SecuriDN is a tool for the representation of the assets composing the IT and the OT subsystems of DER (Distributed Energy Resources) control networks and the possible cyberattacks that can threaten them. In this paper the main goals of such tool and its features are described using a simple example. Cybersecurity of critical systems is receiving a great attention in the endeavour to guarantee national safety. Cyberattacks to such systems can have global and disastrous consequences. We focus in particular on the electro-energetic sector, which in recent decades is following a trend of increasing complexity, transitioning from a unidirectional “producer to consumer” model to a grid in which each actor can be both producer and consumer. The coordination and optimisation of the generated/consumed fluxes requires a continuous exchange of information and therefore a high level of connectivity of all involved devices. This in turn provides an environment rich of opportunities for adversarial activity, since complexity tends to bring along vulnerability. Several European and national legislative acts address the data exchanges of energy infrastructures and their cybersecurity. The European Union Regulation 2017/1485 SOGL System Operation Guideline aims to provide a set of guidelines including operation security for transmission grid, harmonised rules for transmission and distribution system operators and Significant Grid User (SGU) for interconnection operations. The EU cybersecurity Directive
NIS, introduced in 2016, has been updated with NIS2 Directive which came into force in 2023 and introduces new cybersecurity obligations for essential and important critical infrastructure operators. Each member state including Italy implements the NIS2 Directive through a series of national legislative acts. Moreover specific national norms of the energy sector include cybersecurity obligations based on international standards, as for example CEI 0-16 (high and medium voltage SGU connection rules) and CEI 0-21 (low voltage SGU connection rules).
In this setting, we are working on the development of a set of tools to enable the cybersecurity analyst to face the threats in a more informed way, requiring fewer competences on the side of the specialised personnel. It is well known that cyberattacks progress through various steps of a cyber kill-chain, and our objective is to enable early detection of threats, in order to be able to discover adversarial activity in its first phases of the process to prevent any damage to the assets and any degradation of functionality.
In this paper we present a graphical tool, called SecuriDN1, that enables the security analyst to define AI based detection models by just defining, through a graphical interface, the network architecture of interest. The user combines predefined assets and defines their relationships according to the existing architecture. Each resource that intervenes in this construction contains information on the attacks that can be made to the resource itself, and their relations indicate how such attacks can propagate to other assets. When the architecture is complete, SecuriDN combines the information present on the various nodes into an attack graph that represents the possible attack processes that the adversary can choose. Since in realistic complex systems manual generation of the attack graph can be time-consuming and error-prone, its automatic production is a first valuable support to the security analyst’s work.
Moreover, the tool is capable of deriving from the attack graph a Dynamic Bayesian Network (DBN) used to compute the probability that a specific target is or will be compromised. In the field of artificial intelligence, Bayesian Networks are graphic-probabilistic models that are widely used for the representation of uncertain knowledge and in particular DBNs are able to model the temporal aspects, useful for capturing the dynamics of an attack process. Furthermore, the formalism allows exploiting the dependencies between the modeled entities to significantly reduce the number of parameters necessary to specify the stochastic behavior of the process. The DBN’s parameterization, out of the scope of this paper, can be achieved in two possible ways in our system: using measurements observed in a real system or experimental testbed; or learning from data extracted from a simulation model.
The SecuriDN tool is a component of a larger platform that provides a complete architecture
for a flexible detection system of adversarial activity. SecuriDN runs on the cyber security
analyst’s workstation and enables the design of new models for analysis of the evidences. Such
models will be deployed as detection modules in the framework. Evidences collected from the
monitored network are filtered in real time by an Opensearch database pipeline and provided to
the detection modules through a communication channel implemented according to a
producerconsumer scheme to enable coexistence and cooperation of diferent modules at the same time.
The results of the analyses performed by the modules is then presented to the analyst via the
Opensearch Dashboard, enabling detection of adversarial activity while it is taking place. The
platform is currently part of a testbed for detection models [
Since SecuriDN is capable of working with multiple formalisms, it enables to collect in a single tool the experiences of heterogeneous experts that can then be leveraged using a simple graphic interface. The diversification possible thanks to this multiformalism approach enables the selection of the most appropriate formalism, possibly customized to tackle more precisely the specific detection problem.
