Resilient Control under Denial-of-Service:Robust Design

In this paper, we study networked control systems in the presence of Denial-of-Service (DoS) attacks, namely attacks that prevent transmissions over the communication network. The control objective is to maximize frequency and duration of the DoS attacks under which closed-loop stability is not destroyed. Analog and digital predictor-based controllers with state resetting are proposed, which achieve the considered control objective for a general class of DoS signals. An example is given to illustrate the proposed solution approach.


I. INTRODUCTION
Owing to advances in computing and communication technologies, recent years witnessed a growing interest towards cyber-physical systems (CPSs), i.e., systems where physical processes are monitored/controlled via embedded computers and networks, possibly with feedback loops that are implemented on wireless platforms [1], [2].The concept of CPSs is certainly appealing for industrial process automation; however, it raises many theoretical and practical challenges.In particular, the concept of CPSs has triggered considerable attention towards networked control in the presence of cyber attacks.In fact, unlike general-purpose computing systems where attacks limit their impact to the cyber realm, attacks to CPSs can affect the physical world: if the process under control is open-loop unstable, failures in the plant-controller communication can result in environmental damages.
The concept of cyber-physical security mostly concerns security against malicious attacks.There are varieties of attacks such as Denial-of-Service attacks, zero-dynamics attacks, bias injection attacks, to name a few [3].The last two are examples of attacks affecting the integrity of data, while Denial-of-Service attacks are meant to compromise the availability of data.
This paper is concerned with Denial-of-Service (DoS) attacks.We consider a sampled-data control system in which the measurement channel (sensor-to-controller channel) is networked; the attacker objective is to induce closed-loop instability by interrupting the plant-controller communication.In wireless networks, this can be caused by emitting intentional noise, also known as jamming, examples being constant, random and protocol-aware jamming [4]- [6].It is generally accepted that communication failures induced by DoS can have a temporal profile quite different from the one exhibited by genuine packet losses, as assumed in the majority of studies on networked control; in particular, communication failures induced by DoS need not follow a Shuai Feng and Pietro Tesi are with ENTEG, Faculty of Mathematics and Natural Sciences, University of Groningen, 9747 AG Groningen, The Netherlands s.feng@rug.nl,p.tesi@rug.nl.
given class of probability distributions [7].This raises new theoretical challenges from the perspective of analysis as well as control design.
In the literature, several contributions have been proposed dealing with networked control under DoS.In [7], [8], the authors consider the problem of finding optimal control and attack strategies assuming a maximum number of jamming actions over a prescribed (finite) control horizon.A similar formulation is considered in [9], where the authors study zero-sum games between controllers and strategic jammers.In [10], [11], the authors consider DoS attacks in the form of pulse-width modulated signals.The goal is to identify salient features of the DoS signal such as maximum on/off cycle in order to suitably schedule the transmission times.For the case of periodic jamming (of unknown period and duration), identification schemes are proposed for de-synchronizing the transmission times from the DoS signal.
In [12], [13], a framework is introduced where no assumption is made regarding the DoS attack underlying strategy.A general attack model is considered that only constrains the attacker action in time by posing limitations on the frequency of DoS attacks and their duration.The main contribution is an explicit characterization of frequency and duration of the DoS attacks under which closed-loop stability can be preserved by means of state-feedback policies.Building on the results in [12], extensions have been considered dealing with dynamic controllers [14], nonlinear [15] and distributed [16] systems.Recently, a similar formulation has been adopted in the context of DoS-resilient event-triggered control [17]; see also [14].
From the perspective of securing robustness against DoS, static feedback has inherent limitations.In fact, using static feedback one generates control updates only when new measurements become available.Intuitively, this limitation can be overcome by considering dynamic controllers.In particular, a natural approach is to equip the control system with prediction capabilities so as reconstruct the missing measurements from available data during the DoS periods.Prompted by the above considerations, this paper discusses the design of predictor-based controllers in the context of DoS-resilient networked control.Inspired by recent results on finite-time state observers [18], [19], we focus the attention on impulsive-like predictors consisting of dynamical observers with measurements-triggered state resetting.Both analog and digital implementations are discussed, and compared.
While the idea of using predictor-based controllers is intuitive, the result is perhaps surprising.In fact, this paper arXiv:1603.02564v2[cs.SY] 15 Mar 2016 shows that impulsive-like predictors make it possible to maximize the amount of DoS that one can tolerate for the class of DoS signals introduced in [12], [13].
The paper is organized as follows.In Section II, we describe the framework of interest, and outline the paper contribution.Section III presents the main results.We first design analog predictor-based controllers and discuss the conditions under which stability is guaranteed.Second, we design digital predictor-based controllers and characterize sampling rate of the digital device and stability conditions.In Section IV, an example is discussed.Section V ends the paper with concluding remarks and possible extensions to the present research.

