Expert Systems With Applications 237 (2024) 121454

Contents lists available at ScienceDirect

Expert Systems With Applications

journal homepage: www.elsevier.com/locate/eswa

Adjacent initial states-based differential privacy for probabilistic labeled

Petri nets
Yuanxiu Teng, Li Yin ∗, Zhiwu Li, Naiqi Wu
Institute of Systems Engineering, Macau University of Science and Technology, Taipa 999078, Macao Special Administrative Region of China

ARTICLE INFO ABSTRACT

Keywords: Privacy protection has received widespread attention from the community of discrete event systems to protect
Discrete event system the sensitive information of users or organizations from being leaked. The existing privacy protection methods
Privacy protection cannot protect the state information of probabilistic discrete event systems via repeated observations, which
Probability distribution
represents the information pertaining to system resource configurations. This work introduces differential
Supervisory control
privacy into the framework of probabilistic labeled Petri nets to solve the problems pertaining to the initial
state protection. For two initial states that are adjacent under a specified measure, a state differential privacy
verification method is proposed by determining whether the probability distributions of observations generated
from adjacent initial states are similar. An external attacker is unlikely to infer the initial state via repeated
observations if the system satisfies state differential privacy for certain adjacent initial states. For a probabilistic
labeled Petri net, which does not satisfy state differential privacy, a supervisory control method is proposed for
enforcement. A maximally permissive controller can be constructed based on the control specification proposed
in this paper. Experimental studies show that the method proposed in the paper can effectively protect the
privacy of given adjacent initial states.

1. Introduction However, in many applications, the system output is non-numerical,

In the era of big data, privacy protection has become a fundamental
concern for Internet users and organizations. Preventing privacy leak-
age has been a focus of researchers and practitioners (Fiore & Russo,
2019; Li et al., 2023; Varghese & Sasikala, 2023). A technique for
anonymizing data called 𝐾-anonymity is reported to protect the secu-
rity of personal information (Sweeney, 2002). However, an attacker can
associate the known data with the existing background knowledge such
that the removed identity information can be recovered or exposed,
which causes the leakage of personal privacy. To solve this problem,
differential privacy is proposed to protect the sensitive data of an
information-safety-critical system by injecting a desirable amount of
noise into the response to a query, e.g., the noise satisfying the Laplace
distribution (Gu & Zhang, 2023; Hassan et al., 2020; Jiang et al.,
2023). Differential privacy has been extensively serving as an effective
privacy-preserving strategy to protect privacy by making it unlikely
for an attacker or an external observer to distinguish the output of
two adjacent data sets. The existing approaches to differential privacy
almost focus on real-valued functions, and output similar real-value
results for two input data sets differing by a single record (McSherry,
2010; Soria-Comas et al., 2017; Yin et al., 2018; Zhu et al., 2017).
e.g., the produced models or classifiers in machine learning. The notion
of differential privacy can be applied to non-numerical data using the
exponential mechanism to make the random responses satisfy a certain
probability distribution (Dwork, 2008). Differential privacy provides a
higher level of semantic security for private information. Consequently,
the introduction to differential privacy in the community of discrete
event systems (DESs) is of great significance for privacy protection.
DESs are extensively treated as the models of cyber–physical sys-
tems that often involve a wide spectrum of events, ranging from
lower-level signals to higher-level abstract events (Hu & Cao, 2023;
Yang et al., 2020; Yang & Li, 2018). The behavior of a DES is character-
ized by the generated language that is obviously non-numerical thanks
to the inherent features of its dynamics (Arichi et al., 2022; Wang et al.,
2022; Yu et al., 2022). Differential privacy is not achieved by adding
noise to the generated language of a DES due to the characteristics of
DESs. The privacy of a DES mainly includes the state and language
information, which needs to be concealed from observers in some cases.
To the best of our knowledge, the verification and implementation
of differential privacy in DESs have not been well defined and fully
explored.

∗ Corresponding author.
E-mail addresses: [email protected] (Y. Teng), [email protected] (L. Yin), [email protected] (Z. Li), [email protected]
(N. Wu).

https://doi.org/10.1016/j.eswa.2023.121454
Received 14 June 2023; Received in revised form 2 August 2023; Accepted 2 September 2023
Available online 7 September 2023
0957-4174/© 2023 Elsevier Ltd. All rights reserved.
Y. Teng et al.
To protect the language information of a deterministic transition
system (a standard model of DESs) whose output is strings or words
of symbols (non-numerical), an exponential mechanism is developed
to obfuscate a sensitive string using a randomly chosen string that is
likely to be near to it (Jones et al., 2019). The notion of ‘‘near’’ is
evaluated by the Levenshtein distance, which is used to control the
similarity or nearness of a sensitive string and its output counterpart.
By using the framework of differential privacy, the work provides a
guarantee that privatized behavior (information) will reveal nothing
meaningful regarding the underlying sensitive behavior (information).
However, this method fails to define and protect the state information
of a symbolic control system, which motivates us to borrow the idea
of differential privacy to the DES area for state information protection.
Petri nets are a graphical modeling tool for DESs with solid mathemati-
cal support and can well analyze stochastic or timed systems (Cabasino
et al., 2014; Ding et al., 2018; Ma et al., 2020). In this work, we focus on
the privatization of the initial state of DESs modeled with probabilistic
Petri nets.
The initial state of a real-world DES usually represents its initial
resource configuration, whose protection is of great significance. For
example, in sequential auctions, the pre-determined auction sequence
of items to be auctioned tremendously affects the strategic considera-
tions of both bidders and auctioneers. Auctioneers do not want that the
auction sequence can be estimated by bidders based on the auctioned
items. The initial state protection has received much attention from
the community of DESs. The existing methods for protecting the initial
state of a DES are developed through the formation of the notion of
initial-state opacity (Basile et al., 2023; Tong et al., 2017a; Zhu et al.,
2018). It is assumed that a malicious attacker (observer) fully knows the
structure of a system, but only partially observes the event occurrences
in it (unobservable events are invisible to the attacker). The attacker
does not know the initial state unless it can be inferred by observations.
Given a secret described by a set of states, a system is said to be initial-
state opaque with respect to the secret if the attacker is never able to
infer that the initial state of the system is within the secret. However,
some systems may be repeatedly observed by an external observer.
An external observer can initialize a system multiple times to observe
its behavior for a certain initial state. The initial state information of
a DES under the probabilistic framework cannot be protected by the
existing methods, as the initial state can be inferred via the probability
distribution of the language generated from the system by an external
attacker. Compared with the initial-state opacity methods, differential
privacy can protect similar initial resource configurations modeled by
adjacent initial states.
Research Gap and Innovation: The verification and implementa-
tion of differential privacy in DESs have not been well defined and fully
explored. The documented results listed in Table 1 do not consider
differential privacy and state information protection simultaneously
in the DES framework. The existing literature uses the framework
of differential privacy to protect sensitive language information of a
symbolic control system. However, the current study does not consider
the problems pertaining to the initial state protection for repeatedly
observable DESs. We propose a probabilistic model, called probabilistic
labeled Petri nets (PLPNs), to estimate the likelihood of specific events
occurring. If the probability distributions of observations generated
from the two initial states that are adjacent under a specified measure
are similar, an attacker is unlikely to distinguish the two initial states
via repeated observations. To this end, differential privacy is introduced
to the community of DESs that are in this particular research modeled
by PLPNs.
Contributions: This work addresses the problem of state informa-
tion protection for repeatedly observable DESs. We achieve differential
privacy verification and enforcement in the framework of PLPNs to
protect adjacent initial states. The main contributions of this work are
summarized as follows:
2
Expert Systems With Applications 237 (2024) 121454
(1) The notion of state differential privacy is formulated to protect
adjacent initial states, which are defined to represent similar ini-
tial resource configurations of a Petri net. We present the concept
of PLPNs and provide a method for computing the probability
distributions of the behavior of two PLPNs with adjacent initial
states. A state differential privacy verification method is proposed
to analyze whether the adjacent initial states are protected using
PLPNs.
(2) A supervisory control method is proposed for the enforcement
of state differential privacy to control the behavior of a PLPN.
The strictest control specification is proposed to make a system
satisfy 0-state differential privacy with adjacent initial states.
A controller constructed by our supervisory control method is
maximally permissive for the enforcement of 0-state differential
privacy.
(3) Experimental studies show that the proposed method achieves the
verification and enforcement of state differential privacy in the
considered class of PLPNs.
The rest of the paper is organized as follows. Section 2 introduces
the backgrounds of PLPNs and the notion of differential privacy in
sensitive data security. Section 3 is a problem statement, which presents
the notion of state differential privacy and two problems involving
state differential privacy in PLPNs. The verification of state differential
privacy is formulated in Section 4. Section 5 designs a controller for
state differential privacy enforcement. A numerical example is shown
in Section 6. Section 7 concludes this paper.
2. Preliminaries
In this section, we introduce the backgrounds of PLPNs and the stan-
dard concept of differential privacy. Let N be the set of non-negative
integers and N+ be the set of positive integers.
2.1. Probabilistic labeled Petri nets
A Petri net is a structure 𝑁 = (𝑃 , 𝑇 , 𝑃 𝑟𝑒, 𝑃 𝑜𝑠𝑡), where 𝑃 is a finite
set of 𝑚 places and 𝑇 is a finite set of 𝑛 transitions with 𝑃 ∪ 𝑇 ≠ ∅ and
𝑃 ∩ 𝑇 = ∅. 𝑃 𝑟𝑒 ∶ 𝑃 × 𝑇 → N and 𝑃 𝑜𝑠𝑡 ∶ 𝑃 × 𝑇 → N are the pre-
and post-incidence functions that respectively specify the arcs directed
from places to transitions and transitions to places. Thanks to their
definitions, function 𝑃 𝑟𝑒 or 𝑃 𝑜𝑠𝑡 can be tabulated in a rectangular array
and further represented by an 𝑚 × 𝑛 matrix indexed by 𝑃 and 𝑇 . The
incidence matrix 𝐶 of a net is defined by 𝐶 = 𝑃 𝑜𝑠𝑡 − 𝑃 𝑟𝑒.
Let 𝑥 ∈ 𝑃 ∪ 𝑇 be a node in a Petri net. Its pre-set is defined as
∙ 𝑥 = {𝑦 ∈ 𝑃 ∪ 𝑇 ∣ 𝑃 𝑟𝑒(𝑦, 𝑥) > 0} and its post-set is defined as
𝑥∙ = {𝑦 ∈ 𝑃 ∪ 𝑇 ∣ 𝑃 𝑜𝑠𝑡(𝑦, 𝑥) > 0}. A node sequence 𝑥1 𝑥2 ⋯ 𝑥𝑟 ∈ (𝑃 ∪ 𝑇 )∗
in a Petri net is called a path if 𝑥𝑖 ∈ 𝑥∙𝑖−1 holds for 𝑖 = 2, … , 𝑟. A path
𝑥1 𝑥2 ⋯ 𝑥𝑟 is said to be a cycle if 𝑥1 = 𝑥𝑟 . A net is said to be acyclic or
cycle-free if it has no cycle.
A marking or state of a Petri net is defined as a mapping 𝑀 ∶ 𝑃 → N
that assigns to each place of a Petri net a non-negative integer of tokens.
A marking 𝑀 can be treated as a column vector indexed by 𝑃 for
the sake of mathematical convenience. We use 𝑀(𝑝) to indicate the
number of tokens in place 𝑝 at marking 𝑀. For economy of space, 𝑀
can be compactly written as a multi-set over place set 𝑃 , i.e., 𝑀 =
∑
𝑝∈𝑃 𝑀(𝑝)𝑝. A Petri net system ⟨𝑁, 𝑀0 ⟩ is a net structure 𝑁 with an
initial marking 𝑀0 .
A transition 𝑡 is enabled at a marking 𝑀, denoted by 𝑀[𝑡⟩, if 𝑀 ≥
𝑃 𝑟𝑒(⋅, 𝑡) and may fire yielding a marking 𝑀 ′ = 𝑀 + 𝐶(⋅, 𝑡), denoted as
𝑀[𝑡⟩𝑀 ′ . The set of transitions that are enabled at a marking 𝑀 defines
𝑇 (𝑀) = {𝑡 ∈ 𝑇 ∣ 𝑀[𝑡⟩}. We write 𝑀[𝜎⟩ to denote that the sequence of
transitions 𝜎 = 𝑡1 ⋯ 𝑡𝑘 ∈ 𝑇 ∗ (𝑘 ∈ N) is enabled at 𝑀, and 𝑀[𝜎⟩𝑀 ′ to
denote that the firing of 𝜎 from 𝑀 yields 𝑀 ′ . A marking 𝑀 is reachable
in ⟨𝑁, 𝑀0 ⟩ if there exists a sequence 𝜎 such that 𝑀0 [𝜎⟩𝑀 holds. The
Y. Teng et al. Expert Systems With Applications 237 (2024) 121454

