Denial

1
Denial  of safety critical services of  a Public
Mobile Network for  a  critical transport 
infrastructure

• E. Ciancamerla, M. Minichino
• ENEA Cr Casaccia

SNI 2005 First workshop on Safeguarding
National Infrastructures August 25 -27, 2005
Glasgow, UK
2
Issues

• PMN for a Tele Control system for a Critical
  Transport Infrastructure (Alpine Road Tunnel -
  SAFETUNNEL project )
• Tele Control System main issues
• TCS validation by modelling
• Stochastic measures of denial of safety critical
  services of PMN for voice and data connection
• Modelling assumptions
• Denial of service measures
• Stochastic methodology
• Denial of service models
• Availability model
• Performance model for voice connection
• Performance model for data connection
• Numerical results
• Conclusions

3
Tele Control system dependability issues

• TCS implements preventive SAFETY functions in
  REAL TIME, with the aim to enhance accident
  prevention inside alpine road tunnels (Critical
  Transport Infrastructures)
• TCS does not born at once, but grows up from the
  existing subsystems
• Interacts with operators (the drivers and the
  tunnel operators)
• relies on a Public Mobile Network that
  interconnects instrumented vehicles, crossing a
  road tunnel infrastructure, to a Tunnel Control
  Centre
• PMN increases benefits, giving a major support
  to the drivers and to the road operators in
  performing their tasks
• PMN poses problems of dependability and
  performability evaluation on the frontier of the
  technology.
• the novelty and complexity of TCS
• the topology of the network, that dynamically
  changes for the presence of mobile nodes
• security aspects
• could weaken availability, performability and
  safety properties of TCS

4
Tele Control System General architecture
SAFE TUNNEL Control Center
TILAB Control Center
IP Access
Data exchange (TCP/IP socket)
SITAF Control Center
GPRS links
5
Tele Control System monitoring area limits
6
Tele Control system preventive safety functions

• Prognostics on board equipment is able to
  detect existing fault or evaluate the possibility
  of an imminent fault (predictive analysis) and
  send information to a control center.
• Access control A control center is able to
  inhibit access to vehicles with detected or
  imminent faults
• Speed and distance control The control center
  transmits to the vehicle recommended speed and
  safety distance from vehicle ahead. An on-board
  radar system measures distance from vehicle
  ahead. The on-board system control engine and
  brakes in order to automatically achieve
  recommended speed and distance.
• Emergency Message dissemination Emergency
  information and warning may be distributed from
  the control center directly to the On-board Human
  Machine Interface.

7
Tele Control System validation

• The Project designs the Tele Control System and
  develops a System Demonstrator (composed by a
  prototype of TCC, two instrumented vehicles and
  the PMN)
• The validation of the SAFETUNNEL system is
  planned according to the following steps
• Validation by FIELD EXPERIMENTATION, centered on
  System Demonstrator
• Validation by MODELLING, centered on the whole
  System
• Both FIELD TESTS and MODELLING are needed for
  system validation
• That is why
• Just a limited number of field tests can be
  planned on the actual system Demonstrator
• a set of validation measures have to be
  predicted on the SAFETUNNEL models, being the
  Demonstrator not suitable for such measures.

8
Validation by modelling

• Have been focused on PMN and has been conducted
  according to two main lines
• Functional Analysis of the system, by model
  checking, that looks at the interaction of the
  dimensioning of the PMN with the Tele Control
  system preventive safety functions, in system
  normal operational mode and for different tunnel
  scenarios
• Denial of service measures of the Public Mobile
  Network, by stochastic methodology, with the
  ideal goal to verify if and how a possible
  degradation of service of the network, in terms
  of performance and availability, does not affect
  Tele Control System preventive safety functions.

9
A Glance to the PMN
BTS- Base Transceiver Station BSC Base Station
Controller MSC Mobile Switching Centre GMSC
Gateway MSC
.
10
A glance to the PMN

• PMN transfers voice, commands and data between
  Instrumented Vehicles and the Tunnel Control
  Centre, with more than one Vehicle at the same
  time in bi-directional way.
• informative messages are transmitted in uplink
  (from Vehicles on-board system to TCC)
• Commands/messages are transmitted in downlink
• Data transmission, by GPRS connection.
• TCP transport protocol. Each Vehicle is
  characterized by a TCP address (IP address TCP
  port)
• TCC that is provided of an analogous address too.
  
