$. Furthermore, by harnessing the power of the indicator function, the probability $Pr\left(s\right|\varphi (s_0,\omega ))$ undergoes a modification, being redefined as an expectation:

$$Pr\left(s\right|\varphi (s_0,\omega ))=\frac{{\mathbb{E}}_{u\sim U(s_0,\omega )}[I_{\delta (s_0,u)=s}\times P{r}_{\sigma }(s_0,u)]}{{\mathbb{E}}_{u\sim U(s_0,\omega )}\left[P{r}_{\sigma }(s_0,u)\right]}.$$

This expression quantifies the likelihood that the automaton, initiating its sequence at state $s_0$ and transitioning with strings from the set $U(s_0,\omega )$, lands on state s. Subsequently, the probability $P{r}_{\sigma }(s_0,\omega ,s,u)$ integrates the indicator function and the expectation concept:

$$P{r}_{\sigma }(s_0,\omega ,s,u)=\left\{\begin{array}{cc}\frac{{\sum }_{u\in U(s_0,\omega )}{I}_{\delta (s_0,u)=s}\times P{r}_{\sigma }(s_0,u)}{{\sum }_{u\in U(s_0,\omega )}P{r}_{\sigma }(s_0,u)}\times P{r}_{\sigma }(s,u)\hfill & \mathrm{if}s\in \varphi (s_0,\omega )\hfill \\ 0\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

This formulation captures the normalized probability of the system transitioning from $s_0$ to s under the observation $\omega$ and then executing string u from state s.

Example 2.

Consider the probabilistic automaton depicted in Figure 1, with the initial state $s_0$. Let ${\sum }_o=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$ and ${\sum }_{uo}=\left\{\tau \right\}$. For the observation $\omega =\alpha \gamma$, define $U(s_0,\alpha \gamma )$ as the set of all strings originating from $s_0$ that are consistent with ω, i.e., $U(s_0,\alpha \gamma )=\{\alpha \gamma \tau ,\alpha \gamma \}$. The cumulative conditional probabilities for transitions from $s_0$ to either state $s_2$ or state $s_5$ using expectations are:

$$\begin{array}{cc}\hfill Pr\left(s_2\right|\varphi (s_0,\alpha \gamma ))& =\frac{{\mathbb{E}}_{u\sim U(s_0,\alpha \gamma )}[I_{\delta (s_0,u)=s_2}\times P{r}_{\sigma }(s_0,u)]}{{\mathbb{E}}_{u\sim U(s_0,\alpha \gamma )}\left[P{r}_{\sigma }(s_0,u)\right]}\hfill \\ \hfill & =0.6/(0.6+0.24)=5/7;\hfill \\ \hfill Pr\left(s_5\right|\varphi (s_0,\alpha \gamma ))& =\frac{{\mathbb{E}}_{u\sim U(s_0,\alpha \gamma )}[I_{\delta (s_0,u)=s_5}\times P{r}_{\sigma }(s_0,u)]}{{\mathbb{E}}_{u\sim U(s_0,\alpha \gamma )}\left[P{r}_{\sigma }(s_0,u)\right]}\hfill \\ \hfill & =0.24/(0.6+0.24)=2/7.\hfill \end{array}$$

Consider the transition scenario from the initial state $s_0$ to state $s_2$. In this instance, the probability of executing the string $u=\tau \beta \lambda$ from state $s_2$ is calculated as $P{r}_{\sigma }(s_0,\alpha \gamma ,s_2,\tau \beta \lambda )=5/7\times 0.4\times 1\times 0.25=1/14.$ Conversely, considering the transition to state $s_5$, the probability of executing the string $u=\beta \lambda \mu$ from state $s_5$ is denoted as $P{r}_{\sigma }(s_0,\alpha \gamma ,s_5,\beta \lambda \mu )=2/7\times 1\times 0.25\times 0.55=11/280$.

Let $\mathbb{N}$ be the set of natural numbers, and ${\mathbb{N}}^{+}$ be the set of positive natural numbers, i.e., ${\mathbb{N}}^{+}=\left\{x\right|x>0\wedge x\in \mathbb{N}\}$. For an observation $\omega \in {\sum }_o^{\ast }$, the collection of all observations produced from a state $s\in \varphi (s_0,\omega )$ at $k\in {\mathbb{N}}^{+}$ step is defined as [34]

$$\ell (s_0,\omega ,s,k)=\{{\omega }^{\prime }\in {\sum }_o^{\ast }|{\omega }^{\prime }\in \ell (\mathcal{G},s),|{\omega }^{\prime }|=k\}.$$

The comprehensive set of all possible observations that arise from k-step observation extensions with $k\in {\mathbb{N}}^{+}$, following the generation of an observation $\omega$ from state $s_0$, is

$$\ell (s_0,\omega ,k)=\bigcup _{s\in \varphi (s_0,\omega )}\ell (s_0,\omega ,s,k).$$

The likelihood of producing ${\omega }^{\prime }\in \ell (s_0,\omega ,k)$ after the system has yielded an observation $\omega$ from $s_0$ is defined as

$$Pr(s_0,\omega ,k,{\omega }^{\prime })=\sum _{s\in \varphi (s_0,\omega )}\sum _{u\in U(s,{\omega }^{\prime })}P{r}_{\sigma }(s_0,\omega ,s,u).$$

It should be highlighted that $Pr(s_0,\omega ,k,{\omega }^{\prime })$ denotes the probability of observing ${\omega }^{\prime }$ after a k-step extension, assuming the prior generation of $\omega$ from $s_0$.

Example 3.

Consider the probabilistic automaton illustrated in Figure 1, where $s_0$ serves as the initial state. Suppose ${\sum }_o=\{\alpha ,\gamma ,\lambda ,\beta ,\mu \}$ and ${\sum }_{uo}=\left\{\tau \right\}$. Let us assume $k=2$. For the observation sequence $\omega =\alpha \gamma$ generated from state $s_0$, we can represent the sequence of observation extensions over two steps from either state $s_2$ or $s_5$ as follows: $\ell (s_0,\alpha \gamma ,s_2,2)=\{\alpha \gamma ,\alpha \lambda ,\alpha \mu \}$, and $\ell (s_0,\alpha \gamma ,s_5,2)=\{\beta \mu ,\beta \gamma ,\beta \lambda \}$. Combining these sequences, we find the set of sequences that lead to either $s_2$ or $s_5$ over two steps after generating the observation sequence $\omega =\alpha \gamma$ from state $s_0$ are $\ell (s_0,\alpha \gamma ,2)=\ell (s_0,\alpha \gamma ,s_2,2)\cup \ell (s_0,\alpha \gamma ,s_5,2)=\{\alpha \gamma ,\alpha \lambda ,\alpha \mu ,\beta \mu ,\beta \gamma ,\beta \lambda \}$. Here, $Pr(s_0,\omega ,2,{\omega }^{\prime })$ is calculated for each possible sequence as follows:  

$$\begin{array}{cccc}\hfill \mathit{For}{\omega }^{\prime }& =\alpha \lambda :\hfill & \hfill Pr(s_0,\alpha \gamma ,2,\alpha \lambda )& =5/7\times 0.6\times 0.25=3/28;\hfill \\ \hfill \mathit{For}{\omega }^{\prime }& =\alpha \gamma :\hfill & \hfill Pr(s_0,\alpha \gamma ,2,\alpha \gamma )& =5/7\times 0.6\times 0.2=3/35;\hfill \\ \hfill \mathit{For}{\omega }^{\prime }& =\alpha \mu :\hfill & \hfill Pr(s_0,\alpha \gamma ,2,\alpha \mu )& =5/7\times 0.6\times 0.55=33/140;\hfill \\ \hfill \mathit{For}{\omega }^{\prime }& =\beta \mu :\hfill & \hfill Pr(s_0,\alpha \gamma ,2,\beta \mu )& =P{r}_{\sigma }(s_0,\alpha \gamma ,s_2,\tau \beta \mu )+P{r}_{\sigma }(s_0,\alpha \gamma ,s_5,\beta \mu )\hfill \\ \hfill & \hfill & & =5/7\times 0.4\times 1\times 0.55+2/7\times 0.55\times 1=11/35;\hfill \\ \hfill \mathit{For}{\omega }^{\prime }& =\beta \lambda :\hfill & \hfill Pr(s_0,\alpha \gamma ,2,\beta \lambda )& =P{r}_{\sigma }(s_0,\alpha \gamma ,s_2,\tau \beta \lambda )+P{r}_{\sigma }(s_0,\alpha \gamma ,s_5,\beta \lambda )\hfill \\ \hfill & \hfill & & =5/7\times 0.25\times 1\times 0.4+2/7\times 0.25\times 1=1/7;\hfill \\ \hfill \mathit{For}{\omega }^{\prime }& =\beta \gamma :\hfill & \hfill Pr(s_0,\alpha \gamma ,2,\beta \gamma )& =P{r}_{\sigma }(s_0,\alpha \gamma ,s_2,\tau \beta \gamma )+P{r}_{\sigma }(s_0,\alpha \gamma ,s_5,\beta \gamma )\hfill \\ \hfill & \hfill & & =5/7\times 0.2\times 1\times 0.4+2/7\times 0.2\times 1=4/35.\hfill \end{array}$$