Table 1
Recent research contributions.
Literature Focused Focused DES Focused language Focused state
differential privacy privacy protection information protection information protection
Hassan et al. (2020) *
Jiang et al. (2023) *
Gu and Zhang (2023) *
McSherry (2010) *
Soria-Comas et al. (2017) *
Yin et al. (2018) *
Zhu et al. (2017) *
Dwork (2008) *
Jones et al. (2019) * * *
Basile et al. (2023) * *
Tong et al. (2017a) * *
Zhu et al. (2018) * *
Current research * * *

set of all markings reachable from 𝑀0 defines the reachability set of
⟨𝑁, 𝑀0 ⟩, denoted by 𝑅(𝑁, 𝑀0 ), i.e., 𝑅(𝑁, 𝑀0 ) = {𝑀 ∈ N|𝑃 | ∣ (∃𝜎 ∈
𝑇 ∗ )𝑀0 [𝜎⟩𝑀}.
A labeled Petri net (LPN) is a four-tuple  = (𝑁, 𝑀0 , 𝐸, 𝓁), where
⟨𝑁, 𝑀0 ⟩ is a Petri net system, 𝐸 is the alphabet (a finite set of labels)
and 𝓁 ∶ 𝑇 → 𝐸 ∪ {𝜀} is the labeling function that assigns to each
transition 𝑡 ∈ 𝑇 either a symbol from 𝐸 or the empty word 𝜀. The
transitions in  can be partitioned into two disjoint sets 𝑇 = 𝑇𝑜 ∪ 𝑇𝑢 ,
where 𝑇𝑜 = {𝑡 ∈ 𝑇 ∣ 𝓁(𝑡) ∈ 𝐸} is the set of observable transitions and
𝑇𝑢 = 𝑇 ∖𝑇𝑜 = {𝑡 ∈ 𝑇 ∣ 𝓁(𝑡) = 𝜀} is the set of unobservable transitions.
The labeling function can be extended to firing sequences 𝓁 ∶ 𝑇 ∗ → 𝐸 ∗ ,
i.e., 𝓁(𝜀) = 𝜀 and 𝓁(𝜎𝑡) = 𝓁(𝜎)𝓁(𝑡) with 𝜎 ∈ 𝑇 ∗ and 𝑡 ∈ 𝑇 .
Given an LPN  = (𝑁, 𝑀0 , 𝐸, 𝓁) and a marking 𝑀 ∈ 𝑅(𝑁, 𝑀0 ),
we define the language of  generated from 𝑀 as
where  (𝐷1 ) (or  (𝐷2 )) is the output of  on input 𝐷1 (or 𝐷2 ), P ∶
𝑂 → (0, 1] is the probability function, mapping an output of  to a real
number between zero and one (including one), and 𝜖 is the privacy
budget parameter that stipulates the level of privacy protection with
𝜖 ∈ R and 𝜖 ≥ 0.
3. Problem statement
In this section, differential privacy is introduced to protect the initial
state of DESs modeled by PLPNs. We first define our notation and
establish its mathematical developments below.
3.1. State differential privacy

(𝑁, 𝑀) = {𝜔 ∈ 𝐸 ∗ |∃𝜎 ∈ 𝑇 ∗ ∶ 𝑀[𝜎⟩ & 𝓁(𝜎) = 𝜔}.
A string belonging to (𝑁, 𝑀0 ) is called an observation. To investi-
gate the differential privacy problems in DESs, this paper proposes a
new formalism called probabilistic labeled Petri nets, motivated by the
work in Cabasino et al. (2015).
Definition 1. [Probabilistic Labeled Petri Nets] A probabilistic labeled
Petri net 𝐺 = (𝑁, 𝑀0 , 𝐸, 𝓁, 𝐵) is a five-tuple such that the following
statements hold:
1. (𝑁, 𝑀0 , 𝐸, 𝓁) is a labeled Petri net.
2. 𝐵 ∶ 𝑅(𝑁, 𝑀0 ) × 𝑇 → [0, 1] is a mapping that assigns to a pair of a
reachable marking 𝑀 and a transition 𝑡 ∈ 𝑇 a real number between
∑
0 and 1 such that 𝑡∈𝑇 (𝑀) 𝐵(𝑀, 𝑡) = 1. 𝐵(𝑀, 𝑡) indicates the firing
probability of the transition 𝑡 at the marking 𝑀. ⋄
In what follows, 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵) is called a PLPN structure, i.e., a
PLPN 𝐺 = (𝑁, 𝑀0 , 𝐸, 𝓁, 𝐵) is a net structure 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵) with
an initial marking 𝑀0 . Write 𝐺 = (𝑁, 𝑀0 , 𝐸, 𝓁, 𝐵) as 𝐺(𝑀0 ) if 𝐺𝑠 is
implicitly defined.
2.2. Differential privacy
Traditionally, a randomized algorithm is said to satisfy differential
privacy if an attacker is unlikely to distinguish the output distributions
of two data sets differing on at most one element. It guarantees that a
randomized algorithm behaves similarly on similar (or adjacent) input
data sets. Let R be the set of real numbers.
Two data sets 𝐷1 and 𝐷2 are said to be adjacent if they differ on
at most one element, i.e., either 𝐷1 = 𝐷2 or there exists a datum 𝑑
such that 𝐷1 ∪ {𝑑} = 𝐷2 or 𝐷2 ∪ {𝑑} = 𝐷1 (Dwork & Roth, 2013).
By Chaudhuri et al. (2011), a randomized algorithm  satisfies 𝜖-
differential privacy if for any two adjacent input data sets 𝐷1 and 𝐷2 ,
and for any set of outputs 𝑂,
Let 𝑎, 𝑏 ∈ N be two non-negative integers. We associate 𝑎 and 𝑏 with
a binary scalar 𝜉(𝑎, 𝑏), defined as follows:
{
1, 𝑎 ≠ 𝑏
𝜉(𝑎, 𝑏) =
0, 𝑎 = 𝑏
Definition 2. [Adjacent States] Given a net structure 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵),
a set of possible initial markings 0 , and two markings (states) 𝑀1 ,
𝑀2 ∈ 0 , 𝑀1 and 𝑀2 are said to be 𝜃-adjacent if
{∑
𝑝∈𝑃 𝜉(𝑀1 (𝑝), 𝑀2 (𝑝)) = 𝜃
∑ ∑
𝑝∈𝑃 𝑀1 (𝑝) = 𝑝∈𝑃 𝑀2 (𝑝)
where 𝜃 ∈ N+ is usually close to zero. ⋄
In plain words, two markings or states 𝑀1 and 𝑀2 are 𝜃-adjacent if
(1) the number of places containing different numbers of tokens at 𝑀1
and 𝑀2 is 𝜃; (2) the token sums at 𝑀1 and 𝑀2 are equal. Accordingly,
any of two adjacent states 𝑀1 and 𝑀2 can be assigned to a PLPN as an
initial marking. In this case, they are called 𝜃-adjacent initial states for
the underlying PLPN structure.
Given a transition sequence 𝜎 = 𝑡1 𝑡2 ⋯ 𝑡𝑘 ∈ 𝑇 ∗ , where for all
𝑖, 𝑗 ∈ {1, 2, … , 𝑘}, 𝑖 ≠ 𝑗 does not necessarily imply 𝑡𝑖 ≠ 𝑡𝑗 , 𝑘 is said
to be the length of 𝜎, denoted by |𝜎|. The 𝑖th element of 𝜎 is denoted
by 𝜎[𝑖].
Suppose that an attacker observes an observation 𝜔 ∈ 𝐸 ∗ at a time
instance, where the length of 𝜔 is 𝑘 ∈ N (called a current observation
length), i.e., |𝜔| = 𝑘. Now we find the firing transition sequences from
the initial marking whose corresponding observations are bounded by
length 𝑘.
Definition 3. [Firing Transition Sequences] Given a PLPN 𝐺 = (𝑁,
𝑀0 , 𝐸, 𝓁, 𝐵), the set of firing transition sequences generated from 𝑀0
bounded by an observation length 𝑘 ∈ N is defined as

𝑒𝑥𝑝(−𝜖) × P( (𝐷2 ) ∈ 𝑂) ≤ P( (𝐷1 ) ∈ 𝑂) ≤ 𝑒𝑥𝑝(𝜖) × P( (𝐷2 ) ∈ 𝑂) 𝑓 (𝑀0 , 𝑘) = {𝜎 ∈ 𝑇 ∗ ∣ 𝑀0 [𝜎⟩, 𝓁(𝜎) = 𝜔, |𝜔| ≤ 𝑘}. ⋄