• Voice calls, supported by GSM connection,
• between Vehicles and TCC, in case GPRS data
  transfer are not sufficient to manage an
  emergency.

11
PMN modelling assumptions

• For the sake of building manageable models
  of our PMN, the following assumptions have
  been made
• We focalized on Base Stations a single Base
  Station System is constituted by one Base
  Station Controller and multiple Base Transceiver
  Stations
• Data exploits the same physical channels used by
  voice
• The channel allocation policy is priority of
  voice on data
• We account for handoff procedure for voice
  connection
• We neglect the possibility of the handoff
  procedure for data connection
• One Control Channel (CCH) is dedicated to GSM
  and GPRS signalling and control CCH is randomly
  assigned to a BTS
• The GPRS implements a point to point connection
  

12
(No Transcript)
13
A measure of denial of service the Total
Service Blocking Probability

• Considering the PMN, as shown in figure , the
  GSM and the GPRS services can be denied, due to
  the following contributes
• a) the BSS, as a whole, becomes unavailable
  or
• b) the BSS is available and all its
  channels are full or
• c) the BSS is not completely available and
  all the channels in it, which are available, are
  also full.
• We named Total Service Blocking Probability
  (TSB), as a measure of the denial of service
  both for GSM and GPRS connection due to the
  occurrence of at least one of the contributes a),
  b), or c).

14
Stochastic Activity Networks

• The basic elements of SAN (extension of Petri
  Nets) are places, activities, input gates and
  output gates.
• Places and activities in SAN have the same
  meaning of places and transitions of Petri Nets.
  
• Input gates and output gates respectively consist
  in predicates and functions, which contain the
  rules of firing of the activities and how to
  distribute the tokens after the activities have
  fired.
• Two high-level constructs for hierarchical
  models REP and JOIN.
• The complexity of a SAN model could be hidden
  inside input and output gates.
• Differently from Petri Nets, the graphical
  representation of a SAN model is not correlated
  to its actual complexity.

15
PMN denial of service composed model
PMN denial of service
The same structure for voice and data connection
16
PMN Availability sub model
17
GSMGPRS performance sub model for data
18
Some numerical results
On the previous models we conduct availability,
performance and performability measures on voice
and data services. The input parameters to the
models and their numerical values are summarized
in the following tables
19
Input parameters and values of the availability
sub model
Parameter Value
Rate of BSC_fail 2,31 E-4 h-1
rate of BSC_repair 1 h-1
Rate of CCF_fail 3.47 E-4 h-1
rate of CCF_repair 0,5 h-1
Rate of BTS_fail 3.47 E-4 h-1
rate of BTS_repair 0,5 h-1
Number of BSC 1
Number of BTS 4
n. of channels of a BTS 8
Number of CCH 1
20
Input parameters and values of the GSM
performance sub model
Parameter value
arrival rate of new calls 0,27 s-1
duration of the calls 180 s
arrival rate of handoff calls 0,027 s-1
duration of outgoing handoff calls 80 s
21
Input parameters and values of the GSMGPRS
performance sub model
Parameter Value
arrival rate of voice calls 0,52,5 s-1
duration of voice calls 180 s
rate of session activation 2 s-1
session reading time 15 s
Packets inter arrival rate 0,0242 s-1
rate of suc. packet transmission 0,0513 s-1
buffer capacity (B) 100
n. of max opened sessions (D) 10,30,50
22
Total Service Blocking (TSB) probability for
voice service
23
Total Service Blocking (TSB) probability for
data packets
24
Conclusions

• We computed Total Blocking Service probabilities,
  as measures of the denial of service for GSM and
  GPRS connections of a PMN for a Tele Control
  System
• We have built modular sub models, hierarchically
  composed, by using Stochastic Activity Networks.
  
• Numerical results have been presented
• The research is still on going
• to account possible external adverse events, such
  as intrusions, in a global dependability model