Run-time requirements verification for reconfigurable systems

https://doi.org/10.1016/j.infsof.2016.04.005Get rights and content

Abstract

Context: Modern software systems often are distributed, run on virtualized platforms, implement complex tasks and operate on dynamically changing and unpredictable environments. Such systems need to be dynamically reconfigured or evolve in order to continue to meet their functional and non-functional requirements, as load and computation need to change. Such reconfiguration and/or evolution actions may cause other requirements to fail.

Objective: Given models that describe with a degree of confidence the requirements that should hold in a running software system, along with their inter-dependencies, our objective is to propose a framework that can process these models and estimate the degree requirements hold as the system is dynamically altered or adapted.

Method: We present an approach where requirements and their inter-dependencies are modeled using conditional goal models with weighted contributions. These models can be translated into fuzzy rules, and fuzzy reasoners can determine whether and to what degree, a requirement may be affected by a system change, or by actions related of other requirements.

Results: The proposed framework is evaluated for its performance and stability on goal models of varying size and complexity. The experimental results indicate that the approach is tractable even for large models and allows for dealing with models where contribution links are of varying importance or weight.

Conclusion: The use of conditional weighted goal models combined with fuzzy reasoners allowed for the tractable run-time evaluation of the degree by which system requirements are believed to hold, when such systems are dynamically altered or adapted. The approach aims to shed light towards the development of run-time requirements verification and validation techniques for adaptive systems or systems that undergo continuous, or frequent evolution.

Introduction

Over the past few years we experienced a significant growth on the deployment of highly interconnected systems operating in a number of domains such as banking, commerce, and government to name a few. These systems encompass complex requirements yielding thus large and complex models [1]. In addition to the complex requirements these systems entail, advances in virtualization technology make also possible the continuous evolution, dynamic provision, and dynamic adaptation of system resources, in a quest for these systems to constantly meet their numerous, and possibly diverse, functional and non-functional requirements. The problem has been recognized in the related research literature as an important one [2], [3], both from the requirements verification perspective and, from the policy compliance perspective. Hence, it is important to develop techniques, and tools for assessing at run time whether changes in the system structure, and, operating environment violate requirements set forth by its stakeholders.

To date, the software engineering community has responded by investigating models, and frameworks allowing for the specification, analysis, and evaluation of system requirements. In this respect, research efforts have focused so far on the off-line static analysis and reasoning in such models for the purpose of evaluating the completeness, and validity of system requirements against stakeholder goals [4], [5]. However, as business processes become more complex requiring highly inter-connected and inter-dependent services (e.g. Systems-of-Systems), issues related to the run-time verification of global system properties have emerged as very timely, important and challenging [6], [7], [8]. Work in the area of adaptive systems is attempting to address some of these issues, and research efforts aiming to model and analyze the run-time behavior of such systems have started emerging in the related literature [9], [10]. However, there is still limited work on dealing with large requirements models, especially when the dependencies and impact of one design decision or system requirement cannot be fully and deterministically modeled due to the high complexity of structural and behavioral inter-dependencies present in such complex systems. It is therefore important to investigate analysis techniques that are tractable so that can be applied at run-time, and allow for reasoning on large requirements models, especially in the presence of incomplete knowledge related to the impact changes in one system or component may have on the behavior and requirements of other interconnected systems or components.

For this paper, we adopt a goal-driven view of this run-time verification problem aiming to assess whether a system that operates in a specific context is compliant to a set of requirements. This issue entails a number of challenges that have to be considered and addressed. First, an appropriate modeling notation for denoting goals that should hold in the running system under various contexts must be used. Such a modeling notation should be expressive enough to capture dependencies that exist between goals, allow for the definition of multiple variations of the model under different contexts, and allow for modeling the way design decisions and system properties affect these goals. Such a notation must also have well defined semantics so as to enable the use of tools and algorithms that can automate the processing of the models. Second, as dependencies in a complex system may not be fully known, or properly recorded, a fuzzy approach should be used for specifying such dependencies within an acceptable degree of ambiguity. Third, a reasoning framework is required to evaluate at run-time how and to what degree system changes affect the requirements taking into account events collected from the running system.

