Denial of safety critical services of a Public Mobile Network for a critical transport infrastructure

E. Ciancamerla, M. Minichino, ENEA Cr Casaccia

SNI 2005 – First workshop on Safeguarding National Infrastructures, August 25-27, 2005 – Glasgow, UK

Page 2

Issues

• PMN for a Tele Control system for a Critical Transport Infrastructure (Alpine Road Tunnel - SAFETUNNEL project)
  – Tele Control System main issues
  – TCS validation by modelling
• Stochastic measures of denial of safety critical services of PMN for voice and data connection
  – Modelling assumptions
  – Denial of service measures
  – Stochastic methodology
  – Denial of service models
    – Availability model
    – Performance model for voice connection
    – Performance model for data connection
  – Numerical results
• Conclusions

Page 3

Tele Control system dependability issues

TCS implements preventive SAFETY functions in REAL TIME, with the aim of enhancing accident prevention inside alpine road tunnels (Critical Transport Infrastructures).

TCS is not built all at once, but grows out of the existing subsystems.

TCS interacts with operators (the drivers and the tunnel operators).

TCS relies on a Public Mobile Network that interconnects instrumented vehicles, crossing a road tunnel infrastructure, to a Tunnel Control Centre.

PMN increases benefits, giving major support to the drivers and to the road operators in performing their tasks.

PMN poses problems of dependability and performability evaluation at the frontier of the technology:

• the novelty and complexity of TCS
• the topology of the network, which changes dynamically because of the presence of mobile nodes
• security aspects could weaken availability, performability and safety properties of TCS

Page 4

Tele Control System General architecture

[Figure: general architecture of the Tele Control System. Labels: Public Mobile Network (GSM/GPRS/UMTS), IP Access, GPRS links, BT Barriers, BlueTooth links, IP Private Network, SAFE TUNNEL Control Center, SITAF Control Center, TILAB Control Center, Data exchange (TCP/IP socket)]

Page 5

Tele Control System monitoring area limits

[Figure: monitoring area limits. Labels: Access Barrier 1, Access Barrier 2, Tunnel, Monitoring Area (R)]

Page 6

Tele Control system preventive safety functions

• Prognostics: on-board equipment is able to detect an existing fault or evaluate the possibility of an imminent fault (predictive analysis) and send information to a control center.

• Access control: A control center is able to inhibit access to vehicles with detected or imminent faults.

• Speed and distance control: The control center transmits to the vehicle the recommended speed and safety distance from the vehicle ahead. An on-board radar system measures the distance from the vehicle ahead. The on-board system controls engine and brakes in order to automatically achieve the recommended speed and distance.

• Emergency Message dissemination: Emergency information and warnings may be distributed from the control center directly to the On-board Human Machine Interface.

Page 7

Tele Control System validation

The Project designs the Tele Control System and develops a System Demonstrator (composed of a prototype of TCC, two instrumented vehicles and the PMN).

The validation of the SAFETUNNEL system is planned according to the following steps:

– Validation by FIELD EXPERIMENTATION, centered on the System Demonstrator

– Validation by MODELLING, centered on the whole System

Both FIELD TESTS and MODELLING are needed for system validation. The reasons are:

– just a limited number of field tests can be planned on the actual system Demonstrator;
– a set of validation measures has to be predicted on the SAFETUNNEL models, since the Demonstrator is not suitable for such measures.

Page 8

Validation by modelling

Validation by modelling has focused on the PMN and has been conducted along two main lines:

Functional Analysis of the system, by model checking, which looks at the interaction of the dimensioning of the PMN with the Tele Control system preventive safety functions, in system normal operational mode and for different tunnel scenarios.

Denial of service measures of the Public Mobile Network, by stochastic methodology, with the ideal goal of verifying if and how a possible degradation of service of the network, in terms of performance and availability, does not affect Tele Control System preventive safety functions.

Page 9

A glance at the PMN

[Figure: PMN architecture. Labels: MS, BTS, BSC, MSC, GMSC, VLR, HLR, AUC, EIR, Fixed network]

BTS – Base Transceiver Station

BSC – Base Station Controller

MSC – Mobile Switching Centre

GMSC – Gateway MSC

Page 10

A glance at the PMN

PMN transfers voice, commands and data between Instrumented Vehicles and the Tunnel Control Centre, with more than one Vehicle at the same time, in a bi-directional way:

– informative messages are transmitted in uplink (from the Vehicles' on-board system to TCC)
– commands/messages are transmitted in downlink

Data transmission is by GPRS connection, with the TCP transport protocol. Each Vehicle is characterized by a TCP address (IP address + TCP port); the TCC is provided with an analogous address too.

Voice calls, supported by GSM connection, take place between Vehicles and TCC in case GPRS data transfers are not sufficient to manage an emergency.

Page 11

PMN modelling assumptions

For the sake of building manageable models of our PMN, the following assumptions have been made:

– We focused on Base Stations: a single Base Station System consists of one Base Station Controller and multiple Base Transceiver Stations
– Data exploits the same physical channels used by voice
– The channel allocation policy is priority of voice over data
– We account for the handoff procedure for voice connection
– We neglect the possibility of the handoff procedure for data connection
– One Control Channel (CCH) is dedicated to GSM and GPRS signalling and control; CCH is randomly assigned to a BTS
– The GPRS implements a point to point connection

Page 13

A measure of denial of service: the Total Service Blocking Probability

Considering the PMN, as shown in the figure, the GSM and the GPRS services can be denied due to the following contributions:

a) the BSS, as a whole, becomes unavailable or

b) the BSS is available and all its channels are full or

c) the BSS is not completely available and all the channels in it, which are available, are also full.

We define the Total Service Blocking Probability (TSB) as a measure of the denial of service, for both GSM and GPRS connections, due to the occurrence of at least one of the contributions a), b), or c).

Page 14

Stochastic Activity Networks

The basic elements of SAN (an extension of Petri Nets) are places, activities, input gates and output gates.

Places and activities in SAN have the same meaning as places and transitions in Petri Nets.

Input gates and output gates consist of predicates and functions respectively, which contain the rules for firing the activities and for distributing the tokens after the activities have fired.

Two high-level constructs are available for hierarchical models: REP and JOIN.

The complexity of a SAN model can be hidden inside input and output gates.

Unlike Petri Nets, the graphical representation of a SAN model is not correlated to its actual complexity.

Page 15

PMN denial of service composed model

The same structure for voice and data connection

[Figure: composed model. Label: PMN denial of service]

Page 16

PMN Availability sub model

Page 17

GSM&GPRS performance sub model for data

Page 18

Some numerical results

On the previous models we carry out availability, performance and performability measures on voice and data services.

The input parameters to the models and their numerical values are summarized in the following tables.

Page 19

Input parameters and values of the availability sub model

Parameter                  Value
Rate of BSC_fail           2.31E-4 h^-1
Rate of BSC_repair         1 h^-1
Rate of CCF_fail           3.47E-4 h^-1
Rate of CCF_repair         0.5 h^-1
Rate of BTS_fail           3.47E-4 h^-1
Rate of BTS_repair         0.5 h^-1
Number of BSC              1
Number of BTS              4
N. of channels of a BTS    8
Number of CCH              1

Page 20

Input parameters and values of the GSM performance sub model

Parameter                             Value
Arrival rate of new calls             0.27 s^-1
Duration of the calls                 180 s
Arrival rate of handoff calls         0.027 s^-1
Duration of outgoing handoff calls    80 s
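
An added worked example (not the authors' SAN model and not code from the presentation): it composes the contributions a), b) and c) of the TSB for voice, using the values of the availability and GSM performance tables above in a closed-form approximation. Assumptions made here and not stated on the slides: components fail independently (CCF is ignored), the BSS is unavailable when the BSC or every BTS is down, the CCH takes one channel from the working pool, and voice blocking follows Erlang-B with handoff calls added to the arrivals and handoff departures added to the channel release rate.

```python
from math import comb

# Parameter values from the availability and GSM performance tables.
BSC_FAIL, BSC_REPAIR = 2.31e-4, 1.0        # h^-1
BTS_FAIL, BTS_REPAIR = 3.47e-4, 0.5        # h^-1
N_BTS, CH_PER_BTS, N_CCH = 4, 8, 1
NEW_RATE, CALL_DURATION = 0.27, 180.0      # s^-1, s
HANDOFF_RATE, HANDOFF_DWELL = 0.027, 80.0  # s^-1, s


def availability(fail_rate, repair_rate):
    """Steady-state availability of a two-state repairable component."""
    return repair_rate / (fail_rate + repair_rate)


def erlang_b(channels, load):
    """Blocking probability of a loss system with `channels` servers."""
    if channels <= 0:
        return 1.0
    b = 1.0
    for c in range(1, channels + 1):
        b = load * b / (c + load * b)
    return b


def offered_load():
    """Assumption: handoffs add to arrivals; a channel frees on call end or handoff."""
    return (NEW_RATE + HANDOFF_RATE) / (1 / CALL_DURATION + 1 / HANDOFF_DWELL)


def bts_up_prob(k, a_bts):
    """Probability that exactly k of N_BTS independent BTS are working."""
    return comb(N_BTS, k) * a_bts**k * (1 - a_bts) ** (N_BTS - k)


def tsb_voice():
    """Return (TSB, a, b, c) for the simplified voice model (assumed, not the SAN)."""
    a_bsc = availability(BSC_FAIL, BSC_REPAIR)
    a_bts = availability(BTS_FAIL, BTS_REPAIR)
    load = offered_load()

    def busy(k):  # BSC up, k BTS up, every traffic channel occupied
        return a_bsc * bts_up_prob(k, a_bts) * erlang_b(k * CH_PER_BTS - N_CCH, load)

    part_a = (1 - a_bsc) + a_bsc * bts_up_prob(0, a_bts)  # a) BSS unavailable
    part_b = busy(N_BTS)                                  # b) all up, all full
    part_c = sum(busy(k) for k in range(1, N_BTS))        # c) degraded and full
    return part_a + part_b + part_c, part_a, part_b, part_c
```

Calling `tsb_voice()` returns the total and its three parts, so the dominant contribution under these assumptions can be read off directly; the figures belong to this simplified model, not to the presentation's numerical results.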

Page 21

Input parameters and values of the GSM&GPRS performance sub model

Parameter                            Value
Arrival rate of voice calls          0.5…2.5 s^-1
Duration of voice calls              180 s
Rate of session activation           2 s^-1
Session reading time                 15 s
Packets inter arrival rate           0.0242 s^-1
Rate of suc. packet transmission     0.0513 s^-1
Buffer capacity (B)                  100
N. of max opened sessions (D)        10, 30, 50

Page 22

Total Service Blocking (TSB) probability for voice service

Page 23

Total Service Blocking (TSB) probability for data packets

Page 24

Conclusions

We computed Total Service Blocking probabilities, as measures of the denial of service for GSM and GPRS connections of a PMN for a Tele Control System.

We have built modular sub models, hierarchically composed, by using Stochastic Activity Networks.

Numerical results have been presented.

The research is still ongoing:

to account for possible external adverse events, such as intrusions, in a global dependability model