2.2. Differential Privacy

Differential privacy is a framework that quantifies the privacy guarantees offered by a randomized algorithm. It provides a measure ensuring that the output of a computation remains approximately the same, even if one record in the input dataset is altered. This ensures that an adversary cannot determine whether a specific individual’s information is included in the input to the function. Formally, given a threshold $ϵ>0$, a randomized algorithm M adheres to $ϵ$-differential privacy if, for any pair of datasets $A_1$ and $A_2$ that differ by at most one record, and for any output set O, the following inequality holds [36]:

$$e^{-ϵ}\le \frac{P(M\left(A_1\right)\in O)}{P(M\left(A_2\right)\in O)}\le e^{ϵ},$$

where $M\left(A_1\right)$ and $M\left(A_2\right)$ denote the outputs of algorithm M when run on datasets $A_1$ and $A_2$, respectively. The function P assigns a probability to a potential output of M. The parameter $ϵ$, often referred to as the privacy budget, sets a limit on the allowable information leakage, where $ϵ\in \mathbb{R}$ and $ϵ$ is a non-negative real number.

In the field of differential privacy, one of the central challenges emerges from the recurrent utilization of a privacy-preserving mechanism. As this mechanism is used repeatedly, the cumulative privacy guarantees can degrade, potentially weakening the overall privacy assurance [32]. Addressing this issue necessitates a more refined strategy, and introducing a decay factor serves this purpose. This factor places emphasis on the time-dependent modification of privacy loss parameters. Consider a scenario where mechanism M is invoked in an iterative fashion. A direct or naïve summation of the privacy loss parameter $ϵ$ over each use could swiftly consume the allotted privacy budget, compromising the robustness of the privacy safeguards in place. This predicament underscores the relevance of the decay factor. When expressed as

$${ϵ}^{\prime }=ϵe^{-\xi i},$$

it signifies an exponential decay in the privacy loss parameter. This ensures that with each subsequent application or iteration, there is a diminishing allowance for deviation in privacy guarantees, thereby systematically curtailing potential privacy breaches. From a mathematical perspective, the compounded degradation in differential privacy over n iterations can be encapsulated by: ${ϵ}_{\mathrm{total}}={\sum }_{i=1}^nϵe^{-\xi i}.$ This culminates in the refined differential privacy relationship:

$$e^{-{ϵ}_{\mathrm{total}}}\le \frac{P(M\left(A_i\right)\in O)}{P(M\left(B_i\right)\in O)}\le e^{{ϵ}_{\mathrm{total}}}.$$

This integration suggests that the privacy safeguard, when enhanced with a decay factor, does not merely sum over multiple invocations. Instead, it decays, emphasizing a gradual tightening of privacy constraints. This sophisticated model ensures that our differential privacy implementations remain robust and effective, even with repeated applications. While ${ϵ}_{\mathrm{total}}$ is crucial in a broad range of differential privacy applications, the study in this paper specifically emphasizes the application of differential privacy to automata initial states over finite steps. We deliberately choose to focus on the decay of $ϵ$ across iterations and, consequently, omit the consideration of ${ϵ}_{\mathrm{total}}$ to maintain a concise and focused presentation.

Definition 2

(Decay factor $\xi$). A decay factor ξ in the context of differential privacy is a measure that determines the rate at which the privacy loss parameter ϵ decreases for each iteration of a privacy-preserving algorithm. It quantifies the exponential reduction in the potential privacy loss, thus ensuring enhanced long-term protection of privacy in iterative processes.

The role of $\xi$ includes (1) exponential decay—$\xi$ results in an exponential decrease in ${ϵ}^{\prime }$ with each iteration; (2) privacy degradation control—adjusting $\xi$ fine-tunes the privacy degradation rate, with a higher $\xi$ enhancing protection; (3) robustness in repeated use—$\xi$ limits cumulative privacy loss, ensuring robustness in differential privacy mechanisms over multiple iterations.

3. Investigative Focus

This section delves into the complexity of maintaining $(ϵ,\xi )$-differential privacy within an ensemble of probabilistic automata with multiple initial states. Two main situations are examined: the first deals with the verification of privacy parameters across automata, and the second presents an oversight framework to assure compliance operations under defined privacy restrictions.

3.1. Proximate States and Differential Privacy

Definition 3.

(Proximate states for n initials). Given a probabilistic automaton structure $\mathcal{G}=(S,\sum ,\delta ,\rho )$ and a set of initial states $\{s_0^1,s_0^2,\dots ,s_0^n\}\subseteq S$, the states in this set are said to be collectively proximate if there exists an observation $\omega \in {\sum }_o^{\ast }\setminus \left\{\epsilon \right\}$ such that for any $s_0^i$ with $1\le i\le n$, $Pr(s_0^i,\omega )>0$. The collective contiguity implies that an observation that is not the empty string can be generated from every initial state in the set.

Definition 4 (K-step $(ϵ,\xi )$-differential privacy for n initials).

Let $\mathcal{G}=(S,\sum ,\delta ,\rho )$ denote a probabilistic automaton structure. Given a set of collectively proximate initial states $\{s_0^1,s_0^2,\dots ,s_0^n\}\subseteq S$, this leads to n distinct probabilistic automata $\mathcal{G}\left(s_0^1\right),\mathcal{G}\left(s_0^2\right),\dots ,\mathcal{G}\left(s_0^n\right)$. These automata are said to uphold ($ϵ,\xi$)-differential privacy over a k-step observation extension, modulated by a decay factor ξ, if for each automaton $\mathcal{G}\left(s_0^i\right)$ and any observation $\omega \in {\sum }_o^{\ast }$ originating from $s_0^i$, there exists a set of subsequent observations ${\mathrm{\Omega }}_{k^{\prime }}$ such that for each $k^{\prime }\le k$, ${\mathrm{\Omega }}_{k^{\prime }}={\bigcup }_{i=1}^n\ell (s_0^i,\omega ,k^{\prime })$, where ℓ denotes an observation likelihood function.

Additionally, for any two distinct initial states $s_0^i$ and $s_0^j$$\in S$, and for all $k^{\prime }\le k$, given any observation ${\omega }^{\prime }\in {\mathrm{\Omega }}_{k^{\prime }}$, where ${\omega }^{\prime }$, the $(ϵ,\xi )$-differential privacy condition $|Pr(s_0^i,\omega ,k^{\prime },{\omega }^{\prime })-Pr(s_0^j,\omega ,k^{\prime },{\omega }^{\prime })|\le ϵe^{-\xi k^{\prime }}$ must hold. The privacy parameter $ϵ$ undergoes exponential decay influenced by $k^{\prime }$ steps of observation, guided by the decay rate $\xi$. As observations accrue, the $(ϵ,\xi )$-differential privacy assurance wanes, underscoring the inherent challenge in preserving privacy as more data emerges.

3.2. Verification Concerns

Within an ensemble of n probabilistic automata, derived from a foundational automaton with n distinct initial states as $\{\mathcal{G}\left(s_0^1\right),\mathcal{G}\left(s_0^2\right),\dots ,\mathcal{G}\left(s_0^n\right)\}$, the verification process is paramount. It is essential to ascertain that each automaton in the ensemble genuinely observes the principles of ($ϵ,\xi$)-differential privacy over a k-step observation extension, particularly when influenced by a decay factor $\xi$.