In a nutshell, the proposed framework allows for a) system goals and their variations under multiple contexts, hereinafter referred to as views, to be modeled as conditional goal trees [11], whose nodes hold with a degree of truth; b) dependencies between goals to be modeled as weighted contributions [12], [13], where weights are interpreted as the degree by which a stakeholder’s belief for the target node satisfaction/dissatisfaction is increased given the satisfaction status of the source node; c) transformations to be utilized in order to map conditional goal trees to weighted fuzzy rules [14] and; d) fuzzy reasoning to be applied in order to tractably verify whether, and to what degree, specific system goals hold at run-time.

The paper is organized as follows. Section 2 formally defines the requirements-based view of the verification problem. Section 3 summarizes key concepts in the areas of Goal Models and weighted fuzzy rules. Section 4 briefly describes the details of our approach, and Section 5 presents a running example used throughout the paper. Section 6 introduces the semantics of the notation utilized to model system goals and views, and Section 7 describes the transformation of goal models to rules that can be used by the proposed inference engine. Subsequently, a lab experiment is presented in Section 8, and the performance of the proposed framework is evaluated against randomly generated models of varying size and complexity in Section 9. Finally, Section 10 presents related work and Section 11 concludes the paper.

Section snippets

Formal definition of the problem

Run-time verification is the process of evaluating, while the system operates, whether it meets certain expected behavior and goals [15], [16]. In this paper we adopt a requirements-based view of the run-time verification problem that we refer to as the ReqRV problem. To formally define it, we use as a starting point the seminal study by Zave and Jackson on software requirements [17].

According to this study, given a set of requirements R, and a set of domain assumptions D, the requirements

AND/OR goal trees

AND/OR goal trees are a modeling formalism extensively utilized in requirements engineering, where its basic concept is the top-down AND/OR decomposition of goals into sub-goals. An AND-decomposed goal can be satisfied if all of its sub-goals are true, while an OR-decomposed goal is fulfilled if at least one of its sub-goals holds.

Additionally, two goals may be connected by a contribution link. More specifically, a goal may potentially contribute to other goals in four ways, namely, SP, SN, DP

Process outline

We address the ReqRV problem by introducing a framework which is based on the principles of fuzzy controllers. A fuzzy controller is composed of four elements [23]: FC-a) a rule-base, i.e. rules describing the experts’ knowledge of the domain; FC-b) a fuzzification process for the transformation of the input in a processable form; FC-c) an inference mechanism which combines the rule-base with the input to deduce membership degrees for a set of output variables; and FC-d) a defuzzification

Running example

To better illustrate the proposed process for the ReqRV problem, we employ a running example which is partially based on examples used in [26], [27], [28]. The example is illustrated in Fig. 5, and describes a fraction of system goals of a simplified, yet realistic, data records management software.

For this example, we consider the goals stemming from two stakeholders, namely “Data Consumer” and “System Admin”. The former may correspond to an assistant trying to retrieve patients’ records and

Modeling stakeholder goals and views

To model the expected behavior of a system (i.e. system goals) under various contexts we utilize conditional goal models (an example is depicted in Fig. 5). What follows is a formal definition of these models in order to ease the formulation of their transformation to wf-rules. More specifically:

Definition 1

A Goal Model Rule (gm-rule) is a tuple of the form 〈Rt, gt, Gs, w〉, where Rt ∈ {AND, OR, SP, DP, SN, DN} is the type of the rule, gt is the target goal of the rule, Gs is a non-empty set of source

Reasoning on system goals

SEB models presented above provide the theoretical foundation for the ReqRV problem, and enable system goals to be expressed under various contexts. However, for reasoning to take place, the following actions must be performed (also see Section 4) :

  • 1.

    conditional wf-rules generation,

  • 2.

    rule-base determination and fuzzification of system observable characteristics’ values extracted via monitoring techniques,

  • 3.

    inference, i.e reasoning for all system goals using an appropriate inference mechanism,

  • 4.

Lab experiment

As a proof of concept we developed a prototype of the ReqRV inference engine, and a simulator for a data management application1 which uses the SEB model of Fig. 5. We designed the SEB model using Eclipse ecore tools, and we applied model to model and model to text transformation techniques to generate the conditional wf-rules. The parameters of the membership functions were set to aL=5, bL

Experiments and discussion

The performance of the proposed framework is evaluated by a series of experiments with randomly generated SEB models of varying size and complexity.

