A case study in verification of UML statecharts the PROFIsafe protocol

A Survey of Cyber-Physical SystemsJiafu Wan a,ba School of Computer Science and EngineeringSouth China University of Technology,Guangzhou,Chinajiafuwan_76@Hehua Yan*,b,Hui Suo bb College of Information EngineeringGuangdong Jidian PolytechnicGuangzhou,China*Corresponding Author,hehua_yan@Abstract—Cyber Physical Systems(CPSs)are characterized by integrating computation and physical processes.The theories and applications of CPSs face the enormous challenges.The aim of this work is to provide a better understanding of this emerging multi-disciplinary methodology.First,the features of CPSs are described,and the research progresses are summarized from different perspectives such as energy control,secure control, transmission and management,control technique,system resource allocation,and model-based software design.Then three classic applications are given to show that the prospects of CPSs are engaging.Finally,the research challenges and some suggestions for future work are in brief outlined.Keywords-cyber physical systems(CPSs);communications; computation;controlI.I NTRODUCTIONCyber Physical Systems(CPSs)integrate the dynamics of the physical processes with those of the software and communication,providing abstractions and modeling,design, and analysis techniques for the integrated whole[1].The dynamics among computers,networking,and physical systems interact in ways that require fundamentally new design technologies.The technology depends on the multi-disciplines such as embedded systems,computers,communications,etc. and the software is embedded in devices whose principle mission is not computation alone,e.g.cars,medical devices, scientific instruments,and intelligent transportation systems[2]. Now the project for CPSs engages the related researchers very much.Since2006,the National Science Foundation(NSF)has awarded large amounts of funds to a research project for CPSs. Many universities and institutes(e.g.UCB,Vanderbilt, Memphis,Michigan,Notre Dame,Maryland,and General Motors Research and Development Center,etc.)join this research project[3,4].Besides these,the researchers from other countries have started to be aware of significance for CPSs research.In[5-7],the researchers are interested in this domain,including theoretical foundations,design and implementation,real-world applications,as well as education. As a whole,although the researchers have made some progress in modeling,control of energy and security,approach of software design,etc.the CPSs are just in an embryonic stage.The rest of this paper is outlined as follows.Section II introduces the features of CPSs.From different perspectives, the research processes are summarized in Section III.Section IV gives some classic applications.Section V outlines the research challenges and some suggestions for future work and Section VI concludes this paper.II.F EATURES OF CPS SGoals of CPSs research program are to deeply integrate physical and cyber design.The diagrammatic layout for CPSs is shown in Figure1.Obviously,CPSs are different from desktop computing,traditional embedded/real-time systems, today’s wireless sensor network(WSN),etc.and they have some defining characteristics as follows[7-10].∙Closely integrated.CPSs are the integrations of computation and physical processes.∙Cyber capability in every physical component and resource-constrained.The software is embedded inevery embedded system or physical component,andthe system resources such as computing,networkbandwidth,etc.are usually limited.∙Networked at multiple and extreme scales.CPSs,the networks of which include wired/wireless network,WLAN,Bluetooth,GSM,etc.are distributed systems.Moreover,the system scales and device categoriesappear to be highly varied.∙Complex at multiple temporal and spatial scales.In CPSs,the different component has probablyinequable Figure1.Diagrammatic layout for CPSsgranularity of time and spatiality,and CPSs are strictlyconstrained by spatiality and real time.∙Dynamically reorganizing/reconfiguring.CPSs as very complicated systems must have adaptive capabilities.∙High degrees of automation,control loops must close.CPSs are in favor of convenient man-machineinteraction,and the advanced feedback controltechnologies are widely applied to these systems.∙Operation must be dependable,certified in some cases.As a large scale/complicated system,the reliability andsecurity are necessary for CPSs.III.R EASEARCH P ROCESSSince2007,American government has treated CPSs as a new development strategy.Some researchers from various countries discussed the related concepts,technologies, applications and challenges during CPSweek and the international conference on CPS subject[11].The results of this research mainly concentrate in the following respects[7]. A.Energy ControlOne of the features of CPSs is distributed system.Though the vast majority of devices in CPSs need less energy,the energy supply is still a great challenge because the demand and supply of energy is inconvenient.In[12],a control strategy is proposed for realizing best trade-off between satisfying user requests and energy consumption in a data center.In[13-15],these papers concern the basic modeling of cyber-based physical energy systems.A novel cyber-based dynamic model is proposed in which a resulting mathematical model greatly depends on the cyber technologies supporting the physical system.F.M.Zhang et al [16]design optimal and adaptive discharge profile for a square wave impulsive current to achieve maximum battery life.J. Wei et al and C.J.Xue et al[17,18]develop an optimal lazy scheduler to manage services with minimum energy expenditure while not violating time-sensitive constraints.In [19],a peak inlet temperature minimization problem is formulated to improve the energy efficiency.J.R.Cao et al[20] present a clustering architecture in order to obtain good performance in energy efficiency.B.Secure ControlNow,the research for secure control mainly includes key management,identity authentication,etc.In[21],the existing security technologies for CPSs are summarized,and main challenges are proposed.C.Singh et al[22]explore the topic of the reliability assurance of CPSs and possibly stimulate more research in this area.T.T.Gamage et al[23]give a general theory of event compensation as an information flow security enforcement mechanism for CPSs.Then a case study is used to demonstrate this concept.In[24],a certifcateless signature scheme for mobile wireless CPSs is designed and validated.Y.Zhang et al[25]present an adaptive health monitoring and management system model that defines the fault diagnosis quality metrics and supports diagnosis requirement specifications.J.Wei et al[26]exploit message scheduling solutions to improve security quality of wireless networks for mission-critical cyber-physical applications.C.Transmission and ManagementCPSs need to conduct the transmission and management of multi-modal data generated by different sensor devices.In[27], a novel information-centric approach for timely,secure real-time data services in CPSs is proposed.In order to obtain the crucial data for optimal environment abstraction,L.H.Kong et al[28]study the spatio-temporal distribution of CPS nodes.H. Ahmadi et al[29]present an innovative congestion control mechanism for accurate estimation of spatio-temporal phenomena in wireless sensor networks performing monitoring applications.A dissertation on CPSs discusses the design, implementation,and evaluation of systems and algorithms that enable predictable and scalable real-time data services for CPS applications[30].Now,the exiting results are still rare,and there are many facets to be studied.D.Model-based Software DesignNow,the main model-based software design methods include Model Driven Development(MDD)(e.g.UML), Model-Integrated Computing(MIC),Domain-Specific Modeling(DSM),etc[31,32].An example,abstractions in the design flow for DSM,is shown in Figure2.These methods have been widely applied to the embedded system design[34, 35].On the basis of these,some researchers conduct model-based software design for CPSs in the following aspects:event model,physical model,reliability and real-time assurance,etc.Figure2.Abstractions in the design flow for DSM[33]1)Event model.E.A.Lee et al[36]make a case that the time is right to introduce temporal semantics into programming models for CPSs.A programming model called programming temporally-integrated distributed embedded systems(PTIDES) provides a coordination language rooted in discrete-event semantics,supported by a lightweight runtime framework and tools for verifying concurrent software components.In[37],a concept lattice-based event model for CPSs is proposed.This model not only captures the essential information about events in a distributed and heterogeneous environment,but it alsoPlatform mapping Abstractions are linkedthrough refinementrelationsAbstraction layers allowthe verification ofdifferent propertiesPlatform mappingAbstraction layersdefine platformsallows events to be composed across different boundaries of different components and devices within and among both cyber and physical domains.In addition,A CPS architecture along with a novel event model for CPS is developed[38].2)Physical model.In[39],a methodology for automatically abstracting models of CPSs is proposed.The models are described using a user-defined language inspired by assembly code.For mechanical systems,Y.Zhu et al[40]show how analytical models of a particular class of physical systems can be automatically mapped to executable simulation codes.S.Jha et al[41]present a new approach to assist designers by synthesizing the switching logic,given a partial system model, using a combination of fixpoint computation,numerical simulation,and machine learning.This technique quickly generates intuitive system models.3)Reliability and real-time assurance. E. A.Lee[42] emphasizes the importance of security,reliability and real-time assurance in CPSs,and considers the effective orchestration of software and physical processes requires semantic models. From the perspective of soft real-time and hard real-time,U. Kremer[43]conducts the research that the role of time in CPS applications has a fundamental impact on the design and requirements.In CPSs,the heterogeneity causes major challenges for compositional design of large-scale systems including fundamental problems caused by network uncertainties,such as time-varying delay,jitter,data rate limitations,packet loss and others.To address these implementation uncertainties,X.Koutsoukos et al[44]propose a passive control architecture.For improving reliability,T.L. Crenshaw et al[45]describe a simplex reference model to assist developers with CPS architectures which limit fault-propagation.A highly configurable and reusable middleware framework for real-time hybrid testing is provided in[46].Though the model-based software design has an early start, the present development of CPSs progresses at a fast enough rate to provide a competitive challenge.E.Control TechniqueCompared with other control applications,the control technique for CPSs is still at an elementary stage.F.M.Zhang et al[2]develop theoretical results in designing scheduling algorithms for control applications of CPS to achieve balances among robustness,schedulability and power consumption. Moreover,an inverted pendulum as a study object is designed to validate the proposed theory.N.Kottenstette et al[47] describe a general technique:passivity and a particular controller structure involving the resilient power junction.In [48],a design and implementation of CPSs for neutrally controlled artificial legs is proposed.In[49],J.L.Ny et al approach the problem of certifying a digital controller implementation from an input-output,robust control perspective.F.System Resource AllocationUntil now,the relative research for system resource allocation mainly focuses on embedded/real-time systems, networked control systems,WSN,etc[50-52].Towards the complicated CPSs,this work is in the beginning stage.V.Liberatore[53]gives a new train of thought on bandwidth allocation in CPSs.In[54],the model dynamics are presented to express the properties of both software and hardware of CPSs,which is used to do resource allocation.K.W.Li et al [55]research the problem of designing a distributed algorithm for joint optimal congestion control and channel assignment in the multi-radio multi-channel networks for CPSs.The ductility metric is developed to characterize the overload behavior of mixed-criticality CPSs in[56].IV.C LASSIC A PPLICATIONSApplications of CPSs include medical devices and systems, assisted living,traffic control and safety,advanced automotive systems,process control,energy conservation,environmental control avionics and aviation software,instrumentation,critical infrastructure(e.g.power,water),distributed robotics,weapons systems,manufacturing,distributed sensing command and control,smart structures,biosystems,communications systems, etc.