Resilience requires automatically adapting to a situation that impedes a mission. If an autonomous system adapts to achieve mission success and that adaptation is crafted at run time, then confidence in its compliance with functional and security requirements needs to be established. Traditional assurance techniques, such as testing and formal analysis of a system reconfiguration (e.g., one produced by code repair or reused code), are typically not applicable at run time given performance constraints. Moreover, for security threats identified as part of system situational awareness, the expected level of confidence must be coupled with defensive resilience.
Maintaining a high level of confidence in guaranteeing compliance while defending against security threats in an autonomous system poses multiple research challenges. Security certification is a highly manual effort that documents the process and artifacts by which a system provides security compliance guarantees. When the system configures a new component, patch, or decision-making strategy at run time, there can be both a direct impact on security compliance and a propagated impact on the components and claims that depend on the changed element. Thus, these run-time adaptations must be risk-assessed against both functional and security requirements. Prior work in this area must be extended to accommodate new system designs that embed adaptation and security frameworks, so that the adaptations can be holistically examined from architectural, verification and validation (V&V), and certification and accreditation (C&A) perspectives. Another challenge is pinpointing the effect of an adaptation on the system architecture, and alerting operators to it, as it relates to the assurance of mission requirements and security constraints. The functional behavior of the system must be codified separately from, and prior to, its deployment into the system to enable trustworthiness and risk assessments.
To address these research challenges, our approach is to develop technology to express, codify, and automatically maintain operational system security assurance cases (SACs) for autonomous systems that are reconfiguring at run time in order to achieve mission objectives resiliently and securely in the face of adverse conditions. Assurance cases have been accepted as a means for certifying the utility and satisfaction of trustworthiness, safety, and mission objectives. SACs will capture the trustworthiness and risk assessment chain of evidence from initial development through system evolution during run-time adaptation in response to environmental and system uncertainty with respect to security threats. Given the dynamic updates to the physical and cyber aspects of the system functionality due to its interaction with the environment, we envision that the SACs will need dynamic updating to reflect the changing security conditions. In turn, security mitigations due to attacks or detected vulnerabilities may trigger subsequent system adaptations. The proposed project will explicitly address the dual and interacting dynamic updates of the autonomous system and the supporting SACs, with respect to system resilience, risk management, and assurance traceability.
Because the prior efforts on monitoring, planning, and risk assessment were developed independently, each with its own models and properties, the results of this effort will underscore and support the need to design technology for integration, so that the model transformation and translation effort is reduced while implementation efficiency and adaptation traceability are increased. The proposed project comprises three phases. Phase 1 will develop the infrastructure to support the construction, analysis, and updating of SACs for autonomous systems in the face of uncertainty. A key innovation of this project is the MAPE-SAC loop, inspired by the MAPE-K loop that serves as the foundation for the feedback loop used to manage autonomous systems. Both loops involve the monitor, analyze, plan, and execute steps, differing only in the target of adaptation. For MAPE-K, the target is the autonomous system. For MAPE-SAC, the target is the collection of SACs. Phase 2 will expand the framework to include third-party monitoring technology from TRS (Trusted and Resilient Systems) program performers. The capabilities and methods from Phase 1 will be extended to accommodate the new monitoring technology. Phase 3 will incorporate third-party, TRS-related system reconfigurations, such as bug repairs. These adaptations may be triggered by environmental changes (e.g., road conditions, sensor failures) and/or cyber threats (e.g., denial of service attacks, compromised data). We will extend the MAPE-K/MAPE-SAC framework to ensure that functional and security properties are satisfied.
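The following is an added illustration of the MAPE-SAC idea, written for this page; it is not code from the proposed project and does not represent its SAC notation or tooling. It models a security assurance case as a tree of claims, each supported by sub-claims and by evidence items that are tied to the component whose artifact produced them. A monitored run-time adaptation (here a constructed event in which a patch replaces a component) drives the analyze step, which invalidates the evidence tied to that component and traces the propagated impact upward to every claim whose support has become stale; the plan step lists the evidence that must be regenerated, and the execute step accepts regenerated evidence and re-checks the root claim. The claim texts, component names and events are assumptions made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Evidence:
    eid: str
    component: str      # component whose artifact this evidence was derived from
    valid: bool = True  # becomes False once that component is changed at run time


@dataclass
class Claim:
    cid: str
    text: str
    subclaims: list = field(default_factory=list)  # ids of supporting sub-claims
    evidence: list = field(default_factory=list)   # ids of supporting evidence


class SecurityAssuranceCase:
    """Claims form a tree rooted at `root`; evidence hangs off leaf (or any) claims."""

    def __init__(self, root):
        self.root = root
        self.claims = {}
        self.evidence = {}
        self.parent = {}  # child claim id -> parent claim id

    def add_claim(self, claim, parent=None):
        self.claims[claim.cid] = claim
        if parent is not None:
            self.claims[parent].subclaims.append(claim.cid)
            self.parent[claim.cid] = parent

    def add_evidence(self, ev, claim_id):
        self.evidence[ev.eid] = ev
        self.claims[claim_id].evidence.append(ev.eid)

    def supported(self, cid):
        """A claim holds only if all its evidence is valid and all sub-claims hold."""
        c = self.claims[cid]
        return (all(self.evidence[e].valid for e in c.evidence)
                and all(self.supported(s) for s in c.subclaims))

    def ancestors(self, cid):
        out = []
        while cid in self.parent:
            cid = self.parent[cid]
            out.append(cid)
        return out


class MapeSac:
    """Monitor / analyze / plan / execute with the SAC, not the system, as the target."""

    def __init__(self, sac):
        self.sac = sac
        self.events = []

    def monitor(self, event):
        # event is a constructed adaptation record, e.g. {"kind": "patch", "component": "comms"}
        self.events.append(event)

    def analyze(self):
        """Invalidate evidence tied to adapted components; return the impacted claims
        (direct holders of stale evidence plus every ancestor claim) for alerting."""
        impacted = set()
        for ev in self.events:
            for e in self.sac.evidence.values():
                if e.component == ev["component"]:
                    e.valid = False
                    for cid, c in self.sac.claims.items():
                        if e.eid in c.evidence:
                            impacted.add(cid)
                            impacted.update(self.sac.ancestors(cid))
        self.events.clear()
        return sorted(impacted)

    def plan(self):
        """The re-verification work: every evidence item that is now stale."""
        return sorted(e.eid for e in self.sac.evidence.values() if not e.valid)

    def execute(self, regenerated):
        """Accept regenerated evidence (e.g. a re-run test suite) and re-check the root."""
        for eid in regenerated:
            self.sac.evidence[eid].valid = True
        return self.sac.supported(self.sac.root)


def build_example_sac():
    # Constructed example case for a rover; claims and components are assumptions.
    sac = SecurityAssuranceCase(root="G1")
    sac.add_claim(Claim("G1", "Rover mission telemetry is protected"))
    sac.add_claim(Claim("G2", "Telemetry channel is encrypted"), parent="G1")
    sac.add_claim(Claim("G3", "Navigation inputs are authenticated"), parent="G1")
    sac.add_evidence(Evidence("E1", "comms"), "G2")          # e.g. crypto test results
    sac.add_evidence(Evidence("E2", "sensor_fusion"), "G3")  # e.g. input validation review
    return sac


def run_scenario():
    """One MAPE-SAC iteration after a patch to the 'comms' component."""
    sac = build_example_sac()
    loop = MapeSac(sac)
    before = sac.supported("G1")
    loop.monitor({"kind": "patch", "component": "comms"})
    impacted = loop.analyze()        # claims to alert on
    stale = loop.plan()              # evidence to regenerate
    during = sac.supported("G1")     # root no longer supported until that happens
    after = loop.execute(stale)      # regenerated evidence restores the case
    return before, impacted, stale, during, after


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is that the patch to one component does not merely mark one test result stale: the impact propagates to G2 and then to the root claim G1, and the case is not considered supported again until the specific stale evidence has been regenerated, which is the kind of traceable, automated impact determination the proposal calls for.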
We plan to demonstrate and evaluate the technology on two platforms to show broad applicability and scalability. One platform will use multiple, coordinating Cozmo robots with sensor-based situational awareness, integrated into the sensor security experimentation testbed developed at the University of Tulsa (TU). The second platform will be a rover running software developed using the Evo-ROS platform at Michigan State University (MSU). In addition, we will conduct multiple performance evaluations of the technology to assess (1) automated and embedded calculation, at run time, of the potential risk that an adaptation poses to component, system, and mission operation and (2) automated determination and alerting of the component(s), system(s), and mission operation(s) impacted by the selected and deployed adaptation. We will also leverage collaborations that MSU has with Ford and ZF-TRW on cybersecurity for autonomous vehicles.