A framework for trustworthiness assessment based on fidelity in cyber and physical domains

Post on 03-Aug-2015


A framework for trustworthiness assessment based on fidelity in cyber and physical domains

Vincenzo De Florio (1) & Giuseppe Primiero (2)

1: MOSAIC group, Universiteit Antwerpen & iMinds, vincenzo.deflorio@uantwerpen.be

2: Dept. of Computer Science, Middlesex University, g.primiero@mdx.ac.uk

2015-6-29

Fidelity

• A measure of the compliance between corresponding figures of interest, or behaviors, in two or more pairs of separate but communicating domains
• Focus in what follows: fidelity of cyber-physical systems
• Three major domains:
  • "cyber" properties & behaviors
  • "physical" properties & behaviors
  • "human"-specific properties & behaviors


Methodological assumption

1. "Ideal" fidelity may be expressed through the algebraic concept of isomorphism
• Isomorphism: preservation of algebraic properties
• In an ideal world, a perfect correspondence between paired domains:
• In the real world: imperfect correspondence


Methodological assumption

• The Delta function is the drifting: "...quantifies a drifting in time of the ability to create a trustworthy “internal” representation of an experienced raw fact."
• Four major types of drifting:
  1. Hard-bound fidelity drifting (e.g., hard real-time systems)
  2. Statistically-bound fidelity drifting (e.g., soft real-time systems)
  3. Unbound fidelity drifting characterised by a “trend”
  4. Unbound fidelity drifting with no known trend


Example: Patriot failure, 2/25/1991

• 28 US Army reservists killed, 97 injured by a Scud missile
• Drifting type #3: Unbound fidelity drifting characterized by a “trend”
• 2-open system: velocity and time
• Physical time: represented as # of tenths of a second from a reference epoch (system start-up); stored in an integer variable; converted into real seconds by multiplying by 1/10 held in a 24-bit fixed-point register, where 1/10 has no exact binary representation
• Imprecision in the conversion: the more the Patriot operated w/o reboot, the larger the ∆
• ⇾ Greater and greater error in estimating position & velocity of an incoming Scud missile!


Example: Patriot failure, 2/25/1991

• Simple workaround: S/A method
• Biagio Fanelli: "If it doesn't work, turn it off and then back on" ⇾ Rejuvenation
• "Both problem and workaround were known at the time of the accident, though common belief was that the unresilience threshold would never be reached in practice" ⇾ Monotonically increasing trend, though considered as harmless!
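The Patriot drift, worked through as an added example (this is not the authors' code and not the Patriot software). It truncates 1/10 to a fixed number of fractional binary digits, accumulates the per-tick error into ∆(t) as a function of uptime, checks that the sampled ∆(t) series has a monotonic trend (drifting type #3), locates the uptime at which an assumed tolerance is exceeded, and shows what rejuvenation (reboot) does to ∆(t). The 23 fractional bits are an assumption chosen because they reproduce the commonly reported figures for this incident (about 9.5e-8 s of error per tick and about 0.34 s after 100 hours); the 0.3 s tolerance passed to hours_until_violation is likewise illustrative, since the deck gives no number for the "unresilience threshold".

```c
#include <stdio.h>
#include <stdint.h>

/* 1/10 truncated to `frac_bits` fractional binary digits. 0.1 has no finite binary
   expansion (0.0001100110011...), so every truncation undershoots the true value. */
static double truncated_tenth(int frac_bits)
{
    uint64_t scale = (uint64_t)1 << frac_bits;
    uint64_t q = scale / 10;               /* floor(0.1 * 2^frac_bits) */
    return (double)q / (double)scale;
}

/* Error introduced per tick: the converted clock lags real time by this much
   for every tenth of a second counted. */
static double tick_error(int frac_bits)
{
    return 0.1 - truncated_tenth(frac_bits);
}

/* Delta(t): accumulated clock error after `hours` of uptime without a reboot.
   The counter holds tenths of a second, as on the slide: 36,000 ticks per hour. */
static double clock_delta(double hours, int frac_bits)
{
    double ticks = hours * 3600.0 * 10.0;
    return ticks * tick_error(frac_bits);
}

/* Monitor step: sample Delta(t) once per hour on [0, samples) and check that the
   series never decreases, i.e. drifting type 3 (unbounded, but with a known trend). */
static int delta_is_monotonic(int frac_bits, int samples)
{
    double prev = 0.0;
    for (int h = 0; h < samples; h++) {
        double d = clock_delta((double)h, frac_bits);
        if (d < prev)
            return 0;
        prev = d;
    }
    return 1;
}

/* Hypothesis-violation detector: first whole hour of uptime at which Delta(t)
   reaches the tolerance the tracking logic can absorb. The tolerance is a parameter;
   the real range-gate limit is not given on the slide. Returns -1 if there is no drift. */
static int hours_until_violation(double tolerance_s, int frac_bits)
{
    if (tick_error(frac_bits) <= 0.0)
        return -1;
    int h = 0;
    while (clock_delta((double)h, frac_bits) < tolerance_s)
        h++;
    return h;
}

/* Rejuvenation ("turn it off and then back on"): the tick counter restarts at zero,
   and with it Delta(t). The trend itself is unchanged; only the starting point moves. */
static double delta_after_reboot(int frac_bits)
{
    return clock_delta(0.0, frac_bits);
}

int main(void)
{
    /* Assumption: 23 fractional bits in the fixed-point 1/10 (see lead-in). */
    const int frac_bits = 23;
    printf("error per tick          : %.3e s\n", tick_error(frac_bits));
    printf("Delta after 8 h         : %.4f s\n", clock_delta(8.0, frac_bits));
    printf("Delta after 100 h       : %.4f s\n", clock_delta(100.0, frac_bits));
    printf("monotonic trend (200 h) : %s\n", delta_is_monotonic(frac_bits, 200) ? "yes" : "no");
    printf("0.3 s tolerance hit at  : %d h\n", hours_until_violation(0.3, frac_bits));
    printf("Delta after reboot      : %.4f s\n", delta_after_reboot(frac_bits));
    return 0;
}
```

The point of delta_is_monotonic is the one the slide makes: a type-3 drift is detectable from the ∆(t) stream alone, before the threshold is reached, and the reboot only resets the integration, it does not remove the trend.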


Methodological assumption II

2. If we monitor how the ∆i(t) vary, we can tell something about the corresponding Fidelity
• This can be applied to cyber, physical, and even HCI-related properties & behaviors! "Behaviours such as those of a human operator or those produced by a numerical algorithm are all translated into a same, homogeneous form: that of a stream of numerical data representing samples of the ∆i(t) dynamic systems."
• Application: Monitor ∆i(t); Identify class of drifting; Detect hypothesis violation; Manage violation.


An architecture for the evaluation of fidelity

• Based on a sensory/qualia layer: RR vars
• Main idea: memory accesses as a metaphor for detecting changes / reacting to changes
• RR vars = volatile variables whose identifier links them with an external device: a sensor or an actuator
• Sensors: OS-specific, app-specific, HCI-specific. E.g., amount of CPU available; state of a video player; user behavior/stereotype


*-to-cyber Reification

Also with callbacks. Example:

int PrintCpu();
rrparse("(cpu>0);", PrintCpu);


Tracking CPU and mplayer

• int mplayer returns the following values:

void SystemIsSlow(void) { mplayer = HARDFRAMEDROP; }
...
rrparse("(cpu>98)&&(mplayer==2);", SystemIsSlow);
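How a rule like the one above is evaluated, as an added example (not the Janus/RR library's own code). It keeps a small table of RR variables, treats every write to one of them as the event that re-evaluates the registered (condition, callback) pairs, and fires SystemIsSlow on the rising edge of "cpu above 98 and mplayer in hard frame-drop". The deck's rrparse() takes its condition as a string; here the condition is a C predicate function to keep the example short, and the table layout, rr_watch/rr_set names, the MPLAYER_OK/SOFTFRAMEDROP codes and the replayed sample stream are all constructed for the demo (only HARDFRAMEDROP == 2 follows from the rule on the slide).

```c
#include <stdio.h>
#include <stddef.h>

/* Identifiers of the RR variables in this toy table (hypothetical layout). Each one
   stands for an external sensor or actuator bound to the identifier. */
enum { RR_CPU, RR_MPLAYER, RR_UI, RR_COUNT };
static const char *rr_name[RR_COUNT] = { "cpu", "mplayer", "ui" };
static int rr_var[RR_COUNT];

/* mplayer state codes. HARDFRAMEDROP == 2 is the value the deck's rule tests for;
   the other two codes are assumed for the demo. */
enum { MPLAYER_OK = 0, SOFTFRAMEDROP = 1, HARDFRAMEDROP = 2 };

typedef int  (*rr_predicate)(void);
typedef void (*rr_callback)(void);

struct rr_rule { rr_predicate pred; rr_callback cb; int armed; };
static struct rr_rule rr_rules[8];
static size_t rr_nrules;

/* Register a (condition, callback) pair; stands in for rrparse("...;", cb). */
static void rr_watch(rr_predicate pred, rr_callback cb)
{
    if (rr_nrules < sizeof rr_rules / sizeof rr_rules[0]) {
        rr_rules[rr_nrules].pred = pred;
        rr_rules[rr_nrules].cb = cb;
        rr_rules[rr_nrules].armed = 1;
        rr_nrules++;
    }
}

/* Reify a sensor reading: the store into the RR variable is the event, so every rule is
   re-evaluated on each write. A rule fires on the rising edge only and re-arms when its
   condition drops, so one sustained overload produces one callback, not one per sample.
   Returns how many callbacks this write triggered. */
static int rr_set(int id, int value)
{
    int fired = 0;
    rr_var[id] = value;
    for (size_t i = 0; i < rr_nrules; i++) {
        int holds = rr_rules[i].pred();
        if (holds && rr_rules[i].armed) {
            rr_rules[i].cb();
            fired++;
        }
        rr_rules[i].armed = !holds;
    }
    return fired;
}

static void rr_reset(void)
{
    rr_nrules = 0;
    for (int i = 0; i < RR_COUNT; i++)
        rr_var[i] = 0;
}

/* --- the deck's rule, expressed as predicate + callback --- */
static int slow_events;   /* how many times SystemIsSlow has run */

static int cpu_saturated_and_dropping(void)
{
    return rr_var[RR_CPU] > 98 && rr_var[RR_MPLAYER] == HARDFRAMEDROP;
}

static void SystemIsSlow(void)
{
    slow_events++;
    printf("SystemIsSlow: %s=%d, %s=%d\n", rr_name[RR_CPU], rr_var[RR_CPU],
           rr_name[RR_MPLAYER], rr_var[RR_MPLAYER]);
}

/* Replay a constructed stream of (cpu, mplayer) samples; returns how often the rule fired. */
static int replay_samples(void)
{
    static const int samples[][2] = {
        { 50, MPLAYER_OK },      /* idle */
        { 99, MPLAYER_OK },      /* cpu high, playback still fine: no event */
        { 99, HARDFRAMEDROP },   /* both conditions hold: event #1 */
        { 99, HARDFRAMEDROP },   /* still holding: no repeat */
        { 70, MPLAYER_OK },      /* recovered: rule re-arms */
        { 99, HARDFRAMEDROP },   /* event #2 */
    };
    rr_reset();
    slow_events = 0;
    rr_watch(cpu_saturated_and_dropping, SystemIsSlow);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        rr_set(RR_CPU, samples[i][0]);
        rr_set(RR_MPLAYER, samples[i][1]);
    }
    return slow_events;
}

int main(void)
{
    printf("SystemIsSlow fired %d time(s)\n", replay_samples());
    return 0;
}
```

Because each sample is reified as two separate writes, the predicate is also evaluated in the intermediate state (new cpu, old mplayer); the edge-triggered `armed` flag is what keeps that from double-counting an overload.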


Tracking users' behaviors and stereotypes

[Figure: HCI interaction actions are logged, transcoded, analyzed, and reified into the RR var "int ui" (annotated "int ui is now == X", "int ui is now == Y")]


Tracking user behavior

• We log the behavior of the user...
• ...transcode/analyze it...
• ...and "reify" our conclusions into RR var "int ui"


Currently, simple analyses

• Typing frequency as simple user stereotype
• Too high a frequency ⇾ discomfort (cf. Therac-25 accidents...)


Janus system

[Figure: Janus system architecture with the RR client, mplayer and the UI as components]


• We partition fidelity into two major classes:
  • ΦU(t): user side: fidelity related to HCI properties
  • ΦM(t): machine side: fidelity related to machine-specific properties
• We estimate ΦU(t) and ΦM(t) as some function of the experienced driftings: ΦU(t) = 1 / ∆UI(t), ΦM(t) = 1 / f(∆CPU(t), ∆mplayer(t))
• And then "embed" fidelity into a MAPE loop

III: Fidelity as Trustworthiness


• "Embedding" fidelity into a MAPE (Monitor, Analyze, Plan, Execute) loop:
• M: Janus / RR vars estimate ∆i(t)
• A: Approximate Φ(t) = (ΦU, ΦM)
• P: Assess situation; select strategy
• E: Enact strategy


Possible cases

• System is considered as:
  • Trustworthy: when Φ(t) = (ΦU, ΦM) are both high. Optimal, sustainable working conditions
  • Unstable: high-to-medium ΦU, low ΦM. Reconfigurable working conditions
  • Unsafe: high-to-medium ΦM, low ΦU. Alarm-raising working conditions
  • Untrustworthy: low Φ(t). Inadvisable / below-safety working conditions
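The Analyze and Plan steps of the loop, carried through as an added example (not the authors' Janus implementation). It turns the three ∆ samples into ΦU = 1/∆UI and ΦM = 1/f(∆CPU, ∆mplayer), maps the pair onto the four cases above and picks a strategy per case. Everything the deck leaves open is an assumption here: f is taken as max (the machine side is only as faithful as its worst-drifting sensor), the high/medium/low cut-offs on Φ are illustrative constants, the unnamed combinations where neither side is low but not both are high are treated as Unstable, and Φ is clamped at PHI_CAP because 1/∆ is unbounded as ∆ approaches 0 and a control loop must not divide by zero on a perfectly faithful sample.

```c
#include <stdio.h>

typedef enum { TRUSTWORTHY, UNSTABLE, UNSAFE, UNTRUSTWORTHY } trust_class;
typedef enum { KEEP_RUNNING, RECONFIGURE, RAISE_ALARM, STOP } strategy;

/* Assumed cut-offs: Phi >= PHI_HIGH is "high", >= PHI_MEDIUM is "medium", else "low". */
#define PHI_HIGH   10.0
#define PHI_MEDIUM  2.0
/* Phi = 1/Delta grows without bound as Delta -> 0; clamp it so zero drift is a
   well-defined (and best) value instead of a division by zero. */
#define PHI_CAP  1000.0

static double phi_from_delta(double delta)
{
    if (delta <= 1.0 / PHI_CAP)
        return PHI_CAP;
    return 1.0 / delta;
}

/* Analyze: Phi_U = 1/Delta_UI. */
static double phi_user(double delta_ui)
{
    return phi_from_delta(delta_ui);
}

/* Analyze: Phi_M = 1/f(Delta_CPU, Delta_mplayer), with f = max (assumption). */
static double phi_machine(double delta_cpu, double delta_mplayer)
{
    double worst = delta_cpu > delta_mplayer ? delta_cpu : delta_mplayer;
    return phi_from_delta(worst);
}

static int phi_level(double phi)   /* 2 = high, 1 = medium, 0 = low */
{
    if (phi >= PHI_HIGH)   return 2;
    if (phi >= PHI_MEDIUM) return 1;
    return 0;
}

/* Plan, part 1: the four cases of the "Possible cases" slide. Combinations with no low
   side but not both sides high (e.g. medium/medium) are not named on the slide and are
   treated as UNSTABLE, the reconfigurable case (assumption). */
static trust_class classify(double phi_u, double phi_m)
{
    int lu = phi_level(phi_u), lm = phi_level(phi_m);
    if (lu == 2 && lm == 2) return TRUSTWORTHY;
    if (lu == 0 && lm == 0) return UNTRUSTWORTHY;
    if (lu == 0)            return UNSAFE;     /* low Phi_U, Phi_M high-to-medium */
    if (lm == 0)            return UNSTABLE;   /* low Phi_M, Phi_U high-to-medium */
    return UNSTABLE;
}

/* Plan, part 2: one strategy per class. */
static strategy select_strategy(trust_class c)
{
    switch (c) {
    case TRUSTWORTHY: return KEEP_RUNNING;
    case UNSTABLE:    return RECONFIGURE;
    case UNSAFE:      return RAISE_ALARM;
    default:          return STOP;
    }
}

/* One MAPE iteration. Monitor is taken as given (the three Delta samples would come from
   the RR variables); Analyze and Plan are the functions above; Execute is represented by
   the returned strategy. */
static strategy mape_step(double delta_ui, double delta_cpu, double delta_mplayer)
{
    double phi_u = phi_user(delta_ui);
    double phi_m = phi_machine(delta_cpu, delta_mplayer);
    trust_class c = classify(phi_u, phi_m);
    strategy s = select_strategy(c);
    printf("Phi_U=%.2f Phi_M=%.2f class=%d strategy=%d\n", phi_u, phi_m, (int)c, (int)s);
    return s;
}

int main(void)
{
    mape_step(0.05, 0.02, 0.01);  /* both high: keep running */
    mape_step(0.05, 0.80, 0.10);  /* machine side drifting: reconfigure */
    mape_step(0.90, 0.05, 0.05);  /* user side drifting: raise alarm */
    mape_step(0.90, 0.90, 0.90);  /* everything drifting: stop */
    mape_step(0.00, 0.00, 0.00);  /* zero drift must not divide by zero */
    return 0;
}
```

The asymmetry between Unstable and Unsafe is deliberate and matches the slide: a drifting machine side is something the loop can reconfigure around, while a drifting user side (the operator's behaviour no longer matching its expected stereotype) is escalated as an alarm rather than silently adapted to.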

Conclusions

• We introduced a model of fidelity for cyber-physical systems
• Methodological assumptions:
  • Drifting data can be derived from domain pairs
  • Drifting can be used to estimate fidelity and trustworthiness
• Future work:
  • Fidelity as a self-* property
  • Systematic and monotonic improvement of one's fidelity: ANTIFRAGILITY