The paper is organized as follows. In Sec. 2 we discuss related work. Sec. 3 provides necessary preliminary notions. SecuriDN is presented in Sec. 4. Finally we conclude the paper in Sec. 5.
There has been a significant amount of work on developing quantitative evaluation tools for
computer security. In particular, the methodology of Attack Trees (AT) has become popular
and has been applied in several contexts, such as SCADA systems [
Since the basic AT does not include any defense mechanism, extensions have been proposed
to incorporate defense mechanisms (or countermeasures) [
In general, AT models are easy to build and very readable, but they lack modelling power
because they can only represent the features that Boolean gates can express. PN based models
can model more sophisticated events, but they are harder to build, less readable and less intuitive
to interpret. A trade-of is the generation of PN models from AT [
An example of a security assessment tool that combines some of the previously mentioned
formalisms is ADVISE (ADversary VIew Security Evaluation) [
Bayesian Networks (BN) are a widely used formalism for representing uncertain knowledge in probabilistic systems, applied to a variety of real-world and complex problems. The adoption of BNs, and their temporal aware versions, Dynamic Bayesian Networks (DBN), for security modeling has been advocated by several researchers [18, 19, 20, 21]. Such approaches start from AG models to show how BNs can be derived, stressing the evidence-based analysis allowed by such a formalism.
SecuriCAD [22] is a security assessment tool that allows to define the architecture of ICT infrastructures and automatically generates the AG according to a predefined library of attack steps. Models can be defined using a Domain Specific Language (DSL) expressed in the Meta Attack Language (MAL) [23]. The resulting AG is evaluated by Monte Carlo simulation to compute the distribution of the mean completion time of the identified critical paths. In comparison, SecuriDN allows to define the architecture and customize the attack process of each asset in a graphic version of a MAL-based DSL. It also generates an AG, which is translated in a DBN capable to capture the temporal evolution of the attack. Its evaluation provides results conditioned on a stream of observations. These features make the model suitable to be used as an online detection module able to adjust its results learning from the collected evidences.
The cybersecurity of energy infrastructures has increasingly become a relevant field of study that has attracted attention from both industry and academic world. This interest has grown along the years with cyber incidents that have occurred in the recent past, such as Stuxnet [24] and CrashOverride/Industroyer [25]. The first one targeted Iranian nuclear power plants and, by exploiting communication through the programmable controller, it successfully reconfigured some operational parameters of the centrifuge units. The second one instead targeted some Ukrainian distribution grids and, among its other capabilities, it could send malicious control commands directly to Remote Terminal Units (RTU) to toggle circuit breakers in a rapid openclose-open-close pattern and caused a widespread blackout. This kind of cyberattacks were made possible by the capability to compromise IT/OT networks infrastructures based on TCP/IP technologies. The energy transition that will characterize the next future requires a pervasive digitalisation of the infrastructure. This increases the cyber risk in terms of extension of attack surface. This new landscape requires new functionalities and systems for the operation of power infrastructures, including control centers, substations, generation plants and loads. In particular distributed energy resources connected in medium and low voltage, especially generation resources from renewable sources and electric vehicle charging infrastructure are characterized by an unpredictable power profile. The operation of the infrastructure including these components, the management of the flexibility of the power demand and the need to provide ancillary services to grid operators requires secure ICT infrastructures.
An example of this kind of trend can be observed in the infrastructure of modern substations [26]. Power transformation substations are in fact responsible for managing the voltage/current transition from transmission grids (e.g. 66 ) to distribution grids (e.g. 11 ). Human Machine Interface (HMI) and a Supervisory Control & Data Acquisition (SCADA) system are typical nodes of the control architecture. These allow to monitor the status of the power grid and initiate control operations. Within this complex framework it is essential to adopt a communication standard to ensure interoperability between various devices and vendors. For this purpose, the IEC 61850 [27] standard has been defined, in fact it specifies both the data model underlying the substation and its mappings onto various communication protocols. Some of them are specific to perform station-bus communication (mainly SCADA/HMI querying IEDs and PLCs) such as the Manufacturing Message Specification (MMS) that works over TCP/IP and for this reason it is vulnerable to cyberattacks such as Man In The Middle (MITM) or Distributed Denial of Service (DDoS). Others are responsible for process-bus communication such as the Sampled Values (SV) and the Generic Object Oriented Substation Event (GOOSE) protocols. The SV protocol is used to carry digitalized measurements taken from physical devices to the remote IED, while the GOOSE protocol has been introduced for announcing status updates across various IEDs (e.g. open or closed state of a circuit breaker controlled by a certain IED). These last two protocols are more time critical so they function directly upon link-layer communication, but they can still be target of False Data Injection attacks (FDI) [28].
