Departmental Papers (CIS)

Security and Interoperable Medical Device Systems: Part 1

Krishna K. Venkatasubramanian et al. — Tue, 22 Jan 2013 10:35:02 PST

Security and Interoperable Medical Device Systems, Part 2: Failures, Consequences and Classifications

Eugene Vasserman et al. — Tue, 22 Jan 2013 10:34:57 PST

Interoperable medical devices (IMDs) face threats due to the increased attack surface presented by interoperability and the corresponding infrastructure. Introducing networking and coordination functionalities fundamentally alters medical systems' security properties. Understanding the threats is an important first step in eventually designing security solutions for such systems. Part 2 of this two-part article defines a failure model, or the specific ways in which IMD environments might fail when attacked. An attack-consequences model expresses the combination of failures experienced by IMD environments for each attack vector. This analysis leads to interesting conclusions about regulatory classes of medical devices in IMD environments subject to attacks.

Formally Verifiable Networking

Anduo Wang et al. — Tue, 15 Jan 2013 09:57:08 PST

This paper proposes Formally Verifiable Networking (FVN), a novel approach towards unifying the design, specification, implementation, and verification of networking protocols within a logic-based framework. In FVN, formal logical statements are used to specify the behavior and the properties of the protocol. FVN uses declarative networking as an intermediary layer between high-level logical specifications of the network model and low-level implementations. A theorem prover is used to statically verify the properties of declarative network protocols. Moreover, a property preserving translation exists for generating declarative networking implementations from verified formal specifications. We further demonstrate the possibility of designing and specifying well-behaved network protocols with correctness guarantees in FVN using meta-models in a systematic and compositional way.

A Model-Based I/O Interface Synthesis Framework for the Cross-Platform Software Modeling

BaekGyu Kim et al. — Tue, 15 Jan 2013 09:57:07 PST

In model-based development, executable software (e.g., C or Java code) can be generated from a high-level model using a code generator. However, the execution of the generated software on a target platform remains a challenge due to a mismatch in communication semantics assumed by the model and the platform-dependent software (e.g., sampling/actuation routines). This paper proposes an input/output (I/O) interface module that bridges this semantic gap by means of buffers and interface policies, which explicitly capture the information required to adapt the model’s communication semantics to that of the platform. We present a framework that can be used to systematically synthesize – directly from the model – the I/O interfaces and accompanying APIs that the generated software and the platform-dependent software need to communicate with one another. Our interface policies can also encode relaxations of a model semantics that may not be implementable, thus making derivations of the implemented systems from the model traceable. We illustrate the applicability and the benefits of our framework with a case study of an infusion pump.

DMaC: Distributed Monitoring and Checking

Wenchao Zhou et al. — Tue, 15 Jan 2013 09:57:05 PST

We consider monitoring and checking formally specified properties in a network. We are addressing the problem of deploying the checkers on different network nodes that provide correct and efficient checking. We present the DMaC system that builds upon two bodies of work: the Monitoring and Checking (MaC) framework, which provides means to monitor and check running systems against formally specified requirements, and declarative networking, a declarative domain-specific approach for specifying and implementing distributed network protocols. DMaC uses a declarative networking system for both specifying network protocols and performing checker execution. High-level properties are automatically translated from safety property specifications in the MaC framework into declarative networking queries and integrated into the rest of the network for monitoring the safety properties. We evaluate the flexibility and efficiency of DMaC using simple but realistic network protocols and their properties

Assessing the Overall Sufficiency of Safety Arguments

Anaheed Ayoub et al. — Tue, 15 Jan 2013 09:57:03 PST

Safety cases offer a means for communicating information about the system safety among the system stakeholders. Recently, the requirement for a safety case has been considered by regulators for safety-critical systems. Adopting safety cases is necessarily dependent on the value added for regulatory authorities. In this work, we outline a structured approach for assessing the level of sufficiency of safety arguments. We use the notion of basic probability assignment to provide a measure of sufficiency and insufficiency for each argument node. We use the concept of belief combination to calculate the overall sufficiency and insufficiency of a safety argument based on the sufficiency and insufficiency of its nodes. The application of the proposed approach is illustrated by examples.

A Theorem Proving Approach towards Declarative Networking

Anduo Wang et al. — Tue, 15 Jan 2013 09:57:01 PST

We present the DRIVER system for designing, analyzing and implementing network protocols. DRIVER leverages declarative networking, a recent innovation that enables network protocols to be concisely specified and implemented using declarative languages. DRIVER takes as input declarative networking specifications written in the Network Datalog (NDlog) query language, and maps that automatically into logical specifications that can be directly used in existing theorem provers to validate protocol correctness. As an alternative approach, network designer can supply a component-based model of their routing design, automatically generate PVS specifications for verification and subsequent compilation into veriffied declarative network implementations. We demonstrate the use of DRIVER for synthesizing and verifying a variety of well-known network routing protocols.

