On June 4th and 5th I participated in the 7th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2012), which was co-located with the 34th International Conference on Software Engineering (ICSE 2012), in Zürich, Switzerland. I presented a paper called “(Requirement) Evolution Requirements for Adaptive Systems”, which one of the final pieces of my PhD work in the University of Trento, Italy.
Like last year, when I participated in SEAMS 2011, I wrote quick summaries of the presentations that were given in this track in order to share it with colleagues from DISI/Unitn. These papers are not yet published in the ACM Digital Library, so if you are interested in one of them and can’t find a copy in the author’s website, let me know because I got the proceedings of the symposium (and also of ICSE, for that matter).
The rest of the post summarizes the presentations in chronological order.
Day 1: Monday, June 4th
SEAMS started with the keynote of prof. Raffaello D’Andrea (ETH Zürich, Switzerland), titled Model-Based Adaptation and Learning for Robotic Systems. Prof. D’Andrea does research on adaptive robots, having won RoboCup from 1999 until 2005 and co-founded Kiva Systems in 2004. According to him, both successes are due to successful application of model-based control design and adaptation/learning.
The speaker thus highlighted the importance of models for the design of control systems: models are powerful, can give guarantees and allow reconfigurability of the system. However, they are also time-consuming, sensitive to modeling errors and not easy to do.
During the keynote, many examples of use of models for the design of control systems were given. In the RoboEarch project, robots learned to do tasks and shared what they learned in a common “Wikipedia-style” model repository so other robots would learn from experience. Models were also used in learning aerobatics, i.e., robots would do acrobatics while airborne and improve it little by little until they learn the proper movement (D’Andrea showed some cool videos of two quadrocopters throwing a ball to one another and another one of five quadrocopters performing a choreography to a song). Two other examples shown were a balancing cube and a “blind juggler”.
During the Q&A session, John mentioned socio-technical systems and uncertainty, asking for suggestions on how to model these. Prof. D’Andrea answered that their current models cannot handle complex, socio-technical systems, but suggested a review of the literature in the areas of “hybrid systems” and “robust control”, the latter of which focused on dealing with environmental uncertainty.
Session 2 (Service-Based Systems)
Dynamic Self-Adaptation for Distributed Service-Oriented Transactions (Hassan Gomaa, George Mason University, USA): part of the SASSY research project, this approach looks into software adaptation patterns for Service-Oriented Applications, based on SOA coordination patterns. The goal is to dynamically adapt distributed transactions at run-time, separating the concerns of individual components of the architecture from concerns of dynamic adaptation, using a connector adaptation state-machine. Moreover, a two-phase commit protocol was used to coordinate adaptation for distributed transactions.
OSIRIS-SR: A Safety Ring for Self-Healing Distributed Composite Service Execution (Nenad Stojnic, University of Basel, Switzerland): working with service composition in the cloud, which entails a high probability of software failure. The objective is then to try to guarantee some level of reliability. The proposed framework is called OSIRIS: Open Service Infrastructure for Reliable and Integrated process Support. It consists of a peer-to-peer decentralized service execution engine and organizes services into a self-organizing ring topology called “the OSIRIS Safety Ring”.
Proactive Adaptation of Service Composition (Andrea Zisman, City University London, UK): the presented defined a proactive adaptation as a process that is triggered by a failure (just like reactive adaptation) but that goes through the rest of the execution in the service composition to compensate for the unavailability or failure of some earlier component. She then proposes the ProAdapt Framework to deal with four different classes of problems: (a) composition stops its execution (failure); (b) composition continue but not in the best way (degradation); (c) emergence of new requirements; (d) emergence of better services; using a four-step process: (1) identification/observation of events (faults, new service); (2) analysis of the situations (need for adaptation? Uses spacial correlation of services); (3) decision of the actions to be taken (current/future execution instances? Replacement of services); (4) execution of the actions.
Session 3 (Exemplars)
Traffic Routing for Evaluating Self-Adaptation: An Exemplar (Jochen Wuttke, University of Washington, USA): analyzed papers from last 5 years of SEAMS to see how people evaluate their approaches, concluding that although prototypes are implemented and experiments are run to see if the adaptation happens, comparison between different works is missing. The presenter argued that exemplars (e.g., ZNN.com) are useful for this kind of comparison. They should be well-defined problems with many opportunities for adaptation and many environmental variables to require adaptation.
In that sense, ZNN.com is a good exemplar for architecture, and so the authors propose an exemplar for adaptation algorithms: the automated traffic routing problem. It has adaptation in different granularities and multiple sources of uncertainty, churn and noise. The authors provide both a definition of the problem and a simulator that generates inputs for the adaptation algorithm that is being tested. Using this simulator, two algorithms developed by the authors for a test comparison were done with only 140 Java LOCs.