In order to defend against this type of cyber assaults, the IEC 62351 series of standards [29] was developed, but the security measures it introduces (e.g. digital signatures and authentication schemes) are not often implemented in brownfields due to legacy issues related to existing equipment and applications [30]. As specified by the Norm CEI 0-16 for the new applications performing DER control, in the focus of this paper, the implementation of cybersecurity profiles compliant with IEC 62351 is mandatory.
The design of complex systems can be fruitfully supported by modeling: both qualitative and quantitative measures can be evaluated on the models, and the results can be used to guide the design. Models are the basis of Model Driven Engineering (MDE) techniques [31], and it is very important to pursue the goal of embedding in a single flexible framework the possibility of choosing among multiple modeling formalisms and solution methods, in order to represent and evaluate the system by means of the most suitable model and solver. Software tools for performance and dependability analysis have been developed with this goal in mind, such as Möbius [32] and SHARPE [33], but the set of supported formalisms is usually predefined and closed.
The Draw-Net Modeling System (DMS) [34, 35, 36] is a customizable framework supporting the design and the solution of models expressed in any graph-based formalism. The system is characterized by an open architecture and includes an XML based language family that can be used to define existing as well as new formalisms and the models expressed through such formalisms. The original idea behind DMS, that diferentiates it from the other approaches, is the possibility of easily adding new formalisms without recompiling the DMS source code and the fact that it favours the reuse and integration, with a small programming efort, of existing tools for solving models.
During the years, many formalisms (Petri Nets, Bayesian Networks, Fault Trees, etc.) and the
corresponding solvers have been included in DMS [
DMS is a Java-based framework exploiting the DNlib library [34, 35]. The general architecture of DMS is composed by the following main levels (Fig. 1).
The formalism level defines all the primitives that can be used to design a model. A formalism is defined as the tuple = {, , , , , } where is the set of Elements; is the set of Properties; is the set of Constraints; is the structure function associating each element to its properties; is the inheritance function setting that one or more elements inherit the properties of a specific (abstract) element; is the property typing function setting the type of each property.
Elements correspond to the possible nodes and arcs in the model. Properties are the attributes associated with an element. Moreover, an element has graphical properties (shape, size, color, etc.). Properties are typed: they can only contain values of a specific type (integer, float, string, Boolean, etc.). Finally, Constraints are logical propositions that describe required consistency relations among elements and properties of a model.
XML files contain the elements, their properties (including the graphical ones), and the solver(s) associated with the formalism.
The model level describes a system using the primitives defined in the formalism to specify a model which is defined by the tuple = {, , 0, , , } where is the formalism; is the set of element instances (every ∈ represents an instance of an element of ); 0 ∈ is the main element; is the element typing function associating ∈ with the formalism element to which corresponds (the element must not be abstract); is the assignment function which specifies the property values ( (, ) is the value of property of instance ∈ ).
The user exploits Draw-Net to select a formalism among the available ones, load its definition from the XML files, and design models conforming that formalism (Fig. 1).
The solver level concerns the conversion, the analysis, the simulation, or any other elaboration of the model. Still by means of Draw-Net the user can set the results to compute, save the model into one XML file, and execute the solver on the model. The results produced by the solver can be shown by Draw-Net at the end of the model solution (Fig. 1).
Bayesian Networks (BN) [
A DBN can in general represent semi-Markovian stochastic processes of order − 1, providing the modeling for time slices. When the Markovian assumption holds ( = 2), only 2 time slices are considered in order to model the system temporal evolution: the slice at time depends only on the previous slice at − ∆ , and is conditionally independent of the past ones. In such a case we have a two time slice temporal Bayesian Network (a 2-TBN, see Appendix A).