[9,10].The classic application architecture of CPSs is described in[38].Now,some application cases for CPSs have been conducted in[57-64].Here,three examples(Health Care and Medicine,Intelligent Road and Unmanned Vehicle,and Electric Power Grid)are used to illuminate the classic applications of CPSs[8,9].A.Health Care and MedicineThe domain of health care and medicine includes national health information network,electronic patient record initiative, home care,operating room,etc.some of which are increasingly controlled by computer systems with hardware and software components,and are real-time systems with safety and timing requirements.A case of CPSs,an operating room,is shown in Figure3.Figure3.A case of CPSs:An operating room[8,9]B.Electric Power GridThe power electronics,power grid,and embedded control software form a CPS,whose design is heavily influenced by fault tolerance,security,decentralized control,and economic/ ethical social aspects[65].In[8,9],a case of CPSs,electric power grid,is given as shown in Figure4.Figure4.A case of CPSs:Electric power grid[8,9]C.Integrate Intelligent Road with Unmanned VehicleWith the development of sensor network,embedded systems,etc.some new solutions can be applied to unmanned vehicle.We are conducting a program that intelligent road and unmanned vehicle are integrated in the form of CPSs.Figure5 shows another case of CPSs:Integrate intelligent road with unmanned vehicle.Figure5.A case of CPSs:Integrate intelligent road with unmanned vehicleV.R ESEARCH C HALLENGESCPSs as a very active research field,a variety of questions need to be solved,at different layers of the architecture and from different aspects of systems design,to trigger and to ease the integration of the physical and cyber worlds[66].In[10, 42,66-68],the research challenges are mainly summarized as follows:1)Control and hybrid systems.A new mathematical theory must merge event-based systems with time-based systems for feedback control.This theory also must be suitable for hierarchies involving asynchronous dynamics at different time scales and geographic scope.2)Sensor and mobile networks.In practical applications, the need for increased system autonomy requires self-organizing/reorganizing mobile networks for CPSs.Gathering and refining critical information from the vast amount of raw data is essential.3)Robustness,reliability,safety,and security.It is a critical challenge because uncertainty in the environment,security attacks,and errors in physical devices make ensuring overall system robustness,security,and safety.Exploiting the physical nature of CPS by leveraging location-based,time-based and tag-based mechanisms is to realize security solutions.4)Abstractions.This aspect includes real-time embedded systems abstractions and computational abstractions,which needs new resource allocation scheme to ensure that fault tolerance,scalability,optimization,etc.are achieved.New distributed real-time computing and real-time group communication methods are needed.In addition,the physical properties also should be captured by programming abstractions.5)Model-based development.Though there several existing model-based development methods,they are far from meeting demands in puting and communications,and physical dynamics must be abstracted and modeled at different levels of scale,locality,and time granularity.6)Verification,validation,and certification.The interaction between formal methods and testing needs to be established. We should apply the heterogeneous nature of CPS models to compositional verification and testing methods.VI.C ONCLUSIONSIn the last few years,this emerging domain for CPSs has been attracting the significant interest,and will continue for the years to come.In spite of rapid evolution,we are still facing new difficulties and severe challenges.In this literature, we concisely review the existing research results that involve energy control,secure control,model-based software design transmission and management,control technique,etc.On this basis,some classic applications used to show the good prospects.Then,we propose several research issues and encourage more insight into this new field.A CKNOWLEDGMENTThe authors would like to thank the National Natural Science Foundation of China(No.50875090,50905063), National863Project(No.2009AA4Z111),Key Science and Technology Program of Guangdong Province(No. 2010B010700015),China Postdoctoral Science Foundation (No.20090460769)and Open Foundation of Guangdong Key Laboratoryof Modern Manufacturing Technology(No. GAMTK201002)for their support in this research.R EFERENCES[1]Available at:/cps/.[2] F.M.Zhang,K.Szwaykowska,W.Wolf,and V.Mooney,“Taskscheduling for control oriented requirements for Cyber-Physical Systems,”in Proc.of2008Real-Time Systems Symposium,2005,pp.47-56.[3]Available at:/news/17248-nsf-funds-cyber-physical-systems-project/.[4]J.Sprinkle,U.Arizona,and S.S.Sastry,“CHESS:Building a Cyber-Physical Agenda on solid foundations,”Presentation Report,Apr2008.[5]Available at:/.[6]Available at:/gdcps.html.[7]J.Z.Li,H.Gao,and B.Yu,“Concepts,features,challenges,andresearch progresses of CPSs,”Development Report of China Computer Science in2009,pp.1-17.[8]R.Rajkumar,“CPS briefing,”Carnegie Mellon University,May2007.[9] B.H.Krogh,“Cyber Physical Systems:the need for new models anddesign paradigms,”Presentation Report,Carnegie Mellon University. [10] B.X.Huang,“Cyber Physical Systems:A survey,”Presentation Report,Jun2008.[11]Available at:/.[12]L.Parolini,N.Toliaz,B.Sinopoli,and B.H.Krogh,“A Cyber-PhysicalSystems approach to energy management in data centers,”in Proc.of First International Conference on Cyber-Physical Systems.April2010, Stockholm,Sweden.[13] F.M.Zhang,Z.W.Shi,and W.Wolf,“A dynamic battery model forco-design in cyber-physical systems,”in Proc.of29th IEEE International Conference on Distributed Computing Systems Workshops.2009.[14]M.D.Ilić,L.Xie,U.A.Khan,et al.“Modeling Future Cyber-PhysicalEnergy Systems,”in Proc.of Power and Energy Society General Meeting-Conversion and Delivery of Electrical Energy in the21st Century,2008.[15]M.D.Ilić,L.Xie,U.A.Khan,et al.“Modeling of future Cyber–Physical Energy Systems for distributed sensing and control,”IEEE Transactions on Systems,Man,and Cybernetics-Part A:Systems and Humans,Vol.40,2010,pp.825-838.[16] F.M.Zhang,and Z.W.Shi,“Optimal and adaptive battery dischargestrategies for Cyber-Physical Systems,”in Proc.of Joint48th IEEE Conference on Decision and Control,and28th Chinese Control Conference,2009,Shanghai,China.[17]W.Jiang,G.Z.Xiong,and X.Y.Ding,“Energy-saving servicescheduling for low-end Cyber-Physical Systems,”in Proc.of The9th International Conference for Young Computer Scientists,2008.[18] C.J.Xue,G.L.Xing,Z.H.Yuan,et al.“Joint sleep scheduling andmode assignment in Wireless Cyber-Physical Systems,”in Proc.of29th IEEE International Conference on Distributed Computing Systems Workshops,2009.[19]Q.H.Tang,S.K.S.Gupta,and G.Varsamopoulos,“Energy-efficientthermal-aware task scheduling for homogeneous high-performance computing data centers:A cyber-physical approach,”IEEE Transactions on Parallel and Distributed Systems,Vol.19,2008,pp.1458-1472. [20]J.R.Cao,and H.A.Li,“Energy-efficient structuralized clustering forsensor-based Cyber Physical Systems,”in Proc.of Symposia and Workshops on Ubiquitous,Autonomic and Trusted Computing,2009. [21] A. A.Cárdenas,S.Amin,and S.Sastry,“Secure control:towardssurvivable Cyber-Physical Systems,”in Proc.of The28th International Conference on Distributed Computing Systems Workshops,2008. [22] C.Singh,and A.Sprintson,“Reliability assurance of Cyber-PhysicalPower Systems,”in Conference Proc.,2010.[23]T.T.Gamage,B.M.McMillin,and T.P.Roth,“Enforcing informationflow security properties in Cyber-Physical Systems:A generalized framework based on compensation,”in Proc.of34th Annual IEEE Computer Software and Applications Conference Workshops,2010. [24]Z.Xu,X.Liu,G.Q.Z,et al.“A cert ificateless signature scheme formobile wireless Cyber-Physical Systems,”in Proc.of The28th International Conference on Distributed Computing Systems Workshops, 2008.[25]Y.Zhang,I.L.Yen,F.B.Bastani,et al.“Optimal adaptive systemhealth monitoring and diagnosis for resource constrained Cyber-Physical Systems,”in Proc.of20th International Symposium on Software Reliability Engineering,2009.[26]W.Jiang,W.H.Guo,and N.Sang,“Periodic real-time messagescheduling for confidentiality-aware Cyber-Physical System in wireless networks,”in Proc.of Fifth International Conference on Frontier of Computer Science and Technology,2010.[27]K.D.Kang,and S.H.Son,“Real-time data services for Cyber PhysicalSystems,”in Proc.of28th International Conference on Distributed Computing Systems Workshops,2008.[28]L.H.Kong,D.W.Jiang,and M.Y.Wu,“Optimizing the spatio-temporal distribution of Cyber-Physical Systems for environment abstraction,”in Proc.of International Conference on Distributed Computing Systems,2010.[29]H.Ahmadi,T.F.Abdelzaher,and I.Gupta,“Congestion control forspatio-temporal data in Cyber-Physical Systems,”in Proc.of the1st ACM/IEEE International Conference on Cyber-Physical Systems,2010.[30]W.Kang,“Adaptive real-time data management for Cyber-PhysicalSystems,”PhD Thesis,University of Virginia,2009.[31]Z.M.Song,“Devlopment method of embedded equipment controlsystems based on Model Integrated Computing,”PhD Thesis,South China University of Technology,2007.[32]Available at:/research/MIC.[33]J.Sztipanovits,“Cyber Physical Systems:New challenges for model-based design,”Presentation Report,Vanderbilt University,Apr2008. [34] F.Li,D.Li,J.F.Wan,et al.“Towards a component-based modelintegration approach for embedded computer control system,”in Proc.of International Conference on Computational Intelligence and Security, 2008.[35] D.Li,F.Li,and X.Huang,et al.“A model based integration frameworkfor computer numerical control system development,”Robotics and Computer-Integrated Manufacturing,Vol.26,2010,pp.848-860. [36] E.A.Lee,S.Matic,S.A.Seshia,et al.“The case for timing-centricdistributed software,”in Proc.of29th IEEE International Conference on Distributed Computing Systems Workshops,2009.[37]Y.Tan,M.C.Vuran,and S.Goddard,“A concept lattice-based eventmodel for Cyber-Physical Systems,”in Proc.of CCPS,Apr2010, Stockholm,Sweden.[38]Y.Tan,M.C.Vuran,and S.Goddard,“Spatio-temporal event model forCyber-Physical Systems,”in Proc.of29th IEEE International Conference on Distributed Computing Systems Workshops,2009. [39]R.A.Thacker,K.R.Jones,C.J.Myers,et al.“Automatic abstractionfor verification of Cyber-Physical Systems,”in Proc.of CCPS,Apr2010, Stockholm,Sweden.[40]Y.Zhu, E.Westbrook,J.Inoue,et al.“Mathematical equations asexecutable models of mechanical systems,”in Proc.of CCPS,Apr2010, Stockholm,Sweden.[41]S.Jha,S.Gulwani,S.A.Seshia,et al.“Synthesizing switching logic forsafety and dwell-time requirements,”in Proc.of CCPS,Apr2010, Stockholm,Sweden.[42] E.A.Lee,“Cyber Physical Systems:Design challenges,”in Proc.ofISORC,May,2008,Orlando,USA.[43]U.Kremer,“Cyber-Physical Systems:A case for soft real-time,”Available at:/.[44]X.Koutsoukos,N.Kottenstette,J.Hall,et al.“Passivity-based controldesign for Cyber-Physical Systems,”Available at:http://citeseerx.ist./.[45]T.L.Crenshaw, E.Gunter, C.L.Robinson,et al.“The simplexreference model:Limiting fault-propagation due to unreliable components in Cyber-Physical System architectures,”in Proc.of IEEE International Real-Time Systems Symposium,2008.[46]T.Tidwell,X.Y.Gao,H.M.Huang,et al.“Towards configurable real-time hybrid structural testing:A Cyber-Physical Systems approach,”in Proc.of IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing,2009.[47]N.Kottenstette,G.Karsai,and J.Sztipanovits,“A passivity-basedframework for resilient Cyber Physical Systems,”in Proc.of2nd International Symposium on Resilient Control Systems,2009.[48]H.Huang,Y.Sun,Q.Yang,et al.“Integrating neuromuscular and CyberSystems for neural control of artificial legs,”in Proc.of CCPS,Apr 2010,Stockholm,Sweden.[49]J.L.Ny,and G.J.Pappas,“Robustness analysis for the certification ofdigital controller implementations,”in Proc.of CCPS,Apr2010, Stockholm,Sweden.[50]J.F.Wan,D.Li,and P.Zhang,“Key technology of embedded systemimplementation for software-based CNC system,”Chinese Journal of Mechanical Engineering,Vol.23,2010,pp.241-248.[51]J.F.Wan,D.Li,H.H.Yan,and P.Zhang,“Fuzzy feedback schedulingalgorithm based on central processing unit utilization for a software-based computer numerical control system,”Journal of Engineering Manufacture,Vol.224,2010,pp.1133-1143.[52]J.F.Wan,and D.Li,“Fuzzy feedback scheduling algorithm based onoutput jitter in resource-constrained embedded systems,”In Proc.of International Conference on Challenges in Environmental Science and Computer Engineering,March2010,Wuhan,China.[53]V.Liberatore,“Bandwidth allocation in sense-and-respond systems,”Report,Available at:/~vxl11/NetBots/.[54]M.Lindberg,and K.E.Årzén,“Feedback control of cyber-physicalsystems with multi resource dependencies and model uncertainties,”in Proc.of the31st IEEE Real-Time Systems Symposium,Dec2010. [55]K.W.Li,Q.W.Liu,F.R.Wang,et al.“Joint optimal congestioncontrol and channel assignment for multi-radio multi-channel wireless networks in Cyber-Physical Systems,”in Proc.of Symposia and Workshops on Ubiquitous,Autonomic and Trusted Computing,2009. [56]kshmanan,D.Niz,R.Rajkumar,et al.“Resource allocation indistributed mixed-criticality Cyber-Physical Systems,”in Proc.of International Conference on Distributed Computing Systems,2010. [57] D.Dragomirescu,“Cyber-Physical Systems for aeronautic applications,”Presentation Report,2010,University of Toulouse,France.[58] A.M.K.Cheng,“Cyber-Physical Medical and Medication Systems,”inProc.of the28th International Conference on Distributed Computing Systems Workshops,2008.[59]T.Dillon,and E.Chang,“Cyber-Physical Systems as an embodiment ofdigital ecosystems,”in Proc.of4th IEEE International Conference on Digital Ecosystems and Technologies,2010.[60]J.Madden,B.McMillin,and A.Sinha,“Environmental obfuscation of aCyber Physical System-Vehicle example,”in Proc.of34th Annual IEEE Computer Software and Applications Conference Workshops,2010. [61]I.Lee,and O.Sokolsky,“Medical Cyber Physical Systems,”in Proc.ofDAC,2010,Anaheim,California,USA.[62]W.Harrison,J.Moyne,and D.Tilbury,“Virtual fusion:The completeintegration of simulated and actual,”Presentation Report,2008, University of Michigan,USA.[63]M.Li,Y.H.Liu,J.L.Wang,et al.“Sensor network navigation withoutlocations,”in Proc.of IEEE INFOCOM,2009.[64]G.L.Xing,W.J.Jia,Y.F.Du,et al.“Toward ubiquitous video-basedCyber-Physical Systems,”in Proc.of IEEE International Conference on Systems,Man and Cybernetics,2008.[65] B.McMillin,C.Gill,M.L.Crow,et al,“Cyber-Physical Systemsdistributed control-The advanced electric power grid,”Available at: /.[66]L.Sha,S.Gopalakrishnan,X.Liu,et al.“Cyber-Physical Systems:Anew frontier,”in Proc.of IEEE International Conference on Sensor Networks,Ubiquitous,and Trustworthy Computing,2008.[67]M.Broy,“Cyber-Physical Systems:Technological&scientificchallenges,”Presentation Report,2010.[68]R.Rajkumar,I.Lee,L.Sha,et al.“Cyber-Physical Systems-The nextcomputing revolution,”in Proc.of Design Automation Conference,2010, Anaheim,California,USA.。