3
Y. Teng et al.
Definition 4. [Observations] Given a PLPN 𝐺 = (𝑁, 𝑀0 , 𝐸, 𝓁, 𝐵), the
set of all observations generated from 𝑀0 bounded by 𝑘 ∈ N is defined
as
𝑜 (𝑀0 , 𝑘) = {𝜔 ∈ 𝐸 ∗ ∣ 𝜔 = 𝓁(𝜎), 𝜎 ∈ 𝑓 (𝑀0 , 𝑘)}.
Definition 5. [Probability Distributions] Given a PLPN structure 𝐺𝑠 =
(𝑁, 𝐸, 𝓁, 𝐵), a set of possible initial markings 0 , and 𝑀 ∈ 0 , a
function Pr ∶ {𝑀} × 𝑜 (𝑀, 𝑘) → (0, 1] is the probability distribution,
mapping a pair of an initial marking and an observation to a real
number between zero and one (including one). ⋄
Given a net structure 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵) and two 𝜃-adjacent ini-
tial states 𝑀1 , 𝑀2 (leading to two PLPNs 𝐺(𝑀1 ) and 𝐺(𝑀2 )), let
0 = {𝑀1 , 𝑀2 }. The probability distribution function of adjacent ini-
tial states can be extended to Pr ∶ 0 × (𝑜 (𝑀1 , 𝑘) ∪ 𝑜 (𝑀2 , 𝑘)) → [0, 1],
mapping a pair of an adjacent initial state and an observation generated
from the two 𝜃-adjacent initial states to a real number between zero and
one (including zero and one).
Definition 6. [State Differential Privacy] Given a net structure 𝐺𝑠 =
(𝑁, 𝐸, 𝓁, 𝐵) and two 𝜃-adjacent initial states 𝑀1 , 𝑀2 (leading to two
PLPNs 𝐺(𝑀1 ) and 𝐺(𝑀2 )), 𝐺(𝑀1 ) and 𝐺(𝑀2 ) satisfy 𝜖-state differential
privacy if for all 𝑘 ∈ N and for all 𝜔 ∈ 𝑜 (𝑀1 , 𝑘) ∪ 𝑜 (𝑀2 , 𝑘), it holds
𝑒𝑥𝑝(−𝜖) × Pr(𝑀2 , 𝜔) ≤ Pr(𝑀1 , 𝜔) ≤ 𝑒𝑥𝑝(𝜖) × Pr(𝑀2 , 𝜔)
where the parameter 𝜖 ∈ R and 𝜖 ≥ 0 stipulates the level of privacy
protection. ⋄
By observation for an arbitrarily long time, if the probability distri-
butions of generating all observations from two 𝜃-adjacent initial states
are similar, the PLPN satisfies state differential privacy with adjacent
initial states. An attacker is unlikely to distinguish the two adjacent
initial states. In this paper, we restrict ourselves to state differential
privacy.
3.2. Problems
In this paper, we consider two problems involving pre-defined state
differential privacy in PLPNs. First, this work engages to verify whether
the private information regarding the initial state of a DES modeled
with a PLPN is protected.
Problem 1. Given a PLPN structure 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵) and two 𝜃-
adjacent initial states 𝑀0 and 𝑀0′ , verify whether the PLPN satisfies
𝜖-state differential privacy with 𝑀0 and 𝑀0′ by the probability distri-
butions of generating observations bounded by the length 𝑘 from 𝑀0
and 𝑀0′ .
Next, we propose a controller to supervise the behavior of a PLPN
such that the controlled system satisfies state differential privacy to be
defined.
Problem 2. Given a PLPN structure 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵) and two 𝜃-
adjacent initial states 𝑀0 and 𝑀0′ , construct a controller 𝐺𝑐 = (𝑐 , 𝑇𝑐 ,
𝛥𝑐 , 𝑀𝑐 0 ) such that the PLPN satisfies 0-state differential privacy with
𝑀0 and 𝑀0′ and the controller is maximally permissive.
A solution to Problem 2 would ensure that an attacker in unlikely
to infer the initial state of the PLPN by observation for an arbitrarily
long time.
4. Verification of state differential privacy
This section verifies whether a PLPN satisfies state differential pri-
vacy with respect to two adjacent initial states by the probability
distributions of observations generated from the two adjacent ini-
tial states. A method for computing the probability distribution of
observations generated from an initial state in a PLPN is provided first.
Expert Systems With Applications 237 (2024) 121454
Given a finite set of transitions 𝑇 , the concatenation operation over
𝑇 ∗ is a function 𝑐𝑎𝑡 ∶ 𝑇 ∗ × 𝑇 ∗ → 𝑇 ∗ by defining 𝑐𝑎𝑡(𝑥, 𝑥′ ) = 𝑥𝑥′ ,
where 𝑥, 𝑥′ ∈ 𝑇 ∗ . For example, given 𝜎 = 𝑡1 𝑡2 𝑡3 𝑡4 ∈ 𝑇 ∗ and 𝑡5 ∈ 𝑇 ∗ ,
𝑐𝑎𝑡(𝜎, 𝑡5 ) = 𝑡1 𝑡2 𝑡3 𝑡4 𝑡5 ∈ 𝑇 ∗ holds.
⋄
The set of firing transition sequences that are consistent with an
observation 𝜔 generated at 𝑀0 is defined as
𝑆(𝜔, 𝑀0 ) = {𝜎 ∈ 𝑇 ∗ ∣ 𝑀0 [𝜎⟩, 𝓁(𝜎) = 𝜔}.
Before the probability of generating an observation is computed,
let us first propose the probability computation of a firing transition
sequence. Given a PLPN 𝐺 = (𝑁, 𝑀0 , 𝐸, 𝓁, 𝐵), let 𝜎 ∈ 𝑓 (𝑀0 , 𝑘) be
a (feasible) firing transition sequence such that 𝑀0 [𝜎[1]⟩𝑀1 [𝜎[2]⟩𝑀2 ⋯
[𝜎[|𝜎|]⟩𝑀|𝜎| . The probability of generating 𝜎 from 𝑀0 is defined as
|𝜎|
∏
Pr(𝑀0 , 𝜎) = 𝐵(𝑀𝑖−1 , 𝜎[𝑖]) × 𝐵(𝑀|𝜎| , 𝜀) (1)
𝑖=1
where 𝐵(𝑀|𝜎| , 𝜀) ∈ (0, 1] is the probability that there is no transition
firing at 𝑀|𝜎| .
The probability of generating a firing transition sequence 𝜎 from the
initial state 𝑀0 is the product of firing probabilities of the transitions
contained in 𝜎 and the probability that there is no transition firing at
𝑀|𝜎| after generating 𝜎, denoted by 𝐵(𝑀|𝜎| , 𝜀).
Since the generation of 𝜎 and all firing transition sequences of
the from 𝑐𝑎𝑡(𝜎, 𝜎 ′ ) (𝜎 ′ ∈ 𝑇 𝑇 ∗ ) are independent, 𝐵(𝑀|𝜎| , 𝜀) is used
to indicate the probability that the sequence 𝜎 ′ ∈ 𝑇 ∗ is not gen-
erated from 𝑀|𝜎| (𝑀0 [𝜎⟩𝑀|𝜎| ). For example, given two firing tran-
sition sequences 𝑡1 𝑡2 such that 𝑀0 [𝑡1 ⟩𝑀1 [𝑡2 ⟩𝑀2 and 𝑡1 𝑡2 𝑡3 such that
𝑀0 [𝑡1 ⟩𝑀1 [𝑡2 ⟩𝑀2 [𝑡3 ⟩𝑀3 , we have Pr(𝑀0 , 𝑡1 𝑡2 ) = 𝐵(𝑀0 , 𝑡1 ) × 𝐵(𝑀1 , 𝑡2 ) ×
𝐵(𝑀2 , 𝜀), where 𝐵(𝑀2 , 𝜀), showing that there is no transition firing at
𝑀2 , is exactly the probability that 𝑡3 does not fire at 𝑀2 .
The probability of generating an observation 𝜔 is the sum of firing
probabilities of all the firing transition sequences that are consis-
tent with 𝜔. For an observation 𝜔 ∈ 𝑜 (𝑀0 , 𝑘), the probability of 𝜔
generated from 𝑀0 is defined as
∑
Pr(𝑀0 , 𝜔) = Pr(𝑀0 , 𝜎) (2)
𝜎∈𝑆(𝜔,𝑀0 )
Algorithm 1 computes the probability distribution of generating
all the observations bounded by length 𝑘 from an initial state. The
number of enabled transitions at a state 𝑀 is denoted by |𝑇 (𝑀)|.
The firing probability of any enabled transition 𝑡 at 𝑀 with 𝑀[𝑡⟩ is
denoted by 𝐵(𝑀, 𝑡) = 1∕(|𝑇 (𝑀)| + 1). For a firing transition sequence
𝜎 ∈ 𝑓 (𝑀0 , 𝑘), the probability of generating 𝜎 from the initial state
𝑀0 is denoted by Pr(𝑀0 , 𝜎). If 𝑀 is the marking by firing 𝜎 from
𝑀0 , i.e., 𝑀0 [𝜎⟩𝑀, and the length of 𝓁(𝜎) is less than 𝑘, the proba-
bility that there is no transition firing at 𝑀 is denoted by 𝐵(𝑀, 𝜀) =
1∕(|𝑇 (𝑀)| + 1). If the length of 𝓁(𝜎) is equal to 𝑘, then there is no tran-
∏
sition firing at 𝑀, i.e., 𝐵(𝑀, 𝜀) = 1. Let Pr(𝑀0 , 𝜎) = 𝑖 𝐵(𝑀𝑖−1 , 𝜎[𝑖]) ×
𝐵(𝑀, 𝜀), where 1 ≤ 𝑖 ≤ |𝜎|, 𝑖 ∈ N+ , 𝑀𝑖−1 [𝜎[𝑖]⟩𝑀𝑖 , and 𝑀0 [𝜎⟩𝑀.
The obtained Pr(𝑀0 , 𝜎) is the product of firing probabilities of the
transitions contained in 𝜎 and the probability that there is no transition
firing at 𝑀 with 𝑀0 [𝜎⟩𝑀, as shown in Eq. (1). The probability of
generating an observation 𝜔, denoted by Pr(𝑀0 , 𝜔), is the sum of firing
probabilities of all firing transition sequences that are consistent with 𝜔
from 𝑀0 , as shown in Eq. (2). Algorithm 1 formalizes the computation
given in Eqs. (1) and (2).
Notice that to apply the proposed approach, two assumptions are
made:
(A1) there is no unobservable cycle in a PLPN; and
(A2) all enabled transitions at a reachable state in a PLPN are
equally likely to fire.
Assumption (A1) guarantees that the sets 𝑓 (𝑀0 , 𝑘) and 𝑜 (𝑀0 , 𝑘)
are finite and thus Algorithm 1 can terminate within finite time. As-
sumption (A2) provides a basis for computing probability distributions
of generating observations from an initial state.
4
Y. Teng et al. Expert Systems With Applications 237 (2024) 121454

Algorithm 1: Computation of the probability distribution of

generating observations from an initial state
Input: A PLPN 𝐺 = (𝑁, 𝑀0 , 𝐸, 𝓁, 𝐵), a set of observations
𝑜 (𝑀0 , 𝑘) and that of firing transition sequences 𝑓 (𝑀0 ,
𝑘)
Output: Probability distribution of generating the observations
from 𝑀0
1 foreach 𝜎 ∈ 𝑓 (𝑀0 , 𝑘) do Fig. 1. PLPN structure 𝐺1 𝑠 .
2 𝑀 ← 𝑀0 ; Pr(𝑀0 , 𝜎) ← 1;
3 if 𝜎 ≠ 𝜀 then
4 for 𝑖 = 1, 𝑖 ≤ |𝜎|; 𝑖 + + do the set of the observations bounded by length 𝑘 is 𝑜 (𝑀0 , 60) = {𝜀, 𝑎,
5 𝑐 ← |𝑇 (𝑀)|; 𝑎𝑏, 𝑎𝑏𝑏, …, (𝑎𝑏𝑏)19 𝑎𝑏, (𝑎𝑏𝑏)20 }. The probabilities of generating 𝜀 and 𝑎
6 𝐵(𝑀, 𝜎[𝑖]) ← 1∕(𝑐 + 1); from 𝑀0 are Pr(𝑀0 , 𝜀) = 𝐵(𝑀0 , 𝜀) = 1∕2 and Pr(𝑀0 , 𝑎) = Pr(𝑀0 , 𝑡1 ) =
7 Pr(𝑀0 , 𝜎) ← Pr(𝑀0 , 𝜎) × 𝐵(𝑀, 𝜎[𝑖]); 𝐵(𝑀0 , 𝑡1 ) × 𝐵(𝑀1 , 𝜀) = (1∕2)2 = 1∕4, respectively.
8 𝑀 ← 𝑀 + 𝐶(⋅, 𝜎[𝑖]);
Note that the number of enabled transitions at 𝑀1 after generating
9 if |𝓁(𝜎)| < 𝑘 then 𝑡1 is one (the enabled transition is 𝑡2 ) and the probability that there is no
10 𝑧 ← |𝑇 (𝑀)|; transition firing at 𝑀1 is 1∕2, i.e., 𝐵(𝑀1 , 𝜀) = 1∕2. For the observation
11 else 𝑎𝑏, it holds 𝑆(𝑎𝑏, 𝑀0 ) = {𝑡1 𝑡2 , 𝑡1 𝑡2 𝑡3 }. The probability of generating 𝑎𝑏
12 𝑧 ← 0; from 𝑀0 is
13 𝐵(𝑀, 𝜀) ← 1∕(𝑧 + 1); Pr(𝑀0 , 𝑎𝑏) = Pr(𝑀0 , 𝑡1 𝑡2 ) + Pr(𝑀0 , 𝑡1 𝑡2 𝑡3 )
14 Pr(𝑀0 , 𝜎) ← Pr(𝑀0 , 𝜎) × 𝐵(𝑀, 𝜀); = 𝐵(𝑀0 , 𝑡1 ) × 𝐵(𝑀1 , 𝑡2 ) × 𝐵(𝑀2 , 𝜀)+
15 Pr(𝑀0 , 𝜔) ← 0; 𝐵(𝑀0 , 𝑡1 ) × 𝐵(𝑀1 , 𝑡2 ) × 𝐵(𝑀2 , 𝑡3 ) × 𝐵(𝑀3 , 𝜀)
16 foreach 𝜔 ∈ 𝑜 (𝑀0 , 𝑘) do
17 foreach 𝜎 ∈ 𝑓 (𝑀0 , 𝑘) do = (1∕2)3 + (1∕2)4 = 3∕16.
18 if 𝜎 ∈ 𝑆(𝜔, 𝑀0 ) then Similarly, the probabilities of generating (𝑎𝑏𝑏)19 𝑎𝑏 and (𝑎𝑏𝑏)20 from 𝑀0
19 Pr(𝑀0 , 𝜔) ← Pr(𝑀0 , 𝜔) + Pr(𝑀0 , 𝜎); are

Pr(𝑀0 , (𝑎𝑏𝑏)19 𝑎𝑏) = Pr(𝑀0 , (𝑡1 𝑡2 𝑡3 𝑡4 )19 𝑡1 𝑡2 ) + Pr(𝑀0 , (𝑡1 𝑡2 𝑡3 𝑡4 )19 𝑡1 𝑡2 𝑡3 )

= (1∕2)79 + (1∕2)80 .
Pr(𝑀0 , (𝑎𝑏𝑏)20 ) = Pr(𝑀0 , (𝑡1 𝑡2 𝑡3 𝑡4 )20 ) = (1∕2)80 .
Proposition 1. Given a PLPN 𝐺 = (𝑁, 𝑀0 , 𝐸, 𝓁, 𝐵), a set of observations
𝑜 (𝑀0 , 𝑘) and that of firing transition sequences 𝑓 (𝑀0 , 𝑘) bounded by The sum of all probabilities of generating the observations bounded by
length 𝑘, it holds 𝑘 from 𝑀0 is equal to one, i.e.,
∑ ∑ ∑
Pr(𝑀0 , 𝜎) = Pr(𝑀0 , 𝜔) = 1. Pr(𝑀0 , 𝜔) = 1∕2 + (1∕2)2 + ⋯ + (1∕2)80 + (1∕2)80 = 1.
𝜎∈𝑓 (𝑀0 ,𝑘) 𝜔∈𝑜 (𝑀0 ,𝑘) 𝜔∈𝑜 (𝑀0 ,60)

