Analysis Techniques for a Secure NAS Shankar Sastry Department of EECS University of California, Berkeley JUP Kickoff, Nov 23rd, 2002 Sastry@eecs.berkeley.edu 510-642-0253
Prequel: The Impact of Sept. 11 on Air Transportation Prof. R. John Hansman, Director MIT International Center for Air Transportation rjhans@mit.edu 617-253-2271
Domestic Enplanements: 1999-2001 [Chart: monthly domestic enplanements, with the Sep. 11th attacks marked. Source: ATA]
Aviation’s Macro Economic Impact • Air transportation has four types of effects: • DIRECT: air carriers, airports, air navigation providers, etc. • INDIRECT: airline passengers and air freight forwarding business in other industries (hotels, rental cars, finance and banking, etc.) • INDUCED: expenses by the recipients of income generated by the direct and indirect economic activities • ENABLING: provides access to markets and other activities that would not be possible without aviation. [Pie charts: Employment in the US (1993): 8.84 Million jobs; Economic activity in the US (1993): $771.1 Billion; chart shares shown: Direct 15% / Indirect 18% / Induced 67%, and Direct 36% / Indirect 64%; excludes enabling effect. Source: ICAO, FAA]
Information Technology Hypotheses • Infrastructure • Advanced Information Technologies have the potential to allow efficient use of constrained infrastructure in developed regions and to allow regions with immature air transportation infrastructure to rapidly reach parity with mature systems • Operations • Advanced Information Technologies will improve the efficiency and security of operations through enhanced information sharing and collaborative decision making • Profitability • Information Technology related improvements are a key component of profitability of mature airlines • Usability • The potential benefits of Information Technology are limited by inadequate attention to the users’ cognitive and operational needs and by “entropic” growth of complexity, which limit usability and acceptance
Components of the Air Transportation System • Airports • Runways • Terminals • Ground transport interface • Servicing • Maintenance • Air Traffic Management • Communications • Navigation • Surveillance • Control • Weather • Observation • Forecasting • Dissemination • Skilled personnel • Cost recovery mechanisms
AIR TRAFFIC CONTROL STRUCTURE TRENDS • Current structure • Surface control (ground) • Local control (tower) • Terminal area control (approach and departure) • Enroute control (center) • Oceanic control • Proposed structures • “Free Flight” • RTCA/ATA proposal • Collaborative Decision Making • 4-D Control • Segregated Airspace • “Super Centers” • Conformance Monitoring Issues
ATM System Current Functional Structure (adapted from A. Haraldsdottir, Boeing) [Diagram: layers from strategic-level planning to tactical-level execution, with increasing criticality level: National Flow Planning, Facility Flow Planning, Sector Traffic Planning, Sector Traffic Control, Aircraft Guidance and Navigation. Time horizons range from hrs - day (flight schedule) through hrs, 5-20 min and 5 min down to < 5 min. Actors: airline/AOC, CFMU, TMU, D-side, R-side, pilot. Flows shown: filed and approved flight plans, desired sector loads, schedule of capacities, planned flow rates, clearance requests and clearances, vectors, negotiated and approved handoffs, weather, aircraft state, traffic sensor measurements and measurement requests, other aircraft states, plan/intent. Objectives: efficiency, throughput, safety.]
US Air Route Traffic Control Center (ARTCC) Airspace - 20 Centers: ZSE, ZMP, ZLC, ZBW, ZAU, ZOB, ZNY, ZDV, ZID, ZOA, ZKC, ZDC, ZME, ZLA, ZTL, ZAB, ZFW, ZJX, ZHU, ZMA
COMMUNICATION TRENDS • Voice • VHF (line of sight) • HF (over the horizon) • Ground lines • Datalink (line of sight) • ACARS (VHF) • Mode S • Satellite • Geosynchronous (data, voice, images) • Air-ground • Ground-ground • LEO and MEO Networks • Aeronautical Telecommunications Network (ATN) • CDMA, TDMA • TCP/IP • Voice Data Link (VDL-2, VDL-3)
NAVIGATION TRENDS (ENROUTE) • Radionavigation beacon • VHF Omnidirectional Range (VOR) • Non-Directional Beacon (NDB) • Distance Measuring Equipment (DME) • TACAN • Area navigation systems (ground based) • Omega • LORAN • Inertial navigation systems • Satellite navigation systems • GPS (CA) • GNSS
NAVIGATION TRENDS (APPROACH) • Instrument Landing System (ILS) • Cat. I (200 ft; 1/4 mile) • Cat. II (50 ft; 800 RVR) • Cat. III (0,0) • Microwave Landing System (MLS) • Differential GPS (100m) • Wide Area Augmentation System (5m) • Cat. I, Cat. II • Local Area Augmentation System (0.1m) • Cat. III • Change to Required Navigation Performance (RNP)
GPS ISSUES • Precision • Ionosphere • Clock Errors • Availability • Integrity • RAIM • Differential • Vulnerability • Jamming • Trust • Control by US DoD • International concerns • Selective Availability, turned off 1999 • Continuity • US guarantee of service free to world through 2005
SURVEILLANCE TRENDS • Primary radar • Enroute (12 sec scan) • Terminal area (4.2 sec scan) • Secondary radar • Transponders • Mode C (altitude) • Mode S (2-way data exchange) • Onboard surveillance • TCAS • Automatic Dependent Surveillance (ADS) • Oceanic (INS Based) • Broadcast (ADS-B)
SEPARATION ASSURANCE CONSIDERATIONS [Diagram labels: hazard zone, minimum separation standard, surveillance uncertainty, procedural safety buffer, personal safety buffer]
EN ROUTE MINIMA HAVE NOT CHANGED DESPITE 5x IMPROVEMENT IN RADAR PERFORMANCE [Chart: 5 nm en route separation minima, unchanged from 1950 to 2000, against azimuth resolution at maximum range as % of en route minima, 1950/1960 to 2000, for long range primary radars, medium range primary radars and medium range secondary radars]
IMPROVED SURVEILLANCE HAS NOT LED TO REDUCED EN ROUTE MINIMA [Diagram: minimum separation standard when standards were developed (e.g. 1950s for en route radar) vs. in an improved surveillance environment (e.g. today for en route radar)] • Surveillance has improved, but separation minima have not changed: the procedural safety buffer has implicitly increased
Critical Infrastructure Protection for ATM Shankar Sastry
Increased use of Software in Critical Applications • Potential for common mode software failure (not present in hardware) • Lack of metrics and evaluation methods: how to measure 10^-8 • Human factors problems: induced human errors • Today we control the lifecycle (process) since we don’t know how to evaluate the product • Unknown efficacy • Expensive: industry attributes 60% of avionics development cost to V&V • Doesn’t scale to very large systems: more automation is needed to reduce errors and for increased reuse (e.g., code synthesis)
Security Challenges • Terrorists may employ highly malicious attacks much worse than those seen to date • Current technology is not designed nor intended to withstand such attacks • Vulnerabilities in our networked systems can be exploited by anyone anywhere in the world • Successful attacks may not be detected Critical systems must be designed to provide continuous correct operation even under successful attack
What is missing • Strong enough barriers to penetration • Accurate intrusion detection • Ability to fuse incident reports across a global area and deduce possible plans and intentions • For warning • To guide interventions • Systems that tolerate attacks and keep on ticking And, because the above will never be perfect:
Tolerating attacks System designs that give some inherent resistance to attack • Diversity • Redundancy • Decentralization • Detect and repair damage • Biological models
Diversity Economic forces have turned the global computing environment into a monoculture Diversity can reduce overall losses from attack • Hedges against unknown means of attack • Surviving elements support continued operation Obtaining diversity manually is expensive (e.g., n-version programming) Could explore automatic artificial diversity
Redundancy • Current uses of redundancy are expensive and do not scale • E.g., replication of servers • Scalable methods provide weaker guarantees • Probabilistic • Eventual consistency • E.g., epidemic and gossip protocols • Information exchanges involve randomly or opportunistically chosen gossip partners • E.g., quorum systems • Operations access quorums (subsets) of servers
Decentralization • Behavior is the result of autonomous activity by member entities • Undetected error states are tolerated • Stateless: State is regenerated • Can tolerate loss of some components • No single points of failure • Control, management, gateway, etc, functions redundant and/or migratable • Trend toward decentralized design for maximum utilization
Get inspiration from nature • Robustness mechanisms at many levels • Highly decentralized and redundant • Widespread use of diversity • Automated damage detection and repair • Adaptive and evolving • Dispensable components
A Solution Strategy for the Conflict Resolution Problem in 2D and 3D Airspaces Jianghai Hu with Maria Prandini, Arnab Nilim, Shankar Sastry Department of EECS University of California, Berkeley
2-D Conflict Resolution: Problem Formulation • n aircraft flying on R^2 • Time interval T = [t0, tf] • n starting positions and n destination positions • Maneuver ai for aircraft i; joint maneuver a = (a1, ..., an) • Minimal separation r = 5 nmi • Conflict-free (joint) maneuver [Figure: three-aircraft example with maneuvers labelled a1, a2, a3 and b1, b2, b3]
Problem Formulation (continued) Goal: Among all the conflict-free maneuvers a = (a1, …, an), find the one that minimizes the energy: where m1, …, mn represent aircraft priorities
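The conflict-free condition above can be checked exactly for maneuvers made of straight-line legs, which also covers the multi-legged case. The following is an added example, not code from the slides or the Berkeley group: it assumes each maneuver is a time-ordered list of waypoints and uses the slides' r = 5 nmi; the encounter geometry is constructed here.

```python
# Added example (not from the slides): exact conflict-free check for a joint
# maneuver a = (a1, ..., an) of n aircraft on R^2 with minimal separation r.
import math
from itertools import combinations

R_MIN_NMI = 5.0  # minimal separation r from the problem formulation

def position(legs, t):
    """Position of an aircraft at time t; legs = [(time, (x, y)), ...] in time order."""
    if t <= legs[0][0]:
        return legs[0][1]
    for (t0, p0), (t1, p1) in zip(legs, legs[1:]):
        if t0 <= t <= t1:
            s = (t - t0) / (t1 - t0)
            return (p0[0] + s * (p1[0] - p0[0]), p0[1] + s * (p1[1] - p0[1]))
    return legs[-1][1]  # holds at the destination after the last leg

def min_separation(legs_a, legs_b):
    """Exact minimum distance between two piecewise-linear maneuvers over their time window."""
    breaks = sorted({t for t, _ in legs_a} | {t for t, _ in legs_b})
    best = math.inf
    for t0, t1 in zip(breaks, breaks[1:]):
        # Between consecutive breakpoints both aircraft fly straight, so the
        # relative position d(t) = d0 + v*(t - t0) is linear and its norm is
        # minimised at tau = -(d0 . v) / |v|^2, clamped to [0, t1 - t0].
        ax0, ay0 = position(legs_a, t0); ax1, ay1 = position(legs_a, t1)
        bx0, by0 = position(legs_b, t0); bx1, by1 = position(legs_b, t1)
        d0 = (ax0 - bx0, ay0 - by0)
        v = ((ax1 - bx1 - d0[0]) / (t1 - t0), (ay1 - by1 - d0[1]) / (t1 - t0))
        vv = v[0] ** 2 + v[1] ** 2
        tau = 0.0 if vv == 0 else min(max(-(d0[0] * v[0] + d0[1] * v[1]) / vv, 0.0), t1 - t0)
        best = min(best, math.hypot(d0[0] + v[0] * tau, d0[1] + v[1] * tau))
    return best

def conflicts(maneuvers, r=R_MIN_NMI):
    """Pairs (i, j, separation) closer than r at some time; an empty list means conflict-free."""
    return [(i, j, s) for (i, a), (j, b) in combinations(enumerate(maneuvers), 2)
            if (s := min_separation(a, b)) < r]

# Constructed encounter (positions in nmi, time in minutes): aircraft 0 flies
# east along y = 0 while aircraft 1 flies the reciprocal track head-on ...
HEAD_ON = [[(0, (0, 0)), (6, (60, 0))], [(0, (60, 0)), (6, (0, 0))]]
# ... and a two-legged resolution that jogs aircraft 1 6 nmi north at mid-track.
RESOLVED = [[(0, (0, 0)), (6, (60, 0))], [(0, (60, 0)), (3, (30, 6)), (6, (0, 0))]]

if __name__ == "__main__":
    print("head-on conflicts:", conflicts(HEAD_ON))    # [(0, 1, 0.0)]
    print("resolved conflicts:", conflicts(RESOLVED))  # [] (min separation about 5.97 nmi)
```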
An 8-Aircraft Encounter [Figures: stochastic algorithm vs. optimization algorithm]
A 16-Aircraft Encounter [Figures: stochastic algorithm vs. optimization algorithm]
Multi-Legged Maneuvers • Using Successive Quadratic Optimization
Collision Avoidance and Tracking using Nonlinear Model Predictive Tracking • Five helicopters are given straight-line trajectories that will lead to a collision. • Each vehicle can detect the other vehicles’ positions within its sensing/communication region. • Each vehicle dynamically replans a safe trajectory under input/state constraints in real time.
Hybrid Systems Modeling, Analysis, Control Datta Godbole, John Lygeros, Claire Tomlin, Gerardo Lafferiere, George Pappas, John Koo Jianghai Hu, Rene Vidal, Shawn Shaffert, Jun Zhang, Slobodan Simic, Kalle Johansson, Maria Prandini (with the interference of) Shankar Sastry
What Are Hybrid Systems? • Dynamical systems with interacting continuous and discrete dynamics
Why Hybrid Systems? • Modeling abstraction of • Continuous systems with phased operation (e.g. walking robots, mechanical systems with collisions, circuits with diodes) • Continuous systems controlled by discrete inputs (e.g. switches, valves, digital computers) • Coordinating processes (multi-agent systems) • Important in applications • Hardware verification/CAD, real time software • Manufacturing, chemical process control, communication networks, multimedia • Large scale, multi-agent systems • Automated Highway Systems (AHS) • Air Traffic Management Systems (ATM) • Uninhabited Aerial Vehicles (UAV), Power Networks
Control Challenges • Large number of semiautonomous agents • Coordinate to • Make efficient use of common resource • Achieve a common goal • Individual agents have various modes of operation • Agents optimize locally, coordinate to resolve conflicts • System architecture is hierarchical and distributed • Safety critical systems Challenge: Develop models, analysis, and synthesis tools for designing and verifying the safety of multi-agent systems
Proposed Framework [Diagram: Control Theory (control of individual agents, continuous models, differential equations) and Computer Science (models of computation, communication models, discrete event systems) meet in Hybrid Systems]
Air Traffic Management Systems • Studied by NEXTOR and NASA • Increased demand for air travel • Higher aircraft density/operator workload • Severe degradation in adverse conditions • High business volume • Technological advances: Guidance, Navigation & Control • GPS, advanced avionics, on-board electronics • Communication capabilities • Air Traffic Controller (ATC) computation capabilities • Greater demand and possibilities for automation • Operator assistance • Decentralization • Free flight
Hybrid Systems in ATM • Automation requires interaction between • Hardware (aircraft, communication devices, sensors, computers) • Software (communication protocols, autopilots) • Operators (pilots, air traffic controllers, airline dispatchers) • Interaction is hybrid • Mode switching at the autopilot level • Coordination for conflict resolution • Scheduling at the ATC level • Degraded operation • Requirement for formal design and analysis techniques • Safety critical system • Large scale system
Control Hierarchy • Flight Management System (FMS) • Regulation & trajectory tracking • Trajectory planning • Tactical planning • Strategic planning • Decentralized conflict detection and resolution • Coordination, through communication protocols • Air Traffic Control • Scheduling • Global conflict detection and resolution
Hybrid Research Issues • Hierarchy design • FMS level • Mode switching • Aerodynamic envelope protection • Strategic level • Design of conflict resolution maneuvers • Implementation by communication protocols • ATC level • Scheduling algorithms (e.g. for take-offs and landings) • Global conflict resolution algorithms • Software verification • Probabilistic analysis and degraded modes of operation
Softwalls Adam Cataldo, Edward Lee and group