Runtime Verification of Traces under Recording Uncertainty

Shaohui Wang et al. — Tue, 15 Jan 2013 09:56:59 PST

We present an on-line algorithm for the runtime checking of temporal properties, expressed as past-time Linear Temporal Logic (LTL) over the traces of observations recorded by a "black box"-like device. The recorder captures the observed values but not the precise time of their occurrences, and precise truth evaluation of a temporal logic formula cannot always be obtained. In order to handle this uncertainty, the checking algorithm is based on a three-valued semantics for pasttime LTL defined in this paper. In addition to the algorithm, the paper presents results of an evaluation that aimed to study the effects of the recording uncertainty on different kinds of temporal logic properties.

A Systematic Approach to Justifying Sufficient Confidence in Software Safety Arguments

Anaheed Ayoub et al. — Thu, 03 Jan 2013 08:44:40 PST

Safety arguments typically have some weaknesses. To show that the overall confidence in the safety argument is considered acceptable, it is necessary to identify the weaknesses associated with the aspects of a safety argument and supporting evidence, and manage them. Confidence arguments are built to show the existence of sufficient confidence in the developed safety arguments. In this paper, we propose an approach to systematically constructing confidence arguments and identifying the weaknesses of the software safety arguments. The proposed approach is described and illustrated with a running example.

Introduction to the Special Issue on Runtime Verification

Oleg Sokolsky et al. — Thu, 03 Jan 2013 08:44:35 PST

Extending Task-level to Job-level Fixed Priority Assignment and Schedulability Analysis Using Pseudo-deadlines

Hoon Sung Chwa et al. — Wed, 19 Dec 2012 10:09:29 PST

In global real-time multiprocessor scheduling, a recent analysis technique for Task-level Fixed-Priority (TFP) scheduling has been shown to outperform many of the analyses for Job-level Fixed-Priority (JFP) scheduling on average. Since JFP is a generalization of TFP scheduling, and the TFP analysis technique itself has been adapted from an earlier JFP analysis, this result is counter-intuitive and in our opinion highlights the lack of good JFP scheduling techniques. Towards generalizing the superior TFP analysis to JFP scheduling, we propose the Smallest Pseudo-Deadline First (SPDF) JFP scheduling algorithm. SPDF uses a simple task-level parameter called pseudo-deadline to prioritize jobs, and hence can behave as a TFP or JFP scheduler depending on the values of the pseudodeadlines. This natural transition from TFP to JFP scheduling has enabled us to incorporate the superior TFP analysis technique in an SPDF schedulability test. We also present a pseudo-deadline assignment algorithm for SPDF scheduling that extends the well-known Optimal Priority Assignment (OPA) algorithm for TFP scheduling. We show that our algorithm is optimal for the derived schedulability test, and also present a heuristic to overcome the computational complexity issue of the optimal algorithm. Our simulation results show that the SPDF algorithm with the new analysis significantly outperforms state-of-the-art TFP and JFP analysis.

Clinical Decision Support for Integrated Cyber-Physical Systems: A Mixed Methods Approach

Alex Roederer et al. — Wed, 21 Nov 2012 07:48:56 PST

We describe the design and implementation of a clinical decision support system for assessing risk of cerebral vasospasm in patients who have been treated for aneurysmal subarachnoid hemorrhage. We illustrate the need for such clinical decision support systems in the intensive care environment, and propose a three pronged approach to constructing them, which we believe presents a balanced approach to patient modeling. We illustrate the data collection process, choice and development of models, system architecture, and methodology for user interface design. We close with a description of future work, a proposed evaluation mechanism, and a description of the demo to be presented.

Evaluation of a Smart Alarm for Intensive Care using Clinical Data

Andrew King et al. — Thu, 06 Sep 2012 16:06:15 PDT

We describe and report the results of an evaluation of a smart alarm algorithm for post coronary artery bypass graft (CABG) patients. The algorithm (CABG-SA) was applied to vital sign data streams recorded in a surgical intensive care unit (SICU) at a hospital in the University of Pennsylvania Health System. In order to determine the specificity of CABGSA, the alarms generated by CABG-SA were compared against the actual interventions performed by the staff of the critical care unit. Overall, CABG-SA alarmed for 55% of the time relative to traditional alarms while still generating alarms for 12 of the 13 recorded interventions.

Beyond SumBasic: Task-Focused Summarization with Sentence Simplification and Lexical Expansion

Lucy Vanderwende et al. — Tue, 21 Aug 2012 09:59:48 PDT

In recent years, there has been increased interest in topic-focused multi-document summarization. In this task, automatic summaries are produced in response to a specific information request, or topic, stated by the user. The system we have designed to accomplish this task comprises four main components: a generic extractive summarization system, a topic-focusing component, sentence simplification, and lexical expansion of topic words. This paper details each of these components, together with experiments designed to quantify their individual contributions. We include an analysis of our results on two large datasets commonly used to evaluate task-focused summarization, the DUC2005 and DUC2006 datasets, using automatic metrics. Additionally, we include an analysis of our results on the DUC2006 task according to human evaluation metrics. In the human evaluation of system summaries compared to human summaries, i.e., the Pyramid method, our system ranked first out of 22 systems in terms of overall mean Pyramid score; and in the human evaluation of summary responsiveness to the topic, our system ranked third out of 35 systems.

