Resilient group consensus in heterogeneously robust networks with hybrid dynamics

This paper studies resilient coordinated control over networks with hybrid dynamics and malicious agents. In a hybrid multi‐agent system, continuous‐time and discrete‐time agents concurrently exist and communicate through local interaction. We introduce the notion of heterogeneous robustness to capture the topological structure and facilitate convergence analysis of hybrid agents over multiple subnetworks, where the exact number and identities of malicious agents are not known. A hybrid resilient strategy is first designed to ensure group consensus of the heterogeneously robust network admitting completely distributed implementation. We then develop a scaled consensus protocol which allows different clusters within each subnetwork, providing further flexibility over the resilient control tasks. Finally, some numerical examples are worked out to illustrate the effectiveness of theoretical results.

systems. Some necessary and sufficient conditions guaranteeing consensus are derived based on matrix analysis. The results are later extended to second-order multi-agent systems. 13 A game-theoretic approach is developed in Ma et al. 14 to tackle consensus in hybrid multi-agent systems featuring a cost function for interacting agents. As the capability of preventing faults and adversarial attacks is essential in many engineered and natural systems, a resilient version of consensus in hybrid systems is introduced in Shang, 15 where each agent removes a given number of the highest and lowest values amongst those received from its neighbors. This extends the class of Weighted-Mean-Subsequence-Reduced algorithms (W-MSR), which has played an important role in dealing with Byzantine nodes in networked control systems. [16][17][18][19][20] An overarching assumption of the W-MSR algorithms in the literature is that each normal agent in the network knows a priori a given maximum number r of agents which are malicious. Normal agents are then allowed to remove some number of values that are farthest from their own during the interaction with neighbors in order to eliminate the influence of potentially deceptive information. To ensure resilient consensus, the entire underlying communication network is required to be sufficiently robust, which imposes a rather restrictive and rigid connectivity condition [15][16][17][18][19][20] for many real-world networks, as practical networks are often heterogeneously connected and have unequal connectedness/robustness in parts. In mobile networks, for example, irregular deployment of gateway nodes gives rise to heterogeneous connectivity. 23 In combat networks involving different parts of force nodes, intelligence nodes, and command and control nodes, 24 heterogeneous functional robustness is shown to improve overall network performance.
In this paper, we develop distributed protocols for resilient consensus over complex networks with heterogeneous robustness. We introduce the method of group consensus to W-MSR algorithms in order to allow convergence to different subgroup-level consensus values. In our resilient consensus framework, the agent dynamics are assumed to be hybrid, continuing the line of research in the work. [12][13][14][15] The main novelty of the work is summarized as follows. First, we extend the monolithic network robustness concept [15][16][17][18][19][20] to accommodate heterogeneously robust subgroups of agents; cf. Definition 1 and Definition 2. This provides needed flexibility in practical applications. Second, resilient control protocols are designed to achieve group consensus on directed networks with hybrid agent dynamics; cf. Section 2.3. This generalizes Shang 15 to allow for subgroup-level individual consensus behavior, which, to the best of our knowledge, has so far only been investigated for systems containing either all discrete-time agents 25,26 or all continuous-time agents. [27][28][29] Finally, as a further generalization, resilient scaled group consensus protocols are designed to achieve scaled consensus in each subnetwork containing hybrid agents, where the values of agents reach any prescribed ratio instead of a consistent value. The scaled group consensus problem has been studied for agents with discrete-time dynamics 30 as well as continuous-time dynamics, 31 but no fault-tolerant feature has been considered in these works.
It is worth noting that resilient group consensus problems have been approached very recently in Öksüz and Akar 32 for discrete-time agents in a different spirit. The network considered there is structured into multiple functional layers according to certain connectivity properties, and conditions for distribution of normal and adversarial nodes in these layers are proposed to guarantee group consensus without a fault-tolerant strategy.
In the context of consensus problems of multi-agent systems, a different type of hybridity alternating between discrete and continuous behaviors in the same system has also been investigated in the literature. 21,22 Such problems have been studied under the name of "switched multi-agent systems". In this sense, the hybrid systems studied in the present paper might be better interpreted as hybrid networks as the hybridity lies more in the type of nodes.
The rest of the paper is organized as follows. In Section 2, we provide some preliminaries, hybrid system model, and our resilient consensus strategy. In Section 3, we present our main results with convergence analysis. Some numerical examples are given in Section 4. The paper is concluded in Section 5.

PRELIMINARIES
Some graph theory preliminaries, the hybrid system model, and heterogeneous resilient strategy are detailed in this section.

Graph theory
We denote by R and N the sets of real numbers and non-negative integers, respectively. A directed graph (or network) G = (V, E) of order n is composed of the node set V = {v 1 , v 2 , … , v n } and the edge set E ⊆ V × V. The nodes are often referred to as agents in distributed coordination and are partitioned as V = N ∪ M, where N is composed of all normal agents and M encompasses the agents which may be malicious or adversarial; see Definition 3 below. The identities of malicious agents are generally not known by the normal agents, which could make the consensus-seeking process very challenging. We divide the graph G into Θ subgraphs G = (V , E ) for = 1, 2, … , Θ, where V 1 = {v 1 , v 2 , … , v n 1 }, V 2 = {v n 1 +1 , … , v n 1 +n 2 }, … , V Θ = {v n 1 + … +n Θ−1 +1 , … , v n 1 + … +n Θ }, and E ⊆ E contains directed edges within V . Here, |V | = n represents the number of agents in the -th subgroup for 1 ≤ ≤ Θ, and n = ∑ Θ =1 n . The edge (v i , v j ) ∈ E indicates that agent v i can send information to agent v j by means of the network topology G. Let If there exists a directed path from v r to all other nodes in V, then G is said to have a directed spanning tree with root node v r . Given r ∈ N, a subset S ⊆ V is called r-reachable 16 if there is some node v i ∈ S satisfying |N i ∖ S|≥r. Furthermore, the graph G is called r-robust if for any two nonempty and mutually exclusive subsets S 1 , S 2 ⊆ V at least one of them is r-reachable. Some basic properties of robust graphs are summarized as follows.
Lemma 1 ( 16 ). Fix s, r ∈ N (s < r), and assume that H is obtained by removing up to s incoming edges of every node in an r-robust directed graph G. Then H is (r − s)-robust. Moreover, G is a 1-robust directed graph if and only if G contains a directed spanning tree.
Given r ∈ N for 1 ≤ ≤ Θ, we extend the graph robustness concept to the heterogeneous robustness.
Intuitively, a graph G is (r 1 , … , r Θ )-robust if each of its constituent subgraphs possesses the specified extent of connectivity. Note that if r ≡ r for all 1 ≤ ≤ Θ, then an r-robust graph G must be (r 1 , … , r Θ )-robust. However, (r 1 , … , r Θ )-robustness of G does not imply r-robustness for any number r. For example, if G does not have a spanning tree, then by Lemma 1, G is not r-robust for any r ∈ N.
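The definitions of r-reachable and r-robust above, together with both statements of Lemma 1, can be checked by exhaustive search on small graphs. The following Python sketch is an added example, not code from the paper; it assumes N i is the set of in-neighbors of v i (the nodes that send to v i), and the sample graphs are constructed for illustration. It covers only plain r-robustness, not the heterogeneous notion.

```python
from itertools import combinations


def in_neighbors(nodes, edges):
    """Map each node to the set of nodes that send to it; edge (u, v) means u -> v."""
    nbrs = {v: set() for v in nodes}
    for u, v in edges:
        nbrs[v].add(u)
    return nbrs


def is_r_reachable(subset, nbrs, r):
    """S is r-reachable if some node in S has at least r in-neighbors outside S."""
    return any(len(nbrs[v] - subset) >= r for v in subset)


def is_r_robust(nodes, edges, r):
    """Check every pair of nonempty disjoint subsets (exponential; small graphs only)."""
    nodes = list(nodes)
    nbrs = in_neighbors(nodes, edges)
    for size1 in range(1, len(nodes)):
        for s1 in map(set, combinations(nodes, size1)):
            if is_r_reachable(s1, nbrs, r):
                continue  # any pair containing this S1 already satisfies the definition
            rest = [v for v in nodes if v not in s1]
            for size2 in range(1, len(rest) + 1):
                for s2 in map(set, combinations(rest, size2)):
                    if not is_r_reachable(s2, nbrs, r):
                        return False  # neither S1 nor S2 is r-reachable
    return True


def robustness(nodes, edges):
    """Largest r such that the graph is r-robust."""
    nodes = list(nodes)
    r = 0
    while r < len(nodes) and is_r_robust(nodes, edges, r + 1):
        r += 1
    return r


# Constructed sample graphs (not taken from the paper).
K5_NODES = list(range(5))
K5_EDGES = [(u, v) for u in K5_NODES for v in K5_NODES if u != v]   # complete digraph
# Remove one incoming edge per node: the edge from (v + 1) mod 5 into v.
K5_MINUS_EDGES = [(u, v) for (u, v) in K5_EDGES if u != (v + 1) % 5]
PATH_EDGES = [(0, 1), (1, 2)]            # has a directed spanning tree rooted at 0
SPLIT_EDGES = [(0, 1), (2, 3)]           # two components, no spanning tree

if __name__ == "__main__":
    print("K5:", robustness(K5_NODES, K5_EDGES))
    print("K5 minus one in-edge per node:", robustness(K5_NODES, K5_MINUS_EDGES))
    print("path:", robustness(range(3), PATH_EDGES))
    print("split:", robustness(range(4), SPLIT_EDGES))
```

The search is exponential in the number of nodes, which is consistent with the NP-hardness result cited in Section 4; it is meant for verifying small test topologies only.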

Hybrid system model
We consider a hybrid multi-agent system over the network G with both discrete-time and continuous-time agents. In each subgroup V , we partition the nodes into two sets: V  represents the set of discrete-time agents and V  = V ∖V  denotes the set of agents with continuous-time dynamics. Define V  = ∪ Θ =1 V  and V  = ∪ Θ =1 V  the sets composing all continuous-time and discrete-time agents, respectively. Hence, V = V  ∪ V  . The state of the agent v i at time t ≥ 0 is denoted by x i (t) ∈ R if it has continuous-time dynamics and denoted by x i (k) ∈ R at time k ∈ N if it has discrete-time dynamics.
Definition 2 (Resilient group consensus for hybrid systems). The normal agents in G are said to achieve resilient group consensus if the following two conditions hold for all 1 ≤ ≤ Θ. (i) Validity: For any v i ∈ N ∩ V and t ≥ 0, For k ∈ N, the dynamics of a continuous-time normal and the dynamics of a discrete-time normal agent v i ∈ N ∩ V  can be written as where x i (t) means the state value sent from agent v j to agent v i at time t, and we assume x i (t) = x (t) for any normal v j ∈ N.
Here, the functions  (·) and  (·) govern the state update of the normal node v i . For agent v i ∈ V  with discrete-time dynamics, we will write x i (t) ∶= x i (k) when t ∈ [k, k + 1) for simplicity. Malicious agents in M, on the other hand, may use different update rules that are unavailable to normal ones. A formal definition of malicious agents is as follows.  16 defines malicious nodes to be those simply not applying the normal rules and Byzantine nodes the same as Definition 3.) A malicious agent is able to apply potentially any destructive strategy as well as collude with other malicious agents and hence viewed as notoriously dangerous. We set an upper bound on the number of malicious agents that a normal agent has in its neighborhood. In particular, given r ∈ N (1 ≤ ≤ Θ), we consider the (r 1

Definition 3 (Malicious agents).
When r ≡ r for all , our (r 1 , … , r Θ )-bounded model reduces to the r-locally bounded model, which has been studied in various fault-tolerant settings in the literature. 16,18,34 The Dini derivative 35 of a function (t) ∶ R → R is defined as D + (t) = lim sup h→0+ ( (t+h)− (t))∕h. Dini derivative is a suitable language in the study of stability properties of functional differential equations, and it will be used in Theorem 2 to analyze the Lyapunov-like functional. To allow the normal agent in each subgraph to achieve consensus, we develop the following purely distributed heterogeneous resilient strategy extending the W-MSR protocols.

Hybrid (r 1 , … , r Θ )-resilient strategy
. We then perform a two-round removal procedure; see the algorithm below. In the first round, we remove values in the above ordered list sequentially starting from the highest value until r values in N i that are higher than x i (t) are removed. If there are less than r values that are higher than x i (t) in N i , the above removal process continues until all these values are removed. Analogously, we perform the same removal process for the lowest values. In the second round, let Γ i (t) be the set of values in N i that are higher than x i (t) in the remaining list. We remove all remaining values that are higher than max{Γ i (t)∪x i (t)}. Similarly, we perform the analogous removal process for the values that are lower than x i (t). Finally, we denote by R i (t) the set of values (or equivalently, the nodes holding these values) that are removed in the above two-round removal procedure (1): where the function i ∶ R 2 → R satisfies ( 1 ) f ij is locally Lipschitz continuous, These assumptions will be needed in the proof of main results in Section 3, and see also Remark 2.
In a similar manner, normal agent v i ∈ N ∩ V  (1 ≤ ≤ Θ) at time k takes the value x i (k) from its neighbor v j and sorts {x i (k)} v ∈N i in a non-increasing order. In the first round of removal, we remove values in the above ordered list sequentially starting from the highest value until r values in N i that are higher than x i (k) are removed. If there are less than r values that are higher than x i (k) in N i , the above removal process continues until all these values are removed. The similar process is adopted for the lowest values. In the second round of removal, let Γ i (k) be the set of values in N i that are higher than x i (k) in the remaining list. We remove all remaining values that are higher than max{Γ i (k) ∪ x i (k)}. Analogously, the same removal process applies for the values that are lower than x i (k). Finally, we denote by R i (k) the set of values that are removed in the above two-round procedure of v i at time k. The agent v i ∈ N ∩ V  updates its value through the following form of  i (·) in (2): where w ij (k) characterizes non-negative weight associated with the edge The two-round removal process is shown in the pseudocode below. Generally, in the first round, all nodes in N i possessing values greater than the r -th largest value of N i are culled (for the higher half) and those in N i possessing values less than the r -th smallest value of N i are culled (for the lower half). In the second round, all nodes in N i possessing values larger than the largest value of N i in the list left are scrapped (for the higher half) and those in N i possessing values smaller than the smallest value of N i in the list left are scrapped (for the lower half). This strategy is a natural generalization of W-MSR to accommodate a partitioned network with component-wise robustness. If there is only one subnetwork, i.e., Θ = 1, the first round literally reduces to the ordinary W-MSR 15,16 and the second round becomes void. 
It is also worth mentioning that we delete nodes only based on their values and whether they are within the current subnetwork rather than their identities or specific locations in the subnetworks, which are not known to a normal node (see also Remark 4). Hence, as in the ordinary W-MSR algorithms, both normal and malicious nodes might be culled in the two rounds of removal, and we do not require dropping all malicious nodes.

Removal algorithm for a normal node v
In the discrete-time subsystem (4), we do not require a positive bound like w ij (k) > w > 0 for all k ∈ N, which has been imposed by typical W-MSR algorithms. 16,18,20,34 This is facilitated by the concurrency of both continuous-time and discrete-time subsystems. In the hybrid system, we naturally view the discrete-time dynamics as a process with jump discontinuities at each k ∈ N as indicated in Section 2.2. This allows us to use a different approach and lift the restriction on the lower bound. A possible choice for w ij (k) in (4) may be w ij (k) = (|N i |+ 1 − |R i (k) |) −1 uniformly for every active neighbor v j . For continuous-time subsystem (3), an archetypal choice in the distributed decision making literature is f ij (x, y) = a ij (x − y) with a ij ≥ 0 being the adjacency weights of the underlying communication graph. 1,6,7 We refer to the above algorithm as the hybrid (r 1 , … , r Θ )-resilient strategy in the sequel. Also note that V  = ∅ or V  = ∅ is allowed for any .
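The two-round removal and the discrete-time update with the uniform weight choice above can be sketched as follows. This is an added Python example, not the paper's pseudocode; it assumes that the first-round count is taken over neighbors in the node's own subgroup (the label information of Remark 4), that ties are never removed in favour of a strictly larger value, and that update (4) is the weighted sum of the retained values and the node's own value. The sample messages are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Received:
    sender: str        # label of neighbor v_j
    value: float       # value that v_j sent to v_i at step k
    same_group: bool   # True if v_j carries the same subgroup label as v_i


def _cull_side(own, msgs, r, high):
    """Senders removed on one side of own value (high=True: the larger values)."""
    sign = 1.0 if high else -1.0
    # Distance beyond own value, so both sides share one code path.
    beyond = [(sign * (m.value - own), m) for m in msgs if sign * (m.value - own) > 0]
    # Most extreme first; on ties, same-subgroup values come first.
    beyond.sort(key=lambda p: (-p[0], not p[1].same_group))

    # Round 1: walk down from the extreme until r same-subgroup values are
    # removed (or all of them, if fewer than r exist). Values from other
    # subgroups met on the way are removed as well.
    quota = min(r, sum(1 for _, m in beyond if m.same_group))
    removed, taken = set(), 0
    for _, m in beyond:
        if taken == quota:
            break
        removed.add(m.sender)
        taken += 1 if m.same_group else 0

    # Round 2: drop whatever still lies beyond the most extreme surviving
    # same-subgroup value (or beyond own value if none survives).
    kept = [(d, m) for d, m in beyond if m.sender not in removed]
    cap = max((d for d, m in kept if m.same_group), default=0.0)
    removed |= {m.sender for d, m in kept if d > cap}
    return removed


def removal_set(own, msgs, r):
    """R_i(k): senders discarded by the two-round procedure."""
    return _cull_side(own, msgs, r, True) | _cull_side(own, msgs, r, False)


def resilient_update(own, msgs, r):
    """x_i(k+1) with uniform weights 1 / (|N_i| + 1 - |R_i(k)|)."""
    removed = removal_set(own, msgs, r)
    retained = [m.value for m in msgs if m.sender not in removed] + [own]
    return sum(retained) / (len(msgs) + 1 - len(removed))


# Constructed sample: node with own value 0.0 and subgroup parameter r = 1.
SAMPLE = [
    Received("a", 5.0, True),    # extreme in-group value, e.g. from a malicious node
    Received("b", 4.0, False),
    Received("c", 2.0, True),
    Received("d", 3.0, False),
    Received("e", -1.0, True),
    Received("f", -6.0, False),
    Received("g", 0.5, False),
]

if __name__ == "__main__":
    print(sorted(removal_set(0.0, SAMPLE, 1)))   # senders a, b, d, e, f
    print(resilient_update(0.0, SAMPLE, 1))      # (2.0 + 0.5 + 0.0) / 3
```

With every neighbor marked `same_group=True` the second round removes nothing and the procedure is the ordinary W-MSR cull of the r highest and r lowest values.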
Remark 3. Note that the normal agents in G have no knowledge about the identities, i.e., normal/malicious/discrete time/continuous time, or number/size of the subgroups. Therefore, both normal agents and malicious agents can be deleted in the above two-round removal procedure and malicious agents may survive and be involved in the decision making. Our proposed strategy is fully distributed and only minimal information is required. While offering remarkable flexibility on network topology as well as agent dynamics, the complexity of the algorithm is fairly low. As in the case of the ordinary W-MSR algorithms, [16][17][18] the most time-consuming part is the sorting process, which can be dealt with by standard procedures such as Quicksort. Compared to W-MSR, our strategy just requires an additional round of checking in the neighborhood of each normal agent; cf. the pseudocode above. It is also worth noting that, as in the line of research of W-MSR algorithms, our strategy does not yield a closed estimate of convergence rate (Theorem 2 below) mainly due to the unpredictable behavior of malicious agents.
Remark 4. As mentioned in Remark 3, the normal agents do not need complete information on the size and number of the subgroups in G. However, a normal agent v i ∈ V needs to know whether or not a neighbor is inside V . As in real networks nodes are often partitioned according to different locations/functions/types, etc., this bit of prior information may be obtained by assigning nodes certain labels. In most existing group or cluster consensus protocols, complete information on all subgroups (group size and identities of nodes) is available to all nodes and is intrinsically embedded into the consensus protocols therein, and complicated matrix algebra conditions are required. [25][26][27][28][29][30][31]

MAIN RESULTS
In this section, we study the resilient group consensus for hybrid system (3) and (4) (k) since r nodes in N i have been removed in the first round of deletion in the hybrid (r 1 , … , r Θ )-resilient strategy and there are no more than r malicious neighbors of v i in G . For any v j ∈ (N i ′ ∪ {v i }) ∖ R i (k) with ′ ≠ , we again have x i (k) ≤ (k). This is because the second round of removal in our strategy ensures either x i (k) ≤ x i (k) or x i (k) ≤ x l (k) for some v l ∈ N ∩ N i . Therefore, we arrived at x i (k + 1) ≤ (k). The other inequality x i (k + 1) ≥ (k) can be obtained analogously. Therefore, the second statement of Theorem 1 is proved.
Next, we consider the continuous-time part. Given v i ∈ N ∩ V  , we will first show x i (t) ≤ (0) for t ≥ 0 by contradiction. In fact, if this is not true, then there exists some time t * ∈ [k * , k * + 1) and t * < t for some k * ∈ N such that (a) x (t ′ ) ≤ (0) for any t ′ ≤ t * and v j ∈ N ∩ V ; and (b) x i (t * ) = (0) and Since there are no more than r malicious neighbors of v i in G , it follows from the first round of removal of our strategy, we have x i (t * ) ∩ V  , and from the second round of removal, we similarly have Due to properties ( 2 ) and ( 3 ), the first term on the right-hand side of (5) is non-positive. Similarly, . By ( 2 ) and ( 3 ), the second term on the right-hand side of (5) is also non-positive. Nevertheless, this contradicts the expression (5). Hence, we showed x i (t) ≤ (0) for t ≥ 0. The other half of the inequality can be shown similarly.
It follows from Theorem 1 that the interval [ (0), (0)] is an invariant set for all normal agents in G . Moreover, the sequence { (k)} k∈N is monotonically increasing while the sequence { (k)} k∈N is monotonically decreasing and both of them are bounded. This property will be useful in the analysis of convergence in Theorem 2 below. Assumption 1. Let { q } q∈N be the time steps at which the removal set R i (t) in the hybrid (r 1 , … , r Θ )-resilient strategy changes for some v i ∈ N. We assume that | q + 1 − q |≥ > 0 for some .
Remark 5. Our hybrid (r 1 , … , r Θ )-resilient strategy involves temporary removal of nodes and hence the communication network G is time-varying in nature. It is common in distributed coordination to restrict the dwell time so that the change rate is kept in check. 1,7,36 Assumption 1 is used in Claim 2 of the proof of Theorem 2 below to guarantee the existence of an infinite sequence of time intervals with constant length that knit through these discontinuity points { q } q∈N . Proof. For any fixed time t > 0, there exists some k ∈ N such that t ∈ [k,k + 1). We define (t) = (t) − (t) ≥ 0 for any 1 ≤ ≤ Θ. The normal agents in G that attained the maximum and minimum at time t are respectively denoted as Since there are only finite agents, these two sets are not empty. We prove the theorem through a series of claims.
In fact, this can be shown by considering four cases concerning the continuous-time and discrete-time agents. Fix 1 ≤ ≤ Θ. Case 1: x i (t). Taking the Dini derivative 35 of (t) along the dynamics of (3) yields When since r nodes are deleted from N i in the first round of removal of our strategy and there are at most r malicious agents in similarly due to the first round of removal.
due to the second round of removal. In view of (6) and x i (t). Taking the Dini derivative of (t) along the dynamics of (3) yields We arrive at D + (t) ≥ 0 on the basis of an analogous argument as in Case 1. x i (t) = 0 for t ∈ (k,k + 1). x i (t) = 0 for t ∈ (k,k + 1). Therefore, we proved Claim 1.
It follows from Theorem 1 that the two sequences (k) and (k) are both monotonic and bounded. Hence, for any 1 ≤ ≤ Θ, we have ∶= lim Using Claim 1, we arrive at lim k→∞ D + (k) = 0. This result can be enhanced as follows.
We have already shown that D + (t) ≤ 0 and D + (t) ≥ 0 for all t. By (8), we have lim t→∞ (t) = lim t→∞ x i (t) = and lim t→∞ (t) = lim t→∞ x i (t) = . If the following claim is true, then Theorem 2 is shown.
Suppose that Claim 3 does not hold. Thus, > for some . We fix such a . Since G is (2r + 1)-robust, by Lemma 1 it contains a directed spanning tree under our hybrid (r 1 , … , r Θ )-resilient strategy. There is a time T > 0 and > 0 such that Since G has finitely many agents, there exists T ′ ≥ T admitting two directed paths, one of them connecting the root v r to v i and the other path connecting v r to v i at time T ′ . The two inequalities x r (T ′ ) > − and x r (T ′ ) < + hold as well. This however conflicts with the condition − > + . Therefore, Claim 3 and the theorem are proved.
As a generalization of the ordinary consensus problem, Roy 37 introduced scaled consensus, which is desirable for applications in, for example, water distribution systems, closed queuing networks and tests for simulating robots, where multiscale coordination control is essential. Fix (s 1 , s 2 , … , s n ) ∈ R n and s i ≠ 0 for all i = 1, … , n. We present the definition of resilient scaled group consensus as follows. Scaled group consensus has been studied for discrete-time and continuous-time dynamics in the perfect condition, where no malicious agents are present. 30,31 To accommodate malicious agents as well as hybrid dynamics, we extend the hybrid (r 1 , … , r Θ )-resilient strategy in Section 2.3 to the following "scaled" strategy.
Fix r 1 , r 2 , … , r Θ ∈ N. For any k ∈ N, a normal agent v i ∈ N ∩ V  (1 ≤ ≤ Θ) at t ∈ [k, k + 1) takes the value x i (t) from its neighbor v j , and sorts {s x i (t)} v ∈N i in a non-increasing order. We then perform a two-round removal procedure. In the first round, we remove values in the above ordered list sequentially starting from the highest value until r values in N i that are higher than s i x i (t) are removed. If there are less than r values that are higher than s i x i (t) in N i , the above removal process continues until all these values are removed. Analogously, we perform the same removal process for the lowest values. In the second round, redefine Γ i (t) be the set of values in N i that are higher than s i x i (t) in the remaining list. We remove all remaining values that are higher than max{Γ i (t), s i x i (t)}. Similarly, we perform the analogous removal process for the values that are lower than s i x i (t). Finally, we denote by R i (t) the set of values that are removed in the above two-round removal procedure of v i at time t. The agent v i ∈ N ∩ V  updates its value through the following  i (·) in (1): where the function f ij satisfies ( 1 ), ( 2 ), and ( 3 ) as in Section 2.
In a similar manner, normal agent v i ∈ N ∩ V  (1 ≤ ≤ Θ) at time k takes the value x i (k) from its neighbor v j and sorts {s x i (k)} v ∈N i in a non-increasing order. In the first round of removal, we remove values in the above ordered list sequentially starting from the highest value until r values in N i that are higher than s i x i (k) are removed. If there are less than r values that are higher than s i x i (k) in N i , the above removal process continues until all these values are removed. The similar process is adopted for the lowest values. In the second round of removal, let Γ i (k) be the set of values in N i that are higher than s i x i (k) in the remaining list. We remove all remaining values that are higher than max{Γ i (k), s i x i (k)}. Analogously, the same removal process applies for the values that are lower than s i x i (k). Finally, we denote by R i (k) the set of values that are removed in the above two-round procedure of v i at time k. The agent v i ∈ N ∩ V  updates its value through the following  i (·) in (2): where w ij (k) delineates non-negative weight on edge (v j ,v i ) ∈ E such that the same ( 1 ) and ( ′ 2 ) |s i |w i (k) = 1 hold. For 1 ≤ ≤ Θ and t ≥ 0, redefine (t) = max v i ∈N∩V s i x i (t) and (t) = min v i ∈N∩V s i x i (t). The following theorem can be shown along the same line of Theorem 2.

NUMERICAL SIMULATIONS
In this section, we first consider a multi-agent system over directed network G = (V, E) Figure 1. The agents' dynamics are hybrid with and there is a malicious agent M = {v 5 } present in the network. Note that G 1 is 3-robust and G 2 is 1-robust. The malicious agent v 5 is highly connected and can influence both subgroups G 1 and G 2 , posing a significant threat to the decision making of the normal agents. Example 1. We take the initial condition of the agents in G as x 1 (0) = 1, x 2 (0) = −3, x 3 (0) = 0, x 4 (0) = 2, x 5 (0) = 1.5, x 6 (0) = −1, x 7 (0) = −2, and x 8 (0) = 3. The malicious agent v 5 is assumed to follow its own dynamics as x 5 (k + 1) = x 5 (k)∕2 + ln(k∕10). We assume that normal agents follow f ij (x,y) = (x − y)/2 in (3) if they have continuous-time dynamics, and we take Since G 1 is 3-robust with one malicious agent and G 2 is 1-robust with all normal ones, we show in Figure 2 the state trajectories of the agents following our hybrid (1,0)-resilient strategy. We observe that agents in G 1 and G 2 are able to reach group consensus despite the presence of malicious agent v 5 . The gap between the final state of agents in G 1 (green curves) and that in G 2 (blue curves) indicates that group consensus has been achieved, say, when t ≥ 10. This agrees well with the prediction of Theorem 2.
Next, we consider the consensus time for large robust networks albeit an analytical estimation is not available; cf. Remark 3. It is shown in Zhang et al. 38 that determining the robustness of an arbitrary graph is an NP-hard problem. Here, we consider an Erdős-Rényi random graph G(n,p r ) with edge probability p r = 10(ln n + r ln ln n)n −1 for r ∈ N. As is known, such a graph is almost surely (2r + 1)-robust. 38  Example 3. We take the initial condition of the agents in G(n, p r ) following the uniform distribution over the unit interval (0,1). Moreover, we consider Θ = 2 and |V  | = |V  | = n∕4 for = 1,2. Hence, the two subnetworks G 1 and G 2 and G(n, p r ) itself are all (2r + 1)-robust for large n. In each subnetwork, we randomly choose r malicious agents following their own dynamics as .
x i (t) = − 1 x i (t) + 2 cos(t∕2) for all v i ∈ M, where 1 and 2 are taken randomly in the interval (0,0.1) for each malicious agent. We assume that normal agents follow f ij (x,y) = x − y in (3) if they have continuous-time dynamics, and we take w i (k) = 1∕ (|N i | + 1 − |R i (k)|) for v j ∈ (N i ∪ {v i }) ∖ R i (k) in (4) if they have discrete-time dynamics.
In Figure 4A, we illustrate the state evolution for a subset of 20 agents in G 1 and 20 agents in G 2 in the network G(500, p r ) (together with the r malicious agents) following our hybrid (r, r)-resilient strategy with r = 1. As a comparison, we plot in Figure 4B the corresponding state evolution with the same initial conditions following the hybrid resilient strategy in Shang, 15 where G(n, p r ) as a whole is viewed as a monolithic network. As one would expect, in both cases, consensus has been finally reached despite the interference of the malicious agent. Through extensive simulations for different n and r, we observe that there is no obvious difference in terms of convergence time. This is worth noting as our current group consensus strategy with the two-round removal procedure in general deletes more nodes as compared to the non-group strategy in the previous work. 15 To quantify the consensus time for the current hybrid (r, r)-resilient strategy, we formally define for a small . From Figure 5, we observe that the consensus time t * ( ) for G(n, p r ) is increasing nearly linearly with respect to both the network size. Furthermore, the consensus time also increases when the network robustness grows. This reveals that although G(n, p r ) with a larger r is denser, the effect of two-round removal seems to have more influence on the consensus seeking dynamics (as more edges will be deleted for a larger r).

CONCLUSION
In this paper, we considered distributed coordination of hybrid dynamical systems composed of agents with both discrete-time and continuous-time dynamics. The concept of heterogeneous robustness is introduced to facilitate consensus analysis of the network where agents interact between and within multiple subgraphs. We proposed a purely distributed hybrid resilient strategy enabling resilient group consensus of normal agents in the network, where malicious agents are bounded in the neighborhoods. The theoretical framework is then extended to the scaled group consensus to allow different convergence clusters in each subgroup. Interesting future research directions could be the extension to higher-order multi-agent systems and communication constraints including the delays.

ACKNOWLEDGEMENT
This work was supported by UoA Flexible Fund No. 201920A1001. The author would like to thank the two anonymous reviewers for their valuable comments that helped to improve the quality of the paper.

AUTHOR CONTRIBUTIONS
Y. S. wrote the paper.

FUNDING INFORMATION
None reported.

CONFLICT OF INTEREST
The author declares no potential conflict of interests.