
Analysis Techniques for a Secure NAS


Presentation Transcript


  1. Analysis Techniques for a Secure NAS Shankar Sastry Department of EECS University of California, Berkeley JUP Kickoff, Nov 23rd, 2002 Sastry@eecs.berkeley.edu 510-642-0253

  2. Prequel: The Impact of Sept. 11 on Air Transportation Prof. R. John Hansman, Director MIT International Center for Air Transportation rjhans@mit.edu 617-253-2271

  3. Domestic Enplanements: 1999-2001 (chart, with the Sep. 11th attacks marked; source: ATA)

  4. Aviation’s Macro Economic Impact
  • Air transportation has four types of effects:
    • DIRECT: air carriers, airports, air navigation providers, etc.
    • INDIRECT: airline passengers and air freight forwarding business in other industries (hotels, rental cars, finance and banking, etc.)
    • INDUCED: expenses by the recipients of income generated by the direct and indirect economic activities
    • ENABLING: provides access to markets and other activities that would not be possible without aviation
  Employment in the US (1993): 8.84 million jobs (pie chart: direct 15%, indirect 18%, induced 67%)
  Economic activity in the US (1993): $771.1 billion (pie chart: direct 36%, indirect 64%)
  Excludes enabling effect. Source: ICAO, FAA

  5. Information Technology Hypotheses
  • Infrastructure
    • Advanced Information Technologies have the potential to allow efficient use of constrained infrastructure in developed regions and to allow regions with immature air transportation infrastructure to rapidly reach parity with mature systems
  • Operations
    • Advanced Information Technologies will improve the efficiency and security of operations through enhanced information sharing and collaborative decision making
  • Profitability
    • Information Technology related improvements are a key component of profitability of mature airlines
  • Usability
    • The potential benefits of Information Technology are limited by inadequate attention to the users’ cognitive and operational needs and “entropic” growth of complexity, which limit usability and acceptance

  6. Components of the Air Transportation System
  • Airports
    • Runways
    • Terminals
    • Ground transport interface
    • Servicing
    • Maintenance
  • Air Traffic Management
    • Communications
    • Navigation
    • Surveillance
    • Control
  • Weather
    • Observation
    • Forecasting
    • Dissemination
  • Skilled personnel
  • Cost recovery mechanisms

  7. AIR TRAFFIC CONTROL STRUCTURE TRENDS
  • Current structure
    • Surface control (ground)
    • Local control (tower)
    • Terminal area control (approach and departure)
    • Enroute control (center)
    • Oceanic control
  • Proposed structures
    • “Free Flight”
    • RTCA/ATA proposal
    • Collaborative Decision Making
    • 4-D Control
    • Segregated Airspace
    • “Super Centers”
  • Conformance Monitoring Issues

  8. ATM System Current Functional Structure (diagram, adapted from A. Haraldsdottir, Boeing). Layers run from planning at the strategic level to execution at the tactical level: Flight Planning (Airline/AOC), National Flow Planning (CFMU), Facility Flow Planning (TMU), Sector Traffic Planning (D-side), Sector Traffic Control (R-side), and Aircraft Guidance and Navigation (Pilot), with time horizons from hours/day, through hours, 5-20 min and 5 min, down to < 5 min. Exchanged quantities include flight schedule, desired sector loads, schedule of capacities, filed and approved flight plans, planned flow rates, clearance requests, clearances, vectors, negotiated and approved handoffs, plan/intent, aircraft state, other aircraft states, measurement requests and traffic sensor data. Criticality increases from efficiency through throughput to safety.

  9. ATM Basic Control Loops

  10. US Air Route Traffic Control Center (ARTCC) Airspace - 20 Centers (map): ZSE, ZMP, ZLC, ZBW, ZAU, ZOB, ZNY, ZDV, ZID, ZOA, ZKC, ZDC, ZME, ZLA, ZTL, ZAB, ZFW, ZJX, ZHU, ZMA

  11. High Level Sectors (257)

  12. Low Level Sectors (378)

  13. TRACONS

  14. COMMUNICATION TRENDS
  • Voice
    • VHF (line of sight)
    • HF (over the horizon)
    • Ground lines
  • Datalink (line of sight)
    • ACARS (VHF)
    • Mode S
  • Satellite
    • Geosynchronous (data, voice, images)
      • Air-ground
      • Ground-ground
    • LEO and MEO networks
  • Aeronautical Telecommunications Network (ATN)
    • CDMA, TDMA
    • TCP/IP
    • Voice Data Link (VDL-2, VDL-3)

  15. NAVIGATION TRENDS (ENROUTE)
  • Radionavigation beacon
    • VHF Omnidirectional Range (VOR)
    • Non-Directional Beacon (NDB)
    • Distance Measuring Equipment (DME)
    • TACAN
  • Area navigation systems (ground based)
    • Omega
    • LORAN
  • Inertial navigation systems
  • Satellite navigation systems
    • GPS (CA)
    • GNSS

  16. NAVIGATION TRENDS (APPROACH)
  • Instrument Landing System (ILS)
    • Cat. I (200 ft; 1/4 mile)
    • Cat. II (50 ft; 800 RVR)
    • Cat. III (0, 0)
  • Microwave Landing System (MLS)
  • Differential GPS (100 m)
    • Wide Area Augmentation System (5 m): Cat. I, Cat. II
    • Local Area Augmentation System (0.1 m): Cat. III
  • Change to Required Navigation Performance (RNP)

  17. GPS ISSUES
  • Precision
    • Ionosphere
    • Clock errors
  • Availability
  • Integrity
    • RAIM
    • Differential
  • Vulnerability
    • Jamming
  • Trust
    • Control by US DoD
    • International concerns
    • Selective Availability, turned off 1999
  • Continuity
    • US guarantee of service free to world through 2005

  18. SURVEILLANCE TRENDS
  • Primary radar
    • Enroute (12 sec scan)
    • Terminal area (4.2 sec scan)
  • Secondary radar
    • Transponders
    • Mode C (altitude)
    • Mode S (2-way data exchange)
  • Onboard surveillance
    • TCAS
  • Automatic Dependent Surveillance (ADS)
    • Oceanic (INS based)
    • Broadcast (ADS-B)

  19. SEPARATION ASSURANCE CONSIDERATIONS (diagram of nested zones: hazard zone, minimum separation standard, surveillance uncertainty, procedural safety buffer, personal safety buffer)

  20. EN ROUTE MINIMA HAVE NOT CHANGED DESPITE 5x IMPROVEMENT IN RADAR PERFORMANCE (chart: the 5 nm en route separation minimum is unchanged from 1950 to 2000, while azimuth resolution at maximum range, as a percentage of the en route minimum, improves over 1950/1960 to 2000 for long range primary radars, medium range primary radars and medium range secondary radars)

  21. IMPROVED SURVEILLANCE HAS NOT LED TO REDUCED EN ROUTE MINIMA (diagram comparing the minimum separation standard when the standards were developed, e.g. the 1950s for en route radar, with today’s improved surveillance environment)
  • Surveillance has improved, but separation minima have not changed: the procedural safety buffer has implicitly increased

  22. Critical Infrastructure Protection for ATM Shankar Sastry

  23. Increased use of Software in Critical Applications
  • Potential for common mode software failure (not present in h/w)
  • Lack of metrics and evaluation methods: how to measure 10^-8?
  • Human factors problems: induced human errors
  • Today we control the lifecycle (process) since we don’t know how to evaluate the product
    • Unknown efficacy
    • Expensive: industry attributes 60% of avionics development cost to V&V
    • Doesn’t scale to very large systems: more automation is needed to reduce errors and for increased reuse (e.g., code synthesis)

  24. Security Challenges
  • Terrorists may employ highly malicious attacks much worse than those seen to date
  • Current technology is neither designed nor intended to withstand such attacks
  • Vulnerabilities in our networked systems can be exploited by anyone anywhere in the world
  • Successful attacks may not be detected
  Critical systems must be designed to provide continuous correct operation even under successful attack

  25. What is missing
  • Strong enough barriers to penetration
  • Accurate intrusion detection
  • Ability to fuse incident reports across a global area and deduce possible plans and intentions
    • For warning
    • To guide interventions
  • Systems that tolerate attacks and keep on ticking
  And, because the above will never be perfect:

  26. Tolerating attacks
  System designs that give some inherent resistance to attack:
  • Diversity
  • Redundancy
  • Decentralization
  • Detect and repair damage
  • Biological models

  27. Diversity
  Economic forces have turned the global computing environment into a monoculture.
  Diversity can reduce overall losses from attack:
  • Hedges against unknown means of attack
  • Surviving elements support continued operation
  Obtaining diversity manually is expensive (e.g., n-version programming). Could explore automatic artificial diversity.

  28. Redundancy
  • Current uses of redundancy are expensive and do not scale
    • E.g., replication of servers
  • Scalable methods provide weaker guarantees
    • Probabilistic
    • Eventual consistency
    • E.g., epidemic and gossip protocols: information exchanges involve randomly or opportunistically chosen gossip partners
    • E.g., quorum systems: operations access quorums (subsets) of servers

  29. Decentralization
  • Behavior is the result of autonomous activity by member entities
  • Undetected error states are tolerated
  • Stateless: state is regenerated
  • Can tolerate loss of some components
  • No single points of failure
    • Control, management, gateway, etc., functions redundant and/or migratable
  • Trend toward decentralized design for maximum utilization

  30. Get inspiration from nature
  • Robustness mechanisms at many levels
  • Highly decentralized and redundant
  • Widespread use of diversity
  • Automated damage detection and repair
  • Adaptive and evolving
  • Dispensable components

  31. A Solution Strategy for the Conflict Resolution Problem in 2D and 3D Airspaces Jianghai Hu with Maria Prandini, Arnab Nilim, Shankar Sastry Department of EECS University of California, Berkeley

  32. 2-D Conflict Resolution: Problem Formulation (figure: a three-aircraft example with maneuver a_i for aircraft i, n starting positions and n destination positions, labelled a1, a2, a3 and b1, b2, b3)
  • n aircraft flying on R^2
  • Time interval T = [t0, tf]
  • Joint maneuver a = (a1, ..., an)
  • Minimal separation r = 5 nmi
  • Conflict-free (joint) maneuver

  33. Problem Formulation (continued) Goal: Among all the conflict-free maneuvers a = (a1, …, an), find the one that minimizes the energy, where m1, …, mn represent aircraft priorities
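The conflict-free condition from the problem formulation above, as an added example that is not code from the slides or from the authors. It assumes each aircraft flies its maneuver as a single straight leg from start to destination at constant speed over T = [t0, tf] (the multi-legged case is not covered), positions in nmi and time in seconds; only the r = 5 nmi separation constraint is checked, not the priority-weighted energy objective.

```python
import math
from itertools import combinations
from typing import Dict, List, Tuple

Point = Tuple[float, float]
R_SEP_NMI = 5.0  # minimal separation r = 5 nmi from the problem formulation


def min_pair_separation(p0: Point, p1: Point, q0: Point, q1: Point,
                        t0: float, tf: float) -> Tuple[float, float]:
    """Closest approach of two aircraft flying p0->p1 and q0->q1 at
    constant speed over T = [t0, tf]. Returns (distance, time)."""
    dur = tf - t0
    d0 = (p0[0] - q0[0], p0[1] - q0[1])                 # relative position at t0
    d1 = (p1[0] - q1[0], p1[1] - q1[1])                 # relative position at tf
    v = ((d1[0] - d0[0]) / dur, (d1[1] - d0[1]) / dur)  # relative velocity
    vv = v[0] ** 2 + v[1] ** 2
    if vv == 0.0:
        tau = 0.0                                       # separation is constant
    else:
        # |d0 + v*tau|^2 is a quadratic in tau; take its minimiser clamped to T
        tau = min(max(-(d0[0] * v[0] + d0[1] * v[1]) / vv, 0.0), dur)
    dx, dy = d0[0] + v[0] * tau, d0[1] + v[1] * tau
    return math.hypot(dx, dy), t0 + tau


def conflicts(maneuvers: Dict[str, Tuple[Point, Point]], t0: float, tf: float,
              r: float = R_SEP_NMI) -> List[Tuple[str, str, float, float]]:
    """Pairs (i, j, distance, time) whose separation drops below r during T."""
    found = []
    for i, j in combinations(sorted(maneuvers), 2):
        dist, t = min_pair_separation(*maneuvers[i], *maneuvers[j], t0, tf)
        if dist < r:
            found.append((i, j, dist, t))
    return found


def is_conflict_free(maneuvers, t0, tf, r=R_SEP_NMI) -> bool:
    return not conflicts(maneuvers, t0, tf, r)


# Constructed 3-aircraft encounter (hypothetical data): all three straight
# legs pass through (20, 0) at t = 300 s, so every pair is in conflict.
ENCOUNTER = {"A": ((0.0, 0.0), (40.0, 0.0)),
             "B": ((40.0, 0.0), (0.0, 0.0)),
             "C": ((20.0, -30.0), (20.0, 30.0))}
# Constructed resolved joint maneuver: B offset laterally, C re-routed.
RESOLVED = {"A": ((0.0, 0.0), (40.0, 0.0)),
            "B": ((40.0, 10.0), (0.0, 10.0)),
            "C": ((20.0, -30.0), (50.0, 30.0))}

if __name__ == "__main__":
    for name, joint in (("encounter", ENCOUNTER), ("resolved", RESOLVED)):
        print(name, "conflict-free" if is_conflict_free(joint, 0.0, 600.0)
              else conflicts(joint, 0.0, 600.0))
```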

  34. An Example of Optimal Maneuvers

  35. An 8-Aircraft Encounter (figures: stochastic algorithm vs. optimization algorithm)

  36. A 16-Aircraft Encounter (figures: stochastic algorithm vs. optimization algorithm)

  37. Multi-Legged Maneuvers • Using Successive Quadratic Optimization

  38. Animation of 3D conflict resolution

  39. Collision Avoidance and Tracking using Nonlinear Model Predictive Tracking
  • Five helicopters given a straight line trajectory that will lead to a collision.
  • Each vehicle can detect other vehicles’ positions within the sensing/communication region.
  • Each vehicle dynamically replans a safe trajectory under input/state constraints in real time.

  40. Hybrid Systems Modeling, Analysis, Control Datta Godbole, John Lygeros, Claire Tomlin, Gerardo Lafferiere, George Pappas, John Koo Jianghai Hu, Rene Vidal, Shawn Shaffert, Jun Zhang, Slobodan Simic, Kalle Johansson, Maria Prandini (with the interference of) Shankar Sastry

  41. What Are Hybrid Systems? • Dynamical systems with interacting continuous and discrete dynamics

  42. Why Hybrid Systems?
  • Modeling abstraction of
    • Continuous systems with phased operation (e.g. walking robots, mechanical systems with collisions, circuits with diodes)
    • Continuous systems controlled by discrete inputs (e.g. switches, valves, digital computers)
    • Coordinating processes (multi-agent systems)
  • Important in applications
    • Hardware verification/CAD, real time software
    • Manufacturing, chemical process control, communication networks, multimedia
    • Large scale, multi-agent systems
      • Automated Highway Systems (AHS)
      • Air Traffic Management Systems (ATM)
      • Uninhabited Aerial Vehicles (UAV), Power Networks

  43. Control Challenges
  • Large number of semiautonomous agents
  • Coordinate to
    • Make efficient use of common resource
    • Achieve a common goal
  • Individual agents have various modes of operation
  • Agents optimize locally, coordinate to resolve conflicts
  • System architecture is hierarchical and distributed
  • Safety critical systems
  Challenge: Develop models, analysis, and synthesis tools for designing and verifying the safety of multi-agent systems

  44. Proposed Framework (diagram): Control Theory (control of individual agents, continuous models, differential equations) and Computer Science (models of computation, communication models, discrete event systems) meet in Hybrid Systems

  45. Different Approaches

  46. Air Traffic Management Systems
  • Studied by NEXTOR and NASA
  • Increased demand for air travel
    • Higher aircraft density/operator workload
    • Severe degradation in adverse conditions
    • High business volume
  • Technological advances: Guidance, Navigation & Control
    • GPS, advanced avionics, on-board electronics
    • Communication capabilities
    • Air Traffic Controller (ATC) computation capabilities
  • Greater demand and possibilities for automation
    • Operator assistance
    • Decentralization
    • Free flight

  47. Hybrid Systems in ATM
  • Automation requires interaction between
    • Hardware (aircraft, communication devices, sensors, computers)
    • Software (communication protocols, autopilots)
    • Operators (pilots, air traffic controllers, airline dispatchers)
  • Interaction is hybrid
    • Mode switching at the autopilot level
    • Coordination for conflict resolution
    • Scheduling at the ATC level
    • Degraded operation
  • Requirement for formal design and analysis techniques
    • Safety critical system
    • Large scale system

  48. Control Hierarchy
  • Flight Management System (FMS)
    • Regulation & trajectory tracking
    • Trajectory planning
    • Tactical planning
    • Strategic planning
  • Decentralized conflict detection and resolution
    • Coordination, through communication protocols
  • Air Traffic Control
    • Scheduling
    • Global conflict detection and resolution

  49. Hybrid Research Issues
  • Hierarchy design
    • FMS level
      • Mode switching
      • Aerodynamic envelope protection
    • Strategic level
      • Design of conflict resolution maneuvers
      • Implementation by communication protocols
    • ATC level
      • Scheduling algorithms (e.g. for take-offs and landings)
      • Global conflict resolution algorithms
  • Software verification
  • Probabilistic analysis and degraded modes of operation

  50. Softwalls Adam Cataldo, Edward Lee and group