A dedicated verifier, $V_{\omega }^k$, is posited to play this crucial role. Its function is to assess whether each automaton in the ensemble, when initialized from its respective initial state within the set $\{s_0^1,s_0^2,\dots ,s_0^n\}$, indeed adheres to the $(ϵ,\xi )$-differential privacy criteria. More specifically, given any observation $\omega$ that originates from these initial states, following the definition of proximate states, $V_{\omega }^k$ must validate:

• The emergence and integrity of subsequent observations ${\mathrm{\Omega }}_{k^{\prime }}$ based on the defined observation likelihood function ℓ.
• The preservation of the $(ϵ,\xi )$-differential privacy condition between any two distinct initial states for all possible $k^{\prime }\le k$ steps of observation.

This verification serves as a continuous safeguard, ensuring that the $(ϵ,\xi )$-differential privacy guarantees, despite the probabilistic behaviors and intertwined initial states, remain uncompromised and robust.

4. Verification of (ϵ, ξ)-Differential Privacy over Finite Steps

For the intricate analysis of probabilistic automaton with multiple initial states, the verifier emerges as a pivotal tool. It meticulously dissects each initial state, treating it as the epicenter of an independent probabilistic automaton system. Through this isolated examination, the verifier offers a holistic understanding of every conceivable behavior that might emanate from a particular initial state. In essence, by simulating each initial state coupled with its observation sequence as a stand-alone probabilistic automaton, the verifier elucidates the potential trajectory of the entire automaton. This methodology, delineated in Algorithm 1, crafts a refined lens for researchers to discern the nuances of behaviors within a multi-initial-state probabilistic automaton framework.

Consider a set of n probabilistic automata, denoted as $\mathcal{G}=[\mathcal{G}\left(s_0^1\right),\mathcal{G}\left(s_0^2\right),\dots ,\mathcal{G}\left(s_0^n\right)]$, with each automaton defined by $\mathcal{G}\left(s_0^i\right)=(S,\sum ,\delta ,s_0^i,\rho )$. The goal of the algorithm is to compute a Verifier for an observation $\omega$, denoted as $V_{\omega }^k=(S_v,{\sum }_o,{\delta }_v,S_0)$. In the heart of our algorithm lies the concept of memoization, a ubiquitous technique in algorithmic optimization. We introduce a memoization function, defined as $M:(S\times \sum )\to 2^S$, where the domain of M encapsulates the Cartesian product of states and events, and its codomain is the power set of S, embracing all conceivable subsets of reachable states. Formally articulated, for any state-event pair $(s,e)$, we have

$$M(s,e)=\{s^{\prime }\in S:\delta (s,e)=s^{\prime }\}.$$

At the inception of the algorithm, M is initialized as an empty function. As the algorithm progresses and each state-event pair is encountered, the resulting set of reachable states is cached in M to prevent redundant computations in future iterations. With the memoization table M established, the algorithm begins by iterating through each initial state $s_0^i$ of $\mathcal{G}$. Depending on the current segment of the observation sequence and the state under consideration, the set of reachable states is either computed afresh using the transition function $\delta$ or promptly retrieved from M. As the algorithm traverses the observation sequence, it accumulates the resulting reachable states into $S_0$. Subsequently, the algorithm embarks on computing the product states, represented as $Q_1\times Q_2\times \dots \times Q_n$. These product states are deduced based on observable events and the current state, leading to the formation of $S_v$, which is synthesized from the collection $Sr$. The worst-case approximated complexity of Algorithm 1 is $O\left(2^n\times n^2\times |{\sum }_o|\times |{\sum }_{uo}|\right)$.

Definition 5 (Verifier).

Given a probabilistic automaton structure $\mathcal{G}=(S,\sum ,\delta ,\rho )$, and a list of proximate initial states $[s_0^1,s_0^2,\dots ,s_0^n]$ leading to n distinct lists of probabilistic automata $[\mathcal{G}\left(s_0^1\right),\mathcal{G}\left(s_0^2\right),\dots ,\mathcal{G}\left(s_0^n\right)]$, a differentially private verifier $V_{\omega }^k$ for a k-step observation extension modulated by a decay factor ξ is defined as a 4-tuple $V_{\omega }^k=(S_v,{\sum }_o,{\delta }_v,S_0)$. Here, $S_v$ is the cross-product of states in the automata set, $S=Q_1\times Q_2\times \dots \times Q_n$, with each $Q_i$ being a subset of states from $\mathcal{G}\left(s_0^i\right)$, ${\sum }_o$ denotes all observable events, ${\delta }_v:S_v\times {\sum }_o\to 2^{S_v}$ represents the transition function of the verifier, and $S_0$ is redefined as the Cartesian product of sets obtained from the function ϕ applied to each initial state and the observation ω, specifically $S_0=\varphi (s_0^1,\omega )\times \dots \times \varphi (s_0^n,\omega )$. This verifier $V_{\omega }^k$ encapsulates the collective behaviors of the original probabilistic automata set, over a k-step of observation.

Theorem 1.

Given a verifier $V_{\omega }^k$ that integrates the state-transition model with respect to observation ω up to step k, an initial positive parameter ϵ, a decay factor ξ, and a list of n initial states $[s_0^1,s_0^2,\dots ,s_0^n]$, Algorithm 2 will ascertain whether the system upholds $(ϵ,\xi )$-differential privacy across k steps within the modulating privacy parameter ϵ that evolves with each step.

Proof. 

Initiating with the assignment of a unit probability to each originating state s at $t=0$, the procedure warrants unequivocal certainty for these foundational states. The algorithm then invokes Algorithm 1 to procure the transition probabilities $\varphi (s_0^i,\omega {\omega }^{\prime })$, thereby forming a probabilistic mapping from any state $s_0^i$ to another $s_0^j$ contingent on the observation sequence $\omega$. Iteratively, the algorithm explores the subsequent potential states for each event in the observation sequence, thereby crafting a dynamic probabilistic landscape for each state s.

Central to the verification of privacy is the computation of the absolute deviation between the transition probabilities of any two initial states $s_0^i$ and $s_0^j$. If any such deviation surpasses $ϵ$, the algorithm returns a negative result. As the observation progresses, the state set S undergoes updates to encompass new feasible states, symbolized as $S^{\ast }$. Should the algorithm traverse all k steps without infringing the evolving ($ϵ,\xi$)-differential privacy constraint, it returns an affirmative outcome. This, by induction, validates the algorithm’s fidelity to ($ϵ,\xi$)-differential privacy for all inaugural states across steps $1\le k^{\prime }\le k$, culminating in the affirmation of the theorem.    □

Algorithm 1: Construction of a k-step verifier

Algorithm 2 conducts $(ϵ,\xi )$-differential privacy verification for a specified number of steps, k. It takes inputs including a verifier $V_{\omega }^k$, step count k, privacy threshold $ϵ$, and n initial states. Initially, each state in $S_0$ has a transition probability of 1. The algorithm iteratively examines state transitions and probability distributions up to step k. A critical aspect of this process is the decay factor $\xi$, crucial for upholding rigorous privacy constraints. This factor adjusts the influence of the privacy parameter over time, ensuring consistent adherence to privacy norms throughout the algorithm’s execution.

Crucially, the algorithm juxtaposes privacy probabilities across all conceivable state pairings. Should any disparity surpass $ϵ$, the algorithm promptly returns ’false’. This guarantees a uniform privacy assessment, irrespective of initial state variances, encompassing a predictable future scope. Considering its design and operations, the worst-case computational complexity of Algorithm 2 is gauged at $O(k\times 2^n\times |{\sum }_o|\times n^3\times |{\sum }_{uo}\left|\right)$. This provides an understanding of the resource demands for larger input sizes, crucial for practical implementations.

Algorithm 2: Differential privacy verification over finite steps with $ϵ$ decay

Example 4.

Consider the structure of a probabilistic automaton depicted in Figure 2, where we assume that the initial states are $s_1$ and $s_2$, which means $n=2$. The set of observable events is ${\sum }_o$ = $\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$, while the set of unobservable events is ${\sum }_{uo}=\left\{\tau \right\}$. The verifier for the system $\mathcal{G}\left(s_1\right)$ and $\mathcal{G}\left(s_2\right)$ is illustrated in Figure 3, in which the initial state $S_0$ is defined as the Cartesian product $S_0=\left\{s_1\right\}\times \left\{s_2\right\}$.