More specifically, we evaluate the proposed framework with respect to execution time and amount of memory required for models of different sizes in order to prove that time and memory requirements remain low even for large models, enabling thus its application to large models at run-time. Subsequently, we investigate the effect of membership

Related work

Approaches that utilize goal models for run-time analysis and adaptive software include [37] where the distinction between Design-time and Run-time Goal Models is made, [38] which proposes a set of extensions for the Tropos methodology related to failures and environment modeling, [39], [40] where the notions of awareness (AwReqs) and evolution (EvoReqs) requirements are introduced as meta-requirements allowing to model requirements adaptation at run-time, and [21] that provides a general

Conclusion and future work

In this paper, we presented an approach that utilizes conditional weighted goal models to denote system goals related to requirements that should hold in the running system. The choice of goal models as the modeling notation for the proposed framework is based on the fact that it is a notation extensively used in requirements engineering to represent functional and non-functional requirements. Additionally, its well defined semantics enable the development of an automated algorithmic

Acknowledgments

This research has been co-financed by the European Union (European Social Fund ESF) and Greek national funds through the Operational Program “Education and Lifelong Learning” of the National Strategic Reference Framework (NSRF) – Research Funding Program: Heracleitus II. Investing in knowledge society through the European Social Fund. We would also like to thank A. Chortaras for providing as with the implementation of his reasoner for weighted logic programs.

References (54)

  • Y. Falcone et al.

    Runtime verification of safety-progress properties

  • G. Chatzikonstantinou et al.

    A goal driven framework for software project data analytics

  • A. Cailliau et al.

    Assessing requirements-related risks through probabilistic goals and obstacles

    Requir. Eng.

    (2013)
  • A. van Lamsweerde

    Goal-oriented requirements enginering: a roundtrip from research to practice

    Proceedings of the 12th IEEE International Conference on Requirements Engineering (RE 2004), 6–10 September 2004, Kyoto, Japan

    (2004)
  • A.M. Sharifloo et al.

    LOVER: light-weight formal verification of adaptive systems at run time

  • Y. Falcone et al.

    Runtime verification of component-based systems

  • P. Giorgini et al.

    Reasoning with goal models

  • D. Amyot et al.

    Evaluating goal models within the goal-oriented requirement language

    Int. J. Intell. Syst.

    (2010)
  • I.H. Krüger et al.

    Interaction-based runtime verification for systems of systems integration

    J. Log. Comput.

    (2010)
  • R. Calinescu

    When the requirements for adaptation and high integrity meet

    Proceedings of the 8th Workshop on Assurances for Self-adaptive Systems, ASAS ’11

    (2011)
  • P. Sawyer et al.

    Requirements-aware systems: a research agenda for RE for self-adaptive systems

    Proceedings of the 18th IEEE International Requirements Engineering Conference, RE 2010, Sydney, New South Wales, Australia, September 27–October 1, 2010

    (2010)
  • C. Ghezzi

    Engineering evolving and self-adaptive systems: an overview

  • R. Ali et al.

    A goal-based framework for contextual requirements modeling and analysis

    Requir. Eng.

    (2010)
  • D. Amyot et al.

    Evaluating goal models within the goal-oriented requirement language

    Int. J. Intell. Syst.

    (2010)
  • S. Liaskos et al.

    On eliciting contribution measures in goal models

  • A. Chortaras et al.

    Definition and adaptation of weighted fuzzy logic programs

    Int. J. Uncertain. Fuzziness Knowl.-Based Syst.

    (2009)
  • M. Leucker et al.

    A brief account of runtime verification

    J. Log. Algebric Program.

    (2009)
  • P. Zave et al.

    Four dark corners of requirements engineering

    ACM Trans. Softw. Eng. Methodol.

    (1997)
  • R. Calinescu et al.

    Self-adaptive software needs quantitative verification at runtime

    Commun. ACM

    (2012)
  • A.K. Chopra et al.

    Reasoning about agents and protocols via goals and commitments

  • J. Mylopoulos et al.

    From object-oriented to goal-oriented requirements analysis

    Commun. ACM

    (1999)
  • L. Baresi et al.

    Fuzzy goals for requirements-driven adaptation

    Proceedings of the Requirements Engineering Conference, RE

    (2010)
  • Wikipedia.org, Centroid (accessed...
  • K.M. Passino et al.

    Fuzzy Control

    (1997)
  • T. Kalamatianos et al.

    Domain independent event analysis for log data reduction

  • S. Zaman et al.

    Features selection for intrusion detection systems based on support vector machines

    Proceedings of the 6th IEEE Consumer Communications and Networking Conference, CCNC 2009

    (2009)
  • View full text