In our setting the nodes of a DBN represent either attack steps or evidence collected from the monitored network by the analytics. The DBN enables inference of the security posture of the network through the observed evidence. Several kinds of inferences can be carried out using a DBN, supporting the analyst’s decision process in various ways: • Monitoring of the security posture: it is possible to compute in real time the probability that an attack attempt is taking place, based on the observations gathered by the analytics. When this probability value exceeds a given threshold, the analyst can infer that an attack attempt is in progress. This feature can support early detection. • Prediction of adversarial activity: the predictive inference task allows to identify the subset of techniques that the attacker will more likely exploit in the future, again based of evidence obtained from the analytics. This allows the analyst to plan ahead, setting up appropriate defensive actions. • Diagnosis: DBNs also help understand the causes of security events. The diagnosis can be carried out in real time ("what is happening?") or it can be a deeper post-incident investigation. This feature supports revision of security and monitoring decisions. Moreover, when security measures are also modelled through the DBN, the inference tasks can enable assessment of the efectiveness of such measures. The temporal dimension of DBNs allows to process streams of evidence maintaining the above support information up to date. A higher level of confidence of such data on the part of the analyst is possible because DBNs guarantee explainability, i.e. it is possible to understand the reasoning behind the conclusions drawn by the model. This is in contrast to the black box character of other AI models.
Diferent algorithms, either exact or approximate, can be exploited in order to implement
inference tasks in DBN [
We implemented a prototype of the tool called SecuriDN, which allows us to define the architecture of an IT/OT system, the attacks afecting the system, and the parameters that characterize the various attack steps. Given these definitions, the tool generates models that allow us to analyze the behavior of the system. The implementation of SecuriDN is based on DMS (Sec. 3.2) which provides the graphical user interface (GUI) and a library (DNlib) for model construction and manipulation.
SecuriDN allows us to model these aspects: • the ICT architecture consisting of a set of assets (hosts, networks, applications, etc.), relationships between assets, the asset where the attack begins, the asset which is the goal of the attack. • The possible attacks afecting each asset: the attacks are made up of multiple techniques combined with each other. For each asset, an Attack Graph (AG) is defined, modeling these combinations. The AG contains a node for each technique while the edges indicate how the execution of a technique can enable subsequent techniques. In addition, the AG can contain logical operators (AND, OR) and nodes to represent defenses, analytics and the asset impairment. • The global AG obtained by combining the AGs of the individual assets present in the architecture. The union of the various AGs takes place through shared nodes. After that, the paths from the initial point of attack to the goal are maintained, and all the other paths are removed.
• The DBN derived from the global AG.
The first step consists in defining the architecture. The assets currently foreseen in the formalism represent the main possible targets of an attack in a control network: specific hardware equipment, such as IED and physical communication Networks, together with software applications, like SCADA, MMS server, HMI. Also logical communication Channels, such as TCP connections and the Dataflow inside them are included as possible attack goals. Fig. 2 shows in background the architecture window of SecuriDN’s GUI. In this window, the assets can be chosen by the user from the model panel, located on the top right side.
The resources are connected by oriented arcs whose graphic style indicates the specific relationship (In, Connect, Cross, Execute, etc.). Such relations represent potential means of attack propagation across assets. In the background of Fig. 2 we see an arc of type In that goes from IED to DER to indicate that the IED is connected to the DER. We also see an arc of type Execute that goes from IED to MMSServer to indicate that the IED is the device that executes the MMS Server performing the DER control functions and so when an adversary compromises the IED, the attack can propagate by taking control of the MMS server running on it.
The architecture contains two special nodes: Attacker and Goal. In the background of Fig. 2 the node Attacker is connected to the asset MMSServer to indicate the asset where the attack begins and the initial technique (spoRepMes in the example). The node Goal is connected to DER, i.e. the renewable energy source, that is the final goal of the attack.
In the current implementation the nodes Attacker and Goal are unique: so the attack begins from one specific asset and the final goal involves only one asset. The possibility of multiple attackers and goals may be a future development.