UML i:The Unified Modeling Language forInteractive ApplicationsPaulo Pinheiro da Silva and Norman W.Paton Department of Computer Science,University of Manchester Oxford Road,Manchester M139PL,England,UK.e-mail:{pinheirp,norm}@AbstractUser interfaces(UIs)are essential components of most software sys-tems,and significantly affect the effectiveness of installed applications.Inaddition,UIs often represent a significant proportion of the code deliveredby a development activity.However,despite this,there are no modellinglanguages and tools that support contract elaboration between UI devel-opers and application developers.The Unified Modeling Language(UML)has been widely accepted by application developers,but not so much byUI designers.For this reason,this paper introduces the notation of theUnified Modelling Language for Interactive Applications(UML i),that ex-tends UML,to provide greater support for UI design.UI elements elicitedin use cases and their scenarios can be used during the design of activitiesand UI presentations.A diagram notation for modelling user interfacepresentations is introduced.Activity diagram notation is extended to de-scribe collaboration between interaction and domain objects.Further,acase study using UML i notation and method is presented.1IntroductionUML[9]is the industry standard language for object-oriented software design. There are many examples of industrial and academic projects demonstrating the effectiveness of UML for software design.However,most of these success-ful projects are silent in terms of UI design.Although the projects may even describe some architectural aspects of UI design,they tend to omit important aspects of interface design that are better supported in specialist interface de-sign environments[8].Despite the difficulty of modelling UIs using UML,it is becoming apparent that domain(application)modelling and UI modelling may occur simultaneously.For instance,tasks and domain objects are interde-pendent and may be modelled simultaneously since they need to support each other[10].However,task modelling is one of the aspects that should be consid-ered during UI design[6].Further,tasks and interaction objects(widgets)areinterdependent as well.Therefore,considering the difficulty of designing user interfaces and domain objects simultaneously,we believe that UML should be improved in order to provide greater support for UI design[3,7].This paper introduces the UML i notation which aims to be a minimal exten-sion of the UML notation used for the integrated design of applications an their user interfaces.Further,UML i aims to preserve the semantics of existing UML constructors since its notation is built using new constructors and UML exten-sion mechanisms.This non-intrusive approach of UML i can be verified in[2], which describes how the UML i notation introduced in this paper is designed in the UML meta-model.UML i notation has been influenced by model-based user interface develop-ment environment(MB-UIDE)technology[11].In fact,MB-UIDEs provide a context within which declarative models can be constructed and related,as part of the user interface design process.Thus,we believe that the MB-UIDE technology offers many insights into the abstract description of user interfaces that can be adapted for use with the UML technology.For instance,MB-UIDE technology provides techniques for specifying static and dynamic aspects of user interfaces using declarative models.Moreover,as these declarative models can be partially mapped into UML models[3],it is possible to identify which UI aspects are not covered by UML models.The scope of UML i is restricted to form-based user interfaces.However, form-based UIs are widely used for data-intensive applications such as database system applications and Web applications and UML i can be considered as a baseline for non-form-based UI modelling.In this case,modifications might be required in UML i for specifying a wider range of UI presentations and tasks.To introduce the UML i notation,this paper is structured as follows.MB-UIDE’s declarative user interface models are presented in terms of UML i dia-grams in Section2.Presentation modelling is introduced in Section3.Activity modelling that integrates use case,presentation and domain models is presented in Section4.The UML i method is introduced in Section5when a case study ex-emplifying the use of the UML i notation is presented along with the description of the method.Conclusions are presented in Section6.2Declarative User Interface ModelsA modelling notation that supports collaboration between UI developers and application developers should be able to describe the UI and the application at the same time.From the UI developer’s point of view,a modelling notation should be able to accommodate the description of users requirements at appro-priate levels of abstraction.Thus,such a notation should be able to describe abstract task specifications that users can perform in the application in order to achieve some goals.Therefore,a user requirement model is required to describe these abstract tasks.Further,UI sketches drawn by users and UI developers can help in the elicitation of additional user requirements.Therefore,an abstract presentation model that can present early design ideas is required to describethese UI ter in the design process,UI developers could also refine abstract presentation models into concrete presentation models,where widgets are selected and customised,and their placement(layout)is decided.From the application developer’s point of view,a modelling notation that integrates UI and application design should support the modelling of application objects and actions in an integrated way.In fact,the identification of how user and application actions relate to a well-structured set of tasks,and how this set of tasks can support and be supported by the application objects is a challenging activity for application designers.Therefore,a task model is required to describe this well-structured set of tasks.The task model is not entirely distinct from the user requirement model.Indeed,the task model can be considered as a more structured and detailed view of the user requirement model.The application objects,or at least their interfaces,are relevant for UI de-sign.In fact,these interfaces are the connection points between the UI and the underlying application.Therefore,the application object interfaces compose an application model.In an integrated UI and application development environ-ment,an application model is naturally produced as a result of the application design.UML i aims to show that using a specific set of UML constructors and dia-grams,as presented in Figure1,it is possible to build declarative UI models. Moreover,results of previous MB-UIDE projects can provide experience as to how the declarative UI models should be inter-related and how these models can be used to provide a declarative description of user interfaces.For instance, the links(a)and(c)in Figure1can be explained in terms of state objects,as presented in Teallach[5].The link(d)can be supported by techniques from TRI-DENT[1]to generate concrete presentations.In terms of MB-UIDE technology there is not a common sense of the models that might be used for describing a UI.UML i does not aim to present a new user interface modelling proposal,but to reuse some of the models and techniques proposed for use in MB-UIDEs in the context of UML.Figure1:UML i declarative user interface models.3User Interface DiagramUser interface presentations,the visual part of user interfaces,can be modelled using object diagrams composed of interaction objects,as shown in Figure2(a). These interaction objects are also called widgets or visual components.The selection and grouping of interaction objects are essential tasks for modelling UI presentations.However,it is usually difficult to perform these tasks due to the large number of interaction objects with different functionalities provided by graphical environments.In a UML-based environment,the selection and grouping of interaction objects tends to be even more complex than in UI de-sign environments because UML does not provide graphical distinction between domain and interaction objects.Further,UML treats interaction objects in the same way as any other objects[3].For instance,in Figure2(a)it is not easy to see that the Results Displayer is contained by the SearchBookUI FreeContainer. Considering these presentation modelling difficulties,this section introduces the UML i user interface diagram,a specialised object diagram used for the concep-tual modelling of user interface presentation.(a)(b)Figure2:An abstract presentation model for the SearchBookUI can be modelled as an object diagram of UML,as presented in(a).The same presentation can alternatively be modelled using the UML i user interface diagram,as presented in(b).3.1User Interface Diagram NotationThe SearchBookUI abstract presentation modelled using the user interface dia-gram is presented in Figure2(b).The user interface diagram is composed of six constructors that specify the role of each interaction object in a UI presentation.•FreeContainers,•Containers,,are rendered as a pair of semi-overlapped triangles pointing to the right.They are responsible for receiving information from users in the form of events.Graphically,Containers,Inputters,Displayers,Editors and ActionInvokers must be placed into a FreeContainer.Additionally,the overlapping of the bor-ders of interaction objects is not allowed.In this case,the“internal”lines of Containers and FreeContainers,in terms of their two-dimensional representa-tions,are ignored.3.2From an Abstract to a Concrete PresentationThe complexity of user interface presentation modelling can be reduced by work-ing with a restricted set of abstract interaction objects,as specified by the user interface diagram notation.However,a presentation modelling approach as proposed by the UML i user interface diagram is possible since form-based pre-sentations respect the Abstract Presentation Pattern1(APP)in Figure3.Thus, a user interface presentation can be described as an interaction object acting as a FreeContainer.The APP also shows the relationships between the abstract interaction objects.As we can see,the APP is environment-independent.In fact,a UI presen-tation described using the user interface diagram can be implemented by any object-oriented programming language,using several toolkits.Widgets should be bound to the APP in order to generate a concrete presentation model.In this way,each widget should be classified as a FreeContainer,Container, Inputter,Displayer,Editor or ActionInvoker.The binding of widgets to the APP can be described using UML[3].Widget binding is not efficient to yield afinal user interface implementation. In fact,UML i is used for UI modelling and not for implementation.However, we believe that by integrating UI builders with UML i-based CASE tools we canFigure3:The Abstract Presentation Patternproduce environments where UIs can be modelled and developed in a system-atic way.For instance,UI builder facilities may be required for adjusting UI presentation layout and interaction object’s colour,size and font.4Activity Diagram ModellingUML interaction diagrams(sequence and collaboration diagrams)are used for modelling how objects collaborate.Interaction diagrams,however,are limited in terms of workflow modelling since they are inherently sequential.Therefore, concurrent and repeatable workflows,and especially those workflows affected by users decisions,are difficult to model and interpret from interaction diagrams.Workflows are easily modelled and interpreted using activity diagrams.In fact,Statechart constructors provide a graphical representation for concurrent and branching workflows.However,it is not so natural to model object col-laboration in activity diagrams.Improving the ability to describe object col-laboration and common interaction behaviour,UML i activity diagrams provide greater support for UI design than UML activity diagrams.This section explains how activities can be modelled from use cases,how activity diagrams can be simplified in order to describe common interactive behaviours,and how interaction objects can be related to activity diagrams.4.1Use Cases and Use Case ScenariosUse case diagrams are normally used to identify application functionalities. However,use case diagrams may also be used to identify interaction activi-ties.For instance,a communicates association between a use case and an actor indicates that the actor is interacting with the use case.Therefore,forexample,in Figure4the CollectBook use case cannot identify an interaction activity since its association with Borrower is not a communicates associa-tion.Indeed,the CollectBook use case identifies a functionality not supported by the application.Figure4:A use case diagram for the BorrowBook use case with its component use cases.Use case scenarios can be used for the elicitation of actions[12].Indeed,ac-tions are identified by scanning scenario descriptions looking for verbs.However, actions may be classified as Inputters,Displayers,Editors or ActionInvokers. For example,Figure5shows a scenario for the SearchBook use case in Figure4. Three interaction objects can be identified in the scenario:∇providingthat specifies some query details;and displaysits title,authors,year,or a combination of this information.Addi-tionally,John can∇specifythe details of the matching books,if any.Figure5:A scenario for the SearchBook use case.4.2From Use Cases to ActivitiesUML i assumes that a set of activity diagrams can describe possible user interac-tions since this set can describe possible application workflows from application entry points.Indeed,transitions in activity diagrams are inter-object transi-tions,such as those transitions between interaction and domain objects that can describe interaction behaviours.Based on this assumption,those activity diagrams that belong to this set of activity diagrams can be informally classified as interaction activity diagrams.Activities of interaction activity diagrams can also be informally classified as interaction activities.The difficulty with this classification,however,is that UML does not specify any constructor for mod-elling application entry points.Therefore,the process of identifying in which activity diagram interactions start is unclear.The initial interaction state constructor used for identifying an application’s entry points in activity diagrams is introduced in UML i.This constructor is rendered as a solid square,,and it is used as the UML initial pseudo-state[9], except that it cannot be used within any state.A top level interaction activ-ity diagram must contain at least one initial interaction state.Figure6 shows a top level interaction activity diagram for a library application.Figure6:Modelling an activity diagram from use cases using UML i.Use cases that communicate directly with actors are considered candidate interaction activities in UML i.Thus,we can define a top level interaction ac-tivity as an activity which is related to a candidate interaction activity.This relationship between a top level interaction activity and a candidate interaction activity is described by a realisation relationship,since activity diagrams can describe details about the behaviour of candidate interaction activities.The diagram in Figure6is using the UML i activity diagram notation explained in the next section.However,we can clearly see in the diagram which top level interaction activity realises which candidate interaction activity.For instance, the SearchBook activity realises the SearchBook candidate interaction activity modelled in the use case diagram in Figure4.In terms of UI design,interaction objects elicited in scenarios are primitive interaction objects that must be contained by FreeContainers(see the APP in Figure3).Further,these interaction objects should be contained by FreeCon-tainers associated with top-level interaction activities,such as the SearchBookUI FreeContainer in Figure6,for example.Therefore,interaction objects elicited from scenarios are initially contained by FreeContainers that are related to top-level interaction through the use of a presents objectflow,as described in Section4.4.In that way,UI elements can be imported from use case diagrams to activity diagrams.For example,the interaction objects elicited in Figure5 are initially contained by the SearchBookUI presented in Figure6.4.3Selection StatesStatechart constructors for modelling transitions are very powerful since they can be combined in several ways,producing many different compound transi-tions.In fact,simple transitions are suitable for relating activities that can be executed sequentially.A combination of transitions,forks and joins is suitable for relating activities that can be executed in parallel.A combination of transitions and branches is suitable for modelling the situation when only one among many activities is executed(choice behaviour).However,for the de-signing of interactive applications there are situations where these constructors can be held to be rather low-level,leading to complex models.The following behaviours are common interactive application behaviours,but usually result in complex models.•The order independent behaviour is presented in Figure7(a).There, activities A and B are called selectable activities since they can be acti-vated in either order on demand by users who are interacting with the application.Thus,every selectable activity should be executed once dur-ing the performance of an order independent behaviour.Further,users are responsible for selecting the execution order of selectable activities.An or-der independent behaviour should be composed of one or more selectable activities.An object with the execution history of each selectable activity (SelectHist in Figure7(a))is required for achieving such behaviour.•The optional behaviour is presented in Figure7(b).There,users can execute any selectable activity any number of times,including none.In this case,users should explicitly specify when they arefinishing the Select activity.Like the order independent behaviour,the optional behaviour should be composed of one or more selectable activities.•The repeatable behaviour is presented in Figure7(c).Unlike the order independent and optional behaviours,a repeatable behaviour should have only one associated activity.A is the associated activity of the repeat-able behaviour in Figure7.Further,a specific number of times that the associated activity can be executed should be specified.In the case of the diagram in Figure7(c),this number is identified by the value of X.An optional behaviour with one selectable activity can be used when aselectable activity can be executed an unspecified number oftimes.(a)(b)(c)Figure7:The UML modelling of three common interaction application be-haviours.An order independent behaviour is modelled in(a).An optional behaviour is modelled in(b).A repeatable behaviour is modelled in(c).As optional,order independent and repeatable behaviours are common in interactive systems[5],UML i proposes a simplified notation for them.The no-tation used for modelling an order independent behaviour is presented in Fig-ure8(a).There we can see an order independent selector,rendered as a circle overlying a plus signal,⊕,connected to the activities A and B by return transi-tions,rendered as solid lines with a single arrow at the selection state end and a double arrow at the selectable activity end.The order independent selector identifies an order independent selection state.The double arrow end of return transitions identify the selectable activities of the selection state.The distinc-tion between the selection state and its selectable activities is required when selection states are also selectable activities.Furthermore,a return transition is equivalent of a pair of Statechart transitions,one single transition connecting the selection state to the selectable activity,and one non-guarded transition connecting the selectable activity to the selection state,as previously modelled in Figure7(a).In fact,the order independent selection state notation can beconsidered as a macro-notation for the behaviour described in Figure7(a).(b)The notations for modelling optional and repeatable behaviours are similar, in terms of structure,to the order independent selection state.The main dif-ference between the notation of selection states is the symbols used for their selectors.The optional selector which identifies an optional selection state is rendered as a circle overlaying a minus signal, .The repeatable selector which identifies a repeatable selection state2is rendered as a circle overlaying a times signal,⊗.The repeatable selector additionally requires a REP constraint,as shown in Figure8(c),used for specifying the number of times that the asso-ciated activity should be repeated.The value X in this REP constraint is the X parameter in Figure7(c).The notations presented in Figures8(b)and8(c) can be considered as macro-notations for the notation modelling the behaviours presented in Figures7(b)and7(c).4.4Interaction Object BehaviourObjects are related to activities using objectflows.Objectflows are basically used for indicating which objects are related to each activity,and if the objects are generated or used by the related activities.Objectflows,however,do not describe the behaviour of related objects within their associated activities.Ac-tivities that are action states and that have objectflows connected to them can describe the behaviour of related objects since they can describe how methods may be invoked on these objects.Thus,a complete decomposition of activities into action states may be required to achieve such object behaviour description. However,in the context of interaction objects,there are common functions that do not need to be modelled in detail to be understood.In fact,UML i pro-videsfive specialised objectflows for interaction objects that can describe these common functions that an interaction object can have within a related activity. These objectflows are modelled as stereotyped objectflows and explained as follows.•An interacts objectflow relates a primitive interaction object to an action state,which is a primitive activity.Further,the objectflow indi-cates that the action state involved in the objectflow is responsible for an interaction between a user and the application.This can be an interaction where the user is invoking an object operation or visualising the result of an object operation.The action states in the SpecifyBookDetails activity, Figure9,are examples of Inputters assigning values to some attributes of the SearchQuery domain object.The Results in Figure9is an exam-ple of a Displayer for visualising the result of SearchQuery.SearchBook().As can be observed,there are two abstract operations specified in the APP (Figure3)that have been used in conjunction with these interaction ob-jects.The setValue()operation is used by Displayers for setting the values that are going to be presented to the users.The getValue()op-eration is used by Inputters for passing the value obtained from the users to domain objects.Figure9:The SearchBook activity.•A presents objectflow relates a FreeContainer to an activity.It spec-ifies that the FreeContainer should be visible while the activity is ac-tive.Therefore,the invocation of the abstract setVisible()operation of the FreeContainer is entirely transparent for the developers.In Figure9 the SearchBookUI FreeContainer and its contents are visible while the SearchBook activity is active.•A confirms objectflow relates an ActionInvoker to a selection state. It specifies that the selection state hasfinished normally.In Figure9the event associated with the“Search”directly related to it.The optional selection state in the SpecifyBookDetails relies on theSpecifyDetails a user is also confirming the optional selection state in SpecifyBookDetails.•A cancels objectflow relates an ActionInvoker to any composite ac-tivity or selection state.It specifies that the activity or selection state has notfinished normally.Theflow of control should be re-routed to a previ-ous state.Theinteraction objects of abstract use cases are also very abstract,and may not be useful for exporting to activity diagrams.Therefore,the UML i method suggests that interaction objects can be elicited from less abstract use cases.Step3Candidate interaction activity identification.Candidate interaction activities are use cases that communicate directly with actors,as described in Section4.1.Step4Interaction activity modelling.A top level interaction activity diagram can be designed from identified candidate interaction activities.A top level in-teraction activity diagram must contain at least one initial interaction state. Figure6shows a top level interactive activity diagram for the Library case study.Top level interaction activities may occasionally be grouped into more abstract interaction activities.In Figure6,many top level interaction activ-ities are grouped by the SelectFunction activity.In fact,SelectFunction was created to gather these top level interaction activities within a top level interaction activity diagram.However,the top level interaction activities,and not the SelectFunction activity,remain responsible for modelling some of the major functionalities of the application.The process of moving from candidate interaction activities to top level interaction activities is described in Section4.2. Step5Interaction activity refining.Activity diagrams can be refined,decom-posing activities into action states and specifying objectflows.Activities can be decomposed into sub-activities.The activity decomposition can continue until the action states(leaf activities)are reached.For instance, Figure9presents a decomposition of the SearchBook activity introduced in Figure6.The use of interacts objectflows relating interaction objects to action states indicates the end of this step.Step6User interface er interface diagrams can be refined to support the activity diagrams.User interface modelling should happen simultaneously with Step5in order to provide the activity diagrams with the interaction objects required for describing action states.There are two mechanisms that allow UI designers to refine a conceptual UI presentation model.•The inclusion of complementary interaction objects allows designers to improve the user’s interaction with the application.•The grouping mechanism allows UI designers to create groups of interac-tion objects using Containers.At the end of this step it is expected that we have a conceptual model of the user interface.The interaction objects required for modelling the user interface were identified and grouped into Containers and FreeContainers.Moreover,the interaction objects identified were related to domain objects using action states and UML iflow objects.Step7Concrete presentation modelling.Concrete interaction objects can be bound to abstract interaction objects.The concrete presentation modelling begins with the binding of concrete inter-action objects(widgets)to the abstract interaction objects that are specified by the APP.Indeed,the APP isflexible enough to map many widgets to each abstract interaction object.Step8Concrete presentation refier interface builders can be used for refining user interface presentations.The widget binding alone is not enough for modelling a concrete user interface presentation.Ergonomic rules presented as UI design guidelines can be used to automate the generation of the user interface presentation.Otherwise,the concrete presentation model can be customised manually,for example,by using direct manipulation.6ConclusionsUML i is a UML extension for modelling interactive applications.UML i makes extensive use of activity diagrams during the design of interactive applications. Well-established links between use case diagrams and activity diagrams explain how user requirements identified during requirements analysis are described in the application design.The UML i user interface diagram introduced for mod-elling abstract user interface presentations simplifies the modelling of the use of visual components(widgets).Additionally,the UML i activity diagram notation provides a way for modelling the relationship between visual components of the user interface and domain objects.Finally,the use of selection states in activity diagrams provides a simplification for modelling interactive systems.The reasoning behind the creation of each new UML i constructor and con-straint has been presented throughout this paper.The UML i notation was en-tirely modelled in accordance to the UML i meta-model specifications[2].This demonstrates that UML i is respecting its principle of being a non-intrusive ex-tension of UML,since the UML i meta-model does not replace the functionalities of any UML constructor[2].Moreover,the presented case study indicates that UML i may be an appropriate approach in order to improve UML’s support for UI design.In fact,the UIs of the presented case study were modelled us-ing fewer and simpler diagrams than using standard UML diagrams only,as described in[3].As the UML i meta-model does not modify the semantics of the UML meta-model,UML i is going to be implemented as a plug-in feature of the ARGO/UML case tool.This implementation of UML i will allow further UML i evaluations using more complex case studies.Acknowledgements.Thefirst author is sponsored by Conselho Nacional de Desenvolvimento Cient´ıfico e Tecnol´o gico-CNPq(Brazil)–Grant200153/98-6.。