For the state $S_1$ and the observable event α, we can say that $S_1$ is the Cartesian product of $\varphi (s_1,\alpha )$ and $\varphi (s_2,\alpha )$, resulting in $S_1=\{s_3,s_4\}\times \left\{s_5\right\}$. Therefore, $\delta (S_0,\alpha )$ becomes $\{s_3,s_4\}\times \left\{s_5\right\}$. Similarly, for the state $S_4$ and the observable event λ, $S_4$ is the Cartesian product of $\varphi ((s_3,s_4),\lambda )$ and $\varphi (s_5,\lambda )$, which turns out to be $\left\{s_4\right\}\times \varnothing$. Consequently, $\delta (S_1,\lambda )$ is also $\left\{s_4\right\}\times \varnothing$. For the state $S_5$ and the observable event β, $S_5$ is $\left\{s_5\right\}\times \left\{s_6\right\}$, and this results from taking the Cartesian product of $\varphi (s_3,\beta )$ and $\varphi (s_5,\beta )$. Therefore, $\delta (S_1,\beta )$ is $\left\{s_5\right\}\times \left\{s_6\right\}$. Finally, for the state $S_8$ and the observable event γ, $S_8$ is the Cartesian product of $\varphi (s_5,\gamma )$ and $\varphi (s_6,\gamma )$, yielding $S_8=\left\{s_4\right\}\times \left\{s_4\right\}$. This leads us to conclude that $\delta (S_5,\gamma )$ is also $\left\{s_4\right\}\times \left\{s_4\right\}$.

Figure 2. A probabilistic automaton $\mathcal{G}$*.

Figure 2. A probabilistic automaton $\mathcal{G}$*.

Figure 3. The verifier $V_{\omega }^k$ of probabilistic automaton $\mathcal{G}$*.

Figure 3. The verifier $V_{\omega }^k$ of probabilistic automaton $\mathcal{G}$*.

Example 5.

Let us consider the probabilistic automaton structure in Figure 2. Assume two proximate initial states $s_1$ and $s_2$ such that $n=2$. The verifier is shown in Figure 3. We want to verify the ϵ-differential privacy with $ϵ=0.13$, decay factor $\xi =0.05$ and for $k^{\prime }=1$. Due to the decay factor, our effective ${ϵ}^{\prime }$ for this step is $ϵe^{-\xi k^{\prime }}=0.13e^{-0.05}\approx 0.124$. For state $S_0$:

$$\begin{array}{cc}\hfill \left|{Pr}_1(S_0,\alpha )-{Pr}_2(S_0,\alpha )\right|& =\left|Pr\left(s_1\right|\left\{s_1\right\})\times Pr\left(\{s_3,s_4\}\right|\varphi (s_1,\alpha ))-Pr\left(s_2\right|\left\{s_2\right\})\times {Pr}_{\sigma }(s_2,\alpha )\right|\hfill \\ \hfill & =0.5/0.5+(0.5\times 0.8)+0.5\times 0.8/0.5+(0.5\times 0.8)-0.9\hfill \\ & =0.1<{ϵ}^{\prime }\approx 0.124;\hfill \\ \hfill \left|{Pr}_1(S_0,\gamma )-{Pr}_2(S_0,\gamma )\right|& =\left|Pr\left(s_1\right|\left\{s_1\right\})\times {Pr}_{\sigma }(s_1,\gamma )-Pr\left(s_2\right|\left\{s_2\right\})\times {Pr}_{\sigma }(s_2,\gamma )\right|\hfill \\ \hfill & =0.120<{ϵ}^{\prime }\approx 0.124;\hfill \\ \hfill \left|{Pr}_1(S_0,\mu )-{Pr}_2(S_0,\mu )\right|& =\left|Pr\left(s_1\right|\left\{s_1\right\})\times {Pr}_{\sigma }(s_1,\mu )-Pr\left(s_2\right|\left\{s_2\right\})\times {Pr}_{\sigma }(s_2,\mu )\right|\hfill \\ \hfill & =0.38-0.1=0.28>{ϵ}^{\prime }\approx 0.124.\hfill \end{array}$$

The system of two automata $\mathcal{G}\left(s_1\right)$ and $\mathcal{G}\left(s_2\right)$ do not satisfy ($ϵ,\xi$)-differential privacy at $k^{\prime }=1$ with ${ϵ}^{\prime }=0.124$.

5. Ensuring (ϵ, ξ)-Differential Privacy via Supervisory Control

In the prior section, we introduced the notion of $(ϵ,\xi )$-differential privacy, where an automaton starting from distinct n initial states produces similar observation likelihoods over a set number of steps. This concept is central to our ongoing discussion. We then delve into supervisory control as a method for ensuring this privacy alignment over a fixed sequence length. Our study further explores the realms of control theory, highlighting a groundbreaking algorithm rooted in probabilistic automata and designed to predict state transitions from observation sequences.

Consider a verifier $V_{\omega }^k=(S_v,{\sum }_o,{\delta }_v,S_0)$ and a state $S\in S_v$, where S is an element of the state space $S_v$ and can be expressed as a tuple of multiple state components, i.e., $S=Q_1\times Q_2\times \dots \times Q_n$. We define $S^{\#}$ as a subset of $S_v$ containing states that can be reached from the initial state $S_0$ for a specific observation sequence ${\omega }^{\prime }$. In essence, $S^{\#}$ captures the set of states that are intermediate in the transition from $S_0$ to S through the sequence ${\omega }^{\prime }$.

The set $R\left(S\right)$ is then introduced to encapsulate all events e that transition the system from state S to some other state $S^{\prime }$ that is a member of $S^{\#}$. Specifically, $S^{\prime }$ represents a state, analogous to S, but formed from different combinations of state components. Hence, $S^{\prime }=Q_1^{\prime }\times Q_2^{\prime }\times \dots \times Q_n^{\prime }$ where each $Q_i^{\prime }$ is a potential state from the original n probabilistic automata. This ensures the system remains within the permissible state transitions defined by $S^{\#}$. Thus, $R\left(S\right)$ can be defined as:

$$R\left(S\right)=\left\{e\in {\sum }_o\mid \exists S^{\prime }\in S^{\#}\setminus \left\{S\right\}:{\delta }_v(S,e)=S^{\prime }\right\}.$$

This expression underscores the events that, when executed from state S, guide the system to another state within the permissible state transitions defined by $S^{\#}$. Let $\mathrm{\Theta }:{\sum }_o\to \mathbb{R}$ be a ranking function defined over the observation events in the context of the verifier $V_{\omega }^k$. For any event $e\in {\sum }_o$, $\mathrm{\Theta }\left(e\right)$ designates a unique scalar value, conveying its significance or importance.

This formulation ensures both uniqueness, where for any two distinct events $e_1,e_2\in {\sum }_o$, if $e_1\ne e_2$ then $\mathrm{\Theta }\left(e_1\right)\ne \mathrm{\Theta }\left(e_2\right)$, and a total order such that for any two events $e_1$ and $e_2$ in ${\sum }_o$, the relationships $\mathrm{\Theta }\left(e_1\right)<\mathrm{\Theta }\left(e_2\right)$, $\mathrm{\Theta }\left(e_1\right)>\mathrm{\Theta }\left(e_2\right)$, or $\mathrm{\Theta }\left(e_1\right)=\mathrm{\Theta }\left(e_2\right)$ are established.

Once the events are ranked by their $\mathrm{\Theta }\left(e\right)$ values, each event e is assigned an index value $T(S,e)$, where $T:S_v\times {\sum }_o\to {\mathbb{N}}^{+}$ is a mapping function. In this context, for states $S=Q_1\times Q_2\times \cdots \times Q_n\in S_v$ and $S^{\prime }=Q_1^{\prime }\times Q_2^{\prime }\times \cdots \times Q_n^{\prime }\in S^{\ast }$, the set of all events that transition the system from $S^{\prime }$ to S is denoted as $E(S^{\prime },S)=\{e\in {\sum }_o\mid {\delta }_v(S^{\prime },e)=S\}$.

Consequently, the events in $R\left(S\right)$ are systematically sorted based on their respective $\mathrm{\Theta }\left(e\right)$ values in ascending order, ensuring a structured and meaningful sequence for subsequent operations, reflecting both the probabilistic properties and temporal nuances of the events within $V_{\omega }^k$.