Notice that it is not modeled how the achievement of the final goal afects the electrical system stability, and thus the real impact of the attack. For such objective it is necessary to resort to other approaches, e.g. power flow models or power grid simulations, which in principle can be integrated with SecuriDN, but are out of the paper scope.
Each asset has a predefined local Attack Graph (lAG) as submodel (it is possible to manually add further nodes and arcs). We consider the lAG in the foreground of Fig. 2 as an example, relating to the MMS Server resource, where we see these types of node: • an internal technique (simple circle) is a technique that takes place within the asset modeled by the lAG; in Fig. 2 we have spoRepMes (Spoof Report Message). • an external technique (double circle) is a technique that takes place in another asset, but which can enable an internal technique or be enabled by an internal technique; in Fig. 2 unaComMes (unauthorized command message) takes place in the asset IED, while Write takes place in Dataflow . • A defense has a graphic icon that reminds a shield, and is a node representing a countermeasure, such as a firewall or an antivirus, able to mitigate or even inhibit an internal technique to which it is connected.
The mitigation degree will be reflected in the final DBN as a reduction of the technique’s success probability.
In Fig. 2 we have the node defense modeling a generic countermeasure. • An analytic is graphically represented by a sort of notepad (an analytic could be a system log); in Fig. 2 we have the node analytics. Security analytics describe events whose observation is significant from a security perspective, e.g. a specific item on the system log that may be a clue about the exploitation of one or more techniques. • The compromise of the resource appears as a triangular signal of danger; in the example we have End. If in the graph relating to architecture, a certain asset is the final goal, then the compromise node in the lAG relating to the resource, corresponds to the node Goal in the architecture (Fig. 2) . For this reason, the node Goal of architecture and the compromise node of the lAG have the same graphic aspect.
In Fig. 2 we can also see the types of arc in an AG: • An arc of input/output (I/O) is an oriented arc and has diferent roles: – can go from a technique (internal or external) to another technique (internal or external) to indicate that the first technique enables the second one; in Fig. 2 an arc of I/O goes from Write to spoRepMes, and another arc of I/O goes from spoRepMes to unaComMes. – can go from an internal technique to an analytic to indicate that the execution of the technique determines the production of system log; in Fig. 2 it is traced from spoRepMes to Analytics. – can go from an internal technique to a compromise node to indicate that the success of the technique determines the compromise of the asset relating to the lAG; in Fig. 2 it is traced from spoRepMes to End. • An inhibitor arc goes from a defense to the technique inhibited by that defense, to specify the attack step impaired by the defense (the arc ends with a circle); in Fig. 2 it goes from defense to spoRepMes.
Once the architecture is manually defined, a global attack graph and a DBN can be automatically generated with one click.
On one hand, the generation of a global Attack Graph (gAG) is triggered. At a high level, the generation process is accomplished through the following steps: • Connection of lAGs: A first, raw gAG, is built in this step: it is initially created as the union of the lAGs of all the assets in the architecture. If two assets are connected in the architecture, then the relative AGs are joined in the gAG merging shared nodes. To ensure in the gAG the uniqueness of the technique names, which may appear multiple times in diferent lAG, the asset name is used as a prefix of the original name. • Identification of attacker and goal: According to the asset where the attack begins (node Attacker in the architecture) and the asset which is the goal of the attack (node goal in the architecture), the node relating to the initial technique and the node relating to the goal are identified in the gAG. • Reduction: By visiting the gAG, the nodes and arcs belonging to the paths from the initial node to the target node are marked. All the nodes and arcs that are not marked are eliminated from the gAG, thus obtaining the final, simplified gAG (Fig. 3a).
In the gAG in Fig. 3a the attack begins with the step MMSServer_spoRepMes (spoof reporting message) generating the analytic MMSServer_Analytics and mitigated by MMSServer_Defense. The possible success of MMSServer_spoRepMes enables the technique IED_unaComMes (unauthorised command message) whose success may compromise the DER (node DER_compromised) through the OR node IED_DERreconf (in the lAG of the DER, the OR node is connected to other nodes which have been deleted in the gAG during the reduction step because not reachable in this scenario). The arc connecting DER_compromised to DER_End indicates the end of the attack. The nodes MMSServer_spoRepMes, MMSServer_Analytics, and MMSServer_Defense come from the lAG of MMSServer (Fig. 2). The nodes IED_unaComMes and IED_DERreconf come from the lAG of IED. Finally, DER_compromised and DER_End come from the lAG of DER.