关于：IATF为了加强TS16949的价值和可信度，通过发布认证导则第四版“提升认证门槛”1. Site extensions制造现场延伸场地Site extensions as defined previously will no longer exist as part of the ISO/TS 16949 Certification Scheme.制造现场延伸场地将不再存在于ISO/TS 16949 认证方案中IATF will withdraw, and therefore make obsolete, the current possibility to include site extensions effective 1st of April 2014. IATF 将从2014 年4 月1 日开始撤销并从而废除, 目前包含现场延伸场地的的认证Clients with an existing manufacturing site extension will need to transition this site extension to a single site between the time period of 1st of April 2014 – 1st of April 2015. 现有制造现场延伸场地的客户将需要按CB 公告2013-006 所述流程在2014 年4 月1日至2015 年4 月1 日期间将其转换为单个现场.Different Choices for transition”您可以选择下列方案之一进行“转换”：1 Single Site Certification单现场认证2 Corporate Scheme, if comply with Rules 5.3TÜV Rheinland Greater ChinaPage 2 of 7如果满足认证规则5.3 条款关于“集团审核方案”的要求，可与现在主证书相结合，形成“集团审核方案”。

Models of Software Systems Fall 2004ObjectivesScientific foundations for software engineering depend on the use of precise, abstract models and logics for characterizing and reasoning about properties of software systems. There are a number of basic models and logics that over time have proven to be particularly important and pervasive in the study of software systems. This course is concerned with that body of knowledge. It considers many of the standard models for representing sequential and concurrent systems, such as state machines, algebras and traces. It shows how different logics can be used to specify properties of software systems, such as functional correctness, deadlock freedom, and internal consistency. Concepts such as composition mechanisms, abstraction relations, invariants, non-determinism, and inductive and denotational descriptions are recurrent themes throughout the course.By the end of the course you should be able to understand the strengths and weaknesses of certain models and logics, including state machines, algebraic and trace models, and temporal logics. You should be able to apply this understanding to select and describeabstract formal models for certain classes of systems. Further, you should be able to reason formally about the elementary properties of modeled systems.OrganizationLectures. Classes meet Monday & Wednesday, 5:30-6:50 am, in Newell-Simon 1305.Communication. We will be using the CMU Blackboard System this year for distributing most course materials, providing a general course bulletin board, and keeping track of student email addresses. In addition you can useOffice Hours: The instructor and the TAs have weekly office hours, listed above. We are also available other times by appointment.1.Email: We welcome email about the course at any time.2.Readings. Most lectures will have a reading assignment that we expect you to complete before you come to class. There is one required textbook for the course: Concurrency: State Models and Java Programs, by Magee and Kramer [MK99]. In addition, there is an optional companion text Using Z: Specification, Refinement, and Proof, by Woodcock and Davies [WD96]. This text is available on-line at /.An optional reference book may also be useful: The Z Notation: A Reference Manual, Second Edition, by J. M. Spivey (available on the web through /~mike/zrm). Some readings are in the form of handouts to supplement lectures; other additional readings are technical papers. These will be made available as needed throughout the course. Finally, for supplementary detail, there are a number of books noted in the References section at the end of this document.Homework Assignments. The course is organized around (roughly) weekly homework assignments and a set of three projects. The purpose of the assignments and projects is to give you practice in using the models, logics, and tools of the course. We encourage you to discuss your homework with other students, but the final write-up must be your own work.To give you the most opportunities to learn from the homework assignments, we will allow you to redo problems that didn't receive a passing grade. A redone homework must be turned in at the class following the one on which it is handed back. Problems done correctly the first time will be given more weight in the final grade.Projects. We will be assigning three group projects that are designed to give you a chance to apply the ideas of the course tosemi-realistic case studies. Each project will be completed by a team. Team members are expected to participate equally in the projects.We will distribute a team peer evaluation at the end of the semester.On-line materials. Most of the course materials will be available electronically via the CMU Blackboard System(/blackboard/). You will find copies of the lecture slides, handouts, homework, and readings. It will be your responsibility to make copies of these to bring to class or to use for homework.Some of the course materials have web sites. These are:Using Z: /Concurrency: State Models and Java Programs: /concurrency/The Z Notation: /~mike/zrm/PhD Option. Students taking the course for PhD credit students will be required to complete a course project. This project is described in separate handout.Exams. There will be a (take-home) mid-term (handed out Wednesday, October 20, due back Friday, October 22 by 5:00 p.m.) and a formal (in-class) final examination. Both exams will be open-book.Grading. The course grade will be determined as a combination of five factors: homework assignments (30%), projects (30%), midterm exam (15%), and final exam (25%). Final grades may be adjusted based on instructors judgment.Bold refers to Using Z [WD96].*Marks classes that follow a holiday.。