For each event e belonging to $E(S^{\prime },S)$, we define $A(S^{\prime },S,e)$ as a column vector with $\left|R\right(S^{\prime }\left)\right|$ dimensions, exclusively consisting of zeros and ones. Additionally, we define a binary scalar $A(S^{\prime },S,e)\left[v\right]$ in the following manner:

$$A(S^{\prime },S,e)\left[c\right]=\left\{\begin{array}{cc}1,\hfill & \mathrm{if}v=T(S^{\prime },e)\hfill \\ 0,\hfill & \mathrm{if}v\ne T(S^{\prime },e).\hfill \end{array}\right.$$

With v being a positive integer such that $1\le v\le \left|R\right(S^{\prime }\left)\right|$, the matrix $A(S^{\prime },S)$ can be viewed as an expanded form of $A(S^{\prime },S,e)$ for every event e in $E(S^{\prime },S)$, arranged in ascending order according to the value of $T(S^{\prime },e)$. Given a probabilistic automaton structure $\mathcal{G}=(S,\sum ,\delta ,\rho )$ with proximate initial states $s_0^{\left(1\right)},s_0^{\left(2\right)},\dots ,s_0^{\left(n\right)}$, and an observation sequence $\omega \in {\sum }_o^{\ast }$, we define $V_{\omega }^k=(S_v,{\sum }_o,{\delta }_v,S_0)$ as the verification mechanism. For a compound state $S=Q_1\times Q_2\times \dots \times Q_n$ in $S_v$, and given ${\delta }_v(S_0,{\omega }^{\prime })=S$, any of the row vectors $C_{{\omega }^{\prime }}\left(S_1\right|S),C_{{\omega }^{\prime }}\left(S_2\right|S),\dots ,C_{{\omega }^{\prime }}\left(S_n\right|S)$ is with the dimensioning of $\left|R\right(S\left)\right|$. For each event $e\in R\left(S\right)$ and index $T(S,e)\in \{1,2,\dots ,|R\left(S\right)\left|\right\}$, the following relationship holds for $i\in \{1,2,\dots ,n\}$:

$$C_{{\omega }^{\prime }}\left(S_i\right|S)\left[T(S,e)\right]=\sum _{s\in S_i}\sum _{s^{\prime }\in \sigma (s,e)}\left[{Pr}_{\sigma }\left(s\right|\varphi (s_0^{\left(i\right)},\omega {\omega }^{\prime }))\times {Pr}_{\sigma }(s^{\prime },u)\right].$$

Given a probabilistic automaton $\mathcal{G}=(S,\sum ,\delta ,\rho )$ with n initial states $s_0^{\left(1\right)},s_0^{\left(2\right)},\dots ,s_0^{\left(n\right)}$ and an observation $\omega \in {\sum }_o^{\ast }$, let $V_{\omega }^k=(S_v,{\sum }_o,{\delta }_v,S_0)$ serve as the verificationer. For a compound state $S=Q_1\times Q_2\times \cdots \times Q_n$ residing in the state space $S_v$, and given ${\delta }_v(S_0,{\omega }^{\prime })=S$, we define $A^{{\omega }^{\prime }}\left(S_i\right|S)$ as the corresponding probabilistic matrix for the sub-state $S_i$, the composite state S, and the observation sequence ${\omega }^{\prime }\in {\sum }_o^{\ast }$, where i is an index drawn from the set $\{1,2,\dots ,n\}$. The definition of $A^{{\omega }^{\prime }}\left(S_i\right|S)$ unfolds in two scenarios:

First, in the event that $S^{\ast }=\varnothing$, the matrix $A^{\epsilon }\left(S_i\right|S)$ is identified directly as $C_{\epsilon }\left(S_i\right|S)$;

Second, when $S^{\#}\ne \varnothing$, for any $S^{\prime }=Q_1^{\prime }\times Q_2^{\prime }\times \cdots \times Q_n^{\prime }$ belonging to $S^{\#}$ such that ${\delta }_v(S_0,{\omega }^{″})=S^{\prime }$, ${\delta }_v(S^{\prime },e)=S$, and ${\omega }^{″}e={\omega }^{\prime }$, the following relation holds:

$$A_m^{{\omega }^{\prime }}\left(S_i\right|S)={\left[A^{{\omega }^{″}}\left(S_i^{\prime }\right|S^{\prime })\times A(S^{\prime },S)\right]}^T[:]\left[m\right]\times C_{{\omega }^{\prime }}\left(S_i\right|S);$$

Subsequently, the exhaustive probabilistic matrix $A^{{\omega }^{\prime }}\left(S_i\right|S)$ is synthesized as

$$A^{{\omega }^{\prime }}\left(S_i\right|S)={\left[{\left(A_1^{{\omega }^{\prime }}\left(S_i\right|S)\right)}^T|\cdots |{\left(A_h^{{\omega }^{\prime }}\left(S_i\right|S)\right)}^T\right]}^T;$$

where $h={\mathbb{N}}^r\left(A^{{\omega }^{″}}\left(S_i^{\prime }\right|S^{\prime })\right)$; this relationship reflects the intricate structure and hierarchy inherent in the probabilistic matrices, emphasizing a crucial characteristic, possibly its dimensionality or structural depth.

Within this setup, h is deduced by elevating $\mathbb{N}$ to the power of r. It is conjectured that r represents the rank or a distinct inherent trait of the matrix $A^{{\omega }^{″}}\left(S_i^{\prime }\right|S^{\prime })$. This formulation provides a foundation for the ensuing algorithmic stages, imparting a computational perspective to the entire procedure. A clear linkage between m and h exists, with m being an element of the set $\{1,2,\dots ,h\}$. The strategy for computing these probabilistic matrices for each state in the verifier is encapsulated in Algorithm 3, demonstrating a computational complexity of $O\left({\left|S_v\right|}^2\times \left(\left|{\sum }_o\right|+\left|R\left(S^{\prime }\right)\right|+\left|R\left(S\right)\right|+n\times \left|S_i\right|\right)\right)$.

Algorithm 3: Probability matrices determination

Example 6.

Consider the probabilistic automaton structure represented in Figure 2 and its corresponding verifier illustrated in Figure 3, in which the given parameters are ${\sum }_o=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$ and ${\sum }_{uo}=\left\{\tau \right\}$. We define the function Θ as: $\mathrm{\Theta }\left(\alpha \right)=1$, $\mathrm{\Theta }\left(\beta \right)=2$, $\mathrm{\Theta }\left(\lambda \right)=3$, $\mathrm{\Theta }\left(\gamma \right)=4$, and $\mathrm{\Theta }\left(\mu \right)=5$. For $S_0$, we obtain $E(S_0,S_1)=\left\{\alpha \right\}$, $A(S_0,S_1)=\left[A_{\alpha }\right]$ with $A_{\alpha }={(1,0,0)}^T$ and $E(S_0,S_3)=\left\{\mu \right\}$, $A(S_0,S_3)=\left[A_{\mu }\right]$ with $A_{\mu }={(0,0,1)}^T$. For $S_2$, we obtain $R\left(S_5\right)=\left\{\gamma \right\}$ and $T(S_5,\gamma )=1$. Thus, $C_{{\omega }^{\prime }}\left(\left\{s_5\right\}\right|S_5)=P{r}_{\sigma }(s_5,\gamma )=0.55$ and $C_{{\omega }^{\prime }}\left(\left\{s_6\right\}\right|S_5)=P{r}_{\sigma }(s_6,\gamma )=1$, where ${\omega }^{\prime }=\left\{\alpha \beta \right\}$.

Example 7.

Consider the verification depicted in Figure 3. For the initial state $S_0$, we have $A^{\epsilon }\left(\left\{s_1\right\}\right|S_0)=(0.5,0.12,0.38)$ and $A^{\epsilon }\left(\left\{s_2\right\}\right|S_0)=(0.9,0,0.1)$. For state $S_3$: $A^{\epsilon }\left(\left\{s_1\right\}\right|S_0)\times A(S_0,S_3)=0.38$; $A^{\epsilon }\left(\left\{s_2\right\}\right|S_0)\times A(S_0,S_3)=0.1$. For an observable event ${\omega }^{\prime }=\mu$, $A^{{\omega }^{\prime }}\left(\left\{s_1\right\}\right|S_3)={\left(0.38\right)}^T[:]\left[2\right]\times C_{{\omega }^{\prime }}\left(\left\{s_1\right\}\right|S_3)={(0.19,0)}^T$ and $A^{{\omega }^{\prime }}\left(\left\{s_5\right\}\right|S_3)={\left(0.1\right)}^T[:]\left[2\right]\times C_{{\omega }^{\prime }}\left(\left\{s_5\right\}\right|S_3)={(0,0.045)}^T$.

