Title: Using Linear Temporal Model Checking for Goal-oriented Policy Refinement Frameworks
1 Using Linear Temporal Model Checking for Goal-oriented Policy Refinement Frameworks
Javier Rubio-Loyola, Joan Serrat (Universitat Politècnica de Catalunya)
Marinos Charalambides, Paris Flegkas, George Pavlou (University of Surrey)
Alberto Lluch (Università di Pisa)
POLICY 2005, June 6-8, Stockholm, Sweden
2 Motivation
Policy Refinement is meant to derive lower-level policies from higher-level ones.
Although it is considered crucial for policy-based management, Policy Refinement has received relatively little attention.
3 Motivation
- Goal-elaboration techniques [1] have been proposed as an alternative to formalize Policy Refinement (initially proposed by Bandara et al. [2])
- They allow lower-level goals to be derived from higher-level ones using domain-independent refinement patterns grounded in temporal logic
- The refined goals logically entail the higher-level directives and are temporally related to one another
- We propose to use Linear Temporal Model Checking to obtain system executions aimed at fulfilling the refined goals
- We take advantage of formal automated support provided by reactive system analysis techniques and LTL property patterns
- From system executions, meaningful policy information is abstracted
[1] Darimont et al., Formal Refinement Patterns for Goal-driven Requirements Elaboration. FSE96
[2] Bandara et al., A Goal-based Approach to Policy Refinement. POLICY 2004
4 Background
Goal-elaboration Technique Analysis [2]: The KAOS approach
Temporal behaviour prescription: Achieve, Cease, Maintain, Avoid
[Diagram: high-level goal HG1 (P ? ? S) is refined, through a tactic for refinement and a refinement pattern, into sub-goals sG11, sG12 and sG13 (formulas shown: P ? ? Q, Q ? ? R, R ? ? S); a further tactic for refinement yields sub-goals sG131 and sG132. Other labels: Tactic, Foundations.]
REFINED GOALS TEMPORALLY-RELATED
[2] Bandara et al., A Goal-based Approach to Policy Refinement. POLICY 2004
5 Background
Linear Temporal Model Checking
Model Checking is a formal automated approach to exhaustively analyse whether an event/state-based system satisfies behavioural claims
Managed Entities
- PROMELA code or
- UML standards
  - Class Diagrams
  - State chart representation
  - Collaboration Specification
[Figure: execution trace with process lanes Monitor, Main and DRsMPMA; annotations: Condition, Actions]
- LTL Properties [3] that characterise goal fulfillment
[3] Manna, Pnueli, The Temporal Logic of Reactive and Concurrent Systems. Springer
6 Background
Linear Temporal Model Checking: Requirements Specification
- Properties that characterise goal fulfillment -> use LTL Property Patterns [4]
LTL Property Patterns
- Patterns that deal with the Occurrence of a given event/state
- Patterns that deal with the Order in which multiple events/states occur
- It is feasible to design LTL formulae that characterise the above patterns and any combination of them -> LTL properties can be used to characterise goal fulfillment
[4] Dwyer et al., Property Specification Patterns for Finite-state Verification. FMSP98
7 Policy Refinement Framework
Following the Goal-oriented Policy Refinement methodology initially proposed by Bandara et al. [2], the next steps may be followed to deploy policies from high-level goals:
- Goal-graph elaboration
- Responsibility assignment to managed entities
- Operationalization
- Policy Encoding
[2] Bandara et al., A Goal-based Approach to Policy Refinement. POLICY 2004
8 Using Linear Temporal Model Checking for Goal-oriented Policy Refinement Frameworks
[Framework diagram; labels listed below]
Goal graph elaboration: High-level goals (HG2), Refinement patterns, sub-goals sG21, sG22, sG221
MC Management
System specification
- PROMELA code
- UML standards
  - Class Diagrams
  - State chart representation
  - Collaboration Specification
MC Engine: SPIN
Goal selection
Counter-example mgmt
LTL Property formulation
Property mgmt
Property shown: (sG11 -> ( ! sG132 ))
Policy encoding
Policy deployment
Object distribution
9 An Application Example: Management Domain
We present an example applied to a DiffServ QoS management solution in the context of the TEQUILA architecture [5]
ND (Network Dimensioning) performs long to medium-term configuration. It is responsible for mapping the traffic onto the physical network resources in order to accommodate the forecasted traffic demands.
ND Behaviour Specification Modelling: PROMELA or UML model
[Diagram labels: Traffic Engineering, Network Dimensioning, Dynamic Route Mgmt, Dynamic Resource Mgmt, Network Monitoring, OFFLINE, ONLINE, Requirements, ND Goal-graph Document]
[5] P. Flegkas et al., "A Policy-based Quality of Service Management Architecture for IP DiffServ Networks," IEEE Network
10 Policy Refinement Process
Following the Goal-oriented Policy Refinement methodology initially proposed by Bandara et al. [2], the next steps may be followed to deploy policies from high-level goals:
- Goal-graph elaboration -> Goal Selection
- Responsibility assignment to managed entities
[2] Bandara et al., A Goal-based Approach to Policy Refinement. POLICY 2004
11 An Application Example: Directives and goal selection
- The administrator wants to be extremely conservative for the hop-count estimation for EF PHB traffic and avoid under-loaded parts of the network when other parts are over-loaded
[Goal graph labels: G4, G6 preProcessing; G9 delayLoss Estimated; G10 conservative; G13 del_loss_Res Allocated; G16 optimistic; G17 average; G53 Optimised; G54 costFct Configured; G67 loadNetwork Compromised; G68 minLink OverLoaded; G69 optimistic; G70 average]
LTL Formula: ?(G10 ? ?(!G68 ))
12 Policy Refinement Process
Following the Goal-oriented Policy Refinement methodology initially proposed by Bandara et al. [2], the next steps may be followed to deploy policies from high-level goals:
- Goal-graph elaboration -> Goal Selection
- Responsibility assignment to managed entities
[2] Bandara et al., A Goal-based Approach to Policy Refinement. POLICY 2004
13 An Application Example: Counterexample Management
[Figure: counterexample trace with process lanes ND_PMA 3, HopCount2 and Optimisation1]
Managed entities responsible for fulfilling the administrative guidelines
14 Policy Refinement Process
Following the Goal-oriented Policy Refinement methodology initially proposed by Bandara et al. [2], the next steps may be followed to deploy policies from high-level goals:
- Goal-graph elaboration -> Goal Selection
- Responsibility assignment to managed entities
[2] Bandara et al., A Goal-based Approach to Policy Refinement. POLICY 2004
15 An Application Example: Explore counterexample trace
[Figure: counterexample trace with process lanes ND_PMA 3, HopCount2 and Optimisation1; message labels 10!21, 2!13,8 and 2!1,6; trace steps annotated "Pointer to doRPC()", "Pointer to calc_hop_count(PHB, max)" and "Pointer to set_exponent(maxValue)"]
Policies abstracted from the trace:
    inst oblig busyHoursNDDelayLossEstimation
    on doRPC()
    subject ND_PMA
    target managers/TE/ND/hopCountDerivationManager
    do calculate_hop_count(EF, maxDelayLink)

    inst oblig busyHoursNDOptimisation
    on doRPC()
    subject ND_PMA
    target managers/TE/ND/OptimisationManager
    do set_exponent(maxValue)
16 Discussion
Two issues about counterexample generation deserve discussion
1. No counterexamples are found
   - Wrong goal refinement patterns applied to elaborate the goal-graph
   - Alternative selection of goals
   - Alternative goal refinement patterns
   - The behavior of the system mismatches the goal elaboration
   - Extend system specification
2. More than one counterexample is found
   - Which is better?
17 Discussion
A major concern of the AI community while developing model checking techniques is the state explosion problem
System specification is the most critical stage while using model checking in favor of policy refinement
- Additional specification management procedures to avoid the state explosion problem for large scale specifications
- HSF-SPIN for heuristic search in large-scale system specification
18 Summary
- Linear Temporal Model Checking can be used as the analysis technique in the original Goal-oriented policy refinement methodology developed by Bandara et al. [2]
- State exploration through Linear Temporal Model Checking can be used to search system behavior aimed at fulfilling temporally-related goals
- Counterexamples provided by automated verification tools can be used to abstract meaningful policy information in favour of policy refinement
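The summary's idea in miniature, as an added example that is not the authors' model or tooling: the claim that the goals are never fulfilled is checked exhaustively, and the counterexample trace is turned into obligation-policy fields. The transition system is constructed, the relation assumed between G10 and G68 is "G10 holds, then a state without G68 is reached", and minDelayLink and minValue are hypothetical.

```python
from collections import deque

# Constructed toy model of the ND behaviour (not the authors' PROMELA/UML model).
# State = (G10 conservative, G68 minLinkOverLoaded); the subject of every action is ND_PMA.
INIT = (False, True)
HOP = "managers/TE/ND/hopCountDerivationManager"
OPT = "managers/TE/ND/OptimisationManager"
# (target, action, effect on state); minDelayLink and minValue are hypothetical.
ACTIONS = [
    (HOP, "calculate_hop_count(EF, maxDelayLink)", lambda g10, g68: (True, g68)),
    (HOP, "calculate_hop_count(EF, minDelayLink)", lambda g10, g68: (False, g68)),
    (OPT, "set_exponent(maxValue)", lambda g10, g68: (g10, False)),
    (OPT, "set_exponent(minValue)", lambda g10, g68: (g10, True)),
]

def step_monitor(stage, state):
    """Monitor for the assumed goal relation: stage 0 waits for G10,
    stage 1 waits for a state without G68, stage 2 means both goals were met."""
    g10, g68 = state
    if stage == 0 and g10:
        stage = 1
    if stage == 1 and not g68:
        stage = 2
    return stage

def find_counterexample(actions=ACTIONS):
    """Check the claim 'the goals are never fulfilled' by breadth-first search
    over system x monitor; return the shortest violating trace, or None."""
    start = (INIT, step_monitor(0, INIT))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        (state, stage), trace = queue.popleft()
        if stage == 2:
            return trace
        for target, action, effect in actions:
            nxt = effect(*state)
            node = (nxt, step_monitor(stage, nxt))
            if node not in seen:
                seen.add(node)
                queue.append((node, trace + [(target, action)]))
    return None  # no counterexample: the modelled system cannot fulfil the goals

def abstract_policies(trace, subject="ND_PMA", event="doRPC()"):
    """Turn each action on the trace into the fields of an obligation policy."""
    return [{"on": event, "subject": subject, "target": t, "do": a} for t, a in trace]

if __name__ == "__main__":
    for policy in abstract_policies(find_counterexample()):
        print(policy)
```

Dropping set_exponent(maxValue) from the model makes the search return None, which is the "no counterexamples are found" case from the Discussion slide.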