A. Notation
We denote by R the set of reals.Given α ∈ R, we let R >α (R ≥α ) denote the set of reals greater than (greater than or equal to) α.We let N 0 denote the set of nonnegative integers, N 0 := {0, 1, . ..}.The prime denotes transpose.Given a vector v ∈ R n , v is its Euclidean norm.Given a matrix M , M is its spectral norm.Given two sets A and B, we denote by B\A the relative complement of A in B, i.e., the set of all elements belonging to B, but not to A. Given a measurable time function f : R ≥0 → R n and a time interval [0, t) we denote the

A. Process dynamics and network
The process to be controlled is given by where t ∈ R ≥0 ; x ∈ R n is the state, u ∈ R m is the control input and y ∈ R p is measurement vector; A and B are matrices of appropriate size with (A, B) is stabilizable; d ∈ R n and n ∈ R p are unknown (bounded) disturbance and noise signals, respectively.
We assume that the measurement channel is networked and subject to Denial-of-Service (DoS) status.The former implies that measurements are sent only at discrete time instants.Let {t k } k∈N0 = {t 0 , t 1 , . ..} denote the sequence of transmission attempts.Throughout the paper, we assume for simplicity that the transmission attempts are carried out periodically with period ∆, i.e., with t 0 = 0 by convention.The more general case of aperiodic transmission policies can be pursued along the lines of [13].We refer to DoS as the phenomenon for which some transmission attempts may fail.In this paper, we do not distinguish between transmissions that fail due to channel unavailability (e.g., caused by radio-frequency jammers in protocols employing carrier sensing as medium access policy) and transmissions that fail due to DoS-induced packet corruption.We shall denote by {z m } m∈N0 = {z 0 , z 1 , . ..}, z 0 ≥ t 0 , the sequence of time instants at which samples of y are successfully transmitted.

B. Control objective
The objective is to design ∆ and a controller K, possibly dynamic, in such a way that the closed-loop stability is maintained despite the occurrence of DoS periods.In this paper, by closed-loop stability we mean that all the signals in the closed-loop system remain bounded for any initial condition x 0 and bounded noise and disturbance signals, and converge to zero in the event that noise and disturbance signals converge to zero.

C. Assumptions −Time-constrained DoS
Clearly, the problem in question does not have a solution if the DoS amount is allowed to be arbitrary.Following [13], we consider a general DoS model that constrains the attacker action in time by only posing limitations on the frequency of DoS attacks and their duration.Let {h n } n∈N0 , h 0 ≥ 0, denote the sequence of DoS off/on transitions, i.e., the time instants at which DoS exhibits a transition from zero (transmissions are possible) to one (transmissions are not possible).Hence, represents the n-th DoS time-interval, of a length τ n ∈ R ≥0 , over which the network is in DoS status.If τ n = 0, then H n takes the form of a single pulse at h n .Given τ, t ∈ R ≥0 with t ≥ τ , let n(τ, t) denote the number of DoS off/on transitions over [τ, t[, and let denote the subset of [τ, t] where the network is in DoS status.We make the following assumptions.Assumption 1: (DoS frequency).There exist constants η ∈ R ≥0 and for all τ, t ∈ R ≥0 with t ≥ τ .Remark 1: The rationale behind Assumption 1 is that occasionally DoS can occur at a rate faster than ∆ but the average interval between consecutive DoS triggering is greater than ∆.By (5), one may in fact have intervals where h n+1 − h n ≤ ∆, hence intervals where n(τ, t) is greater than or equal to the maximum number (t − τ )/∆ of transmission attempts that may occur within [τ, t[.However, over large time windows, i.e., when the term (t − τ )/τ D is predominant compared to η, the number of DoS triggering is at most of the order of (t − τ )/τ D .Assumption 2 expresses a similar requirement with respect to the DoS duration.In fact, it expresses the property that, on the average, the time instants over which communication is interrupted do not exceed a certain fraction of time, as specified by the constant T ∈ R >1 .Similarly to η, the constant κ ∈ R ≥0 plays the role of a regularization term.It is needed because during a DoS interval, one has Accordingly, κ serves to make (6) consistent.Assumptions 1 and 2 are general enough to capture many different types of DoS attacks, including trivial, periodic, random and protocol-aware jamming attacks [5], [6]; see [13] for a more detailed discussion.
Remark 2: Unless other conditions are imposed, both the requirements τ D > ∆ and T > 1 are necessary in order for the stabilization problem to be well-posed.In fact, if τ D = ∆ then the DoS signal characterized by the pair (h n , τ n ) = (t k , 0) satisfies Assumptions 1 and 2 with η = 1, κ = 0 and T = ∞ but destroys any communication attempt.Likewise, in case T = 1 then the DoS signal characterized by (h 0 , τ 0 ) = (0, ∞) satisfies Assumptions 1 and 2 with η = 1, κ = 0 and τ D = ∞ but destroys any communication attempt.