计算机软件与理论专业课程介绍（P39－P71）课程编号：S0115010812001课程名称：自然辩证法课程英文名称：Politics学分：2 周学时：2 总学时：36课程性质：工程硕士学位必修适用专业：软件工程、计算机软件与理论教学内容及基本要求：教学内容：掌握近代科学的诞生情况；尤其了解当代自然科学对社会正在产生的深远影响。

教学要求：主要通过课堂教学的方式，使学生理解自然科学的起源及其发展规律，了解自然科学与社会的相互关系，了解著名科学家的生平及工作方式。

考核方式及要求：考试学习本课程的前期课程要求：无教材及主要参考书目、文献与资料：1、《宗教与现代科学的兴起》，R. 霍伊卡著，四川人民出版社，1991年。

2、《科学的历程》，（上下两册）吴国盛著，湖南科技出版社，1997年。

3、《进化的阶梯》，陈蓉霞著，中国社会科学出版社，1996年。

4、《科学与近代世界》，N. 怀特海著，商务印书馆，1989年。

5、《意大利文艺复兴时期的文化》，布克哈特著，商务印书馆，1991年。

填写人：陈蓉霞审核人：姜宁康课程编号：S1*******、 S1*******课程名称：英语口译翻译课程英文名称：English Interpretation学分：2 周学时：2 总学时：72课程性质：工程硕士学位适用专业：软件工程、计算机软件与理论教学内容及基本要求：积累实用英语词汇和表达方式，了解中外翻译历史和翻译标准的演变、英语汉语表达差异、单词层面的翻译技巧、翻译措辞、定语从句的翻译、被动句式的翻译、长句的翻译、成语、习语、俗语的翻译、人名、地名、数字等细节的翻译、汉语特殊句型的翻译、说明文翻译、科技英语翻译、论述文体翻译、文学翻译、实用文体翻译、翻译常见错误分析等考核方式及要求：考试学习本课程的前期课程要求：无教材及主要参考书目、文献与资料：1、所有有关“口译翻译理论与实践”书籍均可参考2、网上资源：鼓励学生上网浏览英语网站，积累实用英语词汇和表达方式填写人：严文庆审核人：姜宁康课程编号：S1*******课程名称：英语写作课程英文名称：English Translation学分：2 周学时：2 总学时：72课程性质：工程硕士学位必修适用专业：软件工程、计算机软件与理论教学内容及基本要求：This course will thoroughly familiarize students with reading skills andhelp them to read more effectively by developing the various skills neededfor successful reading comprehension. Instruction also includes vocabulary building strategies, grammar review, and writing strategies.考核方式及要求：考试学习本课程的前期课程要求：无教材及主要参考书目、文献与资料：教材：练习讲义，随堂分发，Effective Reading课程编号：S1******* 课程名称：专业英语课程英文名称：Computer English学分：2周学时：4总学时：36课程性质：工程硕士学位必修适用专业：软件工程、计算机软件与理论教学内容及基本要求：本课程旨在提高学生计算机英语文献的阅读能力。

CASE STUDY: THE IMPACT OF TECHNOLOGY ON EDUCATION1. IntroductionTechnology has be an integral part of our d本人ly lives, and its influence on education cannot be understated. In this case study, we will explore the impact of technology on education, including its benefits and challenges.2. Evolution of Technology in EducationOver the years, technology has revolutionized the way education is delivered and received. From the introduction ofputers in classrooms to the implementation of online learning platforms, technology has transformed the traditional educational landscape.3. Benefits of Technology in Education3.1 Enhanced Learning ExperienceTechnology has enabled educators to create interactive and engaging learning materials, making the learning process more enjoyable and effective for students.3.2 Access to InformationWith the internet and online databases, students have access to a wealth of information at their fingertips, allowingthem to explore beyond the confines of the traditional classroom.3.3 Personalized LearningTechnology has made it possible for educators to t本人lor learning materials to individual student needs, providing a personalized learning experience for each student.4. Challenges of Technology in Education4.1 Technology-DependentThe overreliance on technology in education can lead to a lack of critical thinking and problem-solving skills in students.4.2 Privacy and Security ConcernsThe use of technology in education r本人ses concerns about student privacy and data security, especially in online learning environments.4.3 Technology AccessibilityNot all students have equal access to technology, creating a digital divide that may hinder their learning opportunities.5. Case Studies5.1 Flipped Classroom ModelThe flipped classroom model utilizes technology to deliver instructional content outside of the classroom, allowing formore active and engaged learning during class time.Case Study: A high school in Florida implemented the flipped classroom model and saw a significant improvement in student engagement and academic performance.5.2 Online Learning PlatformsOnline learning platforms provide students with the flexibility to learn at their own pace and convenience, breaking down geographical barriers to education.Case Study: A university in the United Kingdom adopted online learning platforms and witnessed an increase in enrollment and student satisfaction.6. Rmendations for Future Integration of Technology in Education6.1 Digital Literacy Tr本人ningEducators should receive tr本人ning on how to effectively integrate technology into their teaching practices, ensuring that students develop essential digital literacy skills.6.2 Equity in Access to TechnologyEfforts should be made to bridge the digital divide and ensure that all students have equal access to technology for learning purposes.6.3 Data Privacy and Security MeasuresEducational institutions should prioritize the implementation of robust data privacy and security measures to protect student information in digital learning environments.7. ConclusionAs technology continues to advance, its impact on education will only grow in significance. By understanding the benefits and challenges of technology in education, we can work towards harnessing its potential to provide quality and equitable education for all.。

