Copy of Overheads


Denial of safety critical services of a Public Mobile
Network for a critical transport infrastructure
E. Ciancamerla, M. Minichino
ENEA Cr Casaccia
SNI 2005 – First workshop on Safeguarding National Infrastructures
August 25 -27, 2005 – Glasgow, UK
1
Issues
• PMN for a Tele Control system for a Critical Transport Infrastructure
(Alpine Road Tunnel - SAFETUNNEL project )
– Tele Control System main issues
– TCS validation by modelling
• Stochastic measures of denial of safety critical services of PMN for
voice and data connection
– Modelling assumptions
– Denial of service measures
– Stochastic methodology
– Denial of service models
 ▪ Availability model
 ▪ Performance model for voice connection
 ▪ Performance model for data connection
 ▪ Numerical results
• Conclusions
2
Tele Control system dependability issues
▪ TCS implements preventive SAFETY functions in REAL TIME, with the aim
of enhancing accident prevention inside alpine road tunnels (Critical Transport
Infrastructures)
▪ TCS is not built all at once, but grows out of the existing subsystems
▪ It interacts with operators (the drivers and the tunnel operators)
▪ It relies on a Public Mobile Network that interconnects instrumented vehicles,
crossing a road tunnel infrastructure, to a Tunnel Control Centre
▪ PMN increases benefits, giving major support to the drivers and to the road
operators in performing their tasks
▪ PMN poses problems of dependability and performability evaluation at
the frontier of the technology.
• the novelty and complexity of TCS
• the topology of the network, which changes dynamically because of the presence of
mobile nodes
• security aspects
could weaken the availability, performability and safety properties of TCS
3
Tele Control System General architecture
[Figure: general architecture. Labels: SAFE TUNNEL Control Center, TILAB Control Center, SITAF Control Center, Public Network, Public Mobile Network (GSM/GPRS/UMTS), IP Access, GPRS links, VSM, MSM, BlueTooth links, BT, Barriers, IP Private Network, Data exchange (TCP/IP socket).]
4
Tele Control System monitoring area limits
[Figure: monitoring area limits. Labels: Monitoring Area (R), Access Barrier 1, Access Barrier 2, Tunnel.]
5
Tele Control system preventive safety functions
• Prognostics: on-board equipment is able to detect an existing fault or evaluate the
possibility of an imminent fault (predictive analysis) and send information to
a control center.
• Access control: a control center is able to inhibit access to vehicles with
detected or imminent faults.
• Speed and distance control: the control center transmits to the vehicle the
recommended speed and safety distance from the vehicle ahead. An on-board
radar system measures the distance from the vehicle ahead. The on-board system
controls engine and brakes in order to automatically achieve the recommended
speed and distance.
• Emergency message dissemination: emergency information and warnings may
be distributed from the control center directly to the on-board Human
Machine Interface.
6
Tele Control System validation
The Project designs the Tele Control System and develops a System Demonstrator
(composed of a prototype of TCC, two instrumented vehicles and the PMN)
The validation of the SAFETUNNEL system is planned according to the following
steps:
– Validation by FIELD EXPERIMENTATION, centered on System
Demonstrator
– Validation by MODELLING, centered on the whole System
Both FIELD TESTS and MODELLING are needed for system validation,
because:
– Only a limited number of field tests can be planned on the actual system Demonstrator;
– a set of validation measures has to be predicted on the SAFETUNNEL models, since the
Demonstrator is not suitable for such measures.
7
Validation by modelling
Validation by modelling has focused on the PMN and has been conducted along
two main lines:
▪ Functional analysis of the system, by model checking,
which looks at the interaction of the dimensioning of the
PMN with the Tele Control system preventive safety
functions, in system normal operational mode and for
different tunnel scenarios
▪ Denial of service measures of the Public Mobile
Network, by stochastic methodology, with the ideal goal of
verifying that a possible degradation of service of the
network, in terms of performance and availability, does not
affect the Tele Control System preventive safety functions.
8
A Glance to the PMN
BTS- Base Transceiver Station
BSC – Base Station Controller
MSC – Mobile Switching Centre
GMSC – Gateway MSC
9
A glance to the PMN
▪ PMN transfers voice, commands and data between
Instrumented Vehicles and the Tunnel Control Centre,
bidirectionally and with more than one Vehicle at the same time.
 ▪ Informative messages are transmitted in uplink (from the Vehicles'
on-board system to the TCC)
 ▪ Commands/messages are transmitted in downlink
▪ Data transmission, by GPRS connection.
 ▪ TCP transport protocol. Each Vehicle is characterized by a
TCP address (IP address + TCP port)
 ▪ The TCC is provided with an analogous address too.
▪ Voice calls, supported by GSM connection,
 ▪ between Vehicles and TCC, in case GPRS data transfers are not
sufficient to manage an emergency.
10
PMN modelling assumptions
For the sake of building manageable models of our PMN, the
following assumptions have been made:
– We focused on Base Stations: a single Base Station System
consists of one Base Station Controller and multiple Base
Transceiver Stations
– Data exploits the same physical channels used by voice
– The channel allocation policy is priority of voice on data
– We account for handoff procedure for voice connection
– We neglect the possibility of the handoff procedure for data
connection
– One Control Channel (CCH) is dedicated to GSM and GPRS
signalling and control; CCH is randomly assigned to a BTS
– The GPRS implements a point to point connection
11
12
A measure of denial of service: the Total
Service Blocking Probability
Considering the PMN, as shown in figure , the GSM and the
GPRS services can be denied because of the following contributions:
a) the BSS, as a whole, becomes unavailable, or
b) the BSS is available and all its channels are full, or
c) the BSS is not completely available and all the channels in it that
are available are also full.
We call Total Service Blocking Probability (TSB) the
measure of the denial of service, for both GSM and GPRS
connections, due to the occurrence of at least one of the
contributions a), b), or c).
13
Stochastic Activity Networks
▪ The basic elements of SAN (an extension of Petri Nets) are places, activities,
input gates and output gates.
▪ Places and activities in SAN have the same meaning as places and
transitions in Petri Nets.
▪ Input gates and output gates consist, respectively, of predicates and
functions, which contain the rules for firing the activities and for
distributing the tokens after the activities have fired.
▪ Two high-level constructs for hierarchical models: REP and JOIN.
▪ The complexity of a SAN model can be hidden inside input and output
gates.
▪ Unlike Petri Nets, the graphical representation of a SAN model
is not correlated to its actual complexity.
14
PMN denial of service composed model
PMN denial of service
The same structure for voice and data connection
15
PMN Availability sub model
16
GSM&GPRS performance sub model for data
17
Some numerical results
On the previous models we conduct availability, performance and
performability measures on voice and data services.
The input parameters to the models and their numerical values are
summarized in the following tables
18
Input parameters and values of the
availability sub model
Parameter                   Value
Rate of BSC_fail            2,31 E-4 h^-1
Rate of BSC_repair          1 h^-1
Rate of CCF_fail            3.47 E-4 h^-1
Rate of CCF_repair          0,5 h^-1
Rate of BTS_fail            3.47 E-4 h^-1
Rate of BTS_repair          0,5 h^-1
Number of BSC               1
Number of BTS               4
n. of channels of a BTS     8
Number of CCH               1
19
Input parameters and values of the GSM
performance sub model
Parameter                             Value
arrival rate of new calls             0,27 s^-1
duration of the calls                 180 s
arrival rate of handoff calls         0,027 s^-1
duration of outgoing handoff calls    80 s
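The TSB definition (contributions a, b, c) can be evaluated in closed form under simplifying assumptions. This is an added example, not the authors' SAN model: it assumes independent two-state fail/repair components in steady state, reads the CCF rates as those of the control channel, treats new and handoff calls as Poisson streams holding a channel for their listed durations, and uses Erlang-B blocking on the channels left in service.

```python
from math import comb

# Values copied from the page's parameter tables (rates per hour, durations in s).
BSC_FAIL, BSC_REPAIR = 2.31e-4, 1.0
CCF_FAIL, CCF_REPAIR = 3.47e-4, 0.5   # read here as the control channel (assumption)
BTS_FAIL, BTS_REPAIR = 3.47e-4, 0.5
N_BTS, CH_PER_BTS, N_CCH = 4, 8, 1
NEW_RATE, NEW_DUR = 0.27, 180.0
HO_RATE, HO_DUR = 0.027, 80.0


def availability(fail, repair):
    """Steady-state availability of a two-state fail/repair component."""
    return repair / (fail + repair)


def erlang_b(load, channels):
    """Blocking probability of an M/M/c/c loss system (stable recurrence)."""
    b = 1.0
    for n in range(1, channels + 1):
        b = load * b / (n + load * b)
    return b


def bss_up_probability():
    """P(BSC up, control channel up, at least one BTS up)."""
    a_bts = availability(BTS_FAIL, BTS_REPAIR)
    return (availability(BSC_FAIL, BSC_REPAIR)
            * availability(CCF_FAIL, CCF_REPAIR)
            * (1.0 - (1.0 - a_bts) ** N_BTS))


def voice_load():
    """Offered voice load in Erlang (assumed: both streams at listed durations)."""
    return NEW_RATE * NEW_DUR + HO_RATE * HO_DUR


def tsb_voice(load):
    """TSB = a) BSS down + b) all BTS up and full + c) some BTS up and full."""
    a_bts = availability(BTS_FAIL, BTS_REPAIR)
    core_up = availability(BSC_FAIL, BSC_REPAIR) * availability(CCF_FAIL, CCF_REPAIR)
    total = 1.0 - bss_up_probability()                      # contribution a)
    for k in range(1, N_BTS + 1):                           # k BTS in service
        p_k = comb(N_BTS, k) * a_bts ** k * (1 - a_bts) ** (N_BTS - k)
        total += core_up * p_k * erlang_b(load, k * CH_PER_BTS - N_CCH)
    return total


if __name__ == "__main__":
    print(f"unavailability floor: {1 - bss_up_probability():.3e}")
    for load in (10.0, 20.0, voice_load()):
        print(f"load {load:6.2f} E -> TSB {tsb_voice(load):.4e}")
```

At low traffic the TSB is bounded below by the unavailability term alone, so no amount of spare channel capacity removes contribution a).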
20
Input parameters and values of the
GSM&GPRS performance sub model
Parameter                           Value
arrival rate of voice calls         0,5…2,5 s^-1
duration of voice calls             180 s
rate of session activation          2 s^-1
session reading time                15 s
Packets inter arrival rate          0,0242 s^-1
rate of suc. packet transmission    0,0513 s^-1
buffer capacity (B)                 100
n. of max opened sessions (D)       10,30,50
21
Total Service Blocking (TSB) probability
for voice service
22
Total Service Blocking (TSB) probability
for data packets
23
Conclusions
▪ We computed Total Blocking Service probabilities, as
measures of the denial of service for GSM and GPRS
connections of a PMN for a Tele Control System
▪ We have built modular sub models, hierarchically composed,
by using Stochastic Activity Networks.
▪ Numerical results have been presented
▪ The research is still ongoing:
to account for possible external adverse events, such as
intrusions, in a global dependability model
…
24