D. Previous work and paper contribution
In [13], the problem of achieving robustness against DoS has been analyzed for the case of static feedback laws where K is a state-feedback matrix designed in such a way that all the eigenvalues of Φ = A + BK have negative real part.For this scenario, a characterization of stabilizing transmission policies was given.We summarize below this result.
Theorem 1: Consider the process (1) under a control action as in (7).Given any positive definite symmetric matrix Q, let P denote the solution of the Lyapunov equation Φ P + P Φ + Q = 0. Let the transmission policy in (2) be such that when µ A > 0, and when µ A ≤ 0, where µ A is the logarithmic norm of A and σ is a positive constant satisfying γ 1 − σγ 2 > 0, where γ 1 is equal to the smallest eigenvalue of Q and γ 2 := 2P BK .Then, the closed-loop system is stable for any DoS sequence satisfying Assumption 1 and 2 with arbitrary η and κ, and with τ D and T such that where ω 1 := (γ 1 − γ 2 σ)/2α 2 and ω 2 := 2γ 2 /α 1 , where α 1 and α 2 denote the smallest and largest eigenvalue of P , respectively.Inequality (10) provides an explicit characterization of the robustness degree against DoS that static feedback policies can achieve.This characterization relates the DoS parameters τ D and T with the transmission period ∆ and the control system parameters via ω 1 and ω 2 , which depend on choice of the state-feedback matrix K.
Clearly, increasing the right-hand side of (10) increases the amount of DoS that the control system can tolerate.However, with static feedback it is difficult to obtain large values for the right-hand side of (10).The underlying reason is that static feedback has the inherent limitation of generating control updates only when new measurements become available, and this possibly reflects in small values for the right-hand side of (10).Intuitively, this limitation can be overcome by equipping the controller with prediction capabilities, with the idea of compensating DoS by reconstructing the missing measurements from available data.In the next section, it is shown that using predictor-based controllers one can achieve closed-loop stability whenever holds true.While the idea of using predictor-based controllers is intuitive, the result is perhaps surprising.In fact, this is the best possible bound that one can achieve for DoS signals satisfying Assumption 1 and 2. Indeed

III. MAIN RESULTS
In Section III-A, we discuss one technical result which is fundamental for the developments of the paper.The theoretical analysis for analog predictor-based controllers is presented in Section III-B, while in Section III-C we will further extend our work to digital implementations.

A. Key lemma
The following lemma relates DoS parameters and time elapsing between successful transmissions.
Lemma 1: Consider a transmission policy as in (2), along with a DoS signal satisfying Assumption 1 and 2. If (11) holds true, then the sequence of successful transmissions satisfies z 0 ≤ Q and z m+1 − z m ≤ Q + ∆ for all m ∈ N 0 , where Proof.We first define some auxiliary quantities.Let Hn := {h n } ∪ [h n , h n + τ n + ∆[ represent the n-th DoS interval prolonged by one sampling.For any interval [τ, t], let Ξ(τ, t) := n∈N0 Hn [τ, t] and Θ(τ, t) := [τ, t]\ Ξ(τ, t).The main idea for the proof relies on the following argument.Given h n , we have which leads to a contradiction.Based on these arguments, the proof can be readily finalized.Consider first z 0 ≤ Q.If t 0 is successful then the claim holds trivially.Suppose instead that t 0 is unsuccessful, i.e., h 0 = 0.By the above arguments we have one successful transmission no later than h 0 +Q and, hence, no later than Q.Consider next z m+1 − z m ≤ Q + ∆.If z m + ∆ is successful, then the claim holds trivially.Suppose instead that z m + ∆ is unsuccessful.Since z m is successful a DoS must occur within ]z m , z m +∆].Hence, we must have h n ∈]z m , z m +∆] for some n ∈ N 0 .By the above arguments we have one successful transmission no later than h n + Q and, hence, no later than z m + Q + ∆.
Remark 3: In the absence of DoS, when T = τ D = ∞ and κ = η = 0, Q becomes zero.In fact, in the absence of DoS, Lemma 1 simply describes the functioning of a standard periodic transmission policy.