I. J. Computer Network and Information Security, 2017, 10, 50-56Published Online October 2017 in MECS (/)DOI: 10.5815/ijcnis.2017.10.06Improving Security Using a Three-Tier Authentication for Automated Teller Machine(ATM)Moses O. OnyesoluDepartment of Computer Science, Nnamdi Azikiwe Univerity, Awka, 420001, Nigeria.E-mail: mo.onyesolu@.ngAmara C. OkpalaDepartment of Computer Science, Nnamdi Azikiwe Univerity, Awka, 420001, Nigeria.E-mail: amaraokpala@Received: 20 February 2017; Accepted: 16 March 2017; Published: 08 October 2017Abstract—The current use of Personal Identification Number (PIN) for verification of the validity of a customer’s identity on Automated Teller Machine (ATM) systems is susceptible to unauthorized access and illegal withdrawal of cash from the ATM, hence, the need for more reliable means of carrying out user authentication. We present a three-tier authentication model with three layers of authentication using password, fingerprint and One-Time-Password (OTP). The identity of an ATM user is validated using password, fingerprint and OTP. Object-Oriented Analysis and Design Methodology (OOADM) was employed in the investigation of the existing system and analysis of the proposed system. Microsoft Visual and Microsoft SQL Server were employed in the implementation of the system. The result is a three-tier authentication model for ATM. Alphabetic keys and some special character keys were introduced to the existing numeric keypad for authentication. The ATM was interfaced with a fingerprint reader for improved security.Index Terms—Automated Teller Machine, Authentication, Password, Fingerprint, One-Time-Password, Security.I.I NTRODUCTIONAutomated Teller Machine (ATM) is considered the commonest e-banking technology adopted by banks. This assertion was supported by the report of the Nigeria Interbank Settlement System (NIBSS) in its electronic payment factsheet for 2016, which disclosed that the value of cash withdrawals through ATMs rose sharply to 4.7 trillion, indicating appetite for cash transactions among Nigerians [1]. ATM is a computerized machine that provides customers of banks the facility of accessing their accounts for dispensing cash and to carry out other financial transactions without the need for a human cashier, clerk or bank teller[2].It combines a computer terminal, recordkeeping system, and cash vault in one unit, permitting customers to enter a financial firm’s bookkeeping system either with plastic card containing a personal identification number (PIN) or by punching a special code number into a computer terminal linked to the financial firm’s computerized recor ds 24 hours a day [3]. ATMs have been adopted by banks because they offer considerable benefits to both banks and their depositors. The most exciting experience for customers as well as bankers is that the ATM is replacing all the difficulties of bank transactions such as personal attendance of the customer, banking hour restrictions and paper-based verification [4]. It is quite easy to withdraw money from ATM instantaneously at any time. ATMs allow one to perform multiple banking functions such as withdrawal of cash, making balance enquiries, transferring money from one account to another, paying insurance premium, making small loans and payment of bills.Notwithstanding the numerous benefits of ATM systems, security of customers’ information has become a huge challenge and source of worry not only on the part of the banking industry but also to the customers. Criminals tamper with the ATM and steal users’credit card and password by illegal means [5]. ATMs eliminate the need for round-the-clock human involvement and tend to be located in places that make them more vulnerable to attack as they are often attractive targets for perpetrators [6]. Activities of card fraudsters has been on the increase, this is as a result of the growth of the number of ATM card holders, e-payment awareness and deployment of ATM cash points, [7]. The proliferation of identity theft among ATM users calls for a more reliable method of carrying out the validity of customer s’ identity. In conventional ATM systems, authentication of use rs’ identity is performed using an ATM card and PIN. This method has some shortfalls as stolen cards can be used by unauthorized users to access customers’ account details if the PIN is known to them. This is possible because many ATM users resort to the use of PIN that is simple and canbe remembered easily such as birthdays and social security numbers.However, the introduction of three-tier authentication model to ATM system will in no small measure provide solution to the problem of identity theft which has bedeviled the conventional ATM. The use of password in place of PIN, biometrics identifier (fingerprint) and OTP to verify the validity of customers’ identity at three different layers of authentication will provide a robust security. Biometric identifier is a biological authentication based on some physical characteristics of the human body [8]. Authentication with biometric is reliable and always available. This is because it cannot be lost, stolen, forgotten or forged. An OTP is a passcode that is valid for only one login session or one single transaction. It expires once it is used [9]. The most important advantage addressed by OTP is that it is not vulnerable to replay attack in contrast to static password. The use of three-tier authentication model will undoubtedly improve ATM security by eliminating the rate of card fraud, currency fraud and identity theft thereby restoring the confidence of customers on the use of ATM systems.II.R ELATED W ORKSPatil, Chandrekar, Chavan and Chaudhri [10] proposed an ATM system built on the technology of embedded system. It uses an 8-bit AT Mega 16 microcontroller developed by Microchip technology and the original verifying method (the use of PIN) to authenticate users. Reference [10] aimed at improving ATM security through the use of biometrics technology (fingerprint). This ATM system is related to the model presented (three-tier authentication model) in the use of biometric authentication. However, the system by [10] employed PIN authentication as a second factor authentication. The use of PIN is susceptible to replay attack and illegal access to customers’ credentials. If a false acceptance rate error occurs with the fingerprint device, a criminal with the correct PIN of an account holder can easily access the customer’s account illegally.Jaynthi and Sarala [11] developed an ATM system that uses PIN for user authentication. The system sends an approval SMS alert to the corresponding mobile phone number of an account holder upon a successful authentication. An acceptance message received from the account holder grants access to the user else access is denied. Simultaneously, the image of the person who made the transaction is sent to the e-mail account of the bank and that of the account holder. If any misuse of card or ATM hijack occurs, the system automatically alerts both the bank manager and the police by switching on a buzzer. The system achieves this through the use of GSM technology and Internet communication network. Iwasokun and Akinyokun [12] developed a fingerprint-based authentication framework for ATM. This ATM system is based on fingerprint authentication, eliminating the use of PIN and ATM card for authentication. The Internet serves as the operational environment and platform for the system. The thumbprint database of customers is available on the Internet. User verification involves enrollment, enhancement, feature extraction and matching. This work is related to the current study in the use fingerprint authentication. However, it has some defects such as the use of PIN as a means of authentication. The use of PIN is considered to be unreliable, in that if false acceptance rate occurs, the security of the system will be greatly compromised. Again, hosting sensitive information as customer s’ fingerprint database on the Internet could be risky as well since cybercrime has been prevalent in recent times. Shimal and Jhunu [13] presented an enhanced ATM security system using two-level authentication where PIN and OTP were both used for user authentication. This second level authentication (the use of OTP) was employed if a customer wishes to exceed a specified withdrawal limit otherwise the customer is authenticated using only PIN. This ATM system operates in two modes. The first mode operates like the traditional ATM system when a customer-specified withdrawal limit is yet to be attained. The second mode is an enhancement on the traditional ATM system. It is only used when a customer wishes to exceed the withdrawal limit.Malviya [14] developed an ATM authentication model which uses face recognition technique to authenticate users for improved security. The ATM system consists of embedded camera that recognizes the face standing about 2 feet far in front of the system and performs matches against the facial database. The findings of Mwaikali [15] identified insecurity as one of the major challenges facing ATM users in Tanzania.III.T HE P ROPOSED T HREE-T IER ATM A UTHENTICATIONM ODELWe developed and implemented a an ATM model using three-tier authentications adopting the Object-Oriented Analysis and Design Method (OOADM). The investigative phase of the OOADM was deployed as the paradigm for systematic study in order to obtain information on the current trends in the research area of ATM. The information obtained necessitated the definition of a high-level model (Fig. 1). Universal model language (UML) diagrams were also used to represent processes within system. The implementation of the three-tier authentication model for ATM was achieved using a combination of windows operating system, Microsoft Visual and Microsoft SQL Server. The system uses three different layers of authentication to validate ATM users’ identity to foster improved security. The three authentication mechanisms used are: password, biometric identifier (fingerprint) and OTP. The system is made up of alphabetic keys, numeric keys and some special character keys for authentication (Fig. 2). The ATM was interfaced with a fingerprint reader for improved security. In addition, the system also has a card reader, cash dispenser, screen, fingerprint scanner, and bank database. When the system is idle, a greeting message is displayed, the keys on the keypad remaininactive until a bank card has been inserted.A. Customer RegistrationTo perform a transaction, a customer is expected to undergo a registration process in order to obtain an ATM card. During the registration, the cust omer’s personal detail is taken including the mobile phone number where OTP will be sent to. Fingerprint enrollment of customers is also carried out during registration and stored in the bank database together with other personal details. At the end of the registration process, the customer is issued an ATM card and a passcode which has to be changed to password of choice.Fig.1. High Level Model of the Proposed SystemB. User AuthenticationThe system proposes character password and OTP of more than four (4) characters. In this system and for the purpose of demonstration, a six-character password and an eight-character OTP were used. At the ATM, the customer inserts an ATM card into the card reader slot, after card validation, the system prompts that password be supplied by the customer which will be displayed on a screen. This is the first level of authentication; the customer uses the keypad to input six (6) alphanumeric characters as password.Fig.2. Alphanumeric KeypadThis is one of the distinguishing features of the proposed system. The system validates the password by comparing it with the one encoded on the card, if there is a match, the user proceeds to the second level of authentication which is the use of biometric identifier (fingerprint). A fingerprint is provided by the customer using the fingerprint scanner. The system compares the fingerprint with the one encoded on the card, if there is a match the user is provided with the final stage of authentication, which is the use of OTP. The customer is required to enter eight (8) characters OTP generated by the system and sent to the customer’s mobile phone. If the OTP is correct and entered within the specified time limit, the customer is authenticated and granted access to perform the transaction of choice which could be withdrawal, change of password, balance inquiry or transfer of fund.The transaction goes through a network and connect s to customer’s’ account in the bank’s database. The cash dispenser provides cash to the customer in the case of withdrawal transaction, if the customer wishes to perform no other transaction, a transaction receipt is printed and card ejected.C. Modeling the Functions of the Proposed SystemUse case modeling was used to model the functions of the system in terms of business events, who initiated the events, and how the system responds to the events. The use case models of the proposed system are shown in Fig. 3a. and Fig. 3b.D. Justifcation of the Proposed Three-Tier Authentication Model1.The system provides strong security with the use ofbiometric identifier and alphanumeric characters for password. This password becomes very difficult if notimpossible to be guessed correctly by fraudsters2. ATM card theft will be reduced since a person’s biometric is not transferrable. This is required before a successful authentication process.3. The level of security provided by the system will make it impossible for would-be perpetrators. This will discourage ATM fraud.4. The problem of replay attack is completely eliminated with the use of OTP.5. Custo mers’ confidence will be restored on the use of ATM to meet their banking needsFig.3a. Use Case Model of Events Initiated by CustomersFig.3b. Use Case Model of Events Initiated by Bank PersonnelIV. D ESIGN OF THE