Analysis Techniques for a Secure NAS
DESCRIPTION
Analysis Techniques for a Secure NAS. Shankar Sastry, Department of EECS, University of California, Berkeley. JUP Kickoff, Nov 23rd, 2002. [email protected] 510-642-0253. Prequel: The Impact of Sept. 11 on Air Transportation. Prof. R. John Hansman, Director.
TRANSCRIPT
Analysis Techniques for a Secure NAS
Shankar Sastry, Department of EECS
University of California, Berkeley
JUP Kickoff, Nov 23rd, 2002
[email protected] 510-642-0253
Prequel: The Impact of Sept. 11 on Air Transportation
Prof. R. John Hansman, Director, MIT International Center for Air Transportation
[email protected] 617-253-2271
[Chart: Domestic Enplanements 1999-2001, enplanements in 000s (0 to 60,000) by month from Jan-99 to Oct-01, with the Sep. 11th attacks marked. Source: ATA]
Aviation's Macro Economic Impact
Air transportation has four types of effects:
• DIRECT: air carriers, airports, air navigation providers, etc.
• INDIRECT: airline passengers and air freight forwarding business in other industries (hotels, rental cars, finance and banking, etc.)
• INDUCED: expenses by the recipients of income generated by the direct and indirect economic activities
• ENABLING: provides access to markets and other activities that would not be possible without aviation
Employment in the US (1993): 8.84 Million jobs: Direct 36%, Indirect 64%
Economic activity in the US (1993): $771.1 Billion: Direct 15%, Indirect 18%, Induced 67%
Excludes enabling effect. Source: ICAO, FAA
Information Technology Hypotheses
• Infrastructure: Advanced Information Technologies have the potential to allow efficient use of constrained infrastructure in developed regions and to allow regions with immature air transportation infrastructure to rapidly reach parity with mature systems
• Operations: Advanced Information Technologies will improve the efficiency and security of operations through enhanced information sharing and collaborative decision making
• Profitability: Information Technology related improvements are a key component of profitability of mature airlines
• Usability: The potential benefits of Information Technology are limited by inadequate attention to the users' cognitive and operational needs and "entropic" growth of complexity, which limit usability and acceptance
Components of the Air Transportation System
• Airports: runways, terminals, ground transport interface, servicing, maintenance
• Air Traffic Management: communications, navigation, surveillance, control
• Weather: observation, forecasting, dissemination
• Skilled personnel
• Cost recovery mechanisms
AIR TRAFFIC CONTROL STRUCTURE TRENDS
• Current structure: surface control (ground), local control (tower), terminal area control (approach and departure), enroute control (center), oceanic control
• Proposed structures: "Free Flight" (RTCA/ATA proposal), Collaborative Decision Making, 4-D Control, Segregated Airspace, "Super Centers", Conformance Monitoring Issues
ATM System Current Functional Structure
[Diagram, adapted from A. Haraldsdottir, Boeing: the current functional structure of the ATM system, from planning at the strategic level (time scales of hours to a day) to execution at the tactical level (under 5 min). Labels: Aircraft Guidance and Navigation, Aircraft State, AC State Sensor, Sector Traffic Control, Traffic Sensor, Vectors, Clearances, Clearance Requests, Other Aircraft States, Sector Traffic Planning, Facility Flow Planning, National Flow Planning, Flight Planning, Flight Schedule, Weather, Filed Flight Plans, Approved Flight Plans, Negotiate Handoffs, Approved Handoffs, Desired Sector Loads, Schedule of Capacities, Planned Flow Rates; actors: Airline, AOC, CFMU, TMU, D-side, R-side, Pilot; flows: Measurement, Real State, Plan/Intent, Requests; time scales: < 5 min, 5 min, 5-20 min, hrs, hrs - day; criticality level increases from Efficiency/Throughput toward Safety.]
ATM Basic Control Loops
[Diagram: the basic ATM control loops. Elements: Pilot (manual control, displays, CDU, MCP controls, voice), Aircraft Flight Management Computer (navigation, state, autopilot/autothrust, state commands, trajectory commands, flight plan amendments), ATC (flight strips, decision aids, displays), AOC (Airline Operations Center), ACARS (datalink), initial clearances, vectors. Update rates: surveillance enroute 12.0 s, terminal 4.2 s; ADS 1 s.]
US Air Route Traffic Control Center (ARTCC) Airspace - 20 Centers
[Map of the 20 centers: ZBW, ZNY, ZOB, ZAU, ZMA, ZMP, ZKC, ZID, ZDC, ZTL, ZJX, ZME, ZFW, ZDV, ZLC, ZHU, ZSE, ZOA, ZLA, ZAB]
COMMUNICATION TRENDS
• Voice: VHF (line of sight), HF (over the horizon), ground lines
• Datalink (line of sight): ACARS (VHF), Mode S
• Satellite: geosynchronous (data, voice, images), air-ground and ground-ground, LEO and MEO networks
• Aeronautical Telecommunications Network (ATN): CDMA, TDMA, TCP/IP, Voice Data Link (VDL-2, VDL-3)
NAVIGATION TRENDS (ENROUTE)
• Radionavigation beacons: VHF Omnidirectional Range (VOR), Non-Directional Beacon (NDB), Distance Measuring Equipment (DME), TACAN
• Area navigation systems (ground based): Omega, LORAN
• Inertial navigation systems
• Satellite navigation systems: GPS (CA), GNSS
NAVIGATION TRENDS (APPROACH)
• Instrument Landing System (ILS): Cat. I (200 ft; 1/4 mile), Cat. II (50 ft; 800 RVR), Cat. III (0,0)
• Microwave Landing System (MLS)
• Differential GPS (100 m); Wide Area Augmentation System (5 m) for Cat. I, Cat. II; Local Area Augmentation System (0.1 m) for Cat. III
• Change to Required Navigation Performance (RNP)
GPS ISSUES
• Precision: ionosphere, clock errors
• Availability
• Integrity: RAIM, differential
• Vulnerability: jamming
• Trust: control by US DoD, international concerns, Selective Availability (turned off 1999)
• Continuity: US guarantee of service free to the world through 2005
SURVEILLANCE TRENDS
• Primary radar: enroute (12 sec scan), terminal area (4.2 sec scan)
• Secondary radar: transponders, Mode C (altitude), Mode S (2-way data exchange)
• Onboard surveillance: TCAS
• Automatic Dependent Surveillance (ADS): oceanic (INS based), broadcast (ADS-B)
SEPARATION ASSURANCE CONSIDERATIONS
[Diagram: nested regions around an aircraft, from the outside in: procedural safety buffer, personal safety buffer, minimum separation standard, hazard zone, surveillance uncertainty.]
[Chart: azimuth resolution at maximum range as % of en route minima (0 to 120%), 1950 to 2000, for long range primary radars (ARSR-1, ARSR-4), medium range primary radars (ASR-6, ASR-9) and medium range secondary radars (Mode A, Mode S), against the 5 nm en route separation minima. EN ROUTE MINIMA HAVE NOT CHANGED DESPITE 5x IMPROVEMENT IN RADAR PERFORMANCE.]
IMPROVED SURVEILLANCE HAS NOT LED TO REDUCED EN ROUTE MINIMA
[Diagram: the minimum separation standard when standards were developed (e.g. 1950s for en route radar) versus in the improved surveillance environment (e.g. today for en route radar).]
Surveillance has improved, but separation minima have not changed: the procedural safety buffer has implicitly increased.
Increased use of Software in Critical Applications
• Potential for common mode software failure (not present in h/w)
• Lack of metrics and evaluation methods: how to measure 10^-8
• Human factors problems: induced human errors
• Today we control the lifecycle (process) since we don't know how to evaluate the product: unknown efficacy; expensive (industry attributes 60% of avionics development cost to V&V); doesn't scale to very large systems: more automation is needed to reduce errors and for increased reuse (e.g., code synthesis)
Security Challenges
• Terrorists may employ highly malicious attacks much worse than those seen to date
• Current technology is not designed nor intended to withstand such attacks
• Vulnerabilities in our networked systems can be exploited by anyone anywhere in the world
• Successful attacks may not be detected
• Critical systems must be designed to provide continuous correct operation even under successful attack
What is missing
• Strong enough barriers to penetration
• Accurate intrusion detection
• Ability to fuse incident reports across a global area and deduce possible plans and intentions, for warning and to guide interventions
• And, because the above will never be perfect: systems that tolerate attacks and keep on ticking
Tolerating attacks
• System designs that give some inherent resistance to attack: diversity, redundancy, decentralization
• Detect and repair damage
• Biological models
Diversity
• Economic forces have turned the global computing environment into a monoculture
• Diversity can reduce overall losses from attack: it hedges against unknown means of attack, and surviving elements support continued operation
• Obtaining diversity manually is expensive (e.g., n-version programming)
• Could explore automatic artificial diversity
Redundancy
• Current uses of redundancy are expensive and do not scale (e.g., replication of servers)
• Scalable methods provide weaker guarantees: probabilistic, eventual consistency
• E.g., epidemic and gossip protocols: information exchanges involve randomly or opportunistically chosen gossip partners
• E.g., quorum systems: operations access quorums (subsets) of servers
Decentralization
• Behavior is the result of autonomous activity by member entities
• Undetected error states are tolerated
• Stateless: state is regenerated
• Can tolerate loss of some components
• No single points of failure: control, management, gateway, etc. functions are redundant and/or migratable
• Trend toward decentralized design for maximum utilization
Get inspiration from nature
• Robustness mechanisms at many levels
• Highly decentralized and redundant
• Widespread use of diversity
• Automated damage detection and repair
• Adaptive and evolving
• Dispensable components
A Solution Strategy for the Conflict Resolution Problem in 2D and 3D Airspaces
Jianghai Hu
with Maria Prandini, Arnab Nilim, Shankar Sastry
Department of EECS
University of California, Berkeley
2-D Conflict Resolution: Problem Formulation
• n aircraft flying on R^2
• n starting positions a1, a2, a3, … and n destination positions b1, b2, b3, …
• Time interval T = [t0, tf]
• Maneuver i for aircraft i; joint maneuver (…, n)
• Minimal separation r = 5 nmi
• Conflict-free (joint) maneuver
Problem Formulation (continued)
Goal: among all the conflict-free maneuvers (…, n), find the one that minimizes the energy:
where (…, n) represent aircraft priorities
Collision Avoidance and Tracking using Nonlinear Model Predictive Tracking
• Five helicopters are given straight line trajectories that will lead to a collision.
• Each vehicle can detect the other vehicles' positions within its sensing/communication region.
• Each vehicle dynamically replans a safe trajectory under input/state constraints in real time.
Hybrid Systems Modeling, Analysis, Control
Datta Godbole, John Lygeros, Claire Tomlin, Gerardo Lafferiere, George Pappas, John Koo
Jianghai Hu, Rene Vidal, Shawn Shaffert, Jun Zhang,
Slobodan Simic, Kalle Johansson, Maria Prandini
(with the interference of) Shankar Sastry
Why Hybrid Systems?
• Modeling abstraction of: continuous systems with phased operation (e.g. walking robots, mechanical systems with collisions, circuits with diodes); continuous systems controlled by discrete inputs (e.g. switches, valves, digital computers); coordinating processes (multi-agent systems)
• Important in applications: hardware verification/CAD, real time software; manufacturing, chemical process control, communication networks, multimedia
• Large scale, multi-agent systems: Automated Highway Systems (AHS), Air Traffic Management Systems (ATM), Uninhabited Aerial Vehicles (UAV), Power Networks
Control Challenges
• Large number of semiautonomous agents
• Coordinate to make efficient use of a common resource and to achieve a common goal
• Individual agents have various modes of operation
• Agents optimize locally, coordinate to resolve conflicts
• System architecture is hierarchical and distributed
• Safety critical systems
Challenge: Develop models, analysis, and synthesis tools for designing and verifying the safety of multi-agent systems
Proposed Framework
• Control Theory: control of individual agents, continuous models, differential equations
• Computer Science: models of computation, communication models, discrete event systems
• Hybrid Systems
[Figure: a two-mode hybrid automaton. Mode q1: ẋ = f1(x, y), ẏ = f2(x, y); mode q2: ẋ = g1(x, y), ẏ = g2(x, y); domain constraints x ≤ 5 and y ≤ 10; transitions: x > 4 → x ∈ [0, 1], y = 1; y > 10 → x = 0, y ∈ [1, 3]; initial states x ∈ [0, 1], y ∈ [0, 1].]
Air Traffic Management Systems
Studied by NEXTOR and NASA
• Increased demand for air travel: higher aircraft density/operator workload, severe degradation in adverse conditions, high business volume
• Technological advances: Guidance, Navigation & Control (GPS, advanced avionics, on-board electronics), communication capabilities, Air Traffic Controller (ATC) computation capabilities
• Greater demand and possibilities for automation: operator assistance, decentralization, free flight
Hybrid Systems in ATM
• Automation requires interaction between hardware (aircraft, communication devices, sensors, computers), software (communication protocols, autopilots) and operators (pilots, air traffic controllers, airline dispatchers)
• Interaction is hybrid: mode switching at the autopilot level, coordination for conflict resolution, scheduling at the ATC level, degraded operation
• Requirement for formal design and analysis techniques: safety critical system, large scale system
Control Hierarchy
• Flight Management System (FMS): regulation & trajectory tracking, trajectory planning, tactical planning
• Strategic planning: decentralized conflict detection and resolution; coordination through communication protocols
• Air Traffic Control: scheduling, global conflict detection and resolution
Hybrid Research Issues
• Hierarchy design
• FMS level: mode switching, aerodynamic envelope protection
• Strategic level: design of conflict resolution maneuvers, implementation by communication protocols
• ATC level: scheduling algorithms (e.g. for take-offs and landings), global conflict resolution algorithms
• Software verification
• Probabilistic analysis and degraded modes of operation
Outline
• Soft Walls Overview
• Current Research: Reachability Approach, Simulation Interface, Crazyboard
• Current Results: Controller for Simplified Dynamics Model
Hybrid Controller (Cataldo)
Given the simple dynamics model:
ẋ(t) = V cos(θ(t))
ẏ(t) = V sin(θ(t))
θ̇(t) = u(t), with u(t) ∈ [-u_max, u_max] (θ is the heading, and u_max the turn rate at the minimum turning radius)
we constructed a controller that will prevent the aircraft from entering any no-fly zone, assuming the aircraft is initially far from the no-fly zone.
Hybrid Controller
Definitions (figure): distances d1 and d2; aircraft position (x, y); right center (xright, yright); left center (xleft, yleft); current heading; minimum turning radius.
Hybrid Controller
Definitions:
• dleft = distance of the left-center point from the no-fly zone
• dright = distance of the right-center point from the no-fly zone
• B = control bias that forces the aircraft to turn left at the maximum turning rate
• N = no-fly zone, where N is an open subset of R^2
Hybrid Controller
Discrete State Transitions (figure): modes q0 (no bias), q1 (rightward bias), q2 (leftward bias). Guards on the edges:
• q0 → q1: dleft ≤ d2
• q0 → q2: dleft > d2, dright ≤ d2
• q1 → q0: dleft > d2, dright > d2
• q2 → q0: dleft > d2, dright > d2
• q2 → q1: dleft ≤ d2
• q1 → q2: dleft ≥ d2, dright < d2
Hybrid Controller
Continuous Control-Input Calculation:
u(x, y, θ, q) =
  0                               if q = q0
  −B · (d2 − dleft) / (d2 − d1)   if q = q1 (rightward bias, growing as the left center nears N)
  B · (d2 − dright) / (d2 − d1)   if q = q2 (leftward bias, growing as the right center nears N)
Hybrid Controller
Theorem: Given N, if dleft(t0) > d2 and dright(t0) > d2, then using this hybrid controller, (x(t), y(t)) ∉ N for all t > t0.
That is, this hybrid controller guarantees the aircraft never enters the no-fly zone.
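As an added illustration (not code from the slides or the Soft Walls project), the mode logic and ramped bias above simulated on the unicycle model, with the no-fly zone N taken to be the open half-plane x > 0 and several assumed values: d1 = 2R, d2 = 4R, a bias B = 2·u_max so that a saturated bias overrides any pilot command, and a pilot who keeps steering toward the zone. The run reports whether the aircraft ever entered N, how close it came, and which modes were visited, so the theorem's guarantee can be checked on a concrete trajectory.

```python
import math

# Constructed parameters (not from the slides): unit speed and unit minimum turning radius.
V, R_MIN = 1.0, 1.0
U_MAX = V / R_MIN                  # maximum turn rate, 1 rad per time unit
D1, D2 = 2.0 * R_MIN, 4.0 * R_MIN  # bias thresholds d1 < d2 (assumed values)
B = 2.0 * U_MAX                    # bias strong enough to override any pilot input
WALL_X = 0.0                       # no-fly zone N = {(x, y): x > WALL_X}, an open half-plane

def turn_centers(x, y, theta):
    """Centers of the left and right minimum-radius turning circles."""
    left = (x - R_MIN * math.sin(theta), y + R_MIN * math.cos(theta))
    right = (x + R_MIN * math.sin(theta), y - R_MIN * math.cos(theta))
    return left, right

def dist_to_zone(point):
    """Distance of a point from N (0 if the point lies inside N)."""
    return max(0.0, WALL_X - point[0])

def next_mode(d_left, d_right):
    """Discrete transitions from the slide: q1 = rightward bias, q2 = leftward, q0 = none."""
    if d_left <= D2:
        return 1
    if d_right <= D2:
        return 2
    return 0

def bias(mode, d_left, d_right):
    """Bias ramps from 0 at d2 to B at d1; holding it at B inside d1 is our assumption."""
    if mode == 1:  # left circle too close to N, so push the turn rate rightward (negative)
        return -B * min(1.0, (D2 - d_left) / (D2 - D1))
    if mode == 2:  # right circle too close to N, so push leftward (positive)
        return B * min(1.0, (D2 - d_right) / (D2 - D1))
    return 0.0

def simulate(x, y, theta, t_end=40.0, dt=0.01, pilot_heading=0.0):
    """Euler-integrate x' = V cos(theta), y' = V sin(theta), theta' = sat(pilot + bias)."""
    closest, entered, modes = -math.inf, False, set()
    for _ in range(int(t_end / dt)):
        d_left, d_right = (dist_to_zone(c) for c in turn_centers(x, y, theta))
        mode = next_mode(d_left, d_right)
        modes.add(mode)
        err = math.atan2(math.sin(pilot_heading - theta), math.cos(pilot_heading - theta))
        u_pilot = max(-U_MAX, min(U_MAX, 5.0 * err))  # pilot keeps trying to hold its heading
        u = max(-U_MAX, min(U_MAX, u_pilot + bias(mode, d_left, d_right)))
        x, y, theta = x + V * math.cos(theta) * dt, y + V * math.sin(theta) * dt, theta + u * dt
        closest, entered = max(closest, x - WALL_X), entered or x > WALL_X
    return {"entered": entered, "closest": closest, "modes": modes}
```

simulate(-10.0, 0.0, 0.0) runs the head-on case: the theorem's precondition holds (both turning-circle centers start 10 units from N), the pilot insists on flying east into the zone, and the returned dictionary shows the aircraft turned away before the wall and which bias modes were used.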