Within the intricate domain of probabilistic automata, the introduction of fake events represents a paradigm shift in how systems interact with their observable events. This is not a superficial addition; rather, it is a calculated stratagem where these events, ingeniously derived from the set ${\sum }_o$ of genuine observable events, play a pivotal role in ensuring system integrity and privacy [37]. The origin of these fake events can be traced back to the enforcement mechanism, which incorporates an insertion function designed to embed any event within ${\sum }_o$ seamlessly. While on the surface, these inserted events might mirror the observable ones, their underlying design is distinct. The crucial aspect lies in their deliberate ambiguity; they mirror the observable events with such precision that they become indistinguishable upon a cursory examination. This resemblance is not coincidental but serves a pivotal role in the broader system dynamics.

The aforementioned duality serves a higher purpose, particularly in the domain of differential privacy. The insertion of fake events is not merely a technique for enhancing system dynamics; it acts as a vital control strategy. When the system fails to achieve $(\epsilon ,\xi )$-differential privacy through conventional means, these fake events step in to refine the transition probabilities of the genuine events within ${\sum }_o$, ensuring the attainment of the desired $(\epsilon ,\xi )$-differential privacy threshold. Such innovation highlights the sophistication and flexibility of probabilistic automata theory, where privacy safeguards and operational effectiveness are adeptly intertwined.

The supervisory control system in question operates based on observed events ${\sum }_o$. In addition to these genuine events, we introduce fabricated events, denoted by ${\sum }_{\mathrm{fake}}$. Each fabricated event is a simulation derived from its ${\sum }_o$ counterpart. Collectively, the universe of all events is given by $\sum ={\sum }_o\bigcup {\sum }_{\mathrm{fake}}\bigcup {\sum }_{\mathrm{uo}}.$ The matrix D is a configuration of size $n\times n$, with n indicating the system’s state count. An element $D\left[i\right]\left[j\right]$ delineates the difference in actions executed at states $Q_i$ and $Q_j$ in response to a specific observation ${\omega }^{\prime }$. This relationship is formally described by $D\left[i\right]\left[j\right]=A^{{\omega }^{\prime }}(Q_i\mid S)-A^{{\omega }^{\prime }}(Q_j\mid S).$ To incorporate $(ϵ,\xi )$-differential privacy, we leverage an insertion function, E, which maps a state and a genuine event to a corresponding fabricated event. Formally, $\mathrm{\Phi }:S\times {\sum }_o\to S\times {\sum }_{\mathrm{fake}}.$ The execution of this function results in $\mathrm{\Phi }(s,e)=(s^{\prime },E(s,e)),$ with $s^{\prime }$ determined by $s^{\prime }=\delta (s,e).$ This function’s application adjusts the event probability distribution. For instance, triggering an artificial event, $e_{\mathrm{fake}}$, at state s modulates the event probabilities as ${\rho }^{\prime }(s,e)=\rho (s,e)-\rho (s,e_{\mathrm{fake}})\times \rho (s,e).$

In the context of a supervisory control system within a probabilistic automaton, the process of refining transition probabilities through the insertion of fake events plays a pivotal role in adhering to differential privacy constraints. Consider a system where the transition probability from an initial state by a particular observation sequence ${\omega }^{\prime }$ is formulated as $A^{{\omega }^{\prime }}(Q\mid S)=P{r}_{\sigma }(s_0,{\omega }^{″}e)\times \rho (\delta (s_0,{\omega }^{″}),e)$, with ${\omega }^{\prime }={\omega }^{″}e$, where ${\omega }^{″}\in {\sum }_o^{\ast }$ and $e\in {\sum }_o$. This formulation encapsulates the probability of the sequence ${\omega }^{″}e$ occurring from the initial state $s_0$ and the probability of transitioning to the next state due to event e.

The introduction of a fake event, executed by the supervisory function E, fundamentally alters this transition probability. Post-insertion, the probability of the transition by the observation sequence ${\omega }^{\prime }$ is refined to $A^{{\omega }^{\prime }}(Q\mid S)=P{r}_{\sigma }(s_0,{\omega }^{″}e)\times \rho (\delta (s_0,{\omega }^{″}),e)\times (1-\rho (\delta (s_0,{\omega }^{″}),e_{\mathrm{fake}}))$. The inclusion of the term $(1-\rho (\delta (s_0,{\omega }^{″}),e_{\mathrm{fake}}))$, which lies between 0 and 1, ensures a reduction in $A^{{\omega }^{\prime }}(Q\mid S)$ subsequent to the insertion of the fake event.

This reduction plays a crucial role in aligning the system with differential privacy constraints. When the inequality $\left|\right(A^{{\omega }^{\prime }}(Q_i\mid S)-\left(A^{{\omega }^{\prime }}(Q_j\mid S)\right|\ge {ϵ}^{\prime }$ holds, indicating a potential breach of privacy thresholds, the insertion of the fake event with a predetermined probability effectively diminishes the left-hand side of the inequality by a factor of $(1-\rho (\delta (s_0,{\omega }^{″}),e_{\mathrm{fake}}))$. This decrement contributes significantly to reducing the differences in probabilities of sequences resulting from the initial states ($s_0^i$, $s_0^j$), thus facilitating the achievement of the differential privacy constraint. Therefore, the strategic insertion of fake events emerges as a vital mechanism for refining transition probabilities in a manner that upholds the principles of differential privacy within the framework of probabilistic automata.

Theorem 2.

Given a supervisory control system formulated by the verifier $V_k^{\omega }=(S_v,{\sum }_o,{\delta }_v,S_0)$. The introduction of a fake event mechanism, governed by the insertion function E, that operates within the $(ϵ,\xi )$-differential privacy boundary will ensure convergence towards a refined system state such that the differential between state transitions, quantified by matrix D, remains beneath the threshold ${ϵ}^{\prime }$.

Proof. 

Starting with the differential matrix representation for each pair of states $(Q_i,Q_j)$ in our system, the differential is defined as $D\left[i\right]\left[j\right]=A^{{\omega }^{\prime }}(Q_i\mid S)-A^{{\omega }^{\prime }}(Q_j\mid S)$, capturing the initial difference between the states in light of a particular observation $\omega$. For any given state s and an event e from ${\sum }_o$, the insertion function is described as $E:S\times {\sum }_o\to {\sum }_{\mathrm{fake}}$, producing a fake event $e_{\mathrm{fake}}=E(s,e)$. With this new event, the state transition dynamics are altered: the state transition probabilities evolve to ${\rho }^{\prime }(s,e)=\rho (s,e)-\rho (s,e_{\mathrm{fake}})\times \rho (s,e)$, ensuring the recalculated differential remains constrained within the threshold $|D^{\prime }\left[i\right]\left[j\right]|\le {ϵ}^{\prime }$. Assuming that the introduction of the fake event modifies the state transition mechanisms, the system undergoes iterative invocations of the insertion function to guarantee all differentials in matrix D adhere to $\forall i,j:\left|D\left[i\right]\left[j\right]\right|\le {ϵ}^{\prime }$.

Given a maximum bound of iterations, denoted as k, combined with the consistent adjustment via the insertion function E, it is implied that convergence occurs within these iterations. Crucially, each introduction of a fake event acts as a remedial measure, aligning the system’s dynamics closer to the $(ϵ,\xi )$-differential privacy conditions. Through our established iterations, and by ensuring differentials remain within the specified boundary, the system not only guarantees state transition convergence but also maintains the constraints of differential privacy. Thus, the theorem is affirmed, elucidating how the supervisory control system, using the intricate balance of fake event insertion, converges toward refined states while upholding $(ϵ,\xi )$-differential privacy.    □

Transitioning to the algorithmic realm, Algorithm 4 stands at the intersection of computer science, data analytics, and $(ϵ,\xi )$-differential privacy.