T HREE -T IER A UTHENTICATIONM ODEL Three-Tier Authentication Model seeks to design an ATM system with three layers of authentications – the use of password, fingerprint and OTP. Therefore, the system is interfaced with a fingerprint scanner for biometric authentication and it is capable of generating token as OTP. In addition, the system introduced alphabets and special characters to the existing numeric keypad of an ATM system. The design is aimed at providing robust security to the existing card-based ATM system by eliminating the problem of identity theft through the introduction of password as a substitute for PIN, and the use of fingerprint and OTP for second and third tier- authentication respectively. A. High Level Model (HLM) of the SystemThe HLM of the system (Fig. 1) presents the primary list of the system components from which the subsystems evolved. The proposed system is a complex one, hence, the need to break the system into subsystem for easy manageability.B. CusomerSubsystemThe Three-Tier Authentication Model consists of the customer and staff subsystems respectively as depicted in Fig. 1. The customer subsystem enables a customer to perform transactions such as withdrawal, fund transfer, balance inquiry and change password. However, before a customer can perform any transaction, the customer must undergo authentication to avoid unauthorized access to customers’ account details. The customer authentication subsystem handles the authentication process. The first level of authentication involves the use of six-character password, which is a combination of numbers, alphabets and special characters. The interface is shown in Fig. 4.Fig.4. First-Tier of User AuthenticationIf there is a match with the password encoded on the customer’s card, the customer is prompted with the second level of authentication which is the use of fingerprint.Fig.5. Second-Tier of User AuthenticationThe customer at this level provides a live fingerprint template using the fingerprint scanner attached to the ATM system. The fingerprint interface is depicted in Fig. 5. If there is a match with the one encoded on the card an OTP will be generated automatically and sent to the customer’s mobile phone. The customer will be prompted with the last level of authentication to supply the eight-character OTP received using the interface as shown in Fig. 6.Fig.6. Third-Tier of User AuthenticationIf the OTP entered is correct the customer will be granted access to perform transaction of choice. However, at every level of authentication, if a customer supplies a wrong parameter (password, fingerprint template or OTP), two more attempts will be granted to the customer to provide the correct parameter else the session will be terminated and card ejected. C. Staff SubsystemThe staff subsystem enables the bank personnel to perform ATM related tasks. Bank personnel must be authenticated before having access to the system. The bank personnel authentication interface is shown in Fig. 7.Fig.7. Bank Personnel AuthenticationThe bank personnel are saddled with the responsibility of opening a new account for customers, registering customers for ATM usage and issuance of ATM cards. Customers’ details collated by the bank personnel are stored in the bank’s database. Account opening interface is shown in Fig. 8. D. Transaction SubsystemThe transaction subsystem handles different transactions that can be performed by a customer. The interface is shown in Fig. 9. If a withdrawal transaction is selected, the user will be asked to specify the amount to be withdrawn. If the account contains sufficient fund, the fund will be dispensed to the user through the cashdispenser.Fig.8. Account Opening InterfaceIn the case of balance inquiry, the user will be asked to specify the account whose balance is requested, the balance will be displayed on the screen. In fund transfer transaction, the user will be asked to specify the account and bank in which the fund is to be transferred to and the amount to transfer. For change of password transaction, the user specifies the old password, the new password and confirms the new one for change to be effected.Fig.9. Transaction ModuleE. DatabaseThe database development tool used in the study is Microsoft SQL Server. It is a software product with the primary function of storing and retrieving data. The system proposed contains tables in the database, relationship among tables were created because a database consisting of independent and unrelated tables serves little purpose, this can lead to data redundancy and update inconsistency. The database used by the proposed ATM system stores customers account details. F. AlgorithmInsert ATM cardDO WHILE count <= 3PRINT ‘Enter Account number’ PRINT ‘Enter Password’IF Password = ‘Password’ And Account number =‘Account number’ THENPRINT ‘Capture fingerprint’IF fingerprint =’fingerprinttemplate’ THENPRINT ‘Enter OTP’IF OTP = ‘OTP passcode’ THEN GOTO 5050 PRINT ‘Select Option’REPEAT PRINT ‘1. Make withdrawal’PRINT ‘2. Make inquiry’PRINT ‘3. Change password’PRINT ‘4. Transfer fund’PRINT ‘5. Quit’IF Option = 1 THENPRINT ‘Enter amount to withdraw’Balance = Balance – amountELSEIF Option = 2 THENPRINT ‘Your Balance’ = BalanceELSEIF Option = 3 THENPRINT ‘Enter new Password’PRINT ‘Confirm Password’IF Newpassword = Confirmpassword THENPRINT ‘Password change successful’ELSEIF Option = 4 THENPRINT ‘Enter receiver’s account number’PRINT ‘Enter Amount’UNTIL Option = 5STOPV.R ESULTSThe result of the proposed Three-Tier Authentication Model for ATM a system with improved security, interfaced with a fingerprint scanner for biometric authentication and an ATM keypad with a modified form factor. The incorporation of alphabets and special character keys to the existing numeric keys changed the form factor of the keypad. The system is also capable of generating OTP for third-tier authentication to eliminate any possibility of replay attack. The system was evaluated alongside the existing system in terms of speed and the level of security each provides.A. SecurityThe existing systems employ only one means of verifying customers’ identity. In the case of identity theft, where a successful guess is made on a customer’s PIN by fraudsters or where customers’ debit cards and PINs are stolen or forcefully taken from them, cash are withdrawn from the ATM through illegal means. This undoubtedly leads to huge financial loss to both the customer and the bank.However, the new system provides improved security on ATM system by employing the use of three different authentication mechanisms. The essence is to cover up every loophole which could lead to identity theft. It is obvious that the three security protocols can never fail at the same time, hence, eliminating the problem of identity theft completely.Again, to prove the level of security the new system provides, different wrong passwords, OTPs and fingerprint templates were tried on the system but access was denied in all cases. This is an indication that the new system provided robust security and cannot be hacked by criminals whose aim is to withdraw customers’ cash illegally in a short time.B. SpeedTime taken to complete user authentication was collated for two categories of users who underwent authentication three times both in the existing system and the proposed system. The result was tabulated as shown in Table 1 and represented using a line chart in Fig. 10. Table 1. Time Taken to Complete Authentication in both the ExistingSystem and the Proposed SystemGroup A in Table 1 represents the existing system while Group B represents the proposed system. Three categories of users performed experiment with both systems to determine the total time it takes each user to complete authentication process in both systems. The result is presented (Fig. 10).Fig.10. Line Chart of the Time Taken to Complete AuthenticationProcess in both the Existing System and the Proposed System. Comparing the results from Table 1 and Fig. 10, it is evident that authentication process is faster with the existing system than the proposed system. It takes more time to be authenticated in the proposed system. This is as a result of three levels of authentication compared to one level of authentication in the existing system. It is important to note that security cannot be traded for speed.VI.C ONCLUSIONThe problem of identity theft, unauthorized access to customers’ ac count details and illegal withdrawal of cash from the ATM will be completely eliminated with the adoption of the proposed Three-Tier Authentication Model as the current use of PIN for ATM user’sverification and identification is marred with some level of insecurity. This Three-Tier Authentication Model uses password, biometric identifier and OTP to verify the validity of user’s identity at three different layers of authentication. These three authentication mechanisms must be in the affirmative before access is granted to the user. The adoption of the new system by financial institutions will strengthen the security of ATM systems and restore the confidence of customers. The study will no doubt foist a sense of futility on would-be perpetrators. This will discourage ATM fraud. Bank customers are reassured that their account details and cash cannot be tampered with, hence, better service delivery which will attract many customers to use ATM.R EFERENCES[1] B. Komolafe (2017, Jan.). Nigerians withdraw N4.7trillion through ATM in 2016 [Online]. Available: Http://www. /2017/01/nigerians-withdraw-n4-7-trillion-atms-2016.[2] N.Y. Asabere, R.O. Baah and A.A. Odefiya, “Measuringstandards and service quality of Automated Teller Machines (ATMs) in the banking industry of Ghana,” International Journal of Information and Communication Technology Research, vol 2, issue 3, pp 216– 226, 2012. [3] P.S. Rose and S.C. Hudgins, Management and FinancialServices, 9th ed. New York: McGraw-Hill, 2013.[4] J. Hota. (2012) “Window -based and web-enabled ATM:issues and scopes,” The IUP Journal of Information Technology, vol. 3, issue 4, pp 52-59. Available: /5043734 /windows-based-and-web-enabled-ATMs-issues-and-scopes[5] H.A. Hayder (2011) “Implementing addition al securitymeasure on ATM through biometric [Online]. Available: .my/2576[6] Diebold Incorporated (2012). ATM fraud and security.[Online]. Available: http:// securens.in/pdfs/KnowledgeCenter /5_ATM %20Fraud% 20and%20Security.pdf[7] S.A. Adelewo. (2010, August). “Challenges of automatedteller machine (ATM) usage and fraud occurrences in Nigeria. A case study of selected banks in Minna metropolis,” Journal of Internet Banking and Commerce, vol. 5, issue 2, pp 10-20. Available: / commerce /jibc[8] S.T. Bhosale and B.S. Sawant, “Security in e -banking viacardless biometric ATMs,” International Journal of Advanced Technology and Engineering Research (ITATER), vol. 2 issue 4, pp 9-12, July 2012.[9] Gemalto (2011, Feb). One-Time-Password Solution forSecure Network Access. [Online]. Available: /brochures-site/download-site/Documents/ent_otp_secure _access.pdf[10] B. Patil, B.S. Chandrekar, M.P. Chavan and B.S.Chaudhri, “RBI 3X – fingerprint based ATM,” International Journal of Advanced Research in Computer and Communication Engineering, vol. 5, issue 3, pp 577 – 581, March 2016. [11] P. Jaynthi and S. Sarala, “Enhanced ATM security usingdifferentiated passwords with GSM technology,” International Journal of Innovative Research in Engineering & Science, vol. 5, issue 4, pp 28 – 35, May 2015.[12] G.B. Iwasokun and O.C. Akinyokun. (2013) “Afingerprint-based authentication framework for ATM,” Journal of Computer Engineering and Information Technology, vol. 2, issue 3. Available: http// 10.4172/2324-9307.1000112.[13] D. Shimal and D. Jhunu. (2011). “Designing a biometricstrategy (fingerprint) measure for enhancing ATM security in Indian e-banking system,” International Journal of Information and Communication Technology Research, vol. 1, issue 5. Available: [14] D. Malviya. (2014, Dec.). “Face recognition technique:Enhanced safety approach for ATM,” International Journal of Scientific and Research Publications, vol 4, issue 12. Available: [15] E.J. Mwaikali, “Assessment of challenges facingcustomers in Automated Teller Machine in the banking industry in Tanzania: A case of some selected banks in Tanzania,” International Journal of Research in Business and Technology, vol. 4, issue 3, pp 480-488, 2014.Authors ’ ProfilesMoses O. Onyesolu: Has Ph.D. (Virtual Reality), M.Sc. B.Sc. (Computer Science) from Nnamdi Azikiwe University, Nigeria where he works as a lecturer and researcher. He was the Head, Department of Computer Science, Nnamdi Azikiwe University (October, 2014 to January, 2017).His research interests are mainly in computer modeling and simulation, e-learning/virtual reality technologies, software engineering and queueing system/ theory and its applications. He has published widely in those areas. He is a member of the following learned societies: Nigerian Computer Society (NCS), Computer Professionals (Registration Council of Nigeria)(CPN), and International Association of Engineers (IAENG), International Association of Computer Science and Information Technology (IACSIT) and European Association for Programming Languages and Systems (EAPLS).Amara C. Okpala: Has M.Sc. PGD. (Computer Science) and B.Sc.(Ed) (Computer Education) from Nnamdi Azikiwe University, Nigeria. She is a staff of Independent National Electoral Commission (INEC), Nigeria, where she works as a System Analyst in the Department ofInformation Communication Technology (ICT).Her research interests are mainly in Software Engineering, Database Administration and Information Security.How to cite this paper: Moses O. Onyesolu, Amara C. Okpala,"Improving Security Using a Three-Tier Authentication for Automated Teller Machine (ATM)", International Journal of Computer Network and Information Security(IJCNIS),Vol.9, No.10, pp.50-56, 2017.DOI: 10.5815/ijcnis.2017.10.06。