For 𝑀0′ = 2𝑝1 + 𝑝5 + 𝑝6 , the set of observations generated from 𝑀0′

Proof. Given a state 𝑀 ∈ 𝑅(𝑁, 𝑀0 ), suppose that the number of
enabled transitions at 𝑀 is 𝑐 ∈ N. Then, the firing probability of a
transition 𝑡 ∈ 𝑇 (𝑀) at 𝑀 is 1∕(𝑐 + 1). The probability that there is no
transition firing at 𝑀 is also 1∕(𝑐 + 1), denoted by 𝐵(𝑀, 𝜀). As known,
the sum of firing probabilities of all enabled transitions at 𝑀 and the
probability that there is no transition firing at 𝑀 is equal to one. The
sum of firing probabilities of all transition sequences from 𝑀0 is equal
to one.
Suppose that at a time instance, the current observation length
is 𝑘 ∈ N. We do not consider the transition sequences consistent
with 𝜔, where |𝜔| > 𝑘. Instead, we focus on the probabilities of
firing transition sequences from 𝑀0 whose observations are bounded
by length 𝑘. For a firing transition sequence 𝜎 with |𝓁(𝜎)| = 𝑘 and
𝑀0 [𝜎⟩𝑀 ′ , the probability that there is no transition firing at 𝑀 ′ is
equal to one, i.e., there is no transition sequence 𝜎 ′ = 𝑐𝑎𝑡(𝜎, 𝜎𝑠 ) with
𝜎𝑠 ∈ 𝑇 𝑇 ∗ generated from 𝑀0 , i.e., the firing probability of 𝜎 ′ from 𝑀0
is equal to zero. Thus, the sum of the probabilities of all firing transition
sequences generated from an initial state is restricted to one. Since the
probability of generating an observation 𝜔 is the sum of probabilities
of generating all firing transition sequences consistent with 𝜔, the sum
of all probabilities of generating 𝜔 from 𝑀0 is restricted to one.
Example 1. A PLPN structure 𝐺1𝑠 is shown in Fig. 1. Given two initial
states 𝑀0 = 𝑝1 + 2𝑝5 + 𝑝6 and 𝑀0′ = 2𝑝1 + 𝑝5 + 𝑝6 , we say that the two
initial states 𝑀0 and 𝑀0′ are 2-adjacent for the PLPN structure 𝐺1𝑠 . The
reachable markings in 𝑅(𝐺1𝑠 , 𝑀0 ) of ⟨𝐺1𝑠 , 𝑀0 ⟩ are 𝑀0 = 𝑝1 + 2𝑝5 + 𝑝6 ,
𝑀1 = 𝑝2 + 2𝑝5 , 𝑀2 = 𝑝3 + 𝑝5 + 𝑝6 , and 𝑀3 = 𝑝4 + 2𝑝5 . Suppose that
at a time instance, the current observation length is 𝑘 = 60. We have
bounded by length 𝑘 is 𝑜 (𝑀0′ , 60)={𝜀, 𝑎, 𝑎𝑏, 𝑎𝑏𝑎, 𝑎𝑏𝑏, …, (𝑎𝑏𝑏)19 𝑎𝑏𝑎,
(𝑎𝑏𝑏)20 }. The probabilities of generating the observations from 𝑀0′ are
Pr(𝑀0′ , 𝜀) = 1∕2; Pr(𝑀0′ , 𝑎) = 1∕4; Pr(𝑀0′ , 𝑎𝑏) = 1∕8; … ;
Pr(𝑀0′ , (𝑎𝑏𝑏)19 𝑎𝑏𝑎) = 1∕(259 × 320 ); Pr(𝑀0′ , (𝑎𝑏𝑏)20 ) = 1∕(260 × 320 ).
For any observation 𝜔 generated from 𝑀0 or 𝑀0′ , i.e., 𝜔 ∈ 𝑜 (𝑀0 , 60)
∪𝑜 (𝑀0′ , 60), let 𝜖 = 0.05, it does not hold 𝑒𝑥𝑝(−𝜖)×Pr(𝑀0′ , 𝜔) ≤ Pr(𝑀0 , 𝜔)
≤ 𝑒𝑥𝑝(𝜖) × Pr(𝑀0′ , 𝜔). Therefore, the PLPN does not satisfy 0.05-state
differential privacy with respect to the two 2-adjacent initial states 𝑀0
and 𝑀0′ . Furthermore, given an initial state 𝑀0′′ = 𝑝1 +𝑝5 +2𝑝6 , the PLPN
satisfies 0.05-state differential privacy with respect to two 2-adjacent
initial states 𝑀0 and 𝑀0′′ . ■
5. Controller design for state differential privacy enforcement
As seen from Section 4, a small value of 𝜖 yields a stricter privacy
requirement regarding the output of a system. This paper currently
aims at the strictest control specification for a system to satisfy state
differential privacy, i.e., 0-state differential privacy, which makes sense
■ to protect the initial state. This paper requires that the probabilities of
all identical observations generated from two 𝜃-adjacent initial states
should be the same. To ensure that a system generates as many ob-
servations as possible while satisfying 0-state differential privacy with
adjacent initial states, the controller constructed by our supervisory
control method is maximally permissive for the enforcement of 0-
state differential privacy. Suppose that all transitions of the system are
controllable. The controller is represented by a finite state automaton