The gAG is then converted into a DBN (Fig. 3b) with a compact representation (see Appendix A), where all associated state variables are binary. Each node in the gAG is translated to a DBN node, and each arc to a DBN arc. In this way, not only the dynamics of the whole attack is described, as in the gAG, but also the underlying stochastic attack process is modeled. Technique nodes are enriched with a self-loop temporal arc (colored in blue) to model the dependence of their state from the state at the previous time instant. A successfully executed technique influences the activation of the connected analytic to model the occurrence of an alarm. Through the CPT parameters we configure the rates of false positives and negatives of each analytic. On the other hand, a defense node connected to a technique node influences the activation of the latter, reducing, possibly to zero, its probability of success; this models the mitigation or inhibition efect of the defense measure.
Each node is also enriched with a CPT whose parameters can be manually or automatically
set. In the former case using the GUI the user can inspect each node of the gAG and compile
the corresponding CPT. In the latter, it depends on how the parameter values are automatically
derived. Following the approach in [
The DBN model is then used as input to the detection module of the monitoring and detection
platform. The module can return predictive or diagnostic results conditioned by the evidences
(observations) about the events occurring in the monitored system, collected through the
(a)
platform. Several examples of the types of results provided by the analysis of the DBN can be
found in [
SecuriDN is a promising tool to support security analysts in the early detection of adversarial activity and in the assessment of the cybersecurity posture of the system. It is designed with the electro-energetic system in mind.
The integration with the detection platform (see the introduction) has not been fully
completed, yet. SecuriDN currently produces the description of the DBN, but in the near future it
will be enriched to produce an Octave [
The authors would like to thank Alberto Livio Beccaria for implementing DNlib library, and Marco Gribaudo for the development and the maintenance of Draw-Net over the years.
This work is original and has been supported by a joint collaboration between RSE S.p.A. and Università del Piemonte Orientale, financed by the Research Fund for the Italian Electrical System under the Three-Year Research Plan 2022-2024 (DM MITE n. 337, 15.09.2022), in compliance with the Decree of April 16th, 2018. [18] B. Kordy, L. Piètre-Cambacédès, P. Schweitzer, DAG-based attack and defense modeling:
Don’t miss the forest for the attack trees, Computer science review 13 (2014) 1–38. [19] P. Xie, J. Li, X. Ou, P. Liu, R. Levy, Using Bayesian Networks for cyber-security analysis, in: Int. Conf. on Dependable Systems and Networks, 2010, pp. 211–220. [20] S. Zhang, S. Song, A novel attack graph posterior inference model based on Bayesian network, Journal of Information Security 2 (2011) 8–27. [21] A. S. M. Frigault, L. Wang, S. Jajodia, Measuring network security using dynamic Bayesian network, in: Workshop on Quality of protection, 2008, pp. 23–30. [22] E. Mathias, J. Pontus, R. Lagerstrom, D.Gorton, J. Nydren, K. Shahzad, SecuriCAD by Foreseeti: A CAD Tool for Enterprise Cyber Security Management, in: Int. Workshop on Enterprise Distributed Object Computing, 2015, pp. 152–155. [23] P. Johnson, R. Lagerström, M. Ekstedt, A meta language for threat modeling and attack simulations, in: Int. Conf. on Availability, Reliability and Security, 2018. [24] P. Mueller, B. Yadegari, The stuxnet worm, Department of Computer Science, University of Arizona (2012). URL: https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/ Resources/presentations/topic9-final/report.pdf. [25] Cybersecurity, I. S. Agency, CrashOverride Malware, https://www.cisa.gov/news-events/ alerts/2017/06/12/crashoverride-malware, 2017. [Online; accessed 08/02/2024]. [26] M. Kezunovic, Y. Guan, C. Guo, M. Ghavami, The 21st century substation design: Vision of the future, in: IREP Bulk Power System Dynamics and Control Symposium, 2010. [27] IEC TC 57 - Power systems management and associated information exchange, IEC 61850:2018 SER , 2018. [28] M. M. Roomi, S. M. S. Hussain, D. Mashima, E.