B. Analog predictor-based controller
The considered predictor-based controller consists of two parts: prediction and state-feedback.As for the prediction part, we consider an impulsive predictor, whose dynamics are given by with initial condition where t ∈ R ≥0 and m ∈ N 0 .By construction the solution x is continuous from the right everywhere.
The state-feedback matrix is an arbitrary matrix K such that all the eigenvalues of Φ = A + BK have negative real part.Then, the control input applied to the process (and the predictor) is given by where t ∈ R ≥0 .
The predictor differs from a classical asymptotic observer due to the measurements-triggered jumps in the state.The reason for considering an impulsive-like predictor rather than an asymptotic one is the following.Let where t ∈ R ≥0 .The process dynamics can be therefore expressed as where t ∈ R ≥0 .Consider any symmetric positive definite matrix Q, and let P be the solution of the Lyapunov equation Its derivative along the solutions to (18), satisfies for all t ∈ R ≥0 , where γ 1 is the smallest eigenvalue of Q, γ 2 := 2P BK and γ 3 := 2P .From the last expression one sees that stability depends on the magnitude of e.In this respect, the dynamics of e obeys where t ∈ R ≥0 and m ∈ N 0 .One sees from the second equation of ( 20) that resetting the predictor state makes it possible to reset e to a bounded value whenever a new measurement becomes available.In turns, Lemma 1 ensures that a resetting does always occur in a finite time.These two properties guarantee boundedness of e for all t ≥ z 0 .
In particular, we have the following result.
Lemma 2: Consider the process (1) with predictor-based controller ( 14)-( 16) under a transmission policy as in (2).Consider any DoS sequence satisfying Assumption 1 and 2 with arbitrary η and κ, and with τ D and T satisfying (11).Then, there exists a positive constant ρ such that e(t) ≤ ρ w t ∞ for all t ∈ [z m , z m+1 [, where the second inequality follows from Lemma 1.If instead µ A > 0, we have where the second inequality follows again from Lemma 1.Hence, we conclude that the claim holds with if µ A ≤ 0, and with Exploiting Lemma 2, we obtain the following stability result for analog controller implementations.
Theorem 2: Consider the process (1) with predictor-based controller ( 14)-( 16) under a transmission policy as in (2).Then, the closed-loop system is stable for any DoS sequence satisfying Assumption 1 and 2 with arbitrary η and κ, and with τ D and T satisfying (11).
Proof.Consider the closed-loop dynamics for all t ≥ z 0 .Notice that z 0 exists finite by virtue of Lemma 1.In view of (19) and Lemma 2, we have for all t ∈ R ≥z0 , where γ 4 := γ 2 ρ + γ 3 .
Observe that for any positive real β, the Young's inequality yields Using this inequality with β = γ 4 /γ 1 , straightforward calculations yield for all t ∈ R ≥z0 , where ω 1 := γ 1 /(2α 2 ) and γ 5 := γ 2 4 /(2γ 1 ), where α 2 denotes the largest eigenvalue of P .Accordingly, we obtain for all t ∈ R ≥z0 .This shows that x remains bounded because z 0 exists finite in view of Lemma 1.In turns, this implies that also x remains bounded.Moreover, in the event that disturbance and noise signals converge to zero, (20) implies that e converges to zero.In turns, (19) implies that both x and x also converge to zero.
Remark 4: The considered controller yields quite strong stability properties, namely global exponential stability with linear bounds on the map from the disturbance and noise signals to the process state.It is also interesting to observe that, as long as the triplet (τ D , T, ∆) satisfies ( 11), ∆ can be chosen arbitrarily (though large values of ∆ may affect the performance via γ 5 , which depends on ρ).In particular, in the absence of DoS when T = τ D = ∞ and κ = η = 0, then ( 11) is satisfied for any bounded value of ∆.This is due to the controller state resetting mechanism.