5
Y. Teng et al.
(as defined in Tong et al. (2017b)) based on the reachability graphs (RGs)
of Petri nets.
An RG of a bounded Petri net system (𝑃 , 𝑇 , 𝑃 𝑟𝑒, 𝑃 𝑜𝑠𝑡, 𝑀0 ) can be
regarded as a finite state automaton 𝐺𝑟 = (, 𝑇 , 𝛥, 𝑀0 ), where
 = 𝑅(𝑁, 𝑀0 ) is a finite set of states, the set of transitions 𝑇 is
the alphabet, 𝑀0 ∈  is an initial state, and 𝛥 ⊆  × 𝑇 ×  is
the transition relation (it is actually a partial function). Given a PLPN
structure 𝐺𝑠 with transition set 𝑇 and two 𝜃-adjacent initial states 𝑀0 ,
𝑀0′ (leading to two PLPNs 𝐺(𝑀0 ) and 𝐺(𝑀0′ )), we accordingly obtain
two RGs 𝐺𝑟1 = (1 , 𝑇 , 𝛥1 , 𝑀0 ) and 𝐺𝑟2 = (2 , 𝑇 , 𝛥2 , 𝑀0′ ), respectively.
Given a state 𝑀 ∈  in 𝐺𝑟 = (, 𝑇 , 𝛥, 𝑀0 ), the set of one-step
reachable states of 𝑀 is defined as
′ ′
(𝑀) = {𝑀 ∈  ∣ (∃𝑡 ∈ 𝑇 )(𝑀, 𝑡, 𝑀 ) ∈ 𝛥}.
Accordingly, the set of transitions firing from 𝑀 to 𝑀 ′ is defined as
 (𝑀, 𝑀 ′ ) = {𝑡 ∈ 𝑇 ∣ (𝑀, 𝑡, 𝑀 ′ ) ∈ 𝛥}.
Definition 7. [Extended RG] Given two RGs 𝐺𝑟1 = (1 , 𝑇 , 𝛥1 , 𝑀0 ) and
𝐺𝑟2 = (2 , 𝑇 , 𝛥2 , 𝑀0′ ), an extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) by 𝐺𝑟1
and 𝐺𝑟2 is a finite state automaton such that the following statements
hold:
1. 𝑒 ⊆ 1 × 2 is a finite set of states defined as:
∗ ′ ∗
𝑀𝑎 ∈ 1 & 𝑀𝑏 ∈ 2 & (∃𝜎 ∈ 𝑇 )𝑀0 [𝜎⟩𝑀𝑎 &(∃𝜎 ∈ 𝑇 )𝑀0′ [𝜎 ′ ⟩𝑀𝑏
& |𝜎| = |𝜎 ′ | ⇒ (𝑀𝑎 , 𝑀𝑏 ) ∈ 𝑒 .
2. 𝑇𝑒 = 2𝑇 × 2𝑇 is the alphabet.
3. 𝑀𝑒0 = (𝑀0 , 𝑀0′ ) ∈ 𝑒 is an initial state.
4. 𝛥𝑒 ⊆ (1 × 2 ) × (2𝑇 × 2𝑇 ) × (1 × 2 ) is the transition relation
defined as:
𝑀𝑒 = (𝑀𝑎 , 𝑀𝑏 ) ∈ 𝑒 & 𝑀𝑒′ = (𝑀𝑎′ , 𝑀𝑏′ ) ∈ 𝑒 &  (𝑀𝑎 , 𝑀𝑎′ ) ≠ ∅ &
⋄ 6
 (𝑀𝑏 , 𝑀𝑏′ ) ≠ ∅ ⇒ (𝑀𝑒 ,  (𝑀𝑎 , 𝑀𝑎′ ) ×  (𝑀𝑏 , 𝑀𝑏′ ), 𝑀𝑒′ ) ⊆ 𝛥𝑒 .
By Definition 7, (𝑀𝑒 ,  (𝑀𝑎 , 𝑀𝑎′ ) ×  (𝑀𝑏 , 𝑀𝑏′ ), 𝑀𝑒′ ) ⊆ 𝛥𝑒 implies that
for any (𝑡𝑎 , 𝑡𝑏 ) ∈  (𝑀𝑎 , 𝑀𝑎′ ) ×  (𝑀𝑏 , 𝑀𝑏′ ), there exist 𝑀𝑎 , 𝑀𝑎′ ∈ 1 and
𝑀𝑏 , 𝑀𝑏′ ∈ 2 such that 𝑀𝑎 [𝑡𝑎 ⟩𝑀𝑎′ in 𝐺𝑟1 and 𝑀𝑏 [𝑡𝑏 ⟩𝑀𝑏′ in 𝐺𝑟2 hold.
Algorithm 2 constructs an extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) by
𝐺𝑟1 and 𝐺𝑟2 . Given two RGs 𝐺𝑟1 = (1 , 𝑇 , 𝛥1 , 𝑀0 ) and 𝐺𝑟2 = (2 ,
𝑇 , 𝛥2 , 𝑀0′ ) of a PLPN structure 𝐺𝑠 with two 𝜃-adjacent initial states
𝑀0 and 𝑀0′ , an initial state of 𝐺𝑒 , denoted by 𝑀𝑒0 , is 𝑀𝑒0 = (𝑀0 , 𝑀0′ ).
Let ′𝑒 be a temporary variable, initialized by ′𝑒 = {𝑀𝑒0 }. For any
state (𝑀𝑎 , 𝑀𝑏 ) ∈ ′𝑒 , we compute respectively (𝑀𝑎 ) and (𝑀𝑏 ) in
𝐺𝑟1 and 𝐺𝑟2 . For any state 𝑀𝑎′ ∈ (𝑀𝑎 ) and any state 𝑀𝑏′ ∈ (𝑀𝑏 ),
(𝑀𝑎′ , 𝑀𝑏′ ) is a state in 𝐺𝑒 and (𝑀𝑎′ , 𝑀𝑏′ ) is inserted into ′𝑒 . The sets
 (𝑀𝑎 , 𝑀𝑎′ ) and  (𝑀𝑏 , 𝑀𝑏′ ) in 𝐺𝑟1 and 𝐺𝑟2 are computed respectively.
If they are not empty, ((𝑀𝑎 , 𝑀𝑏 ),  (𝑀𝑎 , 𝑀𝑎′ ) ×  (𝑀𝑏 , 𝑀𝑏′ ), (𝑀𝑎′ , 𝑀𝑏′ )) is a
transition relation in 𝐺𝑒 . We remove (𝑀𝑎 , 𝑀𝑏 ) from ′𝑒 . This procedure
runs iteratively until there is no state in ′𝑒 .
Example 2. Consider again the PLPN structure 𝐺1𝑠 in Fig. 1 with two
2-adjacent initial states 𝑀0 = 𝑝1 + 2𝑝5 + 𝑝6 and 𝑀0′ = 2𝑝1 + 𝑝5 + 𝑝6 .
The two RGs of ⟨𝐺1𝑠 , 𝑀0 ⟩ and ⟨𝐺1𝑠 , 𝑀0′ ⟩, denoted by 𝐺1𝑟 1 and 𝐺1𝑟 2 ,
are shown in Figs. 2(a) and (b), respectively.
Now an extended RG, denoted by 𝐺𝑒 , is constructed as follows. Its
initial state is 𝑀𝑒0 = (𝑀0 , 𝑀0′ ). For the state 𝑀0 in 𝐺1𝑟 1 , we obtain
(𝑀0 ) = {𝑀1 } and  (𝑀0 , 𝑀1 ) = {𝑡1 }. For the state 𝑀0′ in 𝐺1𝑟 2 , we
obtain (𝑀0′ ) = {𝑀1′ } and  (𝑀0′ , 𝑀1′ ) = {𝑡1 }. The state (𝑀1 , 𝑀1′ ) is
a state in 𝐺𝑒 , denoted by 𝑀𝑒1 = (𝑀1 , 𝑀1′ ). It holds (𝑀𝑒0 , {𝑡1 } × {𝑡1 },
𝑀𝑒1 ) ∈ 𝛥𝑒 . Finally, we obtain all states and transition relations in
𝐺𝑒 . The extended RG 𝐺𝑒 by 𝐺1𝑟 1 and 𝐺1𝑟 2 is constructed and shown
in Fig. 3. The label of the edge from a state to another in 𝐺𝑒 is the
Cartesian product of two sets of transitions that are enabled at two
markings in 𝐺1𝑟 1 and 𝐺1𝑟 2 , respectively. ■ share the same label, then 𝑡𝑙 and 𝑡𝑟 are also selected as the candidate
Given a state 𝑀𝑒 ∈ 𝑒 in 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ), the set of one-step
reachable states of 𝑀𝑒 is defined as
(𝑀𝑒 ) = {𝑀𝑒′ ∈ 𝑒 |(∃𝑙 × 𝑟 ∈ 𝑇𝑒 )(𝑀𝑒 , 𝑙 × 𝑟 , 𝑀𝑒′ ) ∈ 𝛥𝑒 }.
6
Expert Systems With Applications 237 (2024) 121454
Algorithm 2: Construction of an extended RG
Input: Two RGs 𝐺𝑟1 = (1 , 𝑇 , 𝛥1 , 𝑀0 ) and 𝐺𝑟2 = (2 , 𝑇 , 𝛥2 ,
𝑀0′ )
Output: An extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) by 𝐺𝑟1 and
𝐺𝑟2
1 𝑀𝑒0 ← (𝑀0 , 𝑀0′ ); 𝑒 ← {𝑀𝑒0 }; ′𝑒 ← {𝑀𝑒0 }; 𝑇𝑒 ← ∅; 𝛥𝑒 ← ∅;
2 foreach (𝑀𝑎 , 𝑀𝑏 ) ∈ ′𝑒 do
3 foreach 𝑀𝑎′ ∈ (𝑀𝑎 ) do
4 foreach 𝑀𝑏′ ∈ (𝑀𝑏 ) do
5 𝑒 ← 𝑒 ∪ {(𝑀𝑎′ , 𝑀𝑏′ )};
6 ′𝑒 ← ′𝑒 ∪ {(𝑀𝑎′ , 𝑀𝑏′ )};
7 𝑇𝑒 ← 𝑇𝑒 ∪  (𝑀𝑎 , 𝑀𝑎′ ) ×  (𝑀𝑏 , 𝑀𝑏′ );
8 𝛥𝑒 ←
𝛥𝑒 ∪ {((𝑀𝑎 , 𝑀𝑏 ),  (𝑀𝑎 , 𝑀𝑎′ ) ×  (𝑀𝑏 , 𝑀𝑏′ ), (𝑀𝑎′ , 𝑀𝑏′ ))};
9 ′𝑒 ← ′𝑒 ∖{(𝑀𝑎 , 𝑀𝑏 )};
Algorithm 3: Candidate transition computation between a state
and its one-step reachable state
Input: An extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) with two states
𝑀𝑒 and 𝑀𝑒′ , and a PLPN structure 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵)
Output: A set  (𝑀𝑒 , 𝑀𝑒 ′ ) of candidate transitions from 𝑀𝑒 to
𝑀𝑒 ′
1  (𝑀𝑒 , 𝑀𝑒 ′ ) ← ∅;
2 if (𝑀𝑒 , 𝑙 × 𝑟 , 𝑀𝑒 ′ ) ∈ 𝛥𝑒 then
3 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ ) ← 𝑙 ;
4 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ ) ← 𝑟 ;
5  (𝑀𝑒 , 𝑀𝑒 ′ ) ← 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ ) ∩ 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ );
foreach 𝑡𝑙 ∈ 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ )∖ (𝑀𝑒 , 𝑀𝑒 ′ ) do
7 foreach 𝑡𝑟 ∈ 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ )∖ (𝑀𝑒 , 𝑀𝑒 ′ ) do
8 if 𝓁(𝑡𝑙 ) = 𝓁(𝑡𝑟 ) then
9  (𝑀𝑒 , 𝑀𝑒 ′ ) ←  (𝑀𝑒 , 𝑀𝑒 ′ ) ∪ {𝑡𝑙 , 𝑡𝑟 };
10 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ ) ← 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ )∖{𝑡𝑙 };
11 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ ) ← 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ )∖{𝑡𝑟 };
Given a net structure 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵) and two 𝜃-adjacent initial
states 𝑀0 , 𝑀0′ (leading to two PLPNs 𝐺(𝑀0 ) and 𝐺(𝑀0′ )), to ensure
that the PLPNs 𝐺(𝑀0 ) and 𝐺(𝑀0′ ) satisfy state differential privacy, a
controller needs to be constructed to supervise the behavior of two
PLPNs.
To this end, we need to choose the transitions from a state to its
one-step reachable state in 𝐺𝑒 to construct the controller, and these
transitions are called candidate transitions.
To construct a controller, Algorithm 3 finds the candidate transi-
tions from the label of the edge between a state 𝑀𝑒 to its one-step
reachable state 𝑀𝑒′ in an extended RG. The set of these transitions is
denoted by  (𝑀𝑒 , 𝑀𝑒′ ). Specifically, given an extended RG 𝐺𝑒 = (𝑒 ,
𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) by 𝐺𝑟1 and 𝐺𝑟2 (the RGs of ⟨𝐺𝑠 , 𝑀0 ⟩ and ⟨𝐺𝑠 , 𝑀0′ ⟩), a
state 𝑀𝑒 and its one-step reachable state 𝑀𝑒′ , if there exist two sets of
transitions 𝑙 and 𝑟 such that (𝑀𝑒 , 𝑙 × 𝑟 , 𝑀𝑒′ ) ∈ 𝛥𝑒 , let 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ ) =
𝑙 and 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ ) = 𝑟 (note that 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ ) and 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ ) are
initialized as empty sets). All the elements in 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ ) ∩ 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ )
are candidate transitions from 𝑀𝑒 to 𝑀𝑒 ′ . Further, for any two mutually
exclusive transitions 𝑡𝑙 in 𝑙 (𝑀𝑒 , 𝑀𝑒 ′ ) and 𝑡𝑟 in 𝑟 (𝑀𝑒 , 𝑀𝑒 ′ ), if they
transitions from 𝑀𝑒 to 𝑀𝑒′ .
A state 𝑀𝑒 in 𝐺𝑒 is said to be a first-cycled state (with respect to
the initial state 𝑀𝑒0 of 𝐺𝑒 ) if 𝑀𝑒 is a node in a cycle and there is a
Y. Teng et al.
Fig. 2. RGs 𝐺1 𝑟 1 and 𝐺1 𝑟 2 .
Fig. 3. Extended RG 𝐺𝑒 by 𝐺1 𝑟 1 and 𝐺1 𝑟 2 .
production1 starting from 𝑀𝑒0 and ending at 𝑀𝑒 such that the length
of any production from 𝑀𝑒0 to any other state in the cycle is greater
than that of the production from 𝑀𝑒0 to 𝑀𝑒 .
Definition 8. [Profit Function] Given an extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 ,
𝛥𝑒 , 𝑀𝑒0 ) by two RGs 𝐺𝑟1 = (1 , 𝑇 , 𝛥1 , 𝑀0 ) and 𝐺𝑟2 = (2 , 𝑇 , 𝛥2 , 𝑀0′ ),
 ∶ 𝑒 → N ∪ {−1} is said to be a profit function, mapping a state in
𝐺𝑒 to a natural number or −1. ⋄ implemented by Algorithm 4. Lines 1–7, 8–15, and 16–26 achieve steps
The computation of a profit function can be conducted by the
following steps in a recursive way.
(1) All the states in 𝐺𝑒 are first initialized to a natural number or −1.
(1.1) For all 𝑀𝑒 ∈ 𝑒 , if (𝑀𝑒 ) = ∅, the profit of 𝑀𝑒 is initialized
to zero and 𝑀𝑒 is assigned a tag ‘‘old’’.
(1.2) For all 𝑀𝑒 ∈ 𝑒 , if (𝑀𝑒 ) ≠ ∅ and 𝑀𝑒 is a first-cycled
state, the profit of 𝑀𝑒 is initialized to |𝑒 | × |𝑇 | and 𝑀𝑒 is
assigned a tag ‘‘old’’.
(1.3) If the conditions in (1.1) and (1.2) are not satisfied, the
profit of 𝑀𝑒 is initialized to −1, and 𝑀𝑒 is assigned no tag.
(2) A set ′𝑒 is initialized by ′𝑒 = 𝑒 . Given a state 𝑀𝑒 ∈ ′𝑒 ,
if the tags of all 𝑀𝑒′ ∈ (𝑀𝑒 ) are ‘‘old’’, the profit of 𝑀𝑒 needs
to be re-computed. To this end, let us first reset the profits of all
𝑀𝑒′ ∈ (𝑀𝑒 ). Let 𝑀𝑒 = (𝑀𝑎 , 𝑀𝑏 ). For all 𝑒 ∈ 𝐸 ∪ {𝜀}, the sets of
one-step reachable states from 𝑀𝑎 in 𝐺𝑟1 and 𝑀𝑏 in 𝐺𝑟2 by firing
a candidate transition 𝑡 ∈  (𝑀𝑒 , 𝑀𝑒′ ) with 𝓁(𝑡) = 𝑒 are denoted
by 𝑎 (𝑀𝑒 , 𝑒) and 𝑏 (𝑀𝑒 , 𝑒), respectively.
(2.1) For any 𝑀𝑒′ ∈ (𝑀𝑒 ), if  (𝑀𝑒 , 𝑀𝑒′ )
= ∅, reset (𝑀𝑒′ )
= −1.
(2.2) If |𝑎 (𝑀𝑒 , 𝑒)| > |𝑏 (𝑀𝑒 , 𝑒)|, select |𝑎 (𝑀𝑒 , 𝑒)| − |𝑏 (𝑀𝑒 , 𝑒)|
states from (𝑀𝑒 ) ∩ (𝑎 (𝑀𝑒 , 𝑒) × 2 ) such that the profit of
1
A production in finite state automata is a sequence of states and transi-
tions starting from and ending at states. The length of a production is defined
as the number of its transitions.
7
Expert Systems With Applications 237 (2024) 121454
any non-selected state in (𝑀𝑒 ) ∩ (𝑎 (𝑀𝑒 , 𝑒) × 2 ) is no less
than that of a selected state. Reset the profits of all selected
states as −1.
(2.3) If |𝑎 (𝑀𝑒 , 𝑒)| < |𝑏 (𝑀𝑒 , 𝑒)|, select |𝑏 (𝑀𝑒 , 𝑒)| − |𝑎 (𝑀𝑒 , 𝑒)|
states from (𝑀𝑒 ) ∩ (1 × 𝑏 (𝑀𝑒 , 𝑒)) such that the profit of
any non-selected state in (𝑀𝑒 ) ∩ (1 × 𝑏 (𝑀𝑒 , 𝑒)) is no less
than that of a selected state. Reset the profits of all selected
states as −1.
(2.4) If |𝑎 (𝑀𝑒 , 𝑒)| = |𝑏 (𝑀𝑒 , 𝑒)|, we do not reset the profits of
states in (𝑀𝑒 ).
After (2.1)–(2.4), the profit of 𝑀𝑒 is reset by
∑
(𝑀𝑒 ) = (𝑀𝑒′ ) + (𝑀𝑒 , 𝑀𝑒′ ) (3)
𝑀𝑒′ ∈(𝑀𝑒 ),(𝑀𝑒′ )≥0
where (𝑀𝑒 , 𝑀𝑒′ ) = | (𝑀𝑒 , 𝑀𝑒′ ) ∩  (𝑀𝑎 , 𝑀𝑎′ )| and
𝑀𝑒′ = (𝑀𝑎′ , 𝑀𝑏′ ). The tag of 𝑀𝑒 is reset to ‘‘old’’ and the state 𝑀𝑒
is removed from ′𝑒 . This procedure runs iteratively until there
is no state in ′𝑒 .
Definition 8 is introduced to select the states from 𝐺𝑒 for a con-
troller. As seen later, a state 𝑀𝑒 ∈ 𝑒 with (𝑀𝑒 ) = −1 will be
forbidden by a controller. The computation of a profit function is
(1), (2.1), and (2.2)–(2.4), respectively.
Example 3. Let us consider again the extended RG 𝐺𝑒 in Fig. 3. We first
perform step (1) of the computation of the profit function of states in
𝐺𝑒 . Since (𝑀𝑒4 ) = ∅, the profit of 𝑀𝑒4 is initialized to zero. By noting
that 𝑀𝑒0 is a first-cycled state and |𝑒 | × |𝑇 | = 20, the profit of 𝑀𝑒0 is
initialized to 20. The profits of other states in 𝐺𝑒 are initialized to −1.
For the states 𝑀𝑒2 and 𝑀𝑒4 , by  (𝑀𝑒2 , 𝑀𝑒4 ) = ∅, the profit of 𝑀𝑒4 is
reset to be −1 due to step (2.1) of the computation of the profit function
of states in 𝐺𝑒 . By (𝑀𝑒3 , 𝑀𝑒0 ) = 1, the profit of 𝑀𝑒3 is equal to 21 by
Eq. (3).
Consider state 𝑀𝑒2 = (𝑀2 , 𝑀2′ ) and label 𝜀, we have 𝑎 (𝑀2 , 𝜀) =
{𝑀3 } and 𝑏 (𝑀2′ , 𝜀) = {𝑀3′ }. By step (2.4) of the computation of the
profit function of states in 𝐺𝑒 , we do not have to reset the profit of 𝑀𝑒3 .
By (𝑀𝑒2 , 𝑀𝑒3 ) = 1, we find (𝑀𝑒2 ) = (𝑀𝑒3 ) + (𝑀𝑒2 , 𝑀𝑒3 ) = 22 by
Eq. (3). Similarly, we obtain (𝑀𝑒1 ) = (𝑀𝑒2 ) + (𝑀𝑒1 , 𝑀𝑒2 ) = 23 and
reset (𝑀𝑒0 ) = (𝑀𝑒1 ) + (𝑀𝑒0 , 𝑀𝑒1 ) = 24. ■
Definition 9. [Controller] Given an extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 ,
𝑀𝑒0 ) by two RGs 𝐺𝑟1 = (1 , 𝑇 , 𝛥1 , 𝑀0 ) and 𝐺𝑟2 = (2 , 𝑇 , 𝛥2 , 𝑀0′ )
with the profit function , a controller 𝐺𝑐 = (𝑐 , 𝑇𝑐 , 𝛥𝑐 , 𝑀𝑐 0 ) is a
finite state automaton such that the following statements hold:
1. 𝑐 is the transition relation defined as:
𝑀𝑒 ∈ 𝑐 & 𝑀𝑒′ ∈ (𝑀𝑒 ) & (𝑀𝑒′ ) ≥ 0 ⇒ 𝑀𝑒′ ∈ 𝑐 .
2. 𝑇𝑐 = 2𝑇 is the alphabet.
3. 𝑀𝑐 0 = 𝑀𝑒0 ∈ 𝑐 is an initial state.
Y. Teng et al. Expert Systems With Applications 237 (2024) 121454