Algorithm 4 is meticulously crafted to ensure that whenever variances within matrix D surpass a predefined threshold ${ϵ}^{\prime }$, a fake event, $e_{\mathrm{fake}}$, is integrated into ${\sum }_o$.

This intricate mechanism ensures a balance between maintaining $(ϵ,\xi )$-differential privacy mandates and upholding the system’s dynamic transitions. The core of this algorithm focuses on extracting the value $a_i$ from the observation matrix $A^{\prime }(Q_i\mid S)$ while concurrently formulating $z_i$ using $z_i\leftarrow {\sum }_{s\in Q_i}[Pr\left(s\right|\varphi (s_0^i,{\omega }^{\prime }))\times \rho (s,e)]$. Remarkably, despite its sophistication, Algorithm 4 boasts a computational efficiency with complexity of $O(k\times |S_v|\times n^3\times |{\sum }_o\left|\right)$, thereby encapsulating the essence of modern supervisory control-bridging privacy safeguards with system dynamism.

Theorem 3.

For the algorithm “Iterative supervisory control refinement for multiple initial states”, given a verifier $V_{\omega }^k=(S_v,{\sum }_o,{\delta }_v,S_0)$ and a positive integer k, the algorithm converges to a refined set of states in at most k iterations, ensuring that the differential between state transitions, as indicated by matrix D, remains below the threshold ${ϵ}^{\prime }$.

Proof. 

Initiating with $St$ set to the initial state $S_0$, the algorithm iteratively refines states, bounded by a maximum of k iterations. The matrix D captures state differentials, and the algorithm ensures that none of its entries surpass ${ϵ}^{\prime }$. If an entry in D breaches this threshold, a “fake event” is introduced, adjusting state transitions to bring the differential back within bounds.

The algorithm’s iterations (lines 10–18) either keep differentials in D under ${ϵ}^{\prime }$ or apply corrective mechanisms to achieve this. Hence, within k iterations, the algorithm guarantees that state transition differentials adhere to the threshold ${ϵ}^{\prime }$.    □

Algorithm 4: Iterative supervisory control refinement for multiple initial states

6. Numerical Case Study

This section presents a numerical case study that precisely illustrates the proposed methodology. The case study confirms the methodology’s effectiveness and applicability to discrete event systems modeled by probabilistic automata. A DES represented by probabilistic automata is shown in Figure 4, where ${\sum }_o=\{\alpha ,\beta ,\lambda ,\gamma ,\mu \}$, ${\sum }_{uo}=\left\{\tau \right\}$, ${\sum }_{fake}=\{{\alpha }^{\prime },{\beta }^{\prime },{\lambda }^{\prime },{\gamma }^{\prime },{\mu }^{\prime }\}$, and the initial states are: $\{s_0,s_1,s_2\}$. The verifier of this system is represented in Figure 5. Let $\mathrm{\Theta }\left(\alpha \right)=1$, $\mathrm{\Theta }\left(\beta \right)=2$, $\mathrm{\Theta }\left(\lambda \right)=3$, $\mathrm{\Theta }\left(\gamma \right)=4$, $\mathrm{\Theta }\left(\mu \right)=5$, $ϵ=0.14$, and $\xi =0.01$.

For $k^{\prime }=1$ and state $S_0$ in $V_{{\omega }^{\prime }}^k$: ${ϵ}_1^{\prime }=ϵe^{-0.01}=0.139.$

$$\begin{array}{cc}\hfill & T(S_0,\alpha )=1,T(S_0,\lambda )=2.\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_0\right\}|S_0\right)=(0.2,0.8);\hfill \\ & A^{\epsilon }\left(\left\{s_1\right\}|S_0\right)=(0.31,0.69);\hfill \\ & A^{\epsilon }\left(\left\{s_2\right\}|S_0\right)=(0.22,0.78).\hfill \end{array}$$

Probability differences are:

$$\begin{array}{cc}\hfill & (s_0,s_1)=(0.110,0.110);\hfill \\ \hfill & (s_1,s_2)=(0.090,0.090);\hfill \\ \hfill & (s_2,s_0)=(0.020,0.020).\hfill \end{array}$$

For $k^{\prime }=2$: ${ϵ}_2^{\prime }=ϵe^{-0.02}=0.136.$ For state $S_1$:

$$\begin{array}{cc}\hfill & T(S_1,\beta )=1,T(S_1,\lambda )=2,T(S_1,\gamma )=3.\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_0\right\}|S_0\right)\times A(S_0,S_1)=0.2;\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_1\right\}|S_0\right)\times A(S_0,S_1)=0.31;\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_2\right\}|S_0\right)\times A(S_0,S_1)=0.22.\hfill \end{array}$$

Then:

$$\begin{array}{cc}\hfill & A^{\epsilon }\left(\left\{s_4\right\}|S_1\right)=(0.2,0,0);\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_6\right\}|S_1\right)=(0.171,0.047,0.093);\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_7\right\}|S_1\right)=(0.220,0,0).\hfill \end{array}$$

Probability differences are:

$$\begin{array}{cc}\hfill & (s_4,s_6)=(0.029,0.047,0.093);\hfill \\ & (s_6,s_7)=(0.049,0.047,0.093);\hfill \\ & (s_7,s_4)=(0.020,0,0).\hfill \end{array}$$

For $k^{\prime }=2$ and state $S_2$:

$$\begin{array}{cc}\hfill & T(S_2,\beta )=1,T(S_2,\lambda )=2,T(S_2,\mu )=3.\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_0\right\}|S_0\right)\times A(S_0,S_2)=(0.2,0.8)\times {(0,1)}^T=0.8;\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_1\right\}|S_0\right)\times A(S_0,S_2)=(0.31,0.69)\times {(0,1)}^T=0.69;\hfill \\ \hfill & A^{\epsilon }\left(\left\{s_2\right\}|S_0\right)\times A(S_0,S_2)=(0.22,0.78)\times {(0,1)}^T=0.78.\hfill \end{array}$$

For $s_3$:

$$\begin{array}{c}{A}^{\lambda }\left(\left\{s_3\right\}\right|S_2)=0.8\times C_{\lambda }\left(\left\{s_3\right\}\right|S_2)=0.8(0.6,0,0.14)=(0.480,0,0.112);\hfill \\ \rho (s_3,\gamma )=0.26;\hfill \\ {\left(\rho (s_3,\gamma )\right)}^1\times A^{\lambda }\left(\left\{s_3\right\}\right|S_2)=0.26\times (0.48,0,0.11)=(0.125,0,0.029);\hfill \\ {\left(\rho (s_3,\gamma )\right)}^2\times A^{\lambda }\left(\left\{s_3\right\}\right|S_2)={\left(0.26\right)}^2\times (0.48,0,0.11)=(0.032,0,0.007).\hfill \end{array}$$

For $s_5$:

$$\begin{array}{c}{A}^{\lambda }\left(\left\{s_5\right\}\right|S_2)=0.69\times C_{\lambda }\left(\left\{s_5\right\}\right|S_2)=0.69(0.8,0,0)=(0.552,0,0);\hfill \\ \rho (s_5,\gamma )=0.2;\hfill \\ {\left(\rho (s_5,\gamma )\right)}^1\times A^{\lambda }\left(\left\{s_5\right\}\right|S_2)=0.2\times (0.55,0,0)=(0.110,0,0);\hfill \\ {\left(\rho (s_5,\gamma )\right)}^2\times A^{\lambda }\left(\left\{s_5\right\}\right|S_2)={\left(0.2\right)}^2\times (0.55,0,0)=(0.004,0,0).\hfill \end{array}$$

For $s_6$:

$$\begin{array}{c}{A}^{\lambda }\left(\left\{s_6\right\}\right|S_2)=0.8\times C_{\lambda }\left(\left\{s_6\right\}\right|S_2)=0.78(0.55,0.15,0)=(0.429,0.117,0);\hfill \\ \rho (s_6,\gamma )=0.3;\hfill \\ {\left(\rho (s_6,\gamma )\right)}^1\times A^{\lambda }\left(\left\{s_6\right\}\right|S_2)=0.3\times (0.43,0.12,0)=(0.129,0.036,0);\hfill \\ {\left(\rho (s_6,\gamma )\right)}^2\times A^{\lambda }\left(\left\{s_6\right\}\right|S_2)={\left(0.3\right)}^2\times (0.43,0.12,0)=(0.039,0.011,0).\hfill \end{array}$$