C. Digital predictor-based controller
In this section, we extend the control algorithm to a digital implementation.The substantial difference between analog and digital implementations is that in the latter the control action can be updated only at a finite rate.Because of this, Lemma 2 does not hold any longer.As we will see, in order to recover a boundedness inequality similar to the one in Lemma 2, constraints have to be enforced on the sampling rate of the digital controller.
Consider a digital controller with sampling rate where b is any positive integer.Choosing the controller sampling rate as a submultiple of ∆ makes it possible to implement the controller as a sampled-data version of ( 14), which is synchronized with the network transmission rate.
Let A δ = e Aδ and B δ = δ 0 e Aτ Bdτ .The digital predictor is given by where q ∈ N 0 .
The control action is given by where q ∈ N 0 .Similar to the analog implementation, also the digital implementation is equipped with a state resetting mechanism.Due to the discrete nature of the update equations, the resetting mechanism is implemented using an auxiliary variable α.
The stability analysis follows the same steps as in the previous case.Let where t ∈ I q := [qδ, (q + 1)δ[, q ∈ N 0 .Hence, the process dynamics satisfies for all t ∈ I q .
Given any symmetric positive definite matrix Q, let P be the solution of the Lyapunov equation Φ P + P Φ + Q = 0. Let V (x) = x P x.Its derivative along the solutions to (35), satisfies for all t ∈ I q , where γ 1 is the smallest eigenvalue of Q, γ 2 := 2P BK and γ 3 := 2P .As in the previous case, stability depends on the magnitude of φ.In this respect, the dynamics of φ satisfies for all t ∈ I q .The differential equation in (37) differs from its analog counterpart in (20) due to the extra term Φα(qδ).Because of this, Lemma 2 breaks down.In order to recover a property similar to the one established in Lemma 2, constraints have to be enforced on the sampling rate of the digital controller.This is consistent with intuition, and simply indicates that the rate of control updates has to be sufficiently fast.In this respect, letting δ = ∆/b allows to differentiate between controller sampling rate and transmission rate, maintaining ∆ possibly large.Lemma 3: Consider the process (1) with predictor-based controller (32)-(33) under a transmission policy as in (2).Consider any DoS sequence satisfying Assumption 1 and 2 with arbitrary η and κ, and with τ D and T satisfying (11).Let the controller sampling rate be such that when µ A > 0, and when µ A ≤ 0, where µ A is the logarithmic norm of A and σ is a positive constant satisfying γ 1 − σγ 2 > 0, where γ 1 is equal to the smallest eigenvalue of Q and γ 2 := 2P BK .Then, there exists a positive constant ρ such that for all t ∈ R ≥z0 .
Proof.Consider any interval [z m , z m+1 [, m ∈ N 0 , and any controller sampling instant qδ ∈ [z m , z m+1 [.The proof is divided into two steps.In the first step, we provide an upper bound on the error dynamics φ at the controller sampling time qδ.Second, we provide an upper bound on the error dynamics φ between controller inter-samplings.In turns, this provides an upper bound on φ over the whole interval [z m , z m+1 [, and, hence, over R ≥z0 .
For the sake of convenience, we will relate a controller update instant qδ with a successful transmission instant z m via the expression where p ∈ N 0 .This is always possible since δ = ∆/b.We start by deriving an upper bound on φ(qδ).It is simple to verify that the dynamics of the variable α in the controller equations satisfies In fact, between two successful transmissions, α coincides with x, which evolves like a classical linear time-invariant discrete-time system.On the other hand, where the second equality is obtained using the change of variable s = z m + (k + 1)δ − τ .
We can now obtain an upper bound on φ(qδ).Specifically, since by hypothesis qδ ∈ [z m , z m+1 [, we have where ρ is defined as in Lemma 2.
We can now provide an upper bound on φ between controller inter-samplings.Let Integrating (37) over the interval I q , we obtain φ(t) ≤ e A(t−qδ) φ(qδ) for all t ∈ I q , where ρ := max{e µ A δ , 1}.
Based on Lemma 3 the following result can be stated, which provides a natural counterpart of Theorem 2.
Theorem 3: Consider the process (1) with predictor-based controller (32)-(33) under a transmission policy as in (2).Let the controller sampling rate be chosen as in Lemma 3.Then, the closed-loop system is stable for any DoS sequence satisfying Assumption 1 and 2 with arbitrary η and κ, and with τ D and T satisfying (11).
Compared with the analog implementation, one sees that the digital implementation does only require a proper choice of the controller sampling rate.On the other hand, it achieves the same robustness properties of the analog implementation.By Lemma 3, admissible values for the controller sampling rate can be explicitly computed from the parameters of the control system.

