~sa-circa/talks/cog-arch-03/cog-arch-03.ppt
Honeywell Laboratories
Goals and Threats: Motivations in CIRCA
David J. Musliner
Honeywell Laboratories
[email protected] (612) 951-7599
Still working on my (Michigan) thesis topic. 13 years since first CIRCA paper.
• Time-critical, hazardous, open-world domains: CIRCA guarantees that it will respond in a timely way to threats in its environment, avoiding failures and pursuing goals.
– Requires robustness beyond human performance.
• Bounded reactivity: CIRCA reasons explicitly about the time needed for sensing and actions (“perceptual-motor limits”).
• Bounded rationality: CIRCA dynamically builds reactive plans for only the immediately relevant parts of the situation. CIRCA is self-aware, using meta-level deliberation scheduling to optimize its online planning process.
Multi-Agent Self-Adaptive CIRCA
Approach:
• Automatic synthesis and adaptation of guaranteed real-time controllers.
Performance:
• Reactive control responses to threats and contingencies in milliseconds.
• Coordinated multi-agent behaviors in tens of milliseconds.
• Dynamic reconfiguration of team mission plan in less than 10 seconds.
• Demonstrations in simulated UAV team domains: coordinated defense, dynamic replanning for contingencies.
Impact:
• Robust UAVs that rebuild their own control systems in response to contingencies (e.g., damage, target of opportunity).
• Smart UAV teams that actively coordinate distributed capabilities/resources to maximize mission effectiveness.
• Sponsor: DARPA ANTS.
• Teammate: Univ. of Michigan
Goal: Adaptive real-time coordination and control of multi-UAV teams.
Intelligent Real-Time Cyber Security
Approach:
• Use CIRCA to plan and execute reactive security controllers.
• Tailor responses automatically according to available resources, varying threat levels & security policies.
Performance:
• Fully autonomous operations defeating attacks in microseconds.
Impact:
• Real-time responses defeat manual and automated attack scripts.
• Automatic tradeoffs of security vs. service level and accessibility.
• System derives responses for novel attacks built from known components.
Sponsor: DARPA CyberPanel.
Teammate: Secure Computing
Goal: Automatic real-time response to computer security intrusions.
[Figure: block diagram with labels: Computing services; Active Security Controller; Executive; Controller Synthesis Module; Networks, Computers; Attacks, intrusions; Intrusion Assessment; Security Tradeoff Planner.]
CIRCA Architecture
Adaptive Mission Planner: Divides an overall mission into multiple phases, with limited performance goals designed to make the planning problem solvable with available time and available execution resources. Deliberation scheduling.
Controller Synthesis Module: For each mission phase, plans a set of real-time reactions according to the constraints sent from AMP. Planning.
Real Time Subsystem: Continuously executes planned control reactions in hard real-time environment; does not “pause” waiting for new plans. Execution.
[Figure: Adaptive Mission Planner, Controller Synthesis Module, Real Time System.]
How CIRCA Works
[Figure labels: Start, Goal; Adaptive Mission Planner: break down mission; Controller Synthesis Module: generate controller; Real Time System: execute controller.]
if (state-1) then action-1
if (state-2) then action-2
...
Extending Performance Guarantees to Multi-Agent Teams
Adaptive Mission Planner: Negotiates roles and responsibilities between agents in collaborative team.
Controller Synthesis Module: Builds controllers that include coordinated actions by multiple agents.
Real Time Subsystem: Executes coordinated controllers predictably, including distributed sensing and acting.
Only system to guarantee timing of end-to-end multi-agent coordinated behaviors
[Figure: two Adaptive Mission Planner / Controller Synthesis Module / Real Time System stacks, with labels: Roles, Goals; Planned Actions, Planned Negotiations; Real-Time Reactions.]
Real Time Subsystem (RTS)
• The RTS executes loops of Test-Action Pairs (TAPs).
• The RTS executes in parallel with the other CIRCA modules.
• Parallel execution permits re-planning using computationally-expensive algorithms while preserving platform safety.
• Special-purpose TAPs used to download and switch to next controller.
• RTS includes multiple TAP schedule caches to hold controllers before they are activated.
• Example TAP:
- If (radar-missile-tracking T) then begin-evasives with max-delay: 300 msec.
• State Space Planner predicts future threats and opportunities, plans actions with timing constraints for future states.
• Verifier reasons about complex temporal model to ensure that all failures are preempted.
• TAP compiler reduces timed automata controller model to time-constrained reactions (Test-Action Pairs).
• Scheduler builds executable cycle of TAPs to meet time constraints.
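Added example (not CIRCA's scheduler and not from the original slides): a small greedy builder for a looping TAP cycle that repeats a TAP until its worst-case response fits its max-delay. The 300 msec bound is the example TAP's; the execution times, the other two TAPs and the latency model are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TAP:
    name: str
    wcet: int        # assumed worst-case time to run test + action (msec)
    max_delay: int   # bound from "test condition true" to "action done" (msec)

def worst_latency(cycle, tap):
    """Worst-case response of `tap` in a looping cycle: the condition turns
    true just after one test of it, so we wait the longest gap between two
    consecutive starts of this TAP and then run it once."""
    starts, t = [], 0
    for x in cycle:
        if x == tap:
            starts.append(t)
        t += x.wcet
    period = t
    gaps = [b - a for a, b in zip(starts, starts[1:] + [starts[0] + period])]
    return max(gaps) + tap.wcet

def build_cycle(taps, max_len=32):
    """Start with one copy of each TAP; while some TAP misses its bound,
    insert another copy of the worst offender where it helps that TAP most."""
    cycle = list(taps)
    while len(cycle) <= max_len:
        late = [t for t in taps if worst_latency(cycle, t) > t.max_delay]
        if not late:
            return cycle
        worst = max(late, key=lambda t: worst_latency(cycle, t) - t.max_delay)
        options = [cycle[:i] + [worst] + cycle[i:] for i in range(1, len(cycle) + 1)]
        cycle = min(options, key=lambda c: worst_latency(c, worst))
    return None      # no feasible cycle found within max_len entries

# Constructed sample TAPs; only the 300 msec max-delay comes from the slide.
EVASIVES = TAP("begin_evasives", wcet=50, max_delay=300)
NAVIGATE = TAP("navigate", wcet=200, max_delay=1000)        # hypothetical
REPORT = TAP("report_status", wcet=150, max_delay=2000)     # hypothetical

if __name__ == "__main__":
    cycle = build_cycle([EVASIVES, NAVIGATE, REPORT])
    print([t.name for t in cycle], worst_latency(cycle, EVASIVES))
```

Running each TAP once per loop leaves begin_evasives with a 450 msec worst case; a second copy between the two slower TAPs brings it to exactly 300 msec.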
[Figure: Controller Synthesis Module components: State Space Planner, Verifier, TAP Compiler, Scheduler.]
CSM Algorithm
• CSM essentially determines a strategy in a timed game against a worst-case adversary.
• Search loop iteratively selects a state and chooses action for that state.
– Heuristics guide choice for safety and goal achievement.
– Approximations indicate that timing will work.
– Formal reachability analysis called after each action choice, to confirm that all planned preemptions will occur.
– If failure reachable, path to failure can be used to backjump to most recent decision related to any state on the path.
CIRCA Motivations: Threats
• Threats represented by temporal transitions to failure (TTFs).
• CSM only returns plans that make failure unreachable, using:
– Prevention: planned actions never allow TTF preconditions to become true.
– Preemption: planned actions will definitely happen before TTFs.
[Figure: state diagram with states OK, Threatened, Safe and Failure.]
Radar Threat Domain - 1
;; Radar-guided missile threats can occur at any time.
(make-instance 'event
  :name "radar_threat"
  :preconds '((radar_missile_tracking F))
  :postconds '((radar_missile_tracking T)))
;; You die if you don't defeat a threat by 1200 time units.
(make-instance 'temporal
  :name "radar_threat_kills_you"
  :preconds '((radar_missile_tracking T))
  :postconds '((failure T))
  :min-delay 1200)
Radar Threat Domain - 2
;; It takes no more than 10 time units to start evasives.
(make-instance 'action
  :name "begin_evasive"
  :preconds '((path normal))
  :postconds '((path evasive))
  :max-delay 10)
;; We defeat missile in between 250 and 400 time units.
(make-instance 'reliable-temporal
  :name "evade_radar_missile"
  :preconds '((radar_missile_tracking T) (path evasive))
  :postconds '((radar_missile_tracking F))
  :delay (make-range 250 400))
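Added example (not from the original slides and not CIRCA's verifier): a worst-case check that the planned reaction preempts the temporal transition to failure in the radar domain above. The delays are the ones in the domain description; the TAP test on begin_evasive, the state encoding and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

INF = float("inf")

@dataclass
class Transition:
    name: str
    pre: dict               # feature -> value that must hold
    post: dict              # feature -> value after firing
    min_delay: float = 0    # earliest firing time once enabled
    max_delay: float = INF  # latest firing time; finite only if guaranteed

def holds(cond, state):
    return all(state.get(f) == v for f, v in cond.items())

def exposure(state, ttf, guaranteed, seen=frozenset()):
    """Upper bound on how long ttf.pre can stay true starting in `state`,
    counting only on planned actions and reliable temporals (`guaranteed`).
    The bound accumulates across states, because the threat's clock keeps
    running for as long as its preconditions hold."""
    if not holds(ttf.pre, state):
        return 0
    key = frozenset(state.items())
    enabled = [t for t in guaranteed if holds(t.pre, state)]
    if key in seen or not enabled:
        return INF          # nothing is guaranteed to remove the threat
    dwell = min(t.max_delay for t in enabled)
    return dwell + max(exposure({**state, **t.post}, ttf, guaranteed, seen | {key})
                       for t in enabled)

def preempted(state, ttf, guaranteed):
    # Preemption: the threat is gone strictly before the TTF can first fire.
    return exposure(state, ttf, guaranteed) < ttf.min_delay

# Delays from the domain description; the TAP test on BEGIN is an assumption.
TTF = Transition("radar_threat_kills_you", {"radar_missile_tracking": True},
                 {"failure": True}, min_delay=1200)
BEGIN = Transition("begin_evasive", {"radar_missile_tracking": True, "path": "normal"},
                   {"path": "evasive"}, max_delay=10)
EVADE = Transition("evade_radar_missile", {"radar_missile_tracking": True, "path": "evasive"},
                   {"radar_missile_tracking": False}, min_delay=250, max_delay=400)
THREATENED = {"radar_missile_tracking": True, "path": "normal"}

if __name__ == "__main__":
    plan = [BEGIN, EVADE]
    print(exposure(THREATENED, TTF, plan), preempted(THREATENED, TTF, plan))
```

The threat stays live through both states, so the bound is 10 + 400 = 410 time units against a failure that cannot occur before 1200; without the planned begin_evasive reaction nothing bounds the exposure.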
Preemption as Key Planning Structure
Key Concept: Prevent Failure
[Figure: state diagram. States: (Radar-missile-tracking F, Path normal); (Radar-missile-tracking T, Path normal); (Radar-missile-tracking T, Path evasive); FAILURE. Transitions: RadarThreat; Radar-threat-kills-you; Begin-evasive, labelled "preemption".]
Non-Markov Temporal Model
[Figure: state diagram. States: (Radar-missile-tracking F, Path normal); (Radar-missile-tracking T, Path normal); (Radar-missile-tracking T, Path evasive); (Radar-missile-tracking F, Path evasive); FAILURE. Transitions: RadarThreat; Begin-evasive; Evade-radar-missile; Radar-threat-kills-you (shown twice).]
Why non-Markov? Efficient reactive plan construction.
CIRCA Motivations: Goals
• Represented by designation of specific desirable feature/value pairs.
• CSM heuristic guides system to choose actions that try to achieve (and re-achieve) maximum number of goal features.
• All goals are:
– Conjunctive.
– Optional.
Radar Threat Domain - 3
;; Your goal is to continue flying normal path.
(make-instance 'goal
  :condition '((path normal)))
Optional elements for different planners:
• :reward
• :priority
• Expected number of required samples only depends on failure probability and threshold, not state space size!
• Domain-dependent factors affecting time to generate each sample:
– Time period considered (tmax).
– Mean values of the distribution functions F.
• In practice, this allows us to generate probabilistically-verified plans for very large domains that cannot be handled by complete (non-probabilistic) model-checking approaches.
Optimizing Plans in GSMPs
• Adding probabilistic delay distributions to timed automata yields Generalized Semi-Markov Process model:
– Efficient for representing real world.
– No analytic solutions available.
• Adding reward model gives opportunity for decision-theoretic solution criterion: maximize expected utility.
• Approach: generate plans and assess EU dominance using Monte Carlo sampling of GSMP executions.
– Backjump based on sample traces.
• New ideas: local search; evolutionary search in reaction space.
Learning in CIRCA: Not About Speedup
• Unique requirements on learning for mission-critical systems.
• Executive can learn primitive operator response times.
– Currently an offline, manual process transfers that knowledge to planner.
• Learning from failure: if a planned preemption does not occur, model can be revised because either:
– Action or reliable temporal process was slower than modeled bounds.
– Threat temporal process was faster than modeled bounds.
– Planner tells us what features to watch for learning.
• Learning from unexpected reachable states:
– Self-aware system knows what should happen, can explicitly build context-specific responses to surprises, including planning “harder”, invoking default safe modes, and revising models.
• Learning refined planner performance profiles.
– Performance monitoring during planning for a selected problem can indicate reduced probability of solution, prompt switch to different problem.
Summary: Cool Things About CIRCA
• Builds and executes plans that provide real-time performance guarantees.
• Automatically trades off mission goals with mission safety.
• Multiple CIRCA agents can coordinate and cooperate on teamed real-time behaviors.
• Self aware: adapts planning process to time available.
• The End.
Recent Advances
• Multi-agent CIRCA negotiates responsibilities (threats, goals).
• Coordinated real-time reactions.
• Planning with Generalized Semi-Markov Process models (GSMPs).