Algorithm 4: Profit function computation of states in an Algorithm 5: Construction of a controller

extended RG Input: An extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) with the profit
Input: An extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) function 
Output: A profit function  for 𝐺𝑒 Output: A controller 𝐺𝑐 = (𝑐 , 𝑇𝑐 , 𝛥𝑐 , 𝑀𝑐 0 )
1 foreach 𝑀𝑒 ∈ 𝑒 do 1 𝑀𝑐 0 ← 𝑀𝑒0 ; 𝑐 ← {𝑀𝑐 0 };
2 if (𝑀𝑒 ) = ∅ then 2 ′𝑐 ← {𝑀𝑐 0 }; 𝛥𝑐 ← ∅; 𝑇𝑐 ← ∅;
3 (𝑀𝑒 ) ← 0 and tag node 𝑀𝑒 ‘‘old’’; 3 foreach 𝑀𝑐 ∈ ′𝑐 do
4 else if 𝑀𝑒 is a first-cycled state then 4 𝑀𝑒 ← 𝑀𝑐 ;
5 (𝑀𝑒 ) ← |𝑒 | × |𝑇 | and tag node 𝑀𝑒 ‘‘old’’; 5 foreach 𝑀𝑒′ ∈ (𝑀𝑒 ) do
6 if (𝑀𝑒′ ) ≥ 0 then
6 else
7 𝑐 ← 𝑐 ∪ 𝑀𝑒′ ;
7 (𝑀𝑒 ) ← −1 and assign no tag to 𝑀𝑒 ;
8 ′𝑐 ← 𝑐 ∪ 𝑀𝑒′ ;
8 ′𝑒 ← 𝑒 ; 9 𝑇𝑐 ← 𝑇𝑐 ∪  (𝑀𝑒 , 𝑀𝑒′ );
9 foreach 𝑀𝑒 = (𝑀𝑎 , 𝑀𝑏 ) ∈ ′𝑒 do 10 𝛥𝑐 ← 𝛥𝑐 ∪ {(𝑀𝑒 ,  (𝑀𝑒 , 𝑀𝑒′ ), 𝑀𝑒′ )};
10 if all states in (𝑀𝑒 ) with tag ‘‘old’’ then
11 ′𝑐 ← 𝑐 ∖{𝑀𝑐 };
11 𝑡 ← ∅;
12 foreach 𝑀𝑒′ = (𝑀𝑎′ , 𝑀𝑏′ ) ∈ (𝑀𝑒 ) do
13 if  (𝑀𝑒 , 𝑀𝑒′ ) = ∅ then
14 (𝑀𝑒′ ) = −1;
The mutually exclusive observations generated from 𝜃-adjacent ini-
15 𝑡 ← 𝑡 ∪  (𝑀𝑒 , 𝑀𝑒′ );
tial states need to be prohibited by supervisory control. The same ob-
16 foreach 𝑒 ∈ 𝐸 ∪ {𝜀} do servations generated from 𝜃-adjacent initial states should have identical
17 foreach 𝑓 ∈ {𝑎, 𝑏} do generation probabilities.
⋃
18 𝑓 ← 𝑡∈𝑡 ∧𝓁(𝑡)=𝑒 {𝑀𝑓′ }, 𝑀𝑓 [𝑡⟩𝑀𝑓′ ;
19 if |𝑎 | > |𝑏 | then Theorem 1. Given a net structure 𝐺𝑠 = (𝑁, 𝐸, 𝓁, 𝐵) that meets assumptions
20 𝑥 ← (𝑎 × 2 ) ∩ (𝑀𝑒 ); (A1) and (A2), two 𝜃-adjacent initial states 𝑀0 , 𝑀0′ , and a controller
21 ℎ ← |𝑎 | − |𝑏 |; 𝐺𝑐 = (𝑐 , 𝑇𝑐 , 𝛥𝑐 , 𝑀𝑐 0 ), the two controlled PLPNs 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ )
satisfy 𝜖-state differential privacy with respect to 𝜃-adjacent initial states 𝑀0
22 else
and 𝑀0′ for any 𝜖 ≥ 0 iff ( R1) and ( R2) hold.
23 𝑥 ← (1 × 𝑏 ) ∩ (𝑀𝑒 );
24 ℎ ← |𝑏 | − |𝑎 |;
Proof. (if) If 𝜔 ∈ 𝑜 (𝑀0 , 𝑘)∖𝑜 (𝑀0′ , 𝑘), we have 𝜔 ∈ 𝑜 (𝑀0 , 𝑘) and
25 Select ℎ states from 𝑥 such that the profit of any 𝜔 ∉ 𝑜 (𝑀0′ , 𝑘). The probability of generating 𝜔 from 𝑀0′ is equal to
non-selected state in 𝑥 is no less than that of a zero, i.e., Pr(𝑀0′ , 𝜔) = 0. In 𝐺𝑐 (𝑀0′ ), we also have Pr(𝑀0′ , 𝜔) = 0. By
selected state; (R1), for any 𝜔 ∈ 𝑜 (𝑀0 , 𝑘)∖𝑜 (𝑀0′ , 𝑘), there is no feasible transition
26 Reset the profits of all selected states as −1; sequence 𝜎 ∈ 𝑇 ∗ in 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ ) such that 𝓁(𝜎) = 𝜔 holds
27 Re-compute (𝑀𝑒 ) by Eq. (3); Tag node 𝑀𝑒 ‘‘old’’; and thus the probability of generating 𝜔 from 𝐺𝑐 (𝑀0 ) is required to
′𝑒 ← ′𝑒 − {𝑀𝑒 }; be zero, i.e., Pr(𝑀0 , 𝜔) = Pr(𝑀0′ , 𝜔) = 0. If 𝜔 ∈ 𝑜 (𝑀0′ , 𝑘)∖𝑜 (𝑀0 , 𝑘),
it holds Pr(𝑀0 , 𝜔) = Pr(𝑀0′ , 𝜔) = 0 in 𝐺𝑐 (𝑀0 ) or 𝐺𝑐 (𝑀0′ ) in the same
way. For any 𝜔 ∈ (𝑜 (𝑀0 , 𝑘)∖𝑜 (𝑀0′ , 𝑘)) ∪ (𝑜 (𝑀0′ , 𝑘)∖𝑜 (𝑀0 , 𝑘)), 𝜖 = 0
implies the truth of 𝑒𝑥𝑝(−𝜖)×Pr(𝑀0′ , 𝜔) ≤ Pr(𝑀0 , 𝜔) ≤ 𝑒𝑥𝑝(𝜖)×Pr(𝑀0′ , 𝜔).
For any 𝜔 ∈ 𝑜 (𝑀0 , 𝑘) ∩ 𝑜 (𝑀0′ , 𝑘), it holds Pr(𝑀0 , 𝜔) = Pr(𝑀0′ , 𝜔)
4. 𝛥𝑐 ⊆ 𝑐 × 2𝑇 × 𝑐 is the transition relation defined as:
in 𝐺𝑐 (𝑀0 ) or 𝐺𝑐 (𝑀0′ ) due to (R2) and thus 𝜖 = 0 implies the truth of
𝑀𝑒 ∈ 𝑐 & 𝑀𝑒′ ∈ (𝑀𝑒 ) & (𝑀𝑒′ ) ≥ 0 ⇒ (𝑀𝑒 ,  (𝑀𝑒 , 𝑀𝑒′ ), 𝑀𝑒′ ) ∈ 𝛥𝑐 . 𝑒𝑥𝑝(−𝜖) × Pr(𝑀0′ , 𝜔) ≤ Pr(𝑀0 , 𝜔) ≤ 𝑒𝑥𝑝(𝜖) × Pr(𝑀0′ , 𝜔).
Since 𝜔 ∈ (𝑜 (𝑀0 , 𝑘)∖𝑜 (𝑀0′ , 𝑘)) ∪ (𝑜 (𝑀0′ , 𝑘)∖𝑜 (𝑀0 , 𝑘)) ∪ (𝑜 (𝑀0 ,
Given an extended RG 𝐺𝑒 = (𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) by 𝐺𝑟1 and 𝐺𝑟2 with 𝑘) ∩ 𝑜 (𝑀0′ , 𝑘)) = 𝑜 (𝑀0 , 𝑘) ∪ 𝑜 (𝑀0′ , 𝑘), the controlled PLPNs 𝐺𝑐 (𝑀0 )
the profit function , a controller 𝐺𝑐 = (𝑐 , 𝑇𝑐 , 𝛥𝑐 , 𝑀𝑐 0 ) is constructed and 𝐺𝑐 (𝑀0′ ) satisfy 𝜖-state differential privacy with respect to two 𝜃-
by Algorithm 5. The initial state of 𝐺𝑒 serves as the initial state of 𝐺𝑐 , adjacent initial states 𝑀0 and 𝑀0′ for any 𝜖 ≥ 0 if (R1) and (R2)
i.e., 𝑀𝑐 0 = 𝑀𝑒0 . The set 𝑐 is initialized by 𝑐 = {𝑀𝑐 0 }. Let ′𝑐 be a hold.
(only if) If 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ ) satisfy 𝜖-state differential privacy
temporary variable, initialized by ′𝑐 = {𝑀𝑐 0 }. For any state 𝑀𝑐 ∈ ′𝑐 ,
with respect to 𝑀0 and 𝑀0′ for any 𝜖 ≥ 0, it holds 𝑒𝑥𝑝(−𝜖) × Pr(𝑀0′ , 𝜔)
let 𝑀𝑒 = 𝑀𝑐 . We find the set (𝑀𝑒 ) in 𝐺𝑒 . For any state 𝑀𝑒′ ∈ (𝑀𝑒 ),
≤ Pr(𝑀0 , 𝜔) ≤ 𝑒𝑥𝑝(𝜖) × Pr(𝑀0′ , 𝜔) with 𝜖 = 0, i.e., Pr(𝑀0 , 𝜔) = Pr(𝑀0′ ,
if the profit of 𝑀𝑒′ is not −1, the state 𝑀𝑒′ is put into 𝑐 and ′𝑐 , and
𝜔). For any 𝜔 ∈ 𝑜 (𝑀0 , 𝑘)∖𝑜 (𝑀0′ , 𝑘) (or 𝜔 ∈ 𝑜 (𝑀0′ , 𝑘)∖𝑜 (𝑀0 , 𝑘)), to
thus (𝑀𝑒 ,  (𝑀𝑒 , 𝑀𝑒′ ), 𝑀𝑒′ ) ∈ 𝛥𝑐 is obtained. The state 𝑀𝑐 is removed
ensure that Pr(𝑀0 , 𝜔) (or Pr(𝑀0′ , 𝜔)) is equal to zero, there is no feasible
from ′𝑐 . This procedure runs iteratively until there is no state in ′𝑐 . transition sequence 𝜎 ∈ 𝑇 ∗ in 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ ) such that 𝓁(𝜎) = 𝜔
If a PLPN with two 𝜃-adjacent initial states does not satisfy 𝜖-state holds. Thus, (R1) holds. For any 𝜔 ∈ 𝑜 (𝑀0 , 𝑘) ∩ 𝑜 (𝑀0′ , 𝑘), it holds
differential privacy, the construction of a controller becomes manda- Pr(𝑀0 , 𝜔) = Pr(𝑀0′ , 𝜔) in 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ ). Thus, (R2) holds. ■
tory to enforce the state differential privacy. Given 𝑀0 , 𝑀0′ (leading
to two PLPNs 𝐺(𝑀0 ) and 𝐺(𝑀0′ )) and a controller 𝐺𝑐 , we accordingly Proposition 2. Given two RGs 𝐺𝑟1 = (1 , 𝑇 , 𝛥1 , 𝑀0 ) and 𝐺𝑟2 = (2 ,
have two controlled PLPNs (two PLPNs with the controller), denoted 𝑇 , 𝛥2 , 𝑀0′ ) of a PLPN structure 𝐺𝑠 with two 𝜃-adjacent initial states 𝑀0
by 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ ), respectively, satisfying, given any 𝑘 ∈ N, and 𝑀0′ , and a controller 𝐺𝑐 = (𝑐 , 𝑇𝑐 , 𝛥𝑐 , 𝑀𝑐 0 ), ( R1) and ( R2) hold if
(R1) for any 𝜔 ∈ (𝑜 (𝑀0 , 𝑘)∖𝑜 (𝑀0′ , 𝑘)) ∪ (𝑜 (𝑀0′ , 𝑘)∖𝑜 (𝑀0 , 𝑘)), (∀𝑀𝑐 ∈ 𝑐 )(∀𝑒 ∈ 𝐸 ∪ {𝜀}) |𝑎 (𝑀𝑐 , 𝑒)| = |𝑏 (𝑀𝑐 , 𝑒)|.
there is no feasible transition sequence 𝜎 ∈ 𝑇 ∗ in 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ )
such that 𝓁(𝜎) = 𝜔 holds, and Proof. For all 𝑀𝑐 = (𝑀𝑎 , 𝑀𝑏 ) ∈ 𝑐 and all 𝑒 ∈ 𝐸 ∪ {𝜀}, 𝑎 (𝑀𝑐 , 𝑒)
(R2) for any 𝜔 ∈ 𝑜 (𝑀0 , 𝑘) ∩ 𝑜 (𝑀0′ , 𝑘), it holds Pr(𝑀0 , 𝜔) = Pr(𝑀0′ , and 𝑏 (𝑀𝑐 , 𝑒) are the sets of one-step reachable states from 𝑀𝑎 in
𝜔) in 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ ). 𝐺𝑟1 and 𝑀𝑏 in 𝐺𝑟2 by firing a candidate transition 𝑡 with 𝓁(𝑡) = 𝑒,