-C. Chang, T. S. Ustun, Analysis of false data injection attacks against automated control for parallel generators in iec 61850-based smart grid systems, IEEE Systems Journal 17 (2023) 4603–4614. [29] IEC TC 57 - Power systems management and associated information exchange, IEC 62351:2024 SER, 2024. [30] H. C. Tan, C. Cheh, B. Chen, D. Mashima, Tabulating cybersecurity solutions for substations: Towards pragmatic design and planning, in: IEEE Innovative Smart Grid Technologies Asia (ISGT Asia), 2019, pp. 1018–1023. [31] D. C. Schmidt, Model driven engineering, guest editor’s introduction, IEEE Computer,
Special Issue on Model Driven Engineering (2006) 25–31. [32] S. Gaonkar, K. Keefe, R. Lamprecht, E. Rozier, P. Kemper, W. H. Sanders, Performance and dependability modeling with Möbius, SIGMETRICS Performance Evaluation Review 36 (2009) 16–21. [33] K. S. Trivedi, R. Sahner, SHARPE at the age of twenty two, SIGMETRICS Performance
Evaluation Review 36 (2009) 52–57. [34] M. Gribaudo, D. Codetta-Raiteri, G. Franceschinis, Draw-Net, a customizable multiformalism, multi-solution tool for the quantitative evaluation of systems, in: International Conference on the Quantitative Evaluation of Systems, IEEE, 2005, pp. 257–258. [35] D. Codetta-Raiteri, G. Franceschinis, M. Gribaudo, Defining formalisms and models in the Draw-Net Modelling System, in: International Workshop on Modelling of Objects, Components and Agents, 2006, pp. 123–144. [36] D. Codetta-Raiteri, UML class diagrams supporting formalism definition in the Draw-Net
Formal definition of BNs. A BN is a pair = ⟨⟨, ⟩, ⟩ where ⟨, ⟩ are the nodes and the edges of a Directed Acyclic Graph (DAG) respectively, and is a probability distribution over . Discrete random variables = {1, 2, . . . } are assigned to the nodes, while each 1 2 3 4 5 6 7 8 0 0 1 1 0 0 1 1 edge ∈ from node to node represents a conditional dependency relationship between the variables represented by and , where directly depends on . This interpretation allows us to factorize the joint probability of the variables of the model, by considering only the conditional distribution of each variable with respect to their parent variables in the DAG: [1, 2, . . . , ] = ∏︀
=1 [| ()]. Each local distribution can be described in a tabular form called Conditional Probability Table (CPT). Any kind of probabilistic query of the form (|) can be computed, where is any set of unobserved variables and is a configuration of a set of observed variables called the evidence.
Formal definition of DBNs. Given a set of time-dependent state variables 1 . . . and given a BN defined on such variables, a DBN is essentially a replication of over two time slices − ∆ and (being ∆ the so called time discretization step), with the addition of a set of arcs representing the transition model. Let denote the copy of variable at time slice , the transition model is defined through a distribution [|− Δ, − Δ, ] where − Δ is any set of variables at slice − ∆ diferent from (possibly the empty set), and is any set of variables at slice diferent from (possibly the empty set).
The dependencies of a certain node are quantified in terms of conditional probabilities and are stored in its CPT. The probability in every table entry has to be set according to the state of the parent nodes (possibly including the historical copy of the node). A DBN can be represented by explicitly drawing the two replicas of a 2-TBN, as shown in Fig. 4(a), or with a compact representation as in Fig. 4(b). In both cases two types of arcs are defined: intra-slice arcs indicate dependencies between nodes in the same time slice and are shown as continuous arrows; inter-slice arcs model dependencies between nodes in diferent slices and are depicted as dashed arrows. In the example 2 depends on 1 at the same time slice, and on its copy in the previous slice. Assuming that all nodes are associated with two-state variables, Fig. 4(c) shows an example of the CPT of 2: each entry represents a specific state configuration of the parent nodes, and provide the probability that node 2 changes state to 0 or 1.