Using Continual Verification to Automate Service
Selection in Service-Based Systems
A
new, web-based intelligent proxy generator based on an adaptive
model learning method is now available:
- Pre-installed on public Amazon Machine Image WB-IPGen from
the us-east-1 (i.e., US East (Northern Virginia)) Amazon EC2 region)
- As an open-source application for deployment on a local
development machine here
Abstract
Over a decade of sustained research into the development of
self-adaptive service-based systems
(SBSs) has had little impact on the state of practice. SBSs that
select their services dynamically
in response to changes in workload or requirements may be
commonplace in academic software
engineering labs, but are rarely encountered in the real world. We
introduce a tool-supported
SBS engineering framework that aims to reduce this gap between
state-of-the-art research and
the current state of practice by using a three-pronged approach as
follows.
- First, our COVE (COntinual VErification) framework
guarantees that the automated service
selection complies with the SBS reliability requirements with
minimal cost. This is achieved
by using a combination of continual quantitative verification
and adaptive updating of the
SBS model that is verified at runtime.
- Second, COVE generates the software components that provide
its model updating, continual verification
and service selection functionality automatically.
Accordingly, COVE can be used by developers
with limited expertise in the theory underpinning its
operation.
- Finally, the COVE development workflow resembles current
SBS development processes,
so COVE adopters need not learn a new development paradigm.
Our technical report introduces the three COVE components, and
shows their effectiveness using a case study
from the telehealth application domain.
R. Calinescu, K. Johnson, Y. Rafiq (2013) Using Continual
Verification to Automate Service Selection in Service-Based-Systems,
Technical Report YCS-2013-484, available online at University
of York
The source code of the COVE framework is available to download here:
COVE-src.zip
Self-Adaptive Service-Based-System COVE Architecture
The architecture of a COVE self-adaptive SBS comprising n >= 1
operations performed by remote third-party services
is depicted in Figure above. The n > 0 COVE service proxies
in this architecture interface the SBS workflow with sets of
remote service such that the i-th SBS operation can be carried out
by mi ≥ 1 functionally equivalent services.
The runtime selection of the service for each SBS operation and, as
in the case of traditional web service proxies, the interactions
with the selected services are handled automatically by the COVE
proxies. Whenever an instance of the i-th proxy is created, it is
initialised with a sequence of (promised) service level agreements
(SLAs) represent the provider-supplied probability of success and
the
cost for an invocation of service sij, respectively.
The n proxies are also responsible for notifying a model updater
about each service invocation and its outcome.
The COVE model updater starts from a developer-supplied initial
model of the SBS workflow, and uses the COVE online learning
technique
to adjust the model parameters in line with these proxy
notifications. Finally, the up-to-date SBS model maintained by the
model updater is
used by an autonomic manager that controls the services selected by
the n proxies, to ensure that the service combination which
satisfies the
SBS requirements with minimal cost is selected at all times.
Accordingly, the COVE proxies, model updater and autonomic manager
implement a
monitor-analyse-plan-execute (MAPE) autonomic computing loop.
A key advantage of our COVE framework is that its model updater and
autonomic manager components are SBS- independent and therefore
reusable
across applications, while the SBS-specific proxies are generated
automatically using a COVE software engineering tool described in
Section V.
COVE Experiments: Scalability of the Autonomic Manager
To evaluate the scalability and generality of our approach, we
carried out a number
of experiments that assessed the overheads of executing the
runtime analysis within
the autonomic manager.
We selected the following workflows used by a number of projects in
this area.
Each problem domain is outlined and a description of each service is
given.
QoS requirements are given and formulated as PCTL formulas.
The workflow for each case study is formalised as a parameterised
DTMC model based on the PRISM high-level statebased
language and used as input to the autonomic manager.
The parameters are replaced by the autonmic manager in accordance to
the observed frequency of transition invocations
in the workflow and the reliability, and costing structure for each
concrete service.
Telehealth application domain
The primary case study in our paper is a service-based system for
remote medical assistance called TeleAssistance(TA) [1,2].
The system comprises the following three abstract
services:
- Alarm Service, which provides the operation sendAlarm.
- Medical Analysis Service, which provides the operation analyzeData,
and
- Drug Service, which provides the operations changeDrug.
Depending on the region offering the TeleAssistance medical
service, each of the abstract services listed above will have one
ore more implementations --
concrete services offered by telecommunication provides each
offering identical functionality. Our case study will be used to
show the effectivity of the
Intelligent Proxy in maintaining the following QoS requirements
(both reliability and performance):
QoS Requirements
The autonomic manager is used to maintain the following high-level
QoS requirements:
- The probability that one execution of the workflow ends in a
service failure is at most pR1 = 0.08.
- The probability that an alarm failure occurs within N = 10
executions of the workflow is at most pR2 = 0.05.
- The probability that an invocation of the analysis service is
followed by an alarm failure is at most pR3 = 0.0002.
We formalise these requirements in probabilistic computational tree
logic: teleassist.pctl
- P<=0.08[!(a=10)U(a=7|a=8|a=9)]
- P<=0.05[F(a=7)]
- filter(forall,P<=0.0002[!(a=10)U(a=7)],a=3)
The expected cost of a single invocation of the workflow
is determined by the PCTL formula "R=?[F a=10]", relative
to the rewards structure associating a monetary value to each
abstract operation, appropriate to the concrete services provided
by the user of COVE to the autonomic manager.