8
Y. Teng et al.
Fig. 4. Controller 𝐺𝑐 for ⟨𝐺1 𝑠 , 𝑀0 ⟩ and ⟨𝐺1 𝑠 , 𝑀0′ ⟩.
respectively. For all 𝑀𝑐 = (𝑀𝑎 , 𝑀𝑏 ) ∈ 𝑐 and all 𝑒 ∈ 𝐸 ∪ {𝜀}, due
to |𝑎 (𝑀𝑐 , 𝑒)| = |𝑏 (𝑀𝑐 , 𝑒)|, the probabilities of 𝑒 generated from 𝑀𝑎
in 𝐺(𝑀0 ) and 𝑀𝑏 in 𝐺(𝑀0′ ) are the same. The probability of generating
an observation from 𝑀0 in 𝐺𝑐 (𝑀0 ) or 𝑀0′ in 𝐺𝑐 (𝑀0′ ) is expressed by
Eq. (1). Suppose that at a time instance, the current observation length
is 𝑘 ∈ N. For all 𝜔 ∈ 𝑜 (𝑀0 , 𝑘) ∩ 𝑜 (𝑀0′ , 𝑘), the firing probabilities
of 𝜔 from 𝑀0 in 𝐺𝑐 (𝑀0 ) and 𝑀0′ in 𝐺𝑐 (𝑀0′ ) are the same, i.e., Pr(𝑀0 ,
𝜔) = Pr(𝑀0′ , 𝜔). For all 𝜔 ∈ (𝑜 (𝑀0 , 𝑘)∖𝑜 (𝑀0′ , 𝑘)) ∪ (𝑜 (𝑀0′ , 𝑘)∖𝑜 (𝑀0 ,
𝑘)), it holds Pr(𝑀0 , 𝜔) = Pr(𝑀0′ , 𝜔), i.e., there is no feasible transition
sequence 𝜎 ∈ 𝑇 ∗ in 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ ) such that 𝓁(𝜎) = 𝜔 holds. Thus,
(R1) and (R2) hold. ■ 6. Numerical examples
Theorem 2. The controller 𝐺𝑐 due to Algorithm 5 is maximally permissive
for the enforcement of 0-state differential privacy.
Proof. To show that 𝐺𝑐 is maximally permissive for the enforcement of
0-state differential privacy, we need to prove that there is no controller
where the state and transition relation is larger than that of 𝐺𝑐 .
Given 𝐺𝑐 = (𝑐 , 𝑇𝑐 , 𝛥𝑐 , 𝑀𝑐 0 ) derived from an extended RG 𝐺𝑒 =
(𝑒 , 𝑇𝑒 , 𝛥𝑒 , 𝑀𝑒0 ) with the profit function , for all 𝑀𝑒 = (𝑀𝑎 , 𝑀𝑏 ) ∈
𝑒 and all 𝑒 ∈ 𝐸 ∪{𝜀}, by resetting the profits of all one-step reachable
states of 𝑀𝑒 , the numbers of one-step reachable states from 𝑀𝑎 in 𝐺𝑟1
and 𝑀𝑏 in 𝐺𝑟2 by firing a candidate transition 𝑡 with 𝓁(𝑡) = 𝑒 are the
same. In this way, the controlled PLPNs 𝐺𝑐 (𝑀0 ) and 𝐺𝑐 (𝑀0′ ) can reach
the maximum number of states while satisfying 0-state differential
privacy.
For all 𝑀𝑒 = (𝑀𝑎 , 𝑀𝑏 ) and all 𝑀𝑒′ = (𝑀𝑎′ , 𝑀𝑏′ ) ∈ (𝑀𝑒 ), the set
 (𝑀𝑒 , 𝑀𝑒′ ) denotes all candidate transitions from 𝑀𝑒 to 𝑀𝑒′ . By com-
puting candidate transitions between a state and its one-step reachable
state from 𝐺𝑒 , the number of transitions from a state and its one-step
reachable state in 𝐺𝑐 is maximum while the firing probabilities of any
label from 𝑀𝑎 yielding 𝑀𝑎′ and from 𝑀𝑏 yielding 𝑀𝑏′ are equal. Since
the selection of states in 𝐺𝑒 as the states in 𝐺𝑐 follows the profit func-
tion, and the profit of a state 𝑀𝑒 is actually the maximum number of
transitions from 𝑀𝑒 to any state in 𝐺𝑒 , the controlled PLPNs 𝐺𝑐 (𝑀0 ) and
𝐺𝑐 (𝑀0′ ) contain the maximum number of transition relations satisfying
0-state differential privacy. ■ The proposed method in this paper introduces differential privacy
Example 4. Consider again the extended RG 𝐺𝑒 in Fig. 3 with the profit
function . A controller can be constructed for two 2-adjacent initial
states 𝑀0 and 𝑀0′ . The initial state 𝑀𝑐 0 of 𝐺𝑐 is that of 𝐺𝑒 , i.e., 𝑀𝑐 0 =
𝑀𝑒0 . By (𝑀𝑒0 ) = {𝑀𝑒1 }, (𝑀𝑒1 ) ≥ 0, and  (𝑀𝑒0 , 𝑀𝑒1 ) = {𝑡1 }, we
obtain 𝑀𝑐 1 = 𝑀𝑒1 and (𝑀𝑐 0 , {𝑡1 }, 𝑀𝑐 1 ) ∈ 𝛥𝑐 . Similarly, 𝑀𝑐 2 = 𝑀𝑒2
and (𝑀𝑐 1 , {𝑡2 }, 𝑀𝑐 2 ) ∈ 𝛥𝑐 hold. For 𝑀𝑐 2 , by (𝑀𝑒2 ) = {𝑀𝑒3 , 𝑀𝑒4 },
(𝑀𝑒3 ) ≥ 0,  (𝑀𝑒2 , 𝑀𝑒3 ) = {𝑡3 }, and (𝑀𝑒4 ) < 0, 𝑀𝑐 3 = 𝑀𝑒3
holds and 𝑀𝑒4 is not a state in 𝐺𝑐 . It holds (𝑀𝑐 2 , {𝑡3 }, 𝑀𝑐 3 ) ∈ 𝛥𝑐 .
Furthermore, we obtain (𝑀𝑐 3 , {𝑡4 }, 𝑀𝑐 0 ) ∈ 𝛥𝑐 . The controller 𝐺𝑐 is
shown in Fig. 4. ■ observable transitions 𝑡1 –𝑡4 , 𝑡7 –𝑡11 , 𝑡13 –𝑡17 , 𝑡19 –𝑡23 , and 𝑡26 represent
9
Expert Systems With Applications 237 (2024) 121454
Fig. 5. PLPN structure 𝐺2 𝑠 .
An example of a hospital management system is provided to illus-
trate the proposed method. Based on the public database of medical
examinations for diseases recorded in a hospital, an external observer
can obtain the probability distributions of the observed behavior of pa-
tients performing examinations with different diseases in the hospital.
An attacker (a malicious observer) may obtain the location information
of a large number of patients in the surgical building by invading
mobile base stations. Due to limited detection accuracy, the attacker
only knows which area the patients have gone to but does not know
the specific initial department. Patients in similar initial locations are
considered to depart from the same initial department, meaning that
patients have the same disease information. The disease information
of patients varies depending on the location of the initial department.
For patients with similar initial locations, the attacker knows that these
patients are from the same initial department, but does not know what
their initial department is.
An attacker can obtain the probability distribution of the observed
behavior of patients from the same initial department by observing
the subsequent examinations performed by these patients. The attacker
may infer the initial department by comparing the observed probability
distribution with the previously obtained probability distributions, that
is, obtaining the disease information of the patients. In this way, the
attacker can achieve the purpose of recommending drugs to certain
patients. The disease information of patients is not intended to be
disclosed to the public.
into hospital management systems to protect the disease information
of patients. For patients from two different initial departments, if the
probability distributions of the observed behavior of the patients per-
forming examinations in a hospital are similar, an attacker is unlikely
to infer the initial department of the patients. Therefore, the proposed
method in this paper protects the privacy of patients.
A PLPN is used to simulate the behavior of patients performing
examinations in a hospital, whose structure 𝐺2𝑠 is shown in Fig. 5.
It is assumed that an external attacker fully knows the structure of
the hospital management system, but only partially observes the event
occurrences in it. For 𝐺2𝑠 , the labels 𝑎, 𝑏, 𝑐, 𝑑, 𝑒, and 𝑓 of the
CT, X-ray, ultrasound scan, magnetic resonance, electrocardiograph, and
Y. Teng et al. Expert Systems With Applications 237 (2024) 121454

Fig. 6. RGs 𝐺2 𝑟 1 and 𝐺2 𝑟 2 .

Fig. 7. Probability distributions of observations generated from 𝑀0 and 𝑀0′ bounded by 𝑘 = 10 in 𝐺2 (𝑀0 ) and 𝐺2 (𝑀0′ ).

Fig. 9. Controller 𝐺𝑐 for ⟨𝐺2 𝑠 , 𝑀0 ⟩ and ⟨𝐺2 𝑠 , 𝑀0′ ⟩.

Fig. 8. Extended RG 𝐺𝑒 between 𝐺2 𝑟 1 and 𝐺2 𝑟 2 .

radiographs performed by patients, respectively, which can be observed
by the attacker. To prevent the privacy of patients from being leaked,
the hospital can add turbulence to or shield positioning signals to
make the moving of patients to some departments indistinguishable or
undetectable. In this work, the behavior of patients performing blood
routine, urine routine, liver function and other laboratory examinations
are invisible to the attacker, represented by the unobservable events
𝑡5 , 𝑡6 , 𝑡12 , 𝑡18 , 𝑡24 , and 𝑡25 . Two initial states 𝑀0 = 𝑝1 + 𝑝10 + 𝑝19 and
𝑀0′ = 𝑝10 + 𝑝19 + 𝑝20 are 2-adjacent for 𝐺2𝑠 , which represent that a
patient is located in two different surgical departments.
The RGs of ⟨𝐺2𝑠 , 𝑀0 ⟩ and ⟨𝐺2𝑠 , 𝑀0′ ⟩ are shown in Figs. 6(a) and
(b), respectively. Suppose that at a time instance, the current obser-
vation length is 𝑘 = 10. Fig. 7 graphically represents the probability
distributions of observations generated from 𝑀0 and 𝑀0′ bounded by
𝑘 = 10 in 𝐺2 (𝑀0 ) and 𝐺2 (𝑀0′ ). It is obvious that the probabilities of
generating observations from 𝑀0 and 𝑀0′ in 𝐺2𝑠 are quite different
and thus the PLPN does not satisfy 0.05-state differential privacy with
respect to 𝑀0 and 𝑀0′ . An external attacker can infer the initial state