IV. EXAMPLE
The numerical example is taken from [20].The system to be controlled is open-loop unstable and is characterized by the matrices The state-feedback matrix is given by The control system parameters are γ The network transmission rate is given by ∆ = 0.1s.Both analog and digital controllers are considered.As for the digital implementation, in accordance with Lemma 3, we must select σ such that σ < 0.4744.According to (38), we obtain the constraint δ < 0.1508.We select δ = 0.01s so that δ is sufficiently small, and in order to synchronize the controller sampling rate with ∆.
Figure 1 shows simulation results, which compare the static feedback law (7) with the predictor-based controllers ( 14)-( 16) and (32)-(33).We consider a sustained DoS attack with variable period and duty cycle, generated randomly.Over a simulation horizon of 50s, the DoS signal yields |Ξ(0, 50)| = 38.8sand n(0, 50) = 52.This corresponds to values (averaged over 50s) of τ D ≈ 0.96 and T ≈ 1.29, and ∼ 80% of transmission failures.For the predictor-based controllers, the stability requirement is satisfied since On the other hand, the DoS parameters do not satisfy the stability requirement for the pure static feedback law, which is (cf.( 10)) The theoretical bound for the case of pure static feedback is conservative (indeed, simulations show that (7) ensures closed-loop stability for the system in (53) up to ∼ 40% of transmission failures).Nonetheless, the improvement given by predictor-based controllers is significant.In fact, while the system undergoes instability with (7), the performance level provided by ( 14)-( 16) and (32)-( 33) is very high despite the sustained DoS attack.It is worth noting that while stability is independent on the magnitude of disturbance and noise signals, performance is not.As shown in Figure 2, noise significantly impacts on the accuracy of the state estimate, and, hence, on the closed-loop behavior during DoS status; cf. the paper conclusions.

V. CONCLUDING REMARKS
In this paper, we investigated the problem of designing DoS-resilient control systems.It was shown that the use of dynamical observers with state resetting mechanism makes it possible to maximize the amount of DoS that one can tolerate for a general class of DoS signals.Both analog and digital implementations have been discussed, the latter requiring a suitable choice of the controller sampling rate.
The results presented in this paper can be extended in various directions.We envision the use of a similar control architecture for the case of partial state measurements, via the approach considered in [18].Another interesting study concerns performance robustness against measurement noise, which is the main factor affecting the quality of the process state estimation.The recent results in [21] may prove relevant in this regard.
, if we denote by S(τ D , T ) the class of DoS signals for which (11) is not satisfied, then S(τ D , T ) does always contain DoS signals for which stability is destroyed.Examples are DoS signals characterized by (τ D , T ) = (∆, ∞) and (τ D , T ) = (∞, 1); cf.Remark 2.

Fig. 2 .
Fig. 2. Simulation results for the example in case disturbance and noise are random signals with uniform distribution in [−0.01, 0.01].Top: Analog controller; Bottom: Digital Controller.
13)for all t ≥ h n where the first inequality follows from the definition of the set Ξ(τ, t) while the second inequality follows from Assumption 1 and 2. Notice that | Θ(h n , t)| > 0 implies that [h n , t] contains at least one successful transmission.This is because | Θ(h n , t)| > 0 implies that [h n , t] contains a DoS-free interval of length greater than ∆.We claim that a successful transmission does always occur within[h n , h n + Q].To this end, suppose that the claim is false and let t * denote the last transmission attempt occurring within [h n , h n + Q].Since t * is unsuccessful | Θ(h n , t * )| = 0.Moreover, this also implies | Θ(h n , t * + ∆)| = 0.This is because, if t * is unsuccessful then it must be contained in a DoS interval, say H q , so that [t * , t * + ∆[⊆ Hq .However, since t * + ∆ > h n + Q we also have