Formulating a parameterised DTMC model
We formulate a parameterised DTMC model comprising 11 states of
the Teleassistant health application in PRISM: teleassist-dtmc.pm
The identifiers that begin with the symbol % are replaced by the
autonomic manager with values appropriate to the concrete service
implementing each abstract operation.
e-commerce application domain
We tested the scalability on an ecommerce application introduced in
[3]. The workflow represents a system in which new or returning
customers
log into an ecommerce application to purchase products. Once one or
more products have been selected the customer may choose to have
their purchases
shipped by an express service or a normal service. The customer logs
out and their session with the application is terminated
successfully .
The system comprises four abstract services:
- Authentication Service, which provides the operation Auth
- Payment Service, which provides the operation Payment
- Normal Shipping Service, which provides the operation NrmShipping,
- Express Shipping Service, which provides the operation ExpShipping.
QoS Requirements
The autonomic manager is used to maintain the following
high-level QoS requirements [3]:
- Probability of success shall be greater than 0.8
- Probability of a ExpShipping failure for a user recognized as
a returning customer shall be less than 0.035
- Probability of an authentication failure shall be less than
0.06
We formalise these requirements in probabilistic computational
tree logic: ecommerce.pctl
- P>0.8[F(s=16)]
- filter(forall,P<0.035[F(s=13)],s=1)
- P<0.06[F s=5]
The expected cost of a single invocation of the workflow
is determined by the PCTL formula
"R=?[F(s=16)|(s=15)|(s=5)|(s=13)|(s=8)]", relative
to the rewards structure associating a monetary value to each
abstract operation named in the ecommerce workflow, appropriate to
the concrete
services provided by the user of COVE to the autonomic manager.
Formulating a parameterised DTMC model
The figure, reproduced from [3], depicts the DTMC modelling the
reliability of the ecommerce application: ecommerce.pm
Travel application domain
Our third case study is a travel assistant application whose
workflow organises the invocation of services relating to
accommodation booking and vehicle rental, based on
the travel planner in [4]. Requests arriving to the workflow can
either be invocations to search for flights (90%) or search for
tourist attractions at a specific destination (10%),
when accommodation arrangements have otherwise been made. The drive
time between the hotel and the attraction is calculated and either a
car (70%) or bicycle (30%) is
hired based on the distance between locations.
The workflow comprises the following five services
- Attraction information service, which provides the operation Attract
- Flight reservation and booking service, which provides the
operation Flight
- Hotel reservation service, which provides the operation Hotel
- Bicycle rental service, which provides the operation Bike
- Car hire service, which provides the operation Car
QoS Requirements
The autonomic manager is used to maintain the following
high-level QoS requirements:
- More than 80% of users invoke the bike rental service.
- Less than 25% of invocations end in failure
- More than 80% of people who search for attractions rent a bike
Formulated as PCTL formulae: travelassist.pctl
- P>0.8 [ F (s=11) ]
- P<0.25 [F(s=4|s=5|s=7|s=9|s=12) ]
- filter(forall, P>0.8[F(s=11)], s=2)
The expected cost of a single invocation of the workflow is
determined by the PCTL formula "R=?[F s=13 ]", relative
to the rewards structure associating a monetary value to each
abstract operation named in the travel assistant workflow,
appropriate to the concrete services provided by the user of COVE to
the autonomic manager.
Formulating a parameterised DTMC model
The figure, depicts the DTMC modelling the reliability of the travel
assistant application: travelassist.pm
[4]
COVE Performance
We ran experiments that considered between two and six concrete
services for each of the abstract operations.
Each experiment measured the time taken to construct the autonomic
manager and select the optimal concrete service
configuration in the worst-case scenario whereby all combinations of
concrete services satisfied the workflow requirements.
The results of our experiments are averaged over several runs and
are summarised in the figure presented below:
(The original logging output is available here: results.zip)
Bibliography
[1] R. Calinescu, L. Grunske, M. Kwiatkowska, R. Mirandola, and G.
Tamburrelli, �Dynamic QoS management and optimization in
service-based systems,� IEEE Trans. Softw. Eng., vol. 37, pp.
387�409, 2011.
[2] R. Calinescu, C. Ghezzi, M. Kwiatkowska, and R. Mirandola,
�Self-adaptive software needs quantitative verification at runtime,�
Communications of the ACM, vol. 55, no. 9, pp. 69�77, September
2012.
[3] A. Filieri, C. Ghezzi, and G. Tamburrelli, �A formal approach to
adaptive software: continuous assurance of non-functional
requirements,� Formal Aspects of Computing, vol. 24, no. 2, pp.
163�186, 2012.
[4] L. Zeng, B. Benatallah, A. H.H. Ngu, M. Dumas, J. Kalagnanam,
and H. Chang, �Qos-aware middleware for web services composition,�
IEEE Trans. Softw. Eng., vol. 30, no. 5, pp. 311�327, May 2004.
Last updated: October 31st 2013, Kenneth Johnson
kenneth.johnson@york.ac.uk