10
Y. Teng et al.
Fig. 10. Probability distributions of observations generated from 𝑀0 and 𝑀0′ bounded by 𝑘 = 10 in 𝐺2 𝑐 (𝑀0 ) and 𝐺2 𝑐 (𝑀0′ ).
Table 2
Algorithm complexity.
Algorithm computational complexity space complexity
Algorithm 1 𝑂(2𝑛 ) 𝑂(2𝑛 )
Algorithm 2 𝑂(𝑛3 ) 𝑂(𝑛2 )
Algorithm 3 𝑂(𝑛2 ) 𝑂(𝑛)
Algorithm 4 𝑂(𝑛3 ) 𝑂(𝑛)
Algorithm 5 𝑂(𝑛2 ) 𝑂(𝑛)
by the probability distributions of observations generated from 𝑀0 and
𝑀0′ bounded by the length 𝑘 in 𝐺2 (𝑀0 ) and 𝐺2 (𝑀0′ ).
The extended RG 𝐺𝑒 by 𝐺2𝑟 1 and 𝐺2𝑟 2 is shown in Fig. 8. Next, let
us compute the profits of states in 𝐺𝑒 . Since 𝑀𝑒0 is a first-cycled state
and |𝑒 | × |𝑇 | = 260, the profit of 𝑀𝑒0 is initialized as (𝑀𝑒0 ) = 260.
The profits of other states in 𝐺𝑒 are initialized to −1. For state 𝑀𝑒9 , by
(𝑀𝑒9 ) = {𝑀𝑒0 } and (𝑀𝑒0 ) = 260 ≥ 0, we find (𝑀𝑒9 ) = (𝑀𝑒0 ) +
(𝑀𝑒9 , 𝑀𝑒0 ) = 261 by Eq. (3). Similarly, (𝑀𝑒7 ) = 262 and (𝑀𝑒8 ) =
262 hold. For state 𝑀𝑒6 and label 𝑒, we have 𝑎 (𝑀6 , 𝑒) = {𝑀7 } and
𝑏 (𝑀5′ , 𝑒) = {𝑀6′ , 𝑀7′ }. By (𝑀𝑒6 , 𝑀𝑒7 ) = 2 and (𝑀𝑒6 , 𝑀𝑒8 ) = 1, we
have (𝑀𝑒7 ) + (𝑀𝑒6 , 𝑀𝑒7 ) = 264, and (𝑀𝑒8 ) + (𝑀𝑒6 , 𝑀𝑒8 ) = 263.
By step (2.3) of the computation of the profit function of states in
𝐺𝑒 , the profit of 𝑀𝑒8 is reset as −1. Finally we have (𝑀𝑒9 ) = 261,
(𝑀𝑒7 ) = 262, (𝑀𝑒8 ) = −1, (𝑀𝑒6 ) = 264, (𝑀𝑒5 ) = 265, (𝑀𝑒4 ) =
266, (𝑀𝑒2 ) = 267, (𝑀𝑒3 ) = −1, (𝑀𝑒1 ) = 269, and (𝑀𝑒0 ) = 270.
A controller 𝐺𝑐 can be constructed for 𝐺2𝑠 with two 2-adjacent
initial states 𝑀0 and 𝑀0′ . 𝑀𝑐 0 = 𝑀𝑒0 and 𝑀𝑐 1 = 𝑀𝑒1 hold. By
(𝑀𝑒1 ) = {𝑀𝑒2 , 𝑀𝑒3 }, (𝑀𝑒2 ) ≥ 0, and (𝑀𝑒3 ) < 0, we obtain
𝑀𝑐 2 = 𝑀𝑒2 . By  (𝑀𝑒1 , 𝑀𝑒2 ) = {𝑡2 , 𝑡3 , 𝑡15 , 𝑡16 }, we obtain (𝑀𝑐 1 , {𝑡1 , 𝑡6 ,
𝑡2 , 𝑡7 }, 𝑀𝑐 2 ) ∈ 𝛥𝑐 . Finally, we obtain all states and transition relations
in 𝐺𝑐 . The controller 𝐺𝑐 is shown in Fig. 9.
The sets of observations generated from 𝑀0 and 𝑀0′ bounded by
𝑘 = 10 in 𝐺2𝑐 (𝑀0 ) and 𝐺2𝑐 (𝑀0′ ) are updated to 𝑜 (𝑀0 , 10)= 𝑜 (𝑀0′ ,
10) = {𝜀, 𝑑, 𝑑𝑎, 𝑑𝑏, 𝑑𝑎𝑐, 𝑑𝑏𝑐, …, 𝑑𝑎𝑐𝑑𝑒𝑎𝑑𝑏𝑐𝑑, 𝑑𝑎𝑐𝑑𝑓 𝑎𝑑𝑏𝑐𝑑, 𝑑𝑏𝑐𝑑𝑒𝑎𝑑𝑏𝑐𝑑,
𝑑𝑏𝑐𝑑𝑓 𝑎𝑑𝑏𝑐𝑑}. For all 𝜔 ∈ 𝑜 (𝑀0 , 10)∪𝑜 (𝑀0′ , 10), the probability distri-
butions of observations generated from 𝑀0 and 𝑀0′ bounded by 𝑘 = 10
in 𝐺2𝑐 (𝑀0 ) and 𝐺2𝑐 (𝑀0′ ) are shown in Fig. 10. For any observation 𝜔,
it satisfies 𝑒𝑥𝑝(−𝜖) × Pr(𝑀0′ , 𝜔) ≤ Pr(𝑀0 , 𝜔) ≤ 𝑒𝑥𝑝(𝜖) × Pr(𝑀0′ , 𝜔) if 𝜖 = 0.
The controlled PLPNs 𝐺2𝑐 (𝑀0 ) and 𝐺2𝑐 (𝑀0′ ) satisfy 0-state differential
privacy. Table 2 provides the algorithm complexity of the proposed
method in this paper. An external attacker is unlikely to infer the initial
state by the probability distributions of observations generated from
𝑀0 and 𝑀0′ bounded by the length 𝑘 in 𝐺2𝑐 (𝑀0 ) and 𝐺2𝑐 (𝑀0′ ). In
the controlled hospital management system, an attacker is unlikely to
infer the initial department of patients with similar initial locations by
observing their sequential examinations. The disease information of the
patients is protected by the proposed method in this paper.
7. Conclusions
Findings: This paper introduces differential privacy into the framework
of DESs modeled by PLPNs to solve the problems pertaining to initial
state protection. A state differential privacy verification method is
11
Expert Systems With Applications 237 (2024) 121454
proposed by analyzing the probability distributions of observations
generated from adjacent initial states. The proposed method can verify
whether a system satisfies state differential privacy with respect to
the adjacent initial states, i.e., whether the initial state is protected. A
supervisory control method is proposed for enforcement if the system
does not satisfy state differential privacy. A maximally permissive
controller is constructed based on the control specification to supervise
the evolution of a PLPN.
Research limitations: In this paper, we aim at the strictest control
specification such that the controller constructed by our supervisory
control method is maximally permissive for the enforcement of 0-state
differential privacy. For other control specifications, this paper does not
develop a maximally permissive supervisory control method.
Recommendations for future research: In future work, we will
consider more general control specifications, i.e., the general case for
any positive 𝜖.
CRediT authorship contribution statement
Yuanxiu Teng: Investigation, Writing – original draft, Method-
ology. Li Yin: Conceptualization, Supervision, Validation, Writing –
review & editing. Zhiwu Li: Formal analysis, Validation, Writing –
review & editing. Naiqi Wu: Writing – review & editing, Project
administration.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Data availability
No data was used for the research described in the article.
Acknowledgments
This work is supported by the Science Technology Development
Fund, MSAR, under Grants No. 0064/2021/A2 and 0101/2022/A.
References
Arichi, F., Cherki, B., Djemai, M., & Djouadi, S. (2022). Fault diagnosis for discrete
events systems described by partially observed Petri nets. ISA Transactions, 128,
220–228. http://dx.doi.org/10.1016/j.isatra.2021.09.010.
Basile, F., De Tommasi, G., & Motta, C. (2023). Assessment of initial-state-opacity in
live and bounded labeled Petri net systems via optimization techniques. Automatica,
152, http://dx.doi.org/10.1016/j.automatica.2023.110911.
Cabasino, M., Giua, A., & Seatzu, C. (2014). Diagnosability of discrete-event systems
using labeled Petri nets. IEEE Transactions on Automation Science and Engineering,
11(1), 144–153. http://dx.doi.org/10.1109/TASE.2013.2289360.
Cabasino, M., Hadjicostis, C., & Seatzu, C. (2015). Probabilistic marking estimation
in labeled Petri nets. IEEE Transactions on Automatic Control, 60(2), 528–533.
http://dx.doi.org/10.1109/TAC.2014.2343373.
Chaudhuri, K., Monteleoni, C., & Sarwate, A. (2011). Differentially private empirical
risk minimization. Journal of Machine Learning Research, 12, 1069–1109.
Y. Teng et al. Expert Systems With Applications 237 (2024) 121454

Ding, Z., Zhou, Y., & Zhou, M. (2018). Modeling self-adaptive software systems by Soria-Comas, J., Domingo-Ferrer, J., Sanchez, D., & Megias, D. (2017). Individual
fuzzy rules and Petri nets. IEEE Transactions on Fuzzy Systems, 26(2), 967–984. differential privacy: A utility-preserving formulation of differential privacy guar-
http://dx.doi.org/10.1109/TFUZZ.2017.2700286. antees. IEEE Transactions on Information Forensics and Security, 12(6), 1418–1429.
Dwork, C. (2008). Differential privacy: A survey of results. In Proc. 5th international http://dx.doi.org/10.1109/TIFS.2017.2663337.
conference on theory and applications of models of computation (pp. 1–19). http: Sweeney, L. (2002). K-anonymity: A model for protecting privacy. International Journal
//dx.doi.org/10.1007/978-3-540-79228-4_1. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5), 557–570. http://dx.
Dwork, C., & Roth, A. (2013). The algorithmic foundations of differential privacy. doi.org/10.1142/S0218488502001648.
Foundations and Trends in Theoretical Computer Science, 9(3–4), 211–406. http: Tong, Y., Li, Z., Seatzu, C., & Giua, A. (2017a). Decidability of opacity verification
//dx.doi.org/10.1561/0400000042. problems in labeled Petri net systems. Automatica, 80, 48–53. http://dx.doi.org/
Fiore, D., & Russo, G. (2019). Resilient consensus for multi-agent systems subject 10.1016/j.automatica.2017.01.013.
to differential privacy requirements. Automatica, 106, 18–26. http://dx.doi.org/10. Tong, Y., Li, Z., Seatzu, C., & Giua, A. (2017b). Verification of state-based opacity
1016/j.automatica.2019.04.029. using Petri nets. IEEE Transactions on Automatic Control, 62(6), 2823–2837. http:
Gu, Z., & Zhang, G. (2023). Trajectory data publication based on differential privacy. //dx.doi.org/10.1109/TAC.2016.2620429.
International Journal of Information Security and Privacy, 17(1), http://dx.doi.org/ Varghese, F., & Sasikala, P. (2023). A detailed review based on secure data transmission
10.4018/IJISP.315593. using cryptography and steganography. Wireless Personal Communications, 129(4),
Hassan, M., Rehmani, M., & Chen, J. (2020). Differential privacy techniques for 2291–2318. http://dx.doi.org/10.1007/s11277-023-10183-z.
cyber physical systems: A survey. IEEE Communications Surveys & Tutorials, 22(1), Wang, X., Lu, F., Zhou, M., & Zeng, Q. (2022). A synergy-effect-incorporated fuzzy
746–789. http://dx.doi.org/10.1109/COMST.2019.2944748. Petri net modeling paradigm with application in risk assessment. Expert Systems
Hu, Y., & Cao, S. (2023). Asynchronous diagnosability enforcement in discrete event with Applications, 199, http://dx.doi.org/10.1016/j.eswa.2022.117037.
systems based on supervisory control. IEEE Sensors Journal, 23(9), 10071–10079. Yang, J., Deng, W., Qiu, D., & Jiang, C. (2020). Opacity of networked discrete event
http://dx.doi.org/10.1109/JSEN.2023.3259524. systems. Information Sciences, 543, 328–344. http://dx.doi.org/10.1016/j.ins.2020.
Jiang, H., Pei, J., Yu, D., Yu, J., Gong, B., & Cheng, X. (2023). Applications of 07.017.
differential privacy in social network analysis: A survey. IEEE Transactions on Yang, B., & Li, H. (2018). A novel dynamic timed fuzzy Petri nets modeling method with
Knowledge and Data Engineering, 35(1), 108–127. http://dx.doi.org/10.1109/TKDE. applications to industrial processes. Expert Systems with Applications, 97, 276–289.
2021.3073062. http://dx.doi.org/10.1016/j.eswa.2017.12.027.
Jones, A., Leahy, K., & Hale, M. (2019). Towards differential privacy for symbolic Yin, C., Xi, J., Sun, R., & Wang, J. (2018). Location privacy protection based on
systems. In Proc. American control conference (pp. 372–377). differential privacy strategy for big data in industrial Internet of Things. IEEE
Li, D., Wu, J., Le, J., Liao, X., & Xiang, T. (2023). A novel privacy-preserving location- Transactions on Industrial Informatics, 14(8), 3628–3636. http://dx.doi.org/10.1109/
based services search scheme in outsourced cloud. IEEE Transactions on Cloud TII.2017.2773646.
Computing, 11(1), 457–469. http://dx.doi.org/10.1109/TCC.2021.3098420. Yu, Y., Liu, G., & Hu, W. (2022). Security tracking control for discrete-time stochastic
Ma, Z., Li, Z., & Giua, A. (2020). Marking estimation in a class of time labeled Petri systems subject to cyber attacks. ISA Transactions, 127, 133–145. http://dx.doi.org/
nets. IEEE Transactions on Automatic Control, 65(2), 493–506. http://dx.doi.org/10. 10.1016/j.isatra.2022.02.001.
1109/TAC.2019.2907413. Zhu, G., Li, Z., & Wu, N. (2018). Model-based fault identification of discrete event
McSherry, F. (2010). Privacy integrated queries: An extensible platform for privacy- systems using partially observed Petri nets. Automatica, 96, 201–212. http://dx.
preserving data analysis. Communications of the ACM, 53(9), 89–97. http://dx.doi. doi.org/10.1016/j.automatica.2018.06.039.
org/10.1145/1810891.1810916. Zhu, T., Li, G., Zhou, W., & Yu, P. (2017). Differentially private data publishing and
analysis: A survey. IEEE Transactions on Knowledge and Data Engineering, 29(8),
1619–1638. http://dx.doi.org/10.1109/TKDE.2017.2697856.

12