IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 13, NO. 1, MARCH 2012


Optimal Aviation Security Screening Strategies With Dynamic Passenger Risk Updates

Alexander G. Nikolaev, Adrian J. Lee, Member, IEEE, and Sheldon H. Jacobson

Abstract—Passenger screening is a critical component of aviation security systems. This paper introduces the multistage sequential passenger screening problem (MSPSP), which models passenger and carry-on baggage screening operations in an aviation security system with the capability of dynamically updating the perceived risk of passengers. The passenger screening operation at an airport terminal is subdivided into multiple screening stages, with decisions made to assign each passenger to one of several available security classes at each such stage. Each passenger’s assessed threat value (initially determined by an automated passenger prescreening system) is updated after the passenger proceeds through each screening stage. The objective of MSPSP is to maximize the total security of all passenger screening decisions over a fixed time period, given passenger perceived risk levels and security device performance parameters. An optimal policy for screening passengers in MSPSP is obtained using optimal sequential assignment theory. A Monte Carlo simulation-based heuristic is presented and compared with stochastic sequential assignment and feedback control algorithms. Computational analysis of a two-stage security system provides an assessment of the total security performance.

Index Terms—Aviation security, Monte Carlo simulation, optimal sequential assignment, policy modeling.

Manuscript received March 6, 2011; revised July 20, 2011; accepted August 27, 2011. Date of publication September 23, 2011; date of current version March 5, 2012. This work was supported in part by the National Science Foundation under Grant DMI-0114499 and in part by the Air Force Office of Scientific Research under Grant FA9550-10-1-0387. The views expressed in this paper are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, National Science Foundation, or the United States Government. The Associate Editor for this paper was J.-P. B. Clarke.

A. G. Nikolaev is with the Department of Industrial and Systems Engineering, State University of New York at Buffalo, Buffalo, NY 14260 USA. A. J. Lee is with the Central Illinois Technology and Education Research Institute, Springfield, IL 62704 USA. S. H. Jacobson is with the Department of Computer Science, University of Illinois at Urbana-Champaign, Urbana, IL 61801 USA.

Digital Object Identifier 10.1109/TITS.2011.2167230

I. INTRODUCTION

OVER the past decade, aviation security has become a high-priority issue of national interest and concern. The events of September 11, 2001 prompted multiple operational changes at all commercial airports, as well as sweeping changes in aviation security policy [1], [2]. An important class of problems that arise in aviation security is the screening of passengers as they enter the airport terminal. Developing flexible screening policies that provide optimal passenger assignments under imperfect passenger risk information can be quite challenging. Moreover, even after such a policy is selected, it can be very difficult to measure its effectiveness due to uncertainties surrounding accurate risk perception and the probabilistic nature of threat detection.

The policy of making distinctions between passengers based on perceived levels of risk has been in place in the United States since 1998, when explosive detection systems (EDSs) with very limited capacities were installed at the nation’s commercial airports to screen passengers’ checked baggage. At that time, the Computer-Assisted Passenger Prescreening System (CAPPS) was developed [3], in conjunction with the Federal Aviation Administration, Northwest Airlines, and the United States Department of Justice, to identify selectee passengers whose baggage was designated to receive special attention (i.e., be screened by EDS). The Aviation and Transportation Security Act, enacted by the United States Congress on November 19, 2001, required 100% checked baggage screening by December 31, 2002, and hence eliminated the distinction between selectee and nonselectee passengers. However, limited security resources and evolving screening technologies have thrust passenger risk assessment into the forefront of risk management tools across several areas of aviation security operations. The Transportation Security Administration (TSA), which has managed aviation security operations in the United States since November 19, 2001, is committed to developing new security system paradigms that can optimally use and simultaneously coordinate multiple security technologies and procedures.

Aviation security research suggests that greater scrutiny of passengers perceived as high risk (from a security standpoint) is more cost effective. Butler and Poole [4] suggested that the TSA’s policy of 100% checked baggage screening is not cost effective and that enhancing the binary screening paradigm to a multivariate screening system would be a more efficient approach.
Poole and Passantino [5] endorsed risk-based aviation security procedures, where passengers and baggage are assigned to security devices in proportion to their perceived risk. The TSA further revised computerized risk assessment systems with the introduction of CAPPS II but abandoned its development on July 14, 2004, due to privacy concerns [6]. Shortly thereafter, the TSA announced Secure Flight, which exclusively focuses on terrorist watch lists [7].

Several articles formulate aviation security problems with variable passenger risk levels. Most of these problems addressed in the literature are static, where passenger risk levels are assumed to be fixed [8]. Babu et al. [9] investigated the advantages of partitioning passengers into several groups, where a different screening strategy is used for passengers in each of the groups and the probability that each passenger is a threat is assumed to be constant. McLay et al. [10] solved a deterministic passenger assignment problem using integer and linear programming models. Other research endeavors consider dynamic models, where passenger risk levels are assumed to be stochastic, as defined by various distribution functions. McLay et al. [11] considered the real-time operation of passenger screening systems by formulating a passenger assignment problem as a Markov decision process and showed how the optimal policy can be obtained through dynamic programming. Nikolaev et al. [12] solved a two-stage aviation security system design problem where an optimal device allocation and a passenger screening policy are determined under sequential stochastic passenger arrival assumptions. Lee and Jacobson [13] approached the passenger assignment problem from a dual-objective standpoint, creating a balance between expediting screening and maximizing threat identification.

Until recently, political forces and popular opinion have pressured the TSA to focus their energies and resources on short-term tactical issues associated with the operation of aviation security systems. Now, discussions on risk management analysis suggest a growing interest in this approach within the TSA [14]. The dynamic nature of airport security operations suggests that existing static approaches are inadequate to overcome these deficiencies. As part of their risk management analysis framework, the TSA has recently expressed interest in pursuing tiered passenger screening policies based on risk perception criteria [15]. The practical advantages of such a policy are that available security devices could be more efficiently used and that it would be significantly more difficult (if not impossible) for terrorists to game such a system.

This paper introduces a modeling approach that analyzes multistage passenger screening systems with a dynamic passenger risk update capability.
Optimal sequential assignment theory and a Monte Carlo simulation technique are used to create a new aviation security screening system solution: a passenger screening policy that will provide strategic insights into the operation and performance of such systems.

This paper is organized as follows: In Section II, the concept of multistage modeling of passenger screening systems is discussed. Section III presents the multistage sequential passenger screening problem (MSPSP), which is a multistage stochastic optimization model for passenger and carry-on baggage screening operations. Section IV reports computational results and a sensitivity analysis of this model. Section V offers concluding comments and directions for future research.

II. MULTISTAGE SCREENING APPROACH

Aviation security devices deployed at airport security checkpoints (e.g., magnetometers, EDSs, and advanced imaging technologies) are used to detect prohibited items (e.g., guns, knives, and explosives). Each security device offers a different screening intensity, and once security devices are selected for deployment, the practical issue of determining how to optimally use such devices can be challenging. There are several approaches to capturing security performance. For passenger screening, performance can be measured by the number of prohibited items detected as a result of screening. Alternatively, performance can be measured by the rate at which nonthreatening passengers receive additional screening.

The multistage screening framework presented in this paper captures the operation of aviation security systems with the capability of updating the perceived risk of passengers from a dynamic standpoint. To begin, several definitions and terms are used to describe this concept. A threat item is any object carried by a passenger that is currently classified on the TSA prohibited item list, along with any item that could be considered as an improvised explosive device. Note that the definition of a threat item can change based on intercepted attacks, intelligence, and the current status of the National Terrorism Advisory System. A security device is an aviation security technology and/or procedure used to identify a threat item. Examples of security devices include baggage X-ray machines, explosive trace detectors, EDSs, and detailed hand search by an airport security official. A security class is defined by a preassigned subset of security devices through which passengers are screened prior to boarding an aircraft. An assessed threat (AT) value of a passenger quantifies the perceived risk associated with the passenger. Passenger AT values are initially (upon arrival) determined by a prescreening system, such as CAPPS. Passengers then arrive at the security checkpoint sequentially to undergo screening. Due to the uncertainty surrounding the passenger arrival order, the AT values are mathematically modeled through the use of random variables, where the TSA observes the passenger’s realized AT value prior to the passenger entering each screening stage. The central idea of multistage screening is that the security checkpoint located at an airport terminal can be broken up into multiple screening stages. Such a classification is done for modeling purposes only and hence is invisible to passengers, with no obvious changes to any security area configuration. 
For example, each security area that passengers go through on their way from the airport entrance to their departure gate would be viewed as a separate screening stage. Similarly, a single security checkpoint can be subdivided into two or more screening stages. The key contribution of this paper is that, at each stage, the TSA is provided the capability of reassessing a passenger’s AT value based on the associated device responses from prior screening stages. Therefore, as each passenger completes their security screening at one stage and proceeds to the next stage, their AT values may be updated in practice via an automated system, such as by using radio-frequency identification tags, e.g., [16] and [17]. For each passenger, this revised value is considered an improved estimate of the passengers’ true level of risk (since it is based on background information, current screening results, and behavioral observations) and is more effectively used to assign the passenger to a security class at the next screening stage. Each security class must serve two purposes. One purpose is to detect threats, which is quantified by true alarm and false alarm rates. The other purpose is to provide a better estimate of harmful intent, which is probabilistically accomplished by updating the passengers’ AT values. For example, a behavior detection officer observing peoples’ behavioral characteristics in security lanes could be considered a “security device” that has limited capability of detecting a threat item but has the ability to assess intent.

NIKOLAEV et al.: OPTIMAL AVIATION SECURITY SCREENING STRATEGY WITH PASSENGER RISK UPDATE

This paper focuses on multistage passenger screening problems, where passenger screening policies are determined for each screening stage, given a set of security classes and security device performance characteristics. Possible objective functions include maximizing the number of threat items detected (i.e., true alarms) or minimizing the number of occurrences of incorrectly identifying nonthreat items (i.e., false alarms).

III. MULTISTAGE SEQUENTIAL PASSENGER SCREENING PROBLEM

This section introduces the MSPSP, which models the screening operations of passengers and carry-on baggage in an aviation security system. An exact solution to this problem provides an optimal passenger screening policy for each screening stage within the security system.

For hub airports in the United States, airport security resources are allocated based on peak-period passenger throughput. The idea behind this assumption is that, if a certain level of security can be provided during a peak hour of airport operation, then, during all other operational periods, lower passenger volumes can be handled as well. The few exceptions (such as periods around major holidays) are handled on a case-to-case basis by extending the number of peak hours and/or by scheduling additional security personnel on such days.

Consider a security system with $L$ screening stages in place within an airport terminal, and a fixed time period during which the passenger arrival rate to the security area in the terminal can be assumed to be constant. Assume that the total number of passengers scheduled to check in during this time period is fixed and that the security classes available at each screening stage are predetermined based on cost, available personnel, and the overall perceived risk of the passenger population. Upon check-in, a passenger’s initial AT value is realized, and the passenger is assigned to a security class at stage 1. However, the passenger’s AT value is considered to be unknown for determining the assignments in future screening stages until the screening device response is analyzed in the prior stages. Then, the passenger’s AT value is updated as a result of the device responses in stage 1, and this new realized threat value is used to assign the passenger to an appropriate security class at the subsequent stage.

To formulate MSPSP, the following sets, variables, parameters, and functions are defined as follows:

1) $N$: number of passengers scheduled to enter the airport security system over a given fixed time period, indexed from $i = 1, 2, \ldots, N$ upon sequential arrival at the security checkpoint;
2) $J^{(l)}$: the set of available security classes at stage $l = 1, 2, \ldots, L$, indexed from $j = 1, 2, \ldots, J$;
3) $\Gamma_j^{(l)}$: a numerical measure of security associated with security class $j$ at stage $l = 1, 2, \ldots, L$, $0 \le \Gamma_j^{(l)} \le 1$;
4) $c_j^{(l)}$: capacity of security class $j$ at stage $l = 1, 2, \ldots, L$, which was defined as the hourly rate at which passengers can be screened by the class;
5) $AT_i^{(l)}$: continuous random variable corresponding to the AT value for passenger $i = 1, 2, \ldots, N$, prior to screening at stage $l = 1, 2, \ldots, L$, with realized AT value $0 < at_i^{(l)} \le 1$;
6) $F_{AT^{(1)}}(at_i^{(1)})$: cumulative distribution function (cdf) of $AT_i^{(1)}$ for passenger $i = 1, 2, \ldots, N$, at stage 1;
7) $F_{AT^{(l)}}(at_i^{(l)} \mid AT_i^{(l-1)}, j^{(l-1)})$: conditional cdf of $AT_i^{(l)}$ at stage $l = 2, 3, \ldots, L$, for passenger $i = 1, 2, \ldots, N$, given that passenger $i$ with the AT value $AT_i^{(l-1)}$ was assigned to security class $j^{(l-1)}$ at stage $(l - 1)$. Ultimately, the screening device response used to update the threat value results from being assigned to security class $j^{(l-1)}$.
8) $X_{ij}^{(l)} = 1(0)$ if passenger $i = 1, 2, \ldots, N$ is (not) assigned to security class $j \in J^{(l)}$ at stage $l = 1, 2, \ldots, L$, where $\sum_{i=1}^{N} X_{ij}^{(l)} = 1$, $\sum_{j=1}^{J} X_{ij}^{(l)} = 1$, and $\sum_{l=1}^{L} X_{ij}^{(l)} = 1$.

Security class parameters are used to formulate feasibility constraints at each of the $L$ screening stages. Define $\Gamma_j^{(l)}$ as the conditional probability of detecting a threat item by security class $j^{(l)}$ at screening stage $l$, given that a passenger is carrying a threat item (i.e., $P(\text{Alarm in } j^{(l)} \mid \text{Threat})$). This probability, which is known as the true alarm rate, is a function of the detection probabilities associated with the devices and the procedures used to screen passengers in security class $j^{(l)}$. Conversely, the false alarm rate is defined as the conditional probability of an alarm being signaled by security class $j^{(l)}$, given that no threat item exists (i.e., $P(\text{Alarm in } j^{(l)} \mid \text{No Threat})$). The former captures the sensitivity of the security system (i.e., the overall effectiveness in preventing terrorist success), whereas the latter captures the specificity of the security system (i.e., the overall efficiency of focusing expensive time-consuming devices and procedures toward screening those with harmful intent).

The random variable $AT_i^{(l)}$, denoting the AT value for passenger $i$, is used to model the risk uncertainty associated with passenger $i$ prior to screening at stage $l$. The realized AT value of passenger $i$ at screening stage $l$, i.e., $at_i^{(l)}$, quantifies the TSA’s perception of risk or harmful intent and is hence an estimate of the probability that passenger $i$ carries a threat item based on the initial perceived risk performed during prescreening and the screening results at all previous stages up to (but not including) stage $l$.
It is impossible to know if a passenger is indeed carrying a threat item prior to undergoing screening, and hence, the realized AT value at screening stage 1 is obtained using background information and other security sensitive information, which is processed (in real time) through an automated prescreening system such as CAPPS. Assume that the random variables denoting the AT values for each passenger at stage 1 are independent and identically distributed (i.i.d).

Fig. 1 shows the multistage screening framework. As a passenger arrives at the security checkpoint, a TSA official confirms the passenger’s identity and directs the passenger to the appropriate security class in stage 1. Then, depending on the screening results in stage 1, the passenger is directed to the appropriate security class in each subsequent stage. If a threat item is uncovered during this process, the passenger may be removed from the standard screening operation if the item’s severity necessitates interrogation, or the item is confiscated (in the case of scissors, mace, or excessive liquid volume, for example) and the passenger proceeds to the next screening stage. The sequence of device responses influences the AT value as the passenger proceeds through each stage. Initially, the passenger’s AT value is considered unknown until the passenger arrives at the security checkpoint. When this value becomes known by the TSA, the passenger is assigned to the appropriate security class. The operator making the second stage assignment, however, does not know the next passenger’s AT value until the passenger arrives at the second stage. Thus, the value $AT_i^{(l)}$ is realized, following the device response at the prior stage. Note that a human operator is not required to be positioned at each stage. Rather, a computer system automatically performs this decision while a TSA official oversees the sequence of device responses and updated risk profile. The next section describes how the passenger’s AT value is updated based on the sequence of detection device responses.

Fig. 1. Multistage multilevel security framework.

A. AT Value Update Mechanism

To model the AT value update mechanism, assume that the true risk level of passenger $i$ (i.e., the probability that passenger $i$ carries a threat item) can be expressed as

$$AT_i^{\text{true}} = AT_i^{(1)} + \epsilon_i^{(1)} + \epsilon_i^{(2)} + \cdots + \epsilon_i^{(L)} + \epsilon_i \tag{1}$$

where, for any $l = 1, 2, \ldots, L$, $\epsilon_i^{(l)}$ is the recourse (correction) determined by the results of screening at stage $l$, with $E(\epsilon_i^{(l)}) = 0$ and $E(\epsilon_i) = 0$, such that

$$E\left(AT_i^{\text{true}}\right) = E\left(AT_i^{(1)}\right) = E\left(AT_i^{(2)}\right) = \cdots = E\left(AT_i^{(L)}\right).$$

Upon screening at screening stage $l = 1, 2, \ldots, L$, the realized AT value $at_i^{(l-1)}$ of passenger $i = 1, 2, \ldots, N$ is updated to provide a better estimate of the true level of risk for the passenger, based on the screening results and other observations (e.g., a passenger’s behavioral pattern or remote detection of stress levels [18]) at stage $l$. As a consequence, the distribution of $AT_i^{(l)}$ progressively pushes the probability mass toward the discrete value 0 (no risk) or 1 (is a risk) over the sequence of screening stages. The random variables $AT_i^{(l)}$, $i = 1, 2, \ldots, N$, then reflect a distribution of security device responses and the passengers’ prior AT values, i.e.,

$$AT_i^{(l)} = AT_i^{(l-1)} + \epsilon_i^{(l-1)}, \quad l = 2, 3, \ldots, L. \tag{2}$$

The AT value at stage $l$ is equal to the AT value at stage $l - 1$, plus the recourse variable $\epsilon_i^{(l-1)}$. Recourse variables $\epsilon_i^{(l-1)}$ reflect the variability (spread) in the distributions of passenger AT values at screening stages of a given security system and capture the effects of the device response at stage $l - 1$. From (2)

$$\mathrm{Var}\left(\epsilon_i^{(l-1)}\right) = E\left[\left(AT_i^{(l)} - AT_i^{(l-1)}\right)^2\right], \quad l = 2, 3, \ldots, L$$

and hence, in a system with an effective risk update strategy (where, for any passenger $i$, $AT_i^{(l)}$ gradually approaches $AT_i^{\text{true}}$ as $l$ increases), $\epsilon_i^{(l-1)}$ should converge to zero as $l$ increases. However, it is difficult to address the nature of such convergence since $\epsilon_i^{(l-1)}$, $l = 2, 3, \ldots, L$, may be dependent (i.e., the devices may have overlapping detection characteristics).

Relationships (1)–(3) indicate that, while the AT value update capabilities at consecutive screening stages provide a better estimate of the risk level of each single passenger, the expected threat value in a random passenger sample is the same for all screening stages. Moreover, at any screening stage $l = 1, 2, \ldots, L$, the AT values $AT_i^{(l)}$ should be viewed as the best available representation of the passengers’ true level of risk (i.e., passengers with higher AT values are more likely to be a threat than passengers with lower AT values). Therefore, the problem of identifying an optimal passenger assignment policy (i.e., achieving the highest level of security) can be independently stated and solved at each screening stage.

Assume that each passenger is indeed either carrying or not carrying threat items. (In contrast, the AT value corresponds to the perception that the passenger is carrying a threat item.) Then, for a given set of passengers passing through a given screening stage, the expected number of threat items detected at this stage is the sum (over the set of $N$ passengers) of the products of each passenger’s AT value and the measure of security associated with the class to which the passenger is assigned. At each screening stage, a decision is made such that the expected number of detected threat items is maximized over all possible incoming passenger samples. The AT value updates are therefore viewed as a by-product of the passenger assignment decisions at the current screening stage.
If a threat item on a passenger is uncovered, then the assignment decision process operates by reducing the number of passengers by one. The MSPSP, for each screening stage $l = 1, 2, \ldots, L$ is formally stated.

1) Given: $N$ passengers sequentially arriving for screening at stages 1 through $l$; security classes $J^{(1)}, J^{(2)}, \ldots, J^{(l)}$; security and capacities $\Gamma_j^{(1)}$ and $c_j^{(1)}$ for $j \in J^{(1)}$, $\Gamma_j^{(2)}$ and $c_j^{(2)}$ for $j \in J^{(2)}$, $\ldots$, $\Gamma_j^{(l)}$ and $c_j^{(l)}$ for $j \in J^{(l)}$; incoming passenger AT value cdf $F_{AT_i^{(1)}}(at_i^{(1)})$; conditional cdfs $F_{AT_i^{(2)}}(at_i^{(2)} \mid AT_i^{(1)}, j^{(1)})$ for $j^{(1)} \in J^{(1)}$, $F_{AT_i^{(3)}}(at_i^{(3)} \mid AT_i^{(2)}, j^{(2)})$ for $j^{(2)} \in J^{(2)}$, $\ldots$, $F_{AT_i^{(l)}}(at_i^{(l)} \mid AT_i^{(l-1)}, j^{(l-1)})$ for $j^{(l)} \in J^{(l)}$.

2) Objective: Find a policy $\pi^*$ that determines the passenger assignments, $X_{ij}^{(l)} \in \{0, 1\}$, $i = 1, 2, \ldots, N$, $j = 1, 2, \ldots, J^{(l)}$, $l = 1, 2, \ldots, L$, such that $\sum_{j \in J^{(l)}} X_{ij}^{(l)} = 1$, $i = 1, 2, \ldots, N$, $\sum_{i=1}^{N} X_{ij}^{(l)} = c_j^{(l)}$, $j \in J^{(l)}$, and the expected number of detected threat items

$$E^{\pi^*}_{\{AT_i^{(1)}\}_{i=1}^{N}}\left(\sum_{i=1}^{N} \sum_{j=1}^{J^{(l)}} \Gamma_j^{(l)} X_{ij}^{(l)} AT_i^{(l)}\right) \tag{3}$$

is maximized (i.e., maximize the system’s effectiveness in preventing threat items from entering the restricted airport environment).

An alternative objective function can be similarly constructed to minimize the number of alarms occurring from nonthreat items, thereby focusing resources toward screening more high-risk passengers rather than toward resolving false alarms.

In MSPSP, the expected number of threat items detected at stage $l$, which is expressed by (3), is maximized when assigning the $N$ passengers to security classes at that stage, given the distribution of passenger AT values at stage 1 and the AT value update distributions for each security class at stages 1 through $l$. A solution to MSPSP determines the number of passengers to be screened by each security class and individually assigns each passenger to a security class. The first set of constraints ensures that all passengers are screened. The second set of constraints ensures that the available security classes have enough capacity to accommodate all the passengers according to their assignments.

B. Initial Stage Assignments

MSPSP is an assignment problem formulated under a sequential passenger arrival assumption. Since $AT_i^{(1)}$, $i = 1, 2, \ldots, N$, are i.i.d random variables, the results from [12] can be directly applied at stage 1 in the following way. For each $n \ge 1$, there exist real numbers $0 \le a_{0,n} \le a_{1,n} \le a_{2,n} \le \cdots \le a_{n,n} = 1$ such that, whenever there are $n$ passengers to assign to $n$ security “intervals,” then the next passenger to check in is optimally assigned to interval $j \le n$ if the realized AT value $at_n^{(1)}$ is contained in the interval $(a_{j-1,n}, a_{j,n}]$. Furthermore, $a_{j,n}$, $j = 1, 2, \ldots, n - 1$ is the expected AT value, whenever there are $(n - 1)$ passengers to assign, of the passenger, which is assigned to the $j$th least secure interval (assuming that an optimal policy is followed).
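The stage-1 interval rule can be exercised numerically. The following Python sketch is an added example, not code from the paper: it builds the breakpoints $a_{j,n}$ with the Derman-Lieberman-Ross recursion from the sequential assignment literature that this section draws on, written as $a_{j,n+1} = E[\min(\max(AT, a_{j-1,n}), a_{j,n})]$, and then assigns arriving passengers one at a time. The Uniform(0, 1) AT distribution, the Γ values, and all function names are assumptions made for illustration.

```python
import random
from statistics import fmean

# Constructed example data: 12 unit-capacity intervals grouped into three
# security classes (equal Gamma = same class), i.e. capacities 7, 3 and 2.
GAMMAS = [0.60] * 7 + [0.80] * 3 + [0.95] * 2


def uniform_grid(size=4000):
    """Quantile grid standing in for AT^(1) ~ Uniform(0, 1) (an assumption)."""
    return [(k + 0.5) / size for k in range(size)]


def breakpoint_table(n_max, at_samples):
    """Return table[n] = [a_{0,n}, ..., a_{n,n}] for n = 1..n_max.

    Recursion: a_{j,n+1} = E[min(max(AT, a_{j-1,n}), a_{j,n})], with the
    expectation taken over at_samples (draws or quantiles of AT^(1)).
    """
    table = {1: [0.0, 1.0]}
    for n in range(1, n_max):
        prev = table[n]
        inner = [fmean(min(max(x, lo), hi) for x in at_samples)
                 for lo, hi in zip(prev, prev[1:])]
        table[n + 1] = [0.0] + inner + [1.0]
    return table


def assign_sequentially(at_values, gammas, table):
    """Assign each arriving passenger to one remaining security interval.

    gammas holds one security measure per interval (capacity 1 each).
    Returns (sum of Gamma * at, list of Gammas in arrival order).
    """
    remaining = sorted(gammas)              # least secure interval first
    chosen = []
    for at in at_values:
        cuts = table[len(remaining)]        # breakpoints for n passengers left
        # Interval j (1-based) satisfies a_{j-1,n} < at <= a_{j,n}.
        j = next(k for k in range(1, len(cuts)) if at <= cuts[k])
        chosen.append(remaining.pop(j - 1))
    return sum(g * a for g, a in zip(chosen, at_values)), chosen


def hindsight_total(at_values, gammas):
    """Best achievable total if every AT value were known before assigning."""
    return sum(g * a for g, a in zip(sorted(gammas), sorted(at_values)))


def simulate(n_runs=2000, seed=7):
    """Average expected detections per period under three policies."""
    rng = random.Random(seed)
    table = breakpoint_table(len(GAMMAS), uniform_grid())
    sums = {"sequential": 0.0, "arrival_order": 0.0, "hindsight": 0.0}
    for _ in range(n_runs):
        ats = [1.0 - rng.random() for _ in GAMMAS]   # realized AT in (0, 1]
        shuffled = rng.sample(GAMMAS, len(GAMMAS))   # risk-blind baseline
        sums["sequential"] += assign_sequentially(ats, GAMMAS, table)[0]
        sums["arrival_order"] += sum(g * a for g, a in zip(shuffled, ats))
        sums["hindsight"] += hindsight_total(ats, GAMMAS)
    return {name: total / n_runs for name, total in sums.items()}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>14}: {value:.3f}")
```

Giving several intervals the same Γ is how the unit-capacity intervals are grouped into a smaller set of security classes with capacities greater than one.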
Once an assignment is made, this security interval is no longer available, the number of passengers to arrive is decremented by one, and the procedure is repeated to determine the assignment for the next passenger to arrive for screening, with the endpoints of the subintervals $(a_{j-1,n-1}, a_{j,n-1}]$, $j = 1, 2, \ldots, n - 1$ recomputed (see [12]), until all the assignments at screening stage 1 are determined. This assignment procedure occurs during each stage, following the realization of each passenger’s updated AT value from the prior stage. Successive intervals can easily be grouped together to form a smaller set of security classes.

The challenge involves extending MSPSP to determine the optimal policy at the second screening stage (or more general, at all ensuing screening stages). The key obstacle is that the AT values at stage $l > 1$, $AT_i^{(l)}$, $i = 1, 2, \ldots, N$ follow different distributions since the assignment decisions at stage(s) 1 through $(l - 1)$ are dependent (even though $AT_i^{(1)}$ are i.i.d. random variables for all $i = 1, 2, \ldots, N$).

Kennedy [19] addressed sequential assignment problems and generalized the results presented by Derman et al. [20]. These results are used to determine passenger assignment decisions at screening stage $l > 1$. For any $AT_i^{(l)}$, $i = 1, 2, \ldots, N$, an optimal sequential assignment policy can be obtained in a similar fashion to that used in the initial assignment stage (see Appendix for the general formulation), except that the interval breakpoint values are random variables due to the uncertainty in device responses in the prior stages. Unfortunately, computing the set of interval breakpoints for the passenger AT values at each stage can be very challenging (if not impossible). Fortunately, Monte Carlo simulation can provide a practical remedy.

C. Monte Carlo Sampling Heuristic

This section presents the use of a Monte Carlo simulation technique to compute the (random) interval breakpoints $Z_{r,i}^{n}$ used for assigning passenger $i$ to interval $r \le n$ remaining intervals in each stage, $l = 2, 3, \ldots, L$. Since the random variables $Z_{r,i}^{n}$, $1 \le r \le n - i + 1$, $i \le n - 1$, are recursively defined (see Appendix), then it is possible to estimate their values in succession: first, $E[Z_{1,n}^{n} \mid F_{n-1}]$; second, $E[Z_{2,n-1}^{n} \mid F_{n-2}]$ and $E[Z_{1,n-1}^{n} \mid F_{n-2}]$; third, $E[Z_{3,n-2}^{n} \mid F_{n-3}]$, $E[Z_{2,n-2}^{n} \mid F_{n-3}]$ and $E[Z_{1,n-2}^{n} \mid F_{n-3}]$; and so forth, where $F_n$ is a sigma field over all possible realizations of vector $\{AT_r^{(l)}\}_{r=1}^{n}$, $n = 1, 2, \ldots, N$. This is done by constructing random convergent approximating functions.

Assume that passenger assignment policies at screening levels $1, 2, \ldots, l - 1$ have been selected and can be implemented for any given set of incoming passengers at these levels, respectively. The pseudocode for the Monte Carlo sampling-based heuristic algorithm for implementation at screening level $l > 1$ is now given.
Optimal Assignment Policy (OAP) Heuristic

Initialization:
• Choose $S$, the number of passenger samples to generate.
• Set $n = N$, $k = n - 1$.

Repeat while $n > 0$.
  Repeat while $k > 0$.
    • Generate $S$ i.i.d samples of $\{AT_i^{(1)}\}_{i=1}^{n}$: $\omega_1^{(1)}, \omega_2^{(1)}, \ldots, \omega_S^{(1)}$.
    • For each such sample, use existing policies at levels $1, 2, \ldots, l - 1$ to obtain $S$ samples of $\{AT_i^{(l)}\}_{i=1}^{n}$: $\omega_1^{(l)}, \omega_2^{(l)}, \ldots, \omega_S^{(l)}$ (not i.i.d).
    • For $1 \le r \le n - k$, compute estimates of $E[Z_{r,k+1}^{n} \mid F_k]$

      $$\tilde{E}\left[Z_{r,k+1}^{n} \mid F_k\right] = \frac{1}{S} \sum_{s=1}^{S} Z_{r,k+1}^{n}\left(\omega_s^{(l)}\right). \tag{4}$$

    • Set $k \leftarrow k - 1$.
  End Repeat k.
  • Using breakpoints $0, \tilde{E}[Z_{n-i,i+1}^{n} \mid F_i], \tilde{E}[Z_{n-i-1,i+1}^{n} \mid F_i], \ldots, \tilde{E}[Z_{1,i+1}^{n} \mid F_i], 1$, assign passenger $(N - n)$ with realized AT value $at_{N-n}^{(l)}$ to a security class in $J^{(l)}$.
  • Remove security classes to which the last passenger is assigned to from $J^{(1)}, J^{(2)}, \ldots, J^{(l)}$.
  • Set $n \leftarrow n - 1$.
End Repeat n.

For the optimal policy at screening stage $l = 1, 2, \ldots, L$, whenever there are $n = 1, 2, \ldots, N$ passengers to assign, $nS$ samples are required in total to obtain all the interval breakpoint estimates necessary to determine the assignment for a single passenger. Therefore, a total of $N(N + 1)S/2$ samples are required to determine the assignments for all $N$ passengers. For $i \le n - 1$, each sample provides realizations of $Z_{n-i,i+1}^{n}, \ldots, Z_{1,i+1}^{n}$ under different realizations of $\{AT_r^{(l)}\}_{r=1}^{n}$.

The Monte Carlo sampling-based heuristic can also be shown to converge in probability to the optimal policy as the number of samples $S \to +\infty$. By the Weak Law of Large Numbers, $\sum_{s=1}^{S} Z_{r,k+1}^{n}(\omega_s^{(l)})/S \to E[Z_{r,k+1}^{n} \mid F_k]$, as $S \to +\infty$. Therefore, the probability of making an incorrect decision (i.e., a decision that differs from the optimal policy) converges to zero as the sample size approaches infinity. The objective in using the Monte Carlo sampling-based heuristic applied at screening stage $l > 1$ is to capture (via simulation) the possible outcomes of passenger assignment decisions at previous stages to help improve the assignment decisions at stage $l$.

D. Subsequent Stage Assignments

The OAP heuristic uses sampling to determine a passenger assignment policy at any screening stage $l \ge 2$, taking into consideration the policies selected at previous stages. The estimates given by (4) do not require any knowledge of the decision-making mechanisms employed by such policies. However, if mathematical expressions defining such mechanisms can be explicitly given, then a more extensive analysis for the estimation of interval breakpoint values can be performed.
In particular, sampling can be more efficiently used in the case when the OAP heuristic is applied at all stages prior to l. Since the OAP heuristic is shown to converge to an optimal policy at each screening stage, then a solution for the entire multistage security system is asymptotically optimal (as the number of samples S approaches infinity).

Whenever there are n passengers remaining to assign at stage l, let $F^{n,k+1}_{AT^{(l)}}$ denote the cdf of the AT value for passenger N − n + k. For l = 1 and any n = N, N − 1, . . . , 1 and k = n − 1, n − 2, . . . , 1, $F^{n,k+1}_{AT^{(l)}} = F_{AT^{(1)}}$. For any l ≥ 2, this cdf can be recursively obtained by

$$F^{n,k+1}_{AT^{(l)}}\left(at^{(l)}\right) = \int_{at^{(l-1)}=0}^{1} F_{AT^{(l)} \mid AT^{(l-1)}, j^{(l-1)}}\left(at^{(l)} \,\middle|\, at^{(l-1)}, j^{(l-1)*} \in J^{(l-1)}\right) dF^{n,k+1}_{AT^{(l-1)}}\left(at^{(l-1)}\right) \tag{5}$$

where $j^{(l-1)}$ denotes the security device selected from set $J^{(l-1)}$ for screening the passenger with AT value $at^{(l-1)}$, as determined by the OAP heuristic at stage (l − 1). Note that, for any n = 2, 3, . . . , N and k = 2, 3, . . . , n − 1, $F^{n,k+1}_{AT^{(l)}}$ and $F^{n-1,k}_{AT^{(l)}}$ are the cdfs related to a single future passenger. For example, $F^{N,N}_{AT^{(l)}}$ and $F^{N-1,N-1}_{AT^{(l)}}$ are the cdfs governing the AT value of the very last passenger expected to check in. However, these functions are different for any screening stage l ≥ 2 since, at such stages, the incoming passengers’ AT values are dependent. The cdf $F^{N-1,N-1}_{AT^{(l)}}$ takes into account knowledge of the assignments of the first passenger at stages 1, 2, . . . , l, which affect the distributions of the AT values of all consecutive passengers and the last passenger in particular. Using (5), the interval breakpoints for the passenger AT values can be expressed as

$$E\left[Z^n_{r,k+1} \mid F_k\right] = \int_{at^{(l)}=0}^{1} Z^n_{r,k+1} \, dF^{n,k+1}_{AT^{(l)}}\left(at^{(l)}\right). \tag{6}$$

The practical difficulty in using (6) is that the cdf given by (5) cannot be exactly computed. By construction, when $F^{n,k+1}_{AT^{(l)}}(at^{(l)})$ is computed, passengers 1, 2, . . . , N − n have been assigned, and the set of available devices $J^{(l-1)}$ at stage (l − 1) is updated accordingly. However, the assignments of passengers N − n + 1, N − n + 2, . . . , N − n + k are still unknown; hence, set $J^{(l-1)}$ is unknown.

The distribution of devices remaining in $J^{(l-1)}$ upon the (future) assignment of passengers yet to arrive can be approximated via sampling. For any sample $\omega^{(l-1)}_s$, s = 1, 2, . . . , S of AT values for passengers N − n + 1, N − n + 2, . . . , N − n + k, define $J^{(l-1)}(\omega^{(l-1)}_s)$ as the updated set of devices available after assigning these passengers. Then, an approximating function for $F^{n,k+1}_{AT^{(l)}}$ is given by the recursion

$$\tilde{F}^{n,k+1}_{AT^{(l)}}\left(at^{(l)}\right) = \frac{1}{S} \sum_{s=1}^{S} \int_{at^{(l-1)}=0}^{1} F_{AT^{(l)} \mid AT^{(l-1)}, j^{(l-1)}}\left(at^{(l)} \,\middle|\, at^{(l-1)}, j^{(l-1)*} \in J^{(l-1)}\left(\omega^{(l-1)}_s\right)\right) d\tilde{F}^{n,k+1}_{AT^{(l-1)}}\left(at^{(l-1)}\right) \tag{7}$$

with estimates for the interval breakpoints in (6) given by

$$\tilde{E}\left[Z^n_{r,k+1} \mid F_k\right] = \int_{at^{(l)}=0}^{1} Z^n_{r,k+1} \, d\tilde{F}^{n,k+1}_{AT^{(l)}}\left(at^{(l)}\right). \tag{8}$$

These estimates replace (4) in the OAP heuristic pseudocode to obtain a more efficient method for solving a multistage passenger assignment problem with AT value updates when the OAP heuristic is used at all screening stages.

The computational time for approximating cdf $F^{n,k+1}_{AT^{(l)}}$ is more extensive than sampling a few data points from this cdf. However, given the same number of working samples S at each screening stage, the estimates in (8) are more accurate and precise than those offered by (4). Note that to obtain an approximation for $F^{n,k+1}_{AT^{(l)}}$ at stage l ≥ 2, recursion (7) is applied (l − 1) times: First, $\tilde{F}^{n,k+1}_{AT^{(2)}}$ is computed; then, $\tilde{F}^{n,k+1}_{AT^{(3)}}$; and so forth. Therefore, a total of $S^{l-1}$ incoming passenger samples at stage 1 are required to determine the assignment for a single passenger at stage l.
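The sampling-based breakpoint estimates described in this section, worked for the stage-1 case in which AT values are i.i.d. so that the conditional expectations in the Appendix recursion reduce to constants; this is an added example, not the authors' code. The nine-point PMF, the objective (sum of class level times AT value), the base case taken as the last passenger's own AT value, and all function names are assumptions made here; the class levels j/N with capacity 1 follow the paper's test instance.

```python
import random

INF = float("inf")

# Constructed nine-point PMF for stage-1 AT values (an assumption, not the paper's Table I).
VALUES = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9]
WEIGHTS = [0.40, 0.20, 0.12, 0.08, 0.06, 0.05, 0.04, 0.03, 0.02]


def draw_at(rng):
    """Sample one AT value from the constructed PMF."""
    return rng.choices(VALUES, weights=WEIGHTS)[0]


def clamp(x, lo, hi):
    """(x v lo) ^ hi, the max/min combination in the Appendix recursion."""
    return min(max(x, lo), hi)


def breakpoint_tables(n, draw, S, rng):
    """tables[m] = [+inf, b_1 >= ... >= b_m, -inf], where b_r is the sample mean
    (S fresh draws per level) estimating E[Z_r] with m passengers still to arrive.
    Built once per run here; the heuristic as described re-samples per passenger."""
    tables = [[INF, -INF]]                      # m = 0: the last passenger fits anywhere
    for m in range(1, n):
        prev = tables[-1]
        xs = [draw(rng) for _ in range(S)]
        est = [sum(clamp(x, prev[r], prev[r - 1]) for x in xs) / S
               for r in range(1, m + 1)]
        tables.append([INF] + est + [-INF])
    return tables


def assign(ats, levels, tables):
    """Assign arrivals one by one; return the sum of (class level * AT value)."""
    remaining = sorted(levels, reverse=True)    # most secure class first
    total = 0.0
    for i, at in enumerate(ats):
        b = tables[len(ats) - i - 1]            # breakpoints for passengers yet to come
        # r-th highest interval [b_r, b_{r-1}) -> r-th most secure remaining class
        r = next(r for r in range(1, len(b)) if at >= b[r])
        total += remaining.pop(r - 1) * at
    return total


def retrospective_optimum(ats, levels):
    """Best total when every AT value is known a priori (sorted-to-sorted match)."""
    return sum(l * a for l, a in zip(sorted(levels), sorted(ats)))


def experiment(n=20, S=30, T=200, seed=1):
    """Mean ratio to the retrospective optimum: breakpoint policy vs arrival order."""
    rng = random.Random(seed)
    levels = [j / n for j in range(1, n + 1)]   # L_j = j/N, one passenger per class
    tables = breakpoint_tables(n, draw_at, S, rng)
    f_policy, f_arrival = [], []
    for _ in range(T):
        ats = [draw_at(rng) for _ in range(n)]
        v_opt = retrospective_optimum(ats, levels)
        f_policy.append(assign(ats, levels, tables) / v_opt)
        f_arrival.append(sum(l * a for l, a in zip(levels, ats)) / v_opt)
    return sum(f_policy) / T, sum(f_arrival) / T, max(f_policy)


if __name__ == "__main__":
    for S in (1, 5, 30):
        print(S, experiment(S=S))
```

Because every level reuses the same S draws for all ranks r, the estimated breakpoints stay ordered for any sample size, so the interval lookup in `assign` is well defined even at S = 1.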


TABLE I. PMF FOR ASSESSED THREAT VALUES

IV. COMPUTATIONAL RESULTS

This section reports computational results for the Monte Carlo sampling-based OAP heuristic for addressing MSPSP in comparison to two alternative passenger assignment policies (i.e., stochastic sequential assignment (SSA) and control; see [11] and [13], respectively). In general, the limited quantity and quality of aviation security data available in the public domain presents a challenge for researchers in this field. The classification of passengers according to perceived risk is considered security-sensitive information, whereas the performance characteristics of modern security devices are classified information. Given these constraints and limitations, it is difficult to provide an accurate measurement of how effective the OAP heuristic is for addressing MSPSP. However, the OAP heuristic can be compared with other potential approaches to solve MSPSP.

Consider the following MSPSP instance: N = 400 passengers are expected to arrive (over a 1-h time period) at a two-stage security screening area. Without loss of generality, assume that $|J^{(l)}| = N$ security classes, each with capacity $c^{(l)}_j = 1$, are available at screening stage l = 1, 2. In addition, assume that, for each stage, the measure of security across the classes linearly increases between 0 and 1 such that $L^{(l)}_j = j/N$ for l = 1, 2 and j = 1, 2, . . . , N, corresponding to the increasing screening intensity across the security classes. Although this is not a typical security class setup employed at airports today with primary and secondary stages, the multilevel structure has been shown to be more effective in identifying more threat items using limited security resources [11] and more efficient in expediting the overall screening process [13].

A. AT Value Distribution

Each problem instance uses a set of passengers with a fixed distribution for $AT^{(1)}_i$, i = 1, 2, . . . , N. The probability mass function (PMF) for the passenger AT values may be designed in several ways. For this analysis, six different PMFs are considered (see Table I). PMF P1 assumes a low-risk set of passengers (with 92% of AT values equal to 0.1), and each subsequent PMF exhibits increasing proportions of higher risk passengers.

B. Screening Device Response Distribution

Three different distributions for updating the AT values as a result of the screening device responses are considered. The first has a conditional triangular distribution for $AT^{(2)}_i$. For passenger i, if $at^{(1)}_i \le 0.5$, then the parameters of the triangular distribution are $(a, b, c) = (0, at^{(1)}_i, 2at^{(1)}_i)$, whereas, if $at^{(1)}_i > 0.5$, $(a, b, c) = (2at^{(1)}_i - 1, at^{(1)}_i, 1)$. The second has $AT^{(2)}_i$ uniformly distributed with parameters $(a, b) = (0, 2at^{(1)}_i)$ if $at^{(1)}_i \le 0.5$ and $(a, b) = (2at^{(1)}_i - 1, 1)$ if $at^{(1)}_i > 0.5$. The third distribution is discrete with values for $AT^{(2)}_i \in \{0.05, 0.95\}$, with their weights selected such that $E[AT^{(2)}_i] = at^{(1)}_i$.

Three combinations of the device response distributions are considered for updating the AT values at each stage (see Table II). Combination D1 assumes that the first risk assessment update distribution will be applied whenever a passenger is assigned to any of the 200 classes with low screening intensity at stage 1, the second distribution will be applied whenever a passenger is assigned to any of the next 120 classes with moderate screening intensity, and the third distribution will be applied whenever a passenger is assigned to any of the 80 classes with the highest screening intensity. The device response distributions are different for each grouping of low, moderate, and high-risk passengers, because it is assumed that one set of screening devices and procedures is used in each of the three classes.

TABLE II. DEVICE RESPONSE DISTRIBUTIONS ACCORDING TO SECURITY CLASS PARTITIONING

C. OAP Sample Size Sensitivity

To assess the sensitivity of the OAP heuristic to the choice of sample size S, seven sets of computational experiments were conducted. First, T = 100 test instances were created. For each instance t = 1, 2, . . . , T, a passenger set with realized AT values $\{at^{(1)}_i\}_{i=1}^{N}$ was generated. These values were then sequentially used at screening stage 1, where the SSA policy was used to determine optimal assignments of the passengers to security classes, and a passenger set of the realized AT values $\{at^{(2)}_i\}_{i=1}^{N}$ was obtained.

Define $v_{\mathrm{OAP}}(t)$ to be the expected number of threat items detected [from (3)] with the selected assignments at stage 2 as returned by the OAP heuristic. In addition, for each t = 1, 2, . . . , T, define $v_{\mathrm{OPT}}(t)$ to be the value of overall security that could be achieved if all passengers’ AT values $at^{(2)}_i$, i = 1, 2, . . . , N, are known a priori. Then, define the statistic $f_{\mathrm{OAP}}(t) = v_{\mathrm{OAP}}(t)/v_{\mathrm{OPT}}(t)$ that measures the relative performance of the OAP heuristic compared to $v_{\mathrm{OPT}}(t)$, where, by definition, $0 \le f_{\mathrm{OAP}}(t) \le 1$, with larger values for $f_{\mathrm{OAP}}(t)$ indicating better performance of the heuristic and $f_{\mathrm{OAP}}(t) = 1$ when all passenger risk is retrospectively known.

TABLE III. ANALYSIS OF THE OAP HEURISTIC SENSITIVITY TO THE CHOICE OF SAMPLE SIZE

Table III reports an MSPSP example for $AT^{(1)}$ constructed from the combination of P5 and D3 in Tables I and II. For sampling sizes S = 1, 2, 3, 5, 10, 30, 100, the mean and the standard deviation of $f_{\mathrm{OAP}}(t)$ over all T test instances and the total OAP heuristic central processing unit (CPU) runtime are reported. Note that, for a discrete distribution, the number of distinct ordered sets of incoming passenger AT values can be exactly computed. For any distribution listed in Table I, this number is $9^N$.

The results reported in Table III suggest that a sample size of S = 30 is adequate to compute the interval breakpoint estimates in (8) and obtain consistently good solutions at reasonable runtimes. In comparison, the OAP heuristic in the current implementation takes significantly more computational time than the SSA and control algorithms, which finish in less than a CPU second. However, the OAP heuristic still takes less than 1 s to determine a passenger assignment. Note that the average (peak) wait time for screening is under 4 (12) min, allowing passengers to proceed through the security checkpoint between 5 and 10 min on average [21].
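The three AT-update distributions of Section IV-B with the D1 class partition, as an added example (not the authors' code): it checks that each update keeps the mean at the stage-1 value and measures how often a passenger's updated value falls below a cutoff. The function names, the 0.5 cutoff and the sample passenger values are assumptions made here.

```python
import random

N_CLASSES = 400  # stage-1 security classes, ordered by increasing screening intensity


def discrete_weights(at1):
    """Weights (p_low, p_high) on {0.05, 0.95} chosen so that E[AT(2)] = at1."""
    if not 0.05 <= at1 <= 0.95:
        raise ValueError("two-point update cannot keep a mean outside [0.05, 0.95]")
    p_high = (at1 - 0.05) / 0.90
    return 1.0 - p_high, p_high


def bounds(at1):
    """Support (a, c) shared by the triangular and uniform updates."""
    return (0.0, 2 * at1) if at1 <= 0.5 else (2 * at1 - 1, 1.0)


def response_kind_d1(j):
    """Combination D1: classes 1-200 triangular, 201-320 uniform, 321-400 discrete."""
    if not 1 <= j <= N_CLASSES:
        raise ValueError("class index out of range")
    return "triangular" if j <= 200 else "uniform" if j <= 320 else "discrete"


def update_at(at1, kind, rng):
    """Draw the stage-2 AT value given the stage-1 value and the response distribution."""
    a, c = bounds(at1)
    if kind == "triangular":
        return rng.triangular(a, c, at1)        # arguments are (low, high, mode)
    if kind == "uniform":
        return rng.uniform(a, c)
    p_low, p_high = discrete_weights(at1)
    return 0.95 if rng.random() < p_high else 0.05


def summarize(at1, j, trials=20000, seed=7, cutoff=0.5):
    """Return (kind, empirical mean of AT(2), share of draws below `cutoff`)."""
    rng = random.Random(seed)
    kind = response_kind_d1(j)
    draws = [update_at(at1, kind, rng) for _ in range(trials)]
    return kind, sum(draws) / trials, sum(d < cutoff for d in draws) / trials


if __name__ == "__main__":
    for j in (100, 250, 350):                   # one class from each D1 group
        print(summarize(0.9, j))
```

For a passenger with stage-1 value 0.9, only the two-point update can move the value below 0.5; the triangular and uniform updates keep it within [0.8, 1].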

TABLE IV. COMPARISON OF OAP HEURISTIC AND NO RISK UPDATE AT STAGE 2

TABLE V. COMPARISON OF SSA AND CONTROL ALGORITHMS AT STAGE 2

D. OAP Performance Comparison

Eighteen MSPSP examples are analyzed as combinations of the six PMFs P1–P6 from Table I and the three device response distribution combinations D1–D3 from Table II. For each example, a total of T = 100 instances were generated and solved to compare the performance of the OAP heuristic with the other algorithms at stage 2. For each instance t = 1, 2, . . . , T, four values of the expected number of threat items detected with the selected assignments at stage 2 were obtained. Define $v_{\mathrm{NU}}(t)$ as the overall security achieved at stage 2 with the assignments as at stage 1; this solution is referred to as the No Update policy solution, which is obtained when the updated passenger AT values are not available to a decision maker. Define $v_{\mathrm{SSA}}(t)$ as the expected number of threat items detected with the selected assignments at stage 2 as returned by the SSA policy based on the assumption that the updated AT values $AT^{(2)}_i$ are distributed as $AT^{(1)}_i$, i = 1, 2, . . . , N. Define $v_{\mathrm{Ctrl}}(t)$ as the expected number of threat items detected with the selected assignments at stage 2 as returned by the control algorithm (see [13] for algorithm details). Similar to $f_{\mathrm{OAP}}(t)$, define the statistics $f_{\mathrm{NU}}(t)$, $f_{\mathrm{SSA}}(t)$, and $f_{\mathrm{Ctrl}}(t)$ as the performance ratios obtained from the No Update policy, SSA policy, and control algorithm, respectively, to the optimal a priori security $v_{\mathrm{OPT}}(t)$.

Using this notation, Tables IV and V report computational results of the experiments for the 18 MSPSP examples. The No Update policy yielded the worst performance in comparison to the other algorithms, over all combinations of P(·) and D(·). This indicates that using updated passenger risk levels for making assignment decisions can improve the overall security system effectiveness and provides some empirical support for the multilevel screening concept. The more accurate the collected information about the true passenger AT values, the easier it is to ensure the optimal level of screening for each passenger and, hence, improve security. The SSA policy applied at stage 2 with thresholds $a_{j,n}$, j = 0, 1, . . . , n, n = 1, 2, . . . , N, at stage 1 provides significant improvement in comparison to the No Update policy. The OAP heuristic returned the highest average index of performance in 13 of the 18 examples under study. The feedback control algorithm produced better averages in the other five examples.

E. Impact of Assignment Policy Methodology

For $AT^{(1)}$ PMFs P1, P2, and P3, which favored a large percentage of passengers with low risk, the OAP heuristic returns a higher performance index to achieve the retrospective optimal set of passenger assignments (i.e., the set of passenger assignments when all AT values are known a priori). The continuous piecewise linear approximation method in the control algorithm is less efficient in assigning the security class order of passengers with identical AT values. As a consequence, for discrete distributions with small fractions of high-risk passengers, it assigns more passengers to the incorrect security class, as determined in hindsight. Meanwhile, the limited number of samples used by the OAP heuristic is enough to obtain an accurate prediction of the future passenger AT value realizations at the time that each assignment decision is made.

For P4, P5, and P6 involving higher risk populations, the control algorithm results are competitive with the OAP heuristic results, as the conditional distributions at stage 2 of device screening become primarily continuous, and each passenger risk level becomes unique (see Fig. 2). This continuous distribution at stage 2 provides a clear distinction separating individual passengers, and hence, the control algorithm provides a passenger assignment solution closer to the retrospective optimal. At the same time, the OAP heuristic’s performance gradually drops as the variability in the AT values of incoming passengers is increased. Based on sampling, the OAP heuristic finds it more difficult to make correct predictions about the order in which the AT values of passengers are likely to appear.

Fig. 2. AT(2) cdf: Low-risk (P1-D1) versus a high-risk (P6-D3) population.

Note that, for a given problem instance, the control algorithm produces a deterministic solution, given a sequence of realized passenger AT values, which cannot be improved. The OAP heuristic is stochastic and, hence, may return different solutions for different replications of the same instance of AT values. Moreover, its performance depends on the choice of the sample size, where better solutions can be obtained for any example at the expense of longer computational time.

F. Impact of Recourse on Objective Value

The recourse variable in (1) for passenger i screened at stage l corresponds to the amount by which the detection device's response obtained in stage l affects the passenger’s AT value. In Table II, D1 assigns twice as many passengers to undergo screening using devices that are characterized by a discrete response than in D2 and four times as many passengers than in D3. Likewise, the number of passengers screened by devices exhibiting a uniformly distributed response also decreases over the device response combinations D1–D3. Screening more passengers using devices that respond according to a similar distribution (i.e., as in D3) causes the OAP, SSA, Control, and No Update policies to all increase in their objective function value, providing a solution that becomes closer to the retrospective optimal. The reasoning for this is that the discrete distribution, in particular, magnifies the error of simulating a false clear on a passenger who has a high AT value and hence updates the high threat value into a low threat value for subsequent stages. In contrast, this passenger’s AT value would, in probability, be slightly reduced if the device response had instead been governed by the triangular distribution.

In practice, care must be taken when reevaluating the perceived risk of a passenger when using devices that signal if the passenger either carries or does not carry a threat. In particular, the AT value should not be substantially reduced, even if the detection device is 99.9% accurate. The reasoning for this is that, while the device may perform extremely well at detecting a particular type of threat item, such as a metallic weapon, for example, it may not perform as well in detecting other threat items, such as a biological weapon. Moreover, the risk-updating concept ultimately links the detection of threats to a passenger’s true intent to cause harm. Thus, the risk perception of a passenger should only be increased by a greater degree when supported by a true response and decreased by a much lesser degree when unsupported by a false response.

V. CONCLUSION

Passenger and carry-on baggage screening is a critical component of aviation security system operations. This paper has introduced the MSPSP, which models passenger and carry-on baggage screening operations in an aviation security system with dynamic passenger risk updates. A concept of multistage screening is explained. Optimal sequential assignment theory and Monte Carlo simulation techniques are used to describe an optimal policy for MSPSP and develop the OAP heuristic that can solve real-world problem instances. Several examples are provided to illustrate the application of the OAP heuristic and compare its performance with other algorithms. Unlike most work in aviation security, this research proactively aims to address potential areas of concern that are, at the present time, at the earliest stages of discussion among aviation security professionals. However, the assumptions stated allow the TSA to perform accurate comparative analysis of the
proposed methodologies on future security paradigms, such as those that might arise from the use of queueing theory and Bayesian network analysis, for example.

APPENDIX

For any given n = 1, 2, . . . , N, i = 1, 2, . . . , n, and r = 0, 1, . . . , n, define random variables $Z^n_{r,i}$ such that

1) $Z^n_{0,i} \equiv +\infty$, for 1 ≤ i ≤ n

2) $Z^n_{r,i} \equiv -\infty$, for r > n − i + 1

3) $Z^n_{1,n} = AT^{(l)}_i$

4) $Z^n_{r,i} = \left(AT^{(l)}_i \vee E\left[Z^n_{r,i+1} \mid F_i\right]\right) \wedge E\left[Z^n_{r-1,i+1} \mid F_i\right]$, for 1 ≤ r ≤ n − i + 1, i ≤ n − 1

where $F_i$, i = 1, 2, . . . , n is a sigma field over all possible realizations of vector $\{AT^{(l)}_r\}_{r=1}^{n}$, n = 1, 2, . . . , N, and the notations ∨ and ∧ imply max and min, respectively.

Consider stage l > 1 when there are n = 1, 2, . . . , N remaining passengers to assign to n security “intervals.” For each passenger i = 1, 2, . . . , n, partition the line segment [0, 1] ⊂ R into n − i + 1 random intervals defined by the breakpoints $0, E[Z^n_{n-i,i+1} \mid F_i], E[Z^n_{n-i-1,i+1} \mid F_i], \ldots, E[Z^n_{1,i+1} \mid F_i], 1$. Then, the OAP is to assign the ith passenger to the rth most secure interval remaining if $at^{(l)}_i$ lies in the rth highest interval or, equivalently, if $z^n_{r,i} = at^{(l)}_i$.

ACKNOWLEDGMENT

The authors would like to thank Dr. J. J. Nestor of the Transportation Security Administration for his feedback on the authors’ aviation security research program.

REFERENCES

[1] K. M. Mead, “Key challenges facing the Transportation Security Administration,” Office Inspector Gen., Dept. Transp., Washington, DC, Rep. CC-2002-180, 2002.
[2] K. M. Mead, “Aviation security costs,” Office Inspector Gen., Dept. Transp., Washington, DC, Rep. CC-2003-066, 2003.
[3] U.S. House of Representatives, “Aviation security with a focus on passenger profiling,” in Proc. Hearing Memo, 107th Congr., Committee Transp. Infrastructure Subcommittee Aviation, Washington, DC, Feb. 27, 2002.
[4] V. Butler and R. W. Poole, Jr., “Rethinking checked-baggage screening,” in Proc. Reason Public Policy Inst., Policy Study No. 297, Los Angeles, CA, 2002.
[5] R. W. Poole, Jr. and G. Passantino, “A risk-based airport security policy,” in Proc. Reason Public Policy Inst., Policy Study No. 308, Los Angeles, CA, 2003.
[6] M. Hall and D. DeLollis, “Plan to collect flier data canceled,” USA Today, July 14, 2004. [Online]. Available: http://www.usatoday.com/news/washington/2004-07-14-flyplan_x.htm
[7] R. Singer, “Life after death for CAPPS II?” Wired News, 2004. [Online]. Available: http://www.wired.com
[8] Y. O. Yildiz, D. Q. Abraham, K. Panetta, and S. Agaian, “A new concept of airport security screening,” in Proc. IEEE Conf. Technol. Homeland Security, 2008, pp. 444–448.
[9] V. L. Babu, R. Batta, and L. Lin, “Passenger grouping under constant threat probability in an airport security system,” Eur. J. Oper. Res., vol. 168, no. 2, pp. 633–644, Jan. 2006.
[10] L. A. McLay, S. H. Jacobson, and J. E. Kobza, “Integer programming models and analysis for a multilevel passenger screening problem,” IIE Trans., vol. 39, no. 1, pp. 73–81, 2007.
[11] L. A. McLay, A. J. Lee, and S. H. Jacobson, “Risk-based policies for aviation security checkpoint screening,” Transp. Sci., vol. 44, no. 3, pp. 333–349, Aug. 2010.
[12] A. G. Nikolaev, S. H. Jacobson, and L. A. McLay, “A sequential stochastic security system design problem for aviation security,” Transp. Sci., vol. 41, no. 2, pp. 182–194, May 2007.
[13] A. J. Lee and S. H. Jacobson, “The impact of aviation checkpoint queues on optimizing security screening effectiveness,” Reliab. Eng. Syst. Saf., vol. 96, no. 8, pp. 900–911, Aug. 2011.
[14] E. Kahn and R. Robinson, “Risk management analysis for U.S. commercial aviation security,” in Proc. 4th Int. Aviation Sec. Tech. Symp., Washington, DC, 2006.
[15] J. Ott. (Feb. 4, 2011). Airport checkpoints of the future. Aviation Week. [Online]. Available: http://www.aviationweek.com/
[16] T. McCoy, R. J. Bullock, and P. V. Brennan, “RFID for airport security and efficiency,” Proc. Inst. Elect. Eng.—Semin. Signal Process. Solutions Homeland Security, pp. 1–9, 2005.
[17] C. Oberli, M. Torres-Torriti, and D. Landau, “Performance evaluation of UHF RFID technologies for real-time passenger recognition in intelligent public transportation systems,” IEEE Trans. Intell. Transp. Syst., vol. 11, no. 3, pp. 748–753, Sep. 2010.
[18] J. A. Healey and R. W. Picard, “Detecting stress during real-world driving tasks using physiological sensors,” IEEE Trans. Intell. Transp. Syst., vol. 6, no. 2, pp. 156–166, Jun. 2005.
[19] D. P. Kennedy, “Optimal sequential assignment,” Math. Oper. Res., vol. 11, no. 4, pp. 619–626, Nov. 1986.
[20] C. Derman, G. J. Lieberman, and S. M. Ross, “A sequential stochastic assignment problem,” Manage. Sci., vol. 18, no. 7, pp. 349–355, Mar. 1972.
[21] “Transportation Security Administration,” Screening Statistics: Facts and Figures for 2006. [Online]. Available: http://www.tsa.gov/research/screening_statistics.shtm
[22] A. J. Lee, L. A. McLay, and S. H. Jacobson, “Designing aviation security passenger screening systems using nonlinear control,” SIAM J. Control Optim., vol. 48, no. 4, pp. 2085–2105, Jun. 2009.

Alexander G. Nikolaev received the Ph.D. degree from the University of Illinois at Urbana-Champaign in 2009. He is currently an Assistant Professor with the Department of Industrial and Systems Engineering, State University of New York at Buffalo. His research interests include stochastic optimization, statistical inference, and social network modeling.

Adrian J. Lee (M’09) received the Ph.D. degree from the University of Illinois at Urbana-Champaign in 2009. He is currently the President of Central Illinois Technology and Education Research Institute, Springfield. His research interests include the analysis of passenger and baggage screening operations within risk-uncertain environments.

Sheldon H. Jacobson received the Ph.D. degree from Cornell University, Ithaca, NY, in 1988. He is currently a Professor and Director of the Simulation and Optimization Laboratory, Department of Computer Science, University of Illinois, Urbana. His research interests include the application of operations research and industrial engineering to aviation security problems.