 

© 2011
Dependability Assurance

Objectives
As CONNECT aims at enabling the open networking of systems, it is of paramount importance that this is realised in a dependable way. Dependability assurance research is conducted on a broad scope, covering the classical dependability attributes together with performance, security and trust: we coin the term CONNECTability to cover the CONNECT-relevant properties (see below). We target the development of new concepts, metrics and approaches for the CONNECTability of eternally CONNECTed systems, in spite of changes and of accidental or intentional faults (i.e., attacks).
While CONNECT is of course not immune to other sources and kinds of failure, we focus our work on understanding the potential impact on system dependability, performance, security and trust of communication established through the CONNECT approach. Thus, building on the existing literature and on related projects for general dependability needs, we concentrate on the threats specifically entailed by the on-the-fly synthesis of CONNECTors: is the CONNECTor reliable? Is the CONNECTion secure? Is the CONNECTed System trustworthy? And so on.
CONNECT Properties and CONNECTability Metrics
Suitable properties for CONNECTed systems must be defined to serve as the reference for CONNECTability analysis. Elaborating on traditional, well-understood dependability metrics, a conceptual model has been developed as a structured framework that refines generic metrics into CONNECT-dependent and context-dependent metrics. These metrics apply to each of the four CONNECT actors: the Enablers (e.g., discovery, learning and synthesis), the CONNECTor, the Networked System and the CONNECTed System.
The elements and relations of this conceptual model are being formalised as a Meta-Model implemented in Ecore within the Eclipse Modeling Framework. Based on it, the model for a specific scenario under consideration can be instantiated using model-driven approaches.
An excerpt of the Meta-Model is provided below. It allows the definition of qualitative and quantitative Properties. At the moment we focus on the quantitative ones, which embed Metrics obtained by actualising abstract MetricsTemplates. Both the Metrics and the MetricsTemplate definitions are based on the concept of an Event, whose Specification is the bridge between a generic metric and its actualisation over a specific application domain. By changing the Application Domain, the Metrics, and hence the related Property, different systems can be targeted (the CONNECT framework, a Photo Sharing Networked System, a Terrorism Alert Networked System, ...).
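To make the chain Property, Metrics, MetricsTemplate, Event/Specification and Application Domain concrete, here is an added Python example; it is not the project's Ecore Meta-Model nor any CONNECT code. Two abstract templates (success ratio and mean request-to-response latency) are actualised over two hypothetical domains by supplying only a Specification that maps each domain's record kinds to abstract event names. The record kinds, the traces and the bounds are constructed for illustration.

```python
"""Added example (not the CONNECT Meta-Model or project code): a toy
Property / Metrics / MetricsTemplate / Event / Specification chain, with two
abstract templates actualised over two hypothetical application domains.
Record kinds, traces and bounds are constructed for illustration."""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, float]   # (domain-specific kind, correlation id, timestamp)


@dataclass(frozen=True)
class Event:
    """Abstract event as seen by a template: name, correlation id, timestamp."""
    name: str
    cid: str
    time: float


@dataclass(frozen=True)
class MetricsTemplate:
    """Generic, domain-independent metric defined over abstract event names."""
    name: str
    compute: Callable[[List[Event]], float]


@dataclass(frozen=True)
class Specification:
    """Bridge from one application domain's record kinds to abstract events."""
    domain: str
    mapping: Dict[str, str]      # concrete kind -> abstract event name

    def actualize(self, records: List[Record]) -> List[Event]:
        # record kinds the template does not care about are dropped here
        return [Event(self.mapping[kind], cid, t)
                for kind, cid, t in records if kind in self.mapping]


@dataclass(frozen=True)
class Metrics:
    """A MetricsTemplate actualised by a Specification."""
    template: MetricsTemplate
    spec: Specification

    def evaluate(self, records: List[Record]) -> float:
        return self.template.compute(self.spec.actualize(records))


@dataclass(frozen=True)
class QuantitativeProperty:
    """A metric plus the bound(s) it must satisfy."""
    name: str
    metrics: Metrics
    lower: Optional[float] = None
    upper: Optional[float] = None

    def holds(self, records: List[Record]) -> bool:
        v = self.metrics.evaluate(records)
        return ((self.lower is None or v >= self.lower)
                and (self.upper is None or v <= self.upper))


def _pair(events: List[Event]):
    """Match each 'request' with the first later 'response' carrying the same id."""
    requests = {e.cid: e for e in events if e.name == "request"}
    responses: Dict[str, Event] = {}
    for e in events:
        if (e.name == "response" and e.cid in requests
                and e.cid not in responses and e.time >= requests[e.cid].time):
            responses[e.cid] = e
    return requests, responses


def success_ratio(events: List[Event]) -> float:
    """Fraction of requests that got a response (a reliability-style metric)."""
    requests, responses = _pair(events)
    return len(responses) / len(requests) if requests else 0.0


def mean_latency(events: List[Event]) -> float:
    """Mean request-to-response time over answered requests (a performance metric)."""
    requests, responses = _pair(events)
    if not responses:
        return float("inf")
    return mean(r.time - requests[c].time for c, r in responses.items())


SUCCESS_RATIO = MetricsTemplate("success ratio", success_ratio)
MEAN_LATENCY = MetricsTemplate("mean latency", mean_latency)

# Two hypothetical application domains, each with its own record vocabulary.
PHOTO_SPEC = Specification("photo sharing", {
    "upload_started": "request", "upload_done": "response", "upload_failed": "failure"})
ALERT_SPEC = Specification("terrorism alert", {
    "alert_issued": "request", "alert_acknowledged": "response"})

# Constructed traces: (kind, correlation id, seconds).
PHOTO_LOG: List[Record] = [
    ("upload_started", "p1", 0.0), ("upload_done", "p1", 1.2),
    ("upload_started", "p2", 0.5), ("upload_failed", "p2", 3.0),
    ("upload_started", "p3", 1.0), ("thumbnail_generated", "p1", 1.3),
    ("upload_started", "p4", 1.5), ("upload_done", "p3", 2.1), ("upload_done", "p4", 2.9),
]
ALERT_LOG: List[Record] = [
    ("alert_issued", "a1", 10.0), ("alert_acknowledged", "a1", 10.8),
    ("alert_issued", "a2", 11.0), ("alert_issued", "a3", 12.0),
    ("alert_acknowledged", "a3", 12.4), ("alert_acknowledged", "a2", 13.2),
]

# Same templates, different Properties: only the Specification and bounds change.
PHOTO_RELIABILITY = QuantitativeProperty(
    "upload success ratio >= 0.9", Metrics(SUCCESS_RATIO, PHOTO_SPEC), lower=0.9)
ALERT_LATENCY = QuantitativeProperty(
    "alert delivery latency <= 2 s", Metrics(MEAN_LATENCY, ALERT_SPEC), upper=2.0)

if __name__ == "__main__":
    for prop, log in ((PHOTO_RELIABILITY, PHOTO_LOG), (ALERT_LATENCY, ALERT_LOG)):
        print(f"{prop.name}: value={prop.metrics.evaluate(log):.3f} holds={prop.holds(log)}")
```

Retargeting the analysis to another system means writing a new Specification (and bounds), not a new template: the photo-sharing and alert traces are evaluated by the same two functions. Responses are matched to requests by correlation id and must not precede the request, so stray or duplicate records in a trace do not inflate the ratio.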
Verification & Validation
Concerning verification and validation, we study two complementary approaches: state-based stochastic methods, supported by Möbius, and probabilistic model checking, supported by PRISM. Using both, a variety of scenarios and user/application needs in terms of dependability analysis can be satisfied. The different formalisms and tools implied by the two methods allow us: i) to complement the analysis with respect to aspects such as level of abstraction, scalability and accuracy, for which the two approaches have different strengths; and ii) through their diversity, to cross-validate results and so increase confidence in the correctness of the analysis itself. Our activity on dependability assessment is closely related to, and complemented by, a verification framework for quantitative compositional reasoning, which is under investigation as part of our work on the formal foundations of CONNECTors.
We are currently addressing automated dependability analysis performed by the Dependability Enabler to assess, before deployment, whether the dependability requirements requested by the Networked Systems can be satisfied by the synthesised CONNECTor. The architecture of the Dependability Enabler is logically split into four main functional modules: Builder, Analyser, Evaluator and Enhancer. The Builder module derives the dependability model of the CONNECTed System from the specification provided by Synthesis. The Analyser module uses the generated dependability model to perform a quantitative assessment of the non-functional requirements reported by the Discovery Enabler. The Evaluator module checks the analysis results to determine whether the non-functional requirements are met. If they are not, the Evaluator activates the Enhancer module to determine possible solutions for improving the dependability level of the CONNECTed System. If they are, the Evaluator reports to Synthesis that the CONNECTor can be deployed, and reports to the Monitoring Enabler the aspects that must be observed for the CONNECTor about to be deployed, e.g., transition durations and the probability of transition failure.
We are also working on an on-line quantitative verification approach dedicated to the case where verification has to be performed repeatedly with differing probability values, e.g., values provided by the Monitoring Enabler (see below). Such runtime analysis can incur significant time and memory overheads. Our approach improves performance by reusing results from previous verifications: the results obtained in each round are stored so that the parts of the model not affected by the probability changes need not be recomputed. We also improve the efficiency of the underlying probabilistic verification, which typically requires a combination of graph-based analysis and iterative numerical solution methods.
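As an added example, written for this page and not the Dependability Enabler's or PRISM's code, the following Python models a hypothetical CONNECTor as a discrete-time Markov chain, computes the probability that a mediated request eventually succeeds (the Analyser step), checks it against a requirement (the Evaluator step), and then re-verifies after a monitoring-supplied probability update, recomputing only the states that can reach the changed transition and reusing stored values for the rest, which is the reuse idea of the on-line approach in its simplest form. The state names, the probabilities, the 0.94 requirement and the updated 0.06 failure probability are all assumptions.

```python
"""Added example (not the CONNECT Dependability Enabler's code): reachability
analysis of a small DTMC model of a hypothetical CONNECTor, a requirement
check, and incremental re-analysis after monitoring reports a changed
probability. All state names and probabilities are assumptions."""
from collections import deque
from typing import Dict, Iterable, Optional, Set

State = int
DTMC = Dict[State, Dict[State, float]]          # source -> {target: probability}

IDLE, TRANSLATE, FORWARD, AWAIT, CACHED, SUCCESS, FAIL = range(7)

# Hypothetical CONNECTor: translate the request, then either forward it to the
# remote Networked System and await its reply, or answer it from a local cache.
CONNECTOR: DTMC = {
    IDLE:      {TRANSLATE: 1.0},
    TRANSLATE: {FORWARD: 0.70, CACHED: 0.28, FAIL: 0.02},
    FORWARD:   {AWAIT: 0.95, FORWARD: 0.04, FAIL: 0.01},   # 0.04: retransmit
    AWAIT:     {SUCCESS: 0.97, FAIL: 0.03},
    CACHED:    {SUCCESS: 0.99, FAIL: 0.01},
    SUCCESS:   {SUCCESS: 1.0},                              # absorbing
    FAIL:      {FAIL: 1.0},                                 # absorbing
}


def check_stochastic(model: DTMC, tol: float = 1e-9) -> None:
    """Builder-side sanity check: every row must be a probability distribution
    over known states, otherwise the analysis below is meaningless."""
    for s, row in model.items():
        if any(p < 0 for p in row.values()) or abs(sum(row.values()) - 1.0) > tol:
            raise ValueError(f"row of state {s} is not a distribution: {row}")
        for t in row:
            if t not in model:
                raise ValueError(f"state {s} has a transition to unknown state {t}")


def reachability(model: DTMC, target: State, fail: State,
                 cached: Optional[Dict[State, float]] = None,
                 only: Optional[Set[State]] = None,
                 eps: float = 1e-12, max_iter: int = 100_000) -> Dict[State, float]:
    """P(eventually reach `target`) per state, by Gauss-Seidel value iteration.
    With `only`, just those states are recomputed; the rest keep `cached` values."""
    x = {s: 0.0 for s in model}
    x.update(cached or {})
    x[target], x[fail] = 1.0, 0.0
    todo = [s for s in model if s not in (target, fail) and (only is None or s in only)]
    for _ in range(max_iter):
        delta = 0.0
        for s in todo:
            new = sum(p * x[t] for t, p in model[s].items())
            delta = max(delta, abs(new - x[s]))
            x[s] = new
        if delta < eps:
            return x
    raise RuntimeError("value iteration did not converge")


def affected_states(model: DTMC, changed: Iterable[State]) -> Set[State]:
    """States whose value may change: those that can reach a changed state
    (reverse BFS). Every other state keeps its previously verified value."""
    pred: Dict[State, Set[State]] = {s: set() for s in model}
    for s, row in model.items():
        for t in row:
            pred[t].add(s)
    seen, queue = set(changed), deque(changed)
    while queue:
        for s in pred[queue.popleft()]:
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return seen


def with_row(model: DTMC, state: State, row: Dict[State, float]) -> DTMC:
    """Copy of `model` with the outgoing distribution of `state` replaced."""
    new = {s: dict(r) for s, r in model.items()}
    new[state] = dict(row)
    return new


def evaluate(model: DTMC, init: State, target: State, fail: State, requirement: float,
             cached: Optional[Dict[State, float]] = None, changed: Iterable[State] = ()):
    """Analyser + Evaluator: (probability, requirement met?, all values, recomputed states)."""
    check_stochastic(model)
    if cached is None:
        recomputed = set(model)
        values = reachability(model, target, fail)
    else:
        recomputed = affected_states(model, changed)
        values = reachability(model, target, fail, cached=cached, only=recomputed)
    p = values[init]
    return p, p >= requirement, values, recomputed


def run_scenario(requirement: float = 0.94):
    """Pre-deployment check, then an on-line re-check after a (constructed)
    monitoring report that AWAIT fails with probability 0.06 instead of 0.03."""
    p0, ok0, values, _ = evaluate(CONNECTOR, IDLE, SUCCESS, FAIL, requirement)
    observed = with_row(CONNECTOR, AWAIT, {SUCCESS: 0.94, FAIL: 0.06})
    p1, ok1, _, recomputed = evaluate(observed, IDLE, SUCCESS, FAIL, requirement,
                                      cached=values, changed=[AWAIT])
    return {"before": (p0, ok0), "after": (p1, ok1), "recomputed": recomputed}


if __name__ == "__main__":
    print(run_scenario())
```

Before deployment the success probability is about 0.949 and the 0.94 requirement is met; with the observed 0.06 failure probability it drops to about 0.928 and the Evaluator would flag it. Only IDLE, TRANSLATE, FORWARD and AWAIT are recomputed after the update: CACHED cannot reach AWAIT, so its stored value is reused. check_stochastic is the Builder-side check that the synthesised model is well-formed before any analysis runs.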
Security & Privacy
Security mechanisms are studied and developed to guarantee security requirements while two Networked Systems communicate through a CONNECTor. In CONNECT, the Security-by-Contract-with-Trust (SxCxT) paradigm is conceived as a unified framework for managing both security and trust in an integrated way.
Trust Management
The proposed CONNECT trust model, depicted in the figure below, distinguishes three categories of trust relations: relations for assessing CONNECTors, relations for assessing Enablers, and relations for assessing Networked Systems.
Currently we assume that CONNECTors and Enablers are trusted, and we focus on interoperable trust management among heterogeneous Networked Systems through the CONNECT Trust Enabler. More precisely, we introduce a trust meta-model in the form of TMDL (Trust Model Description Language) that allows any trust model to be described. Given the TMDL specifications of the trust models implemented by the Networked Systems, we can infer composite trust models that allow them to interact in a trusted way. In the proposed CONNECT trust model, Enablers can also estimate a measure of confidence in a CONNECTor, coordinate safely with one another to jointly synthesise and deploy CONNECTors, and manage feedback to detect dysfunction and update trust relations.
Monitoring
A generic lightweight architecture for monitoring, called GLIMPSE (Generic fLexIble Monitoring based on a Publish-Subscribe infrastructure), has been developed.
Monitoring is conceived as a common core service offered to the other Enablers to detect the conditions they deem relevant, in order to implement feedback loops whereby dependability analysis, CONNECTor synthesis (shown in the picture below) and behaviour learning can be applied in an on-line setting and enhanced to cope with change and dynamism.
Selected Publications
Further Information
More information about the CONNECT work on dependability assurance can be found on the Publications page.