Rationale and Architecture Principles for Medical Application Platforms

John Hatcliff et al. — Tue, 14 Aug 2012 13:23:55 PDT

The concept of “system of systems” architecture is increasingly prevalent in many critical domains. Such systems allow information to be pulled from a variety of sources, analyzed to discover correlations and trends, stored to enable realtime and post-hoc assessment, mined to better inform decisionmaking, and leveraged to automate control of system units. In contrast, medical devices typically have been developed as monolithic stand-alone units. However, a vision is emerging of a notion of a medical application platform (MAP) that would provide device and health information systems (HIS) interoperability, safety critical network middleware, and an execution environment for clinical applications (“apps”) that offer numerous advantages for safety and effectiveness in health care delivery.

In this paper, we present the clinical safety/effectiveness and economic motivations for MAPs, and describe key characteristics of MAPs that are guiding the search for appropriate technology, regulatory, and ecosystem solutions. We give an overview of the Integrated Clinical Environment (ICE) – one particular achitecture for MAPs, and the Medical Device Coordination Framework – a prototype implementation of the ICE architecture.

Trust in Collaborative Web Applications

Andrew G. West et al. — Wed, 01 Aug 2012 09:20:45 PDT

Collaborative functionality is increasingly prevalent in web applications. Such functionality permits individuals to add - and sometimes modify - web content, often with minimal barriers to entry. Ideally, large bodies of knowledge can be amassed and shared in this manner. However, such software also provide a medium for nefarious persons to operate. By determining the extent to which participating content/agents can be trusted, one can identify useful contributions. In this work, we define the notion of trust for Collaborative Web Applications and survey the state-of-the-art for calculating, interpreting, and presenting trust values. Though techniques can be applied broadly, Wikipedia's archetypal nature makes it a focal point for discussion.

The Pyramid Method: Incorporating Human Content Selection Variation in Summarization Evaluation

Ani Nenkova et al. — Tue, 31 Jul 2012 08:47:18 PDT

Human variation in content selection in summarization has given rise to some fundamental research questions: How can one incorporate the observed variation in suitable evaluation measures? How can such measures reflect the fact that summaries conveying different content can be equally good and informative? In this article, we address these very questions by proposing a method for analysis of multiple human abstracts into semantic content units. Such analysis allows us not only to quantify human variation in content selection, but also to assign empirical importance weight to different content units. It serves as the basis for an evaluation method, the Pyramid Method, that incorporates the observed variation and is predictive of different equally informative summaries. We discuss the reliability of content unit annotation, the properties of Pyramid scores, and their correlation with other evaluation methods.

To Memorize or to Predict: Prominence Labeling in Conversational Speech

Ani Nenkova et al. — Tue, 31 Jul 2012 08:38:33 PDT

The immense prosodic variation of natural conversational speech makes it challenging to predict which words are prosodically prominent in this genre. In this paper, we examine a new feature, accent ratio, which captures how likely it is that a word will be realized as prominent or not. We compare this feature with traditional accent-prediction features (based on part of speech and N-grams) as well as with several linguistically motivated and manually labeled information structure features, such as whether a word is given, new, or contrastive. Our results show that the linguistic features do not lead to significant improvements, while accent ratio alone can yield prediction performance almost as good as the combination of any other subset of features. Moreover, this feature is useful even across genres; an accent-ratio classifier trained only on conversational speech predicts prominence with high accuracy in broadcast news. Our results suggest that carefully chosen lexicalized features can outperform less fine-grained features.

Measuring Importance and Query Relevance in Toopic-Focused Multi-Document Summarization

Surabhi Gupta et al. — Tue, 31 Jul 2012 06:56:44 PDT

The increasing complexity of summarization systems makes it difficult to analyze exactly which modules make a difference in performance. We carried out a principled comparison between the two most commonly used schemes for assigning importance to words in the context of query focused multi-document summarization: raw frequency (word probability) and log-likelihood ratio. We demonstrate that the advantages of log-likelihood ratio come from its known distributional properties which allow for the identification of a set of words that in its entirety defines the aboutness of the input. We also find that LLR is more suitable for query-focused summarization since, unlike raw frequency, it is more sensitive to the integration of the information need defined by the user.

Entity-Driven Rewrite for Multi-Document Summarization

Ani Nenkova — Tue, 31 Jul 2012 06:47:19 PDT

In this paper we explore the benefits from and shortcomings of entity-driven noun phrase rewriting for multi-document summarization of news. The approach leads to 20% to 50% different content in the summary in comparison to an extractive summary produced using the same underlying approach, showing the promise the technique has to offer. In addition, summaries produced using entity-driven rewrite have higher linguistic quality than a comparison non-extractive system. Some improvement is also seen in content selection over extractive summarization as measured by pyramid method evaluation.