EMS 2012 UKSIM – AMSS : 6th European Modelling Symposium


1 EMS 2012 UKSIM – AMSS : 6th European Modelling Symposium
On Mathematical Modelling and Computer Simulation Malta , Nov

2 Presenter- Contributor: Vasilis Tsoulkas, Center for Security Studies (KEMEA)/Ministry of Citizen Protection & University of Athens, GR. Co-Contributors: Dimitris Kostopoulos KEMEA / Ministry of Citizen Protection, Athens, GR George Leventakis KEMEA & University of the Aegean, Dept. Of Shipping, Trade and Transport. Mike Surridge IT Innovation Centre, Univ. of Southampton, UK

3 SERSCIS Group IT Innovation Centre University of Southampton, UK
Joanneum Research (JRS) Graz, Austria Center for Security Studies (KEMEA) Athens, Greece Austro Control GmbH (ACG) Vienna, Austria Port Authority Gijon (PAG) Gijon, Spain

4 Presentation Sections
1. Objectives
2. Brief SERSCIS Architecture description
3. Basics of SERSCIS System Modeling Strategy
4. SERSCIS – Proof of Concept A-CDM (Airport - Collaborative Data Management) Ground Handler case (EUROCONTROL)
5. ACDM-components, Info. Sharing Concept, Traffic Critical Parameters, Data quality of KPIs & Metrics
6. SERSCIS Proof of Concept (Ground Handler)
7. SERSCIS Domain core (complete) Ontology and Semantic Models
8. SERSCIS Decision Support Tool (DST)
9. SERSCIS Stream Reasoning Process
10. Conclusions - Impact

5 Objectives
Critical infrastructure ICT components are increasingly interconnected
• information sharing → greater operational efficiency, but also reduced slack and flexibility
• interconnections → new risks from ICT failure cascade effects
SERSCIS approach: use agile Service Oriented Architecture (SOA) to offset these threats
• adapt ICT components and networks to meet changing needs
• adapt ICT connections to prevent cascades and contain threats

6 Objectives
To exploit agile Service Oriented Technology to
• compose ICT connections related to critical infrastructure
• monitor and manage ICT components against well-defined dependability criteria
• adapt ICT connections in response to disruption or threats
To validate this approach in Proof of Concept Scenarios from the air traffic sector (A-CDM EUROCONTROL)

7 Brief SERSCIS Architecture description
Diagram labels: Commitments, Resources, Management Channel, Application Channel.
Separate two channels of communication:
• Management Channel
• Application Channel
Resource Manager
• New capacity models that allow service providers to pursue dynamic provisioning strategies.
• Semantic storage and discovery of resources that allow workflows matching dependability requirements to be composed from a pool of available resources.
Service Manager
• Balance the level of commitments with the available resources and operate a flexible management strategy in response to failure or under-performance in resources.
• Variable level of autonomy between automated and assisted management.
• Round trip from service monitoring to a risk management process and back to service management.
SLA Manager
• SLA is a resource and the root of trust.
• Dynamically manage trust across domains.

8 Basics of SERSCIS Systems Modelling Strategy
Semantic modelling of critical infrastructure ICT including inter-dependency and risks Semantics service orchestration models exploiting dependability criteria automatic composition of service inter-connections against dependability criteria automated re-composition in response to threats Dynamic security and trust management to control threat propagation between services Decision support tool based on semantic system models to assist human operators (model driven DST)

9 A-CDM (basic concepts) EUROCONTROL
Airport Collaborative Decision Making (A-CDM): To improve Air Traffic Flow & Capacity Management (ATFCM) at airports by reducing delays, improving event predictability and optimizing the utilization of services and resources.
Implementation of Airport CDM: allows each Airport CDM Partner to optimise their decisions in collaboration with other A-CDM Partners.
The decision making by the Airport CDM Partners is facilitated by the sharing of accurate and timely information and by adapted procedures, mechanisms and tools.

10 Applications and SERSCIS Impact
Airport Collaborative Decision Making (A-CDM)
• sharing information between air-traffic control, airports, airlines and airport service providers
• allows greater operational efficiency, but creates interdependencies that need to be managed
SERSCIS SOLUTION: enables improved risk management of complex interconnected assets
SERSCIS Impact
• greater awareness of risks in air traffic proof of concept scenarios
• analysis of requirements and application in other sectors
• novel risk management capabilities for managing interdependency and cascading threats

11 A-CDM components
The Airport CDM concept is divided into the following Components:
• Airport CDM Information Sharing Component
• CDM Turn-around Process – Milestones Approach
• Variable Taxi Time Calculation
• Collaborative Management of Flight Updates
• Collaborative Pre-departure Sequence
• Advanced CDM
The efficiency of the Air Transport System is highly dependent on the traffic predictability critical parameters.

12 Airport CDM Information Sharing Concept Component (ACIS)
The Airport CDM Information Sharing Component: Defines the sharing of accurate and timely information between the Airport CDM Partners to achieve common situational awareness and to improve traffic parameters predictability.
The main Airport CDM Partners are:
• Airport Operator
• Aircraft Operators
• Ground Handlers
• De-icing companies
• Air Traffic Service Provider
• CFMU

13 Air-Traffic Critical Parameters

14 Air-Traffic Critical Parameters

15 Data Quality of A-CDM Key Performance Indicators (KPIs) and metrics
Data Confidentiality, Data Integrity, Alarms, Data Display. KPIs data properties: Quality of Time Estimates Accuracy Predictability Stability

16 Actors and Ground Handling Services Architecture (Proof of Concept)

17 Ground Handler Services Architecture (Proof of Concept)
Service accessible by a consumer (aircraft operator) through SLA template consumer. The GH is responsible for coordination of Ramp Services (catering, fuelling, cleaning, baggage handling)

18 Turn Around - Ground Handling Process

19 Ground Handling Basic Services
Information Sharing Platform Component
• Provides methods to update data
• Performs internal consistency checks of data
CFMU (Central Flow Management Unit)
• Provides ELDT update of inbound flights
ATC (Air Traffic Control)
• Drives simulation by providing milestone events
Aircraft Operator / Ground Handler
• Orchestrates turn around process
• Triggers sub-services
Aircraft Crew
• Report ready to ATC
• Request startup

20 Ground Handler Basic Services and Functions
Services
• Fuelling Service
• Baggage Handling Service
• Catering Service
• Aircraft Cleaning Service
All triggered by aircraft operator or ground handler
Provide specific service within turn-around
Methods
• Schedule and reschedule a service
• Prepare for service delivery
• Start service delivery
• Provide status on remaining service time

21 Ground Handling Workflow Execution Phase (austro control partner)

22 Ground Handler Possible Services Workflow Disruption – Execution Phase
Passenger no-show TOBT delayed, potentially resulting in new slot (CTOT) Offload baggage Landing of inbound aircraft delayed Changes in workflow and service choice Changes in TOBT (Targeted Off Block Time) Ground handling resource problems Heightened security status Alternate workflow path Reduced choice of service providers

23 General SERSCIS Modeling Approach
The SERSCIS system modelling approach is based on a generic dependability model (domain ontology) composed of OWL classes:
1) This model captures generic types of SOA system assets such as services, resources, customers, threats to those assets, and controls that can mitigate those threats.
2) The dependability model captures expertise in security of Service-Oriented Systems (SOA).
3) The Proof-of-Concept covers a subset of security threats and controls relevant to the Proof-of-Concept evaluation scenario.

24 SERSCIS Modeling Achieved Objectives
Development of modelling tools and models capturing system requirements and interdependencies system threats and vulnerabilities system degradation and relevant countermeasures Development of system level models for CI in airports Provide a basis for wider application of the modelling approach

25 Creation of a new Semantic Dependability Modeling Approach and SERSCIS Ontology
New Domain Ontologies have been created:
• a critical infrastructure systems of systems ontology to model interdependencies of airport services such as fuel, food, telecommunications, ATM, etc. (assets and dependabilities);
• a cause and effect ontology that models potential threats and consequences;
• a resource dependability metrics ontology that models the dynamic behavior of system entities.

26 SERSCIS Domain Ontology snapshot
05/08/2009 Copyright © 2008 University of Southampton IT Innovation Centre and other Members of the SERSCIS Consortium

27 SERSCIS Domain Ontology

28 SERSCIS Domain Ontology

29 SERSCIS Semantic Model
A core structure to model a system comprising assets, which may be subject to threats, and can be protected by controls; A dependability semantic model that describes generic types of assets, threats & controls using OWL classes, with their relationships; An abstract system semantic model that describes system-specific assets, threats and controls, extending the dependability model classes by incorporating system-specific security knowledge; A concrete system semantic model that provides snapshots of a running system, with instances to represent participating assets, plus contextualised threats and controls.

30 Core structure of the system modelling approach (Dependability Semantic Model)
The approach is designed to capture three types of system entities:
1. generic asset classes: the types of assets that can be found in a system;
2. generic threat classes: ways in which these generic types of assets could be compromised;
3. generic control classes: describing the types of controls that could be used to protect these asset types from these threats.

31 Generic Systems Modelling Class – SERSCIS Core Ontology
Asset, Control and Threat instances
Threat class | Description | Controls needed
Unauthorized access | The service processes an unauthorised request from an attacker. | Client AuthN + Client AuthZ
Unaccountable access | Type of unauthorized access, designed to get the service without paying for it. |
Service misdirection | Type of unauthorized access, designed to make the service mismanage its resources. |

32 Generic Dependability Model Assets and Relationships

33 High Level view of SERSCIS Abstract Dependability Model

34 SERSCIS Threat Classification model
SWRL rules are evaluated and threats are classified using a semantic reasoner (to be shown in the following slides).

35 High Level view of SERSCIS Abstract Dependability Model
Services: Are Systems Components that provide services
Clients: Are Systems Components that access these services
Threat Types:
• Unauthorized Access (to the service)
• Data traffic Snooping
• Man in the Middle
• Client Impersonation
• Resource Failure

36 Control types are defined for protecting services
• Service AuthN: The client validates the identity (or attributes) of the service.
• Client AuthN: The service validates the identity (or attributes) of a requestor.
• Client AuthZ: The service determines whether a request is authorised.
• Encryption: Encrypts data exchanged with the service so it cannot be read in transit.
• Redundancy: To have multiple resources of a given type, so a failure in one does not cause failure of the service.

37 Threat Classes – Descriptions – Combined Controls
Threat class | Description | Controls needed
Unauthorized access | The service processes an unauthorised request from an attacker. This class is never actually used because the threat depends on why the attacker wants access – see the next three subclasses. | Client AuthN + Client AuthZ
Unaccountable access | Type of unauthorized access, designed to get the service without paying for it. |
Service misdirection | Type of unauthorized access, designed to make the service mismanage its resources. |
Data tampering | Type of unauthorized access, designed to alter the service data. |
Data traffic snooping | An unauthorized attacker reads service requests and responses. | Encryption

38 Threat Vulnerability Classification
Three possible classifications are used, as shown previously:
• Blocked threat: if an attacker should carry out the threat (intentionally or otherwise), the system has controls that will prevent the attack from succeeding.
• Mitigated threat: if an attacker should carry out the threat, the attack cannot be prevented, but the system controls provide a response that will counteract its effect on the targeted asset.
• Vulnerability: the system does not have any means to prevent the attack or counteract its effects on the targeted system asset.

39 Threat Vulnerability Classification – Controlling a MissAccountedClientResourceAccess threat
Classification is performed by semantic reasoning over the concrete system model, using SWRL rules from the SERSCIS dependability model.
For example, the rules for MissAccountedClientResourceAccess (SWRL rules) are:
MissAccountedClientResourceAccess(?t)
∧ ClientSpecifiedResource(?a1) ∧ affects(?t,?a1)
∧ Customer(?t,?a2) ∧ affects(?t,?a2)
∧ ServiceGroup(?t,?a3) ∧ affects(?t,?a3)
∧ ClientAuthentication(?c1) ∧ protects(?c1, ?a1)
∧ AccessControl(?c2) ∧ protects(?c2, ?a1)
∧ Delegation(?c3) ∧ protects(?c3, ?a2)
∧ Identification(?c4) ∧ protects(?c4, ?a3)
→ BlockedThreat(?t)
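The slide-39 rule evaluated in Python over a small constructed concrete model, showing which missing control stops a threat from being classified as blocked. This is an added example, not SERSCIS code: it uses no OWL reasoner, treats Customer and ServiceGroup as asset classes (an assumption), and all individual names are hypothetical. Only the BlockedThreat rule is on the slides, so anything else is reported as "NotBlocked".

```python
# Added illustration: evaluates the slide-39 BlockedThreat rule without an OWL reasoner.
# Asset class -> control classes that must protect one affected asset of that class.
REQUIRES = {
    "ClientSpecifiedResource": {"ClientAuthentication", "AccessControl"},
    "Customer": {"Delegation"},
    "ServiceGroup": {"Identification"},
}
THREAT_CLASS = "MissAccountedClientResourceAccess"


def classify(threat, types, affects, protects):
    """Return ("BlockedThreat", {}) or ("NotBlocked", {asset class: missing controls})."""
    if types.get(threat) != THREAT_CLASS:
        raise ValueError(f"{threat} is not a {THREAT_CLASS} instance")
    missing = {}
    for asset_cls, needed in REQUIRES.items():
        # Assets of this class that the threat affects: affects(?t, ?a).
        assets = [a for t, a in affects if t == threat and types.get(a) == asset_cls]
        # SWRL rule bodies are existential: one asset carrying every needed control
        # satisfies the atoms, so keep the smallest gap over all candidate assets.
        gaps = [needed - {types.get(c) for c, a2 in protects if a2 == a} for a in assets]
        gap = min(gaps, key=len, default=needed)
        if gap:
            missing[asset_cls] = sorted(gap)
    return ("BlockedThreat", {}) if not missing else ("NotBlocked", missing)


# Constructed concrete model (all individual names are hypothetical).
TYPES = {
    "t1": THREAT_CLASS,
    "fuelOrder": "ClientSpecifiedResource", "airlineX": "Customer",
    "rampServices": "ServiceGroup",
    "authn1": "ClientAuthentication", "acl1": "AccessControl",
    "deleg1": "Delegation", "ident1": "Identification",
}
AFFECTS = [("t1", "fuelOrder"), ("t1", "airlineX"), ("t1", "rampServices")]
PROTECTS = [("authn1", "fuelOrder"), ("acl1", "fuelOrder"),
            ("deleg1", "airlineX"), ("ident1", "rampServices")]

if __name__ == "__main__":
    print(classify("t1", TYPES, AFFECTS, PROTECTS))
    # Same model with the Delegation control withdrawn from the customer.
    print(classify("t1", TYPES, AFFECTS, [p for p in PROTECTS if p[0] != "deleg1"]))
```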

40 Threat Vulnerability Classification - Controlling a MissAccountedClientResourceAccess threat

41 Main ideas embodied in the SERSCIS Ontology
• Assets, threats and controls are described as OWL classes.
• Assets may have associated metrics for presence or absence of threat-induced behaviors.
• Threats have a human readable description, impact severity and prior & current likelihood ratings.
• In the following schematic, dashed arrows do not represent conventional OWL relationships but SWRL rules. These rules classify threat instances as Mitigated or Blocked based on the presence of adequate controls.

42 Proof of Concept: Updated core Ontology

43 SERSCIS Decision Support Tool Framework – Run Time Dynamic Model

44 Old version of Decision Support Tool – Dynamic Interface

45 SERSCIS STREAM REASONING PROCESS - Basics

46 SERSCIS STREAM REASONING PROCESS - Basics
• It allows the concrete system model to be continuously updated.
• It reduces the time lag between the evolution of the real system and that of the concrete system model, making it possible to resolve recent and rapid changes in the real system.
• It represents protracted as well as instantaneously observed behaviours in the model by including information over an extended (sliding) time window.
• It allows reasoning algorithms to take account of system changes during the time window, rather than only the instantaneous system composition and status.

47 Proposed SERSCIS Stream reasoning

48 Proposed SERSCIS stream reasoning – Behavior Analyzer basic notion
Time | TOBT updates (QoS) | TOBT updates (QoE) | (QoE-QoS)/totalFlights
29/07/ :00 | | | 0.000
29/07/ :50 | 15 | 30 | 0.313
29/07/ :00 | 19 | 38 | 0.396
29/07/ :15 | 20 | 40 | 0.417
29/07/ :05 | 22 | 44 | 0.458
29/07/ :30 | 25 | 50 | 0.521
29/07/ :00 | 32 | 64 | 0.667
29/07/ :25 | 33 | 66 | 0.688
29/07/ :00 | | 76 | 0.792
29/07/ :25 | 42 | 84 | 0.875
29/07/ :50 | 45 | 90 | 0.938
29/07/ :10 | 48 | 96 | 1.000

49 Evolution of QoS and QoE in time

50 Intrusion Detection basics
We use the Non-Parametric CUSUM test Two performance criteria: i). False Alarm Time ii). Detection Time.
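A sketch of the non-parametric CUSUM test run over the (QoE-QoS)/totalFlights values from slide 48, reporting the alarm sample, whether it was a false alarm, and the detection delay. This is an added example, not SERSCIS code: feeding that metric to the detector, the drift bound a = 0.5, the threshold h = 1.0, the onset sample and the quiet baseline are all assumptions, and times are counted in samples because the slide's timestamps are truncated.

```python
# Added illustration: non-parametric CUSUM over the slide-48 behaviour metric.
# Values of the (QoE-QoS)/totalFlights column, in slide order.
SLIDE_48 = [0.000, 0.313, 0.396, 0.417, 0.458, 0.521,
            0.667, 0.688, 0.792, 0.875, 0.938, 1.000]
# Constructed quiet baseline used to check for false alarms.
BASELINE = [0.10, 0.20, 0.15, 0.30, 0.25, 0.20, 0.35, 0.10]


def cusum(series, a):
    """g_n = max(0, g_{n-1} + x_n - a), starting from 0; a bounds the normal mean."""
    g, out = 0.0, []
    for x in series:
        g = max(0.0, g + x - a)
        out.append(g)
    return out


def first_alarm(series, a, h):
    """Index of the first sample whose statistic reaches threshold h, else None."""
    for n, g in enumerate(cusum(series, a)):
        if g >= h:
            return n
    return None


def evaluate(series, onset, a, h):
    """Score one run against a known change onset (sample index)."""
    alarm = first_alarm(series, a, h)
    if alarm is None:
        return {"alarm": None, "false_alarm": False, "detection_delay": None}
    early = alarm < onset  # an alarm before the change began is a false alarm
    return {"alarm": alarm, "false_alarm": early,
            "detection_delay": None if early else alarm - onset}


if __name__ == "__main__":
    A, H, ONSET = 0.5, 1.0, 5  # assumed drift bound, threshold and onset sample
    print(evaluate(SLIDE_48, ONSET, A, H))
    print(first_alarm(BASELINE, A, H))
```

Lowering h shortens the detection delay at the cost of earlier false alarms on noisy baselines, which is the trade-off the two criteria on the slide measure.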

51 Recent (2012) DST design concepts (Under Construction)
Physical asset display Assets Please select an asset class Threats Please select an asset Behaviours Please select an asset class Update Up to date

52 Recent (2012) DST design concepts (Under Construction)
Assets Please select an asset class Threats Please select an asset Behaviours Please select an asset class Update

53 SERSCIS INNOVATIONS Semantic system modelling of critical infrastructure ICT including inter- dependency and other risks Semantic service dependability models encoded in SLA semi-automatic management of services against dependability criteria Semantic service orchestration models exploiting dependability criteria automatic composition of service inter-connections against dependability criteria automated re-composition in response to dependability threats Dynamic security and trust management to control threat propagation between services automatic policy updates driven by service dependability management Advanced Decision support interface based on semantic system models to assist human operators Innovative Stream reasoning technologies for Event Analytics and Behavior Assets Reasoning in conjunction with detection algorithms.

54 CONCLUSIONS- IMPACT Airport Collaborative Decision Making – (A-CDM)
• sharing information between air-traffic control, airports, airlines and airport service providers
• allows greater operational efficiency, but also creates interdependencies that need to be managed
SERSCIS will enable improved risk management
• goal is not to enable A-CDM, but to better manage it
• Introduction of state of the art risk analysis procedures
• Stream reasoning processes and event processing in risk management
• Other applications will be considered (especially Port Community Operations)
Expected impact
• greater awareness of risks in A-CDM especially from interdependency
• analysis of requirements and application in other sectors
• novel risk management capabilities based on agile SOA especially for managing interdependency and cascading threats

55 THANK YOU for your attention