For $k^{\prime }=3$: ${ϵ}_3^{\prime }=ϵe^{-0.03}=0.132.$ For state $S_3$:

$$\begin{array}{ccc}\hfill & T(S_3,\alpha )=1,T(S_3,\beta )=2,T(S_3,\lambda )=3,T(S_3,\gamma )=4,T(S_3,\mu )=5.\hfill & \\ \hfill & A^{\alpha }\left(\left\{s_4\right\}\right|S_1)\times A(S_1,S_3)=(0.2,0,0)\times {(1,0,0)}^T=0.2;\hfill & \\ \hfill & A^{\alpha }\left(\left\{s_6\right\}\right|S_1)\times A(S_1,S_3)=(0.171,0.047,0.093)\times {(1,0,0)}^T=0.171;\hfill & \\ \hfill & A^{\alpha }\left(\left\{s_7\right\}\right|S_1)\times A(S_1,S_3)=(0.22,0,0)\times {(1,0,0)}^T=0.22.\hfill & \\ \hfill & A^{\alpha \beta }\left(\left\{s_9\right\}\right|S_3)=0.2\times C_{\alpha \beta }\left(\left\{s_9\right\}\right|S_3)=0.2\times (0,0.4,0,0.4,0.2)=(0,0.080,0,0.080,0.040);\hfill & \\ \hfill & A^{\alpha \beta }\left(\left\{s_{15}\right\}\right|S_3)=0.17\times C_{\alpha \beta }\left(\left\{s_{15}\right\}\right|S_3)=0.17\times (0.24,0,0.19,0.4,0.17);\hfill & \\ \hfill & =(0.041,0,0.032,0.068,0.029);\hfill & \\ \hfill & A^{\alpha \beta }\left(\left\{s_{11}\right\}\right|S_3)=0.22\times C_{\alpha \beta }\left(\left\{s_{11}\right\}\right|S_3)=0.22\times (0,0.25,0,0,0.75);\hfill & \\ \hfill & =(0,0.055,0,0,0.165).\hfill \end{array}$$

Probability differences are:

$$\begin{array}{cc}\hfill & (s_9,s_{15})=(0.041,0.080,0.032,0.012,0.011);\hfill \\ \hfill & (s_{15},s_{11})=(0.041,0.055,0.032,0.068,0.136);\hfill \\ \hfill & (s_{11},s_9)=(0,0.025,0,0.080,0.125).\hfill \end{array}$$

For $k^{\prime }=3$ and state $S_6$:

$$\begin{array}{cc}\hfill & T(S_6,\alpha )=1,T(S_6,\lambda )=2,T(S_6,\gamma )=3,T(S_6,\mu )=4.\hfill \end{array}$$

We then compute:

$$\begin{array}{cc}\hfill & A^{\lambda }\left(\left\{s_3\right\}|S_2\right)\times A(S_2,S_6)=0.480;\hfill \\ \hfill & A^{\lambda }\left(\left\{s_5\right\}|S_2\right)\times A(S_2,S_6)=0.552;\hfill \\ \hfill & A^{\lambda }\left(\left\{s_6\right\}|S_2\right)\times A(S_2,S_6)=0.429.\hfill \end{array}$$

Here, the probability of choosing either $\left(s_8\mathrm{or}{s}_{12}\right)$ by the ${\omega }^{\prime }$ = $\lambda \beta$ is conditional such that:

$$Pr\left(s_{12}\right|\varphi (s_0,\lambda \beta ))=\frac{0.48\times 0.55}{0.48\times 0.55+0.48}=0.355;$$

$$Pr\left(s_8\right|\varphi (s_0,\lambda \beta ))=\frac{0.48}{0.48\times 0.55+0.48}=0.645.$$

Next, we have:

$$\begin{array}{cc}\hfill A^{\lambda \beta |}\left(\{s_8,s_{12}\}|S_6\right)& =0.48\times C_{\lambda \beta }\left(\{s_8,s_{12}\}\right|S_6)=\hfill \\ \hfill A^{\lambda \beta |}\left(\{s_8,s_{12}\}|S_6\right)& =(0.218,0.139,0.146,0.143);\hfill \\ \hfill A^{\lambda \beta }\left(\left\{s_{10}\right\}|S_6\right)& =(0.221,0.121,0.044,0.165);\hfill \\ \hfill A^{\lambda \beta }\left(\left\{s_{15}\right\}|S_6\right)& =(0.103,0.081,0.172,0.073).\hfill \end{array}$$

Probability differences are:

$$\begin{array}{cc}\hfill & (\{s_8,s_{12}\},s_{10})=(0.003,0.018,0.102,0.022);\hfill \\ \hfill & (s_{10},s_{15})=(0.118,0.040,0.128,0.920);\hfill \\ \hfill & (s_{15},\{s_8,s_{12}\})=(0.115,0.058,0.026,0.070).\hfill \end{array}$$

Based on the numerical investigation conducted, the automaton ${\mathcal{G}}^{\#}$ satisfies the $(ϵ,\xi )$-differential privacy condition for $k^{\prime }=1$ with ${ϵ}_1^{\prime }=0.139$ and for $k^{\prime }=2$ with ${ϵ}_2^{\prime }=0.136$. However, the $(ϵ,\xi )$-differential privacy condition is not met for $k^{\prime }=3$ with ${ϵ}_3^{\prime }=0.132$ between the pair $(s_{15},s_{11})$. For the state $s_{11}$, triggering the fake ${\mu }^{\prime }$ via supervisory control such that: $\mathrm{\Phi }(s_{11},{\mu }^{\prime })=(s_{11},{\mu }^{\prime })$, will lead to redistribution of events probabilities as follows: $(0,0.225,0,0,0.675,0.1)$. By triggering ${\mu }^{\prime }$ at state $s_{15}$ such that $\mathrm{\Phi }(s_{15},{\mu }^{\prime })=(s_{15},{\mu }^{\prime })$, the adjusted transitions probabilities are as follows: $(0.216,0,0.171,0.36,0.153,0.1).$ Now, we are computing the transformed probabilities, taking into account the effect of the triggered fake event ${\mu }^{\prime }$:

$$\begin{array}{ccc}\hfill & A^{\alpha \beta }\left(\left\{s_{11}\right\}\right|S_3)=0.22\times (0,0.225,0,0,0.675)=(0,0.050,0,0,0.149,0.022);\hfill & \\ \hfill & A^{\alpha \beta }\left(\left\{s_{15}\right\}\right|S_3)=0.171\times (0.216,0,0.171,0.36,0.153)\hfill & \\ \hfill & =0.037,0,0.029,0.062,0.026,0.017);\hfill & \\ \hfill & A^{\alpha \beta }\left(\left\{s_9\right\}\right|S_3)=0.2\times (0,0.4,0,0.4,0.2,0)=(0,0.080,0,0.080,0.040).\hfill \end{array}$$

Based on the above, the supervisory mechanism successfully enforces the $(ϵ,\xi )$-differential privacy for $k^{\prime }=3$ with ${ϵ}_3^{\prime }=0.132$.

7. Conclusions

Our study marks a significant advancement in probabilistic automata, introducing a verification protocol aimed at protecting initial states. Utilizing advanced mathematical methods, this protocol evaluates privacy risks in event sequences and incorporates a supervisory control to maintain privacy without sacrificing system functionality. Looking ahead, we plan to explore the integration of probabilistic automata with dynamic concealment frameworks, focusing on adaptability and responsiveness in various system environments.

Despite these advancements, we recognize areas needing further exploration and improvement. Managing the complexity of multiple initial states in probabilistic automata is challenging, particularly regarding scalability and efficiency in larger systems. The reliance on precise observation sequences is another critical aspect, as any inaccuracies could undermine the reliability of our privacy assurances. The resource-intensive nature of our approach also necessitates consideration, especially in settings with limited resources. Additionally, enhancing the model’s adaptability to dynamic systems with frequently changing initial states and behaviors is a crucial future direction. Finally, broadening the methodology’s applicability to diverse systems and domains remains an essential goal.

Thus, while our research establishes a solid foundation for differential privacy in discrete event systems using probabilistic automata, it also underscores the need for continuous advancements in complexity management, observation accuracy, resource optimization, adaptability, and application scope. These areas will be central to our ongoing research efforts in this evolving field.