基于mssqlserver的银行信贷管理系统的设计与实现计算机应用专业研究生：指导老师：【摘要】随着银行业信息化的不断发展，银行信贷业务的管理系统建设，实现信贷业务进行管理信息化成为了当前发展趋势。

课题在技术框架下，利用了SQL Server数据库技术，研究了针对信贷业务的管理系统。

目前，所实现的银行信贷系统中，主要表现出操作不够便利、数据访问效率低等缺点，逐渐地无法适应当前银行业发展的需求。

课题分析、设计、实现、测试了基于B/S模式的信贷管理系统，提供给银行如：信贷过程管理、信贷客户管理、信用评级管理、贷后管理等操作功能。

本文的信贷管理系统将在三层架构下运行，具有数据传输效率高、维护方便等特点，主要研究内容如下。

首先，作者对银行信贷系统进行需求分析，先根据银行信贷系统的建设目标，设计了系统的用例图、系统数据流图，包括了：顶层数据、安全数据、查询数据等流程，同时，论文分析了银行信贷系统的运行性能和业务性能；其次，作者对银行信贷系统的总体架构进行设计，分析设计了系统的功能模块、功能流程、应用层次、网络拓扑结构，其次根据需求分析，具体地设计了系统的业务功能；同时，利用UML建模设计序列图和状态图的，设计了系统数据库，分别就数据库表字段信息、E-R关系图进行设计。

最后，分别就设计与实现银行信贷系统的模块有：信用评级管理模块、系统用户登录模块、信贷流程管理模块、授信额度管理模块、信贷客户信息管理模块、贷后信息管理模块、系统数据管理模块等，分别就模块的操作界面、功能操作代码、以及数据处理流程，进行了详细地设计与实现。

本课题设计与实现的银行信贷管理系统，在浏览器下运行和操作，相对于C/S模式下的系统来说，提高了系统的可操作性、便利性，更加方便了系统的数据维护。

系统的测试显示，通过系统的测试与分析，如数据添加、查询、删除等操作功能运行稳定，得出系统的测试结果，其性能与功能指标，页面响应时间均保持在200毫秒范围内，信贷管理系统的功能与运行性能，均满足业务需求，也符合通信类系统的特性需求。