E. Ciancamerla, M. Minichino ENEA Cr Casaccia
1
Denial of safety critical services of a Public Mobile Network for a critical transport infrastructure
E. Ciancamerla, M. Minichino
ENEA Cr Casaccia
SNI 2005 – First workshop on Safeguarding National Infrastructures
August 25-27, 2005 – Glasgow, UK
2
Issues
• PMN for a Tele Control system for a Critical Transport Infrastructure (Alpine Road Tunnel - SAFETUNNEL project)
– Tele Control System main issues
– TCS validation by modelling
• Stochastic measures of denial of safety critical services of PMN for voice and data connection
– Modelling assumptions
– Denial of service measures
– Stochastic methodology
– Denial of service models: Availability model, Performance model for voice connection, Performance model for data connection
– Numerical results
• Conclusions
3
Tele Control system dependability issues
• TCS implements preventive SAFETY functions in REAL TIME, with the aim of enhancing accident prevention inside alpine road tunnels (Critical Transport Infrastructures)
• TCS is not built all at once, but grows up from the existing subsystems
• TCS interacts with operators (the drivers and the tunnel operators)
• TCS relies on a Public Mobile Network that interconnects instrumented vehicles, crossing a road tunnel infrastructure, to a Tunnel Control Centre
• PMN increases benefits, giving major support to the drivers and to the road operators in performing their tasks
• PMN poses problems of dependability and performability evaluation on the frontier of the technology:
– the novelty and complexity of TCS
– the topology of the network, which changes dynamically because of the presence of mobile nodes
– security aspects could weaken availability, performability and safety properties of TCS
4
Tele Control System General architecture
[Figure: instrumented vehicles connected through BlueTooth links to the BT Barriers and through GPRS links to the Public Mobile Network (GSM/GPRS/UMTS); IP Access and IP Private Network towards the SAFE TUNNEL Control Center; SITAF Control Center and TILAB Control Center; data exchange by TCP/IP socket]
5
Tele Control System monitoring area limits
[Figure: Tunnel, Access Barrier 1, Access Barrier 2, Monitoring Area (R)]
6
Tele Control system preventive safety functions
• Prognostics: on-board equipment is able to detect an existing fault or evaluate the possibility of an imminent fault (predictive analysis) and send information to a control center.
• Access control: a control center is able to inhibit access to vehicles with detected or imminent faults.
• Speed and distance control: the control center transmits to the vehicle the recommended speed and safety distance from the vehicle ahead. An on-board radar system measures the distance from the vehicle ahead. The on-board system controls engine and brakes in order to automatically achieve the recommended speed and distance.
• Emergency message dissemination: emergency information and warnings may be distributed from the control center directly to the on-board Human Machine Interface.
7
Tele Control System validation
The Project designs the Tele Control System and develops a System Demonstrator (composed of a prototype of TCC, two instrumented vehicles and the PMN).
The validation of the SAFETUNNEL system is planned according to the following steps:
– Validation by FIELD EXPERIMENTATION, centered on the System Demonstrator
– Validation by MODELLING, centered on the whole System
Both FIELD TESTS and MODELLING are needed for system validation. That is why:
– Just a limited number of field tests can be planned on the actual system Demonstrator;
– a set of validation measures has to be predicted on the SAFETUNNEL models, since the Demonstrator is not suitable for such measures.
8
Validation by modelling
Validation by modelling has focused on the PMN and has been conducted along two main lines:
• Functional Analysis of the system, by model checking, which looks at the interaction of the dimensioning of the PMN with the Tele Control system preventive safety functions, in the system's normal operational mode and for different tunnel scenarios
• Denial of service measures of the Public Mobile Network, by stochastic methodology, with the ideal goal of verifying whether and how a possible degradation of service of the network, in terms of performance and availability, affects the Tele Control System preventive safety functions.
9
A Glance to the PMN
[Figure: PMN structure with Fixed network, GMSC, MSC, VLR, HLR, AUC, EIR, BSC, BTS and MS]
BTS – Base Transceiver Station
BSC – Base Station Controller
MSC – Mobile Switching Centre
GMSC – Gateway MSC
10
A glance to the PMN
PMN transfers voice, commands and data between Instrumented Vehicles and the Tunnel Control Centre, with more than one Vehicle at the same time, in a bi-directional way.
– Informative messages are transmitted in uplink (from the Vehicles' on-board system to TCC)
– Commands/messages are transmitted in downlink
Data transmission, by GPRS connection. TCP transport protocol. Each Vehicle is characterized by a TCP address (IP address + TCP port); the TCC is provided with an analogous address too.
Voice calls, supported by GSM connection, between Vehicles and TCC, in case GPRS data transfers are not sufficient to manage an emergency.
11
PMN modelling assumptions
For the sake of building manageable models of our PMN, the following assumptions have been made:
– We focused on Base Stations: a single Base Station System is constituted by one Base Station Controller and multiple Base Transceiver Stations
– Data exploits the same physical channels used by voice
– The channel allocation policy is priority of voice over data
– We account for the handoff procedure for voice connection
– We neglect the possibility of the handoff procedure for data connection
– One Control Channel (CCH) is dedicated to GSM and GPRS signalling and control; CCH is randomly assigned to a BTS
– The GPRS implements a point to point connection
12
13
A measure of denial of service: the Total Service Blocking Probability
Considering the PMN, as shown in figure, the GSM and the GPRS services can be denied due to the following contributions:
a) the BSS, as a whole, becomes unavailable or
b) the BSS is available and all its channels are full or
c) the BSS is not completely available and all the channels in it, which are available, are also full.
We name Total Service Blocking Probability (TSB) the measure of the denial of service, both for GSM and GPRS connection, due to the occurrence of at least one of the contributions a), b), or c).
14
Stochastic Activity Networks
The basic elements of SAN (an extension of Petri Nets) are places, activities, input gates and output gates.
Places and activities in SAN have the same meaning as places and transitions of Petri Nets.
Input gates and output gates consist, respectively, of predicates and functions, which contain the rules for firing the activities and for distributing the tokens after the activities have fired.
Two high-level constructs for hierarchical models: REP and JOIN.
The complexity of a SAN model could be hidden inside input and output gates.
Differently from Petri Nets, the graphical representation of a SAN model is not correlated to its actual complexity.
15
PMN denial of service composed model
The same structure for voice and data connection
[Figure: PMN denial of service composed model]
16
PMN Availability sub model
17
GSM&GPRS performance sub model for data
18
Some numerical results
On the previous models we conduct availability, performance and performability measures on voice and data services.
The input parameters to the models and their numerical values are summarized in the following tables.
19
Input parameters and values of the availability sub model
Parameter                  Value
Rate of BSC_fail           2,31 E-4 h^-1
Rate of BSC_repair         1 h^-1
Rate of CCF_fail           3.47 E-4 h^-1
Rate of CCF_repair         0,5 h^-1
Rate of BTS_fail           3.47 E-4 h^-1
Rate of BTS_repair         0,5 h^-1
Number of BSC              1
Number of BTS              4
n. of channels of a BTS    8
Number of CCH              1
20
Input parameters and values of the GSM performance sub model
Parameter                             Value
arrival rate of new calls             0,27 s^-1
duration of the calls                 180 s
arrival rate of handoff calls         0,027 s^-1
duration of outgoing handoff calls    80 s
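The three contributions a), b) and c) of the Total Service Blocking probability can be evaluated in closed form for the voice service using the values of the two tables above. This is an added example, not the authors' SAN model. It assumes independent BSC/BTS failures, an Erlang-B loss system for the channels, a CCH that moves to a surviving BTS, and a channel holding time that ends at call completion or outgoing handoff; the CCF rates and the GPRS traffic are not used.

```python
from math import comb

# Values taken from the slides' parameter tables.
BSC_FAIL, BSC_REPAIR = 2.31e-4, 1.0      # h^-1
BTS_FAIL, BTS_REPAIR = 3.47e-4, 0.5      # h^-1
N_BTS, CH_PER_BTS, N_CCH = 4, 8, 1
NEW_RATE, CALL_DUR = 0.27, 180.0         # s^-1, s
HO_RATE, HO_DUR = 0.027, 80.0            # s^-1, s

def availability(fail, repair):
    """Steady-state availability of a two-state fail/repair component."""
    return repair / (fail + repair)

def erlang_b(channels, load):
    """Blocking probability of an M/M/c/c loss system (stable recurrence)."""
    if channels <= 0:
        return 1.0
    b = 1.0
    for m in range(1, channels + 1):
        b = load * b / (m + load * b)
    return b

def offered_load():
    # Assumption: a busy channel is freed when the call ends (mean 180 s)
    # or hands off to another cell (mean 80 s), whichever comes first.
    return (NEW_RATE + HO_RATE) / (1 / CALL_DUR + 1 / HO_DUR)

def tsb_voice():
    """Return contributions a), b), c) and their sum (TSB) for voice."""
    a_bsc = availability(BSC_FAIL, BSC_REPAIR)
    a_bts = availability(BTS_FAIL, BTS_REPAIR)
    load = offered_load()
    p = {"a": 1.0 - a_bsc, "b": 0.0, "c": 0.0}   # a) starts with BSC down
    for k in range(N_BTS + 1):                   # k = BTSs currently up
        p_k = a_bsc * comb(N_BTS, k) * a_bts**k * (1 - a_bts)**(N_BTS - k)
        if k == 0:
            p["a"] += p_k                        # no BTS left: BSS is down
            continue
        # Assumption: the CCH moves to a surviving BTS, leaving k*8 - 1 channels.
        full = erlang_b(k * CH_PER_BTS - N_CCH, load)
        p["b" if k == N_BTS else "c"] += p_k * full
    p["TSB"] = p["a"] + p["b"] + p["c"]          # a), b), c) are disjoint
    return p

if __name__ == "__main__":
    for name, value in tsb_voice().items():
        print(f"{name:>3}: {value:.3e}")
```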
21
Input parameters and values of the GSM&GPRS performance sub model
Parameter                           Value
arrival rate of voice calls         0,5…2,5 s^-1
duration of voice calls             180 s
rate of session activation          2 s^-1
session reading time                15 s
Packets inter arrival rate          0,0242 s^-1
rate of suc. packet transmission    0,0513 s^-1
buffer capacity (B)                 100
n. of max opened sessions (D)       10, 30, 50
22
Total Service Blocking (TSB) probability for voice service
23
Total Service Blocking (TSB) probability for data packets
24
Conclusions
We computed Total Service Blocking probabilities, as measures of the denial of service for GSM and GPRS connections of a PMN for a Tele Control System.
We have built modular sub models, hierarchically composed, by using Stochastic Activity Networks.
Numerical results have been presented.
The research is still ongoing:
to account for possible external adverse events, such as intrusions, in a global dependability model
…