2.2.1 The METRIP project
METRIP was a European project under the Programme Prevention, Preparedness and Consequence Management of Terrorism and other Security related Risks, coordinated by AnsaldoSTS. Its general objective was the development of methodological tools for increasing the physical protection of railway infrastructure systems, with a focus on urban mass transportation. To this end, METRIP defined a decision-making system for supporting the design and evaluation of physical protection systems (PPSs). The decision-making system is intended to: (i) suggest the types and disposition of devices that maximize protection effectiveness; and (ii) help evaluate the effectiveness of a given PPS against attacks. The approach adopted within the METRIP project combines Model-Driven Engineering (MDE) techniques, optimization models and formal quantitative models to carry out a vulnerability analysis of the critical assets of a Railway Infrastructure System (RIS) against various classes of attacks, and to evaluate different solutions in the design of protection systems.
2.2.2 Model-Driven Engineering
Model-driven engineering (MDE) is a software development methodology which focuses on creating and exploiting domain models (representations of the knowledge and activities that govern a particular application domain) rather than on computing (i.e., algorithmic) concepts. MDE is a promising approach to address platform complexity and the inability of third-generation languages to alleviate this complexity and express domain concepts effectively; it combines the following [61]:
• Domain-Specific Modeling Languages (DSMLs), whose type systems formalize the application structure, behavior, and requirements within particular domains. DSMLs are described using metamodels, which define the relationships among concepts in a given domain, specifying the key semantics and constraints associated with these domain concepts. In this way, for building applications, developers use the elements captured by metamodels and express design intent declaratively rather than imperatively.
• Transformation engines and generators that analyze certain aspects of models and then synthesize various types of artifacts, such as source code, simulation inputs, XML deployment descriptions or alternative model representations. The ability to synthesize artifacts from models helps ensure consistency between the application and the analysis information associated with the functional requirements captured by models.
So, MDE focuses on developing domain models and is very appealing in industrial settings. It allows for a high level of abstraction as well as the definition of modeling paradigms that are effective from the modeller's point of view, since they are based on domain knowledge.
DSML and UML profiles
DSMLs are small and well focused on the domain scope; they simplify the design process, capture recurring design patterns in the application domain, and promote communication by standardizing the terminology and the best practices to be used in the specific application domain. A key category of support for domain-specific modeling is represented by UML profiles. UML profiling is actually a lightweight meta-modeling technique to extend UML [62]. It is a powerful means to define DSMLs [63] which offers two main advantages within a Model-Driven Engineering context with respect to the development of ad-hoc DSMLs: i) a UML profile is effective from the modeler's perspective, as it captures and easily replicates the modeler's architectural knowledge of a specific domain at different levels; ii) a UML profile allows for the adoption of available and standard techniques and tools which may be easily integrated into existing production systems. In addition, the usage of a modeling language based on few and well specified domain-related concepts supports the definition of model transformations, thus allowing the development of a complete model-driven design methodology. A UML Profile is just an extension of UML, defined in terms of stereotypes (concepts in the target domain that are added to UML) and tags (the attributes of the stereotypes).
Transformation
The transformational approach is based on: a) the definition of a set of proper transformation rules to map the high-level conceptual languages to the formal languages used for quantitative modeling or to the input data format of solving tools; b) the implementation of the transformations which translate the conceptual models into quantitative models or other artifacts needed for decision support. The transformations can be classified into Model-to-Model (M2M) and Model-to-Text (M2T) transformations. The first category aims at transforming the model into another model, expressed for example in a different formalism. The main reason for their usage is that the new model may enable analyses that are not feasible in the previous formalism. This approach is widely used in this thesis. The second category is typically performed by queries in order to obtain some textual information from the model. For example, this can be useful when structured data must be extracted to perform processing with other software tools.
2.2.3 Bayesian Networks
Bayesian Networks (BNs) [64,65], also known as belief networks, provide a graphical representation of a joint probability distribution over a set of random variables with possible mutual causal relationships. The network is a directed acyclic graph (DAG) whose nodes represent random variables and whose arcs represent causal influences between pairs of nodes (i.e., an arc stands for a probabilistic dependence between two random variables). In addition to the DAG structure, which is often considered the qualitative part of the model, one needs to specify the quantitative parameters of the model [66]. The parameters are described through a conditional probability distribution which is defined for each node in the network. For discrete random variables, this conditional probability is often represented by a table (conditional probability table, CPT). Hence, the CPT gives the probability of each value of a child node given every possible combination of values for its parents. A prior probability should be provided for the source nodes of the DAG, as they have no parents. Founded on Bayes' theorem, a BN provides a means to evaluate all possible inference queries, where probabilities are not understood as frequencies but rather as confidence levels that an event occurs. In this way, it is possible to provide predictive support for a node, based on evidence nodes connected to it through its parent nodes.
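As an added illustration (not code from the thesis or the METRIP project), the following Python block builds a three-node BN for a physical protection scenario, Attack -> Detected -> Alarm, with a prior on the source node and a CPT per child node, and answers both predictive queries (P(Alarm | Attack)) and diagnostic queries (P(Attack | Alarm)) by exact enumeration over the joint distribution. The node names and all probability values are constructed assumptions for the example.

```python
from itertools import product

# Constructed toy network for a physical protection system (values are
# illustrative assumptions, not figures from METRIP). All variables are boolean.
# Each node maps to (list of parents, CPT: parent-value tuple -> P(node=True)).
PPS_NET = {
    "Attack":   ([], {(): 0.01}),                              # prior of the source node
    "Detected": (["Attack"], {(True,): 0.90, (False,): 0.05}), # sensor hit / false alarm
    "Alarm":    (["Detected"], {(True,): 0.95, (False,): 0.01}),
}

def node_prob(net, node, value, assignment):
    """P(node=value | parents), read from the node's CPT under a full assignment."""
    parents, cpt = net[node]
    p_true = cpt[tuple(assignment[p] for p in parents)]
    return p_true if value else 1.0 - p_true

def joint(net, assignment):
    """Joint probability of a full assignment: product of one CPT entry per node."""
    prob = 1.0
    for node in net:
        prob *= node_prob(net, node, assignment[node], assignment)
    return prob

def query(net, target, evidence):
    """Exact inference by enumeration: returns P(target=True | evidence).

    Hidden variables (neither target nor evidence) are summed out of the joint;
    the two unnormalised sums are then normalised, which is Bayes' theorem."""
    hidden = [n for n in net if n != target and n not in evidence]
    unnorm = {}
    for t_val in (True, False):
        total = 0.0
        for combo in product((True, False), repeat=len(hidden)):
            assignment = dict(evidence)
            assignment[target] = t_val
            assignment.update(zip(hidden, combo))
            total += joint(net, assignment)
        unnorm[t_val] = total
    return unnorm[True] / (unnorm[True] + unnorm[False])

if __name__ == "__main__":
    print("P(Attack)              =", query(PPS_NET, "Attack", {}))
    print("P(Alarm | Attack=True) =", query(PPS_NET, "Alarm", {"Attack": True}))   # predictive
    print("P(Attack | Alarm=True) =", query(PPS_NET, "Attack", {"Alarm": True}))   # diagnostic
```

With these constructed values an alarm raises the belief in an attack from the 1% prior to roughly 13%, which shows why the false-alarm rate of the detection layer matters as much as its hit rate when a PPS is evaluated.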