Following Wuttke’s presentation, which actually referred to a paper published in the conference proceedings, some people were invited for short presentations of exemplars they have used in their research.
Joel Greenyer (Politecnico di Milano, Italy, formerly University of Paderborn, Germany) presented The RailCab System – (Self-)Adaptation Challenges.The RailCab System consists of autonomous rail carts traveling in the same rail network and Joel presented challenges for adaptation in this scenario.
Liliana Pasquale (LERO, Ireland) presented Adaptive Security for the Cloud, which focused on adaptive security (capture and analyze changes in security concerns and how to apply them to running systems) in a smart grid scenario (she would come back to the topic in her short paper presentation, the last one in the program).
Danny Weyns (Linnaeus University, Sweden) presented Software Product Line for Distributed Game Environments: Exemplar for Self-Adaptive Systems. The work considered the following requirements for exemplars: they should be attractive, have manageable complexity, have explicit self-adaptive requirements, well documented and open. Given these requirements, they designed a distributed game environment as an exemplar, which currently supports online updates and crash recovery as adaptation requirements. It uses the Software Product Line approach (based on Autonomic SPL) to derive different game environments.
Session 4 (Control Theory and Resilience)
A Systematic Survey on the Design of Self-Adaptive Software Systems Using Control Engineering Approaches (Tharindu Patikirikorala, Swinburne University of Technology, Australia): this work analyzed 161 papers on adaptive systems that used Control Engineering practices and tried to answer 5 research questions: how to classify existing approaches? What are the methods used to model dynamics of software systems? What are the control schemes/architectures? Which techniques were used to validate them? And what are common trends and patterns on this research field?
Reliability-Driven Dynamic Binding via Feedback Control (Antonio Filieri, Politecnico di Milano, Italy): focuses on SOA as architecture and dynamic binding of services at runtime as adaptation mechanism. The goal is to make the system continuously provide the desired reliability. Current approaches use either heuristics (fast, but no guarantees) or optimization (best decision, but slow). Their work, therefore, exploits established control theory for the solution. The approach provides an auto-tuner to decide the configuration of the controller, allowing also a trade-off between responsiveness and overshooting. Experiments using MatLab, standard Java and Java EE are available in the author’s website.
Evaluation of Resilience in Self-Adaptive Systems Using Probabilistic Model-Checking (Javier Cámara, University of Coimbra, Portugal): the objective of this work is to provide assurances for adaptive systems, that a set of stated properties are satisfied during system operation. This is difficult to do given the uncertainty of the environment, so novel methodologies are needed to reason in terms of probabilities. The approach is divided in four stages: (1) stimulus generation (forcing situations that require adaptation); (2) experimental data collection (see how the system responds); (3) model generation (create a probabilistic model using DTMCs); (4) property verification (over the probabilistic models). Experiments were conducted using the Rainbow framework.
Session 5 (Distributed Systems)
Coordination of Distributed Systems through Self-Organizing Group Topologies (Panteha Saeedi, Politecnico di Milano, Italy): coordinating distributed pervasive systems is already a challenging task. Considering the uncertainty of the environment, this becomes even more complex. The authors propose A-3, a model and a self-organizing distributed middleware for designing and implementing high-volume and highly volatile distributed systems, focusing on the coordination needs of such systems.
The proposal was evaluated with an RFID-based distributed surveillance system in a health-care organization.
Timing Constraints for Runtime Adaptation in Real-time, Networked Embedded Systems (Marc Zeller, Fraunhofer ESK, Germany): focuses on complex automotive electronic systems, which are already very complex networked embedded systems, but complexity is increasing even more and there is a high demand on safety and reliability on this components, with real-time constraints. These kinds of systems also show many limitations, being heterogeneous hardware platforms, having limited resources, timing dependencies, etc. Thus, the goal here is to formalize the adaptation process, describe timing constraints for component migration and plan run-time adaptations efficiently. Planning was implemented in two different algorithms: automated planning and constraint solving (with a SAT solver). The former scales poorly, whereas the latter is not as accurate.
A Middleware and Algorithms for Trust Calculation from Multiple Evidence Sources (Hanan Lutfiyya, University of Western Ontario, Canada): focuses on Ultra-Large Software Systems, in which services will have multiple providers, with different quality of services. Decisions of which provider to use is done based on trust, by assessing the validity of the service offer of each provider. There are many works on service selection that incorporate trust, reputation systems or trust in peer-to-peer networks. The novelty in this work is a process for formulating trust as a belief in what a service will deliver based on evidence such as credential authority, experience, reputation and recommendation from multiple sources. Trust is then calculated as function of beliefs, each of which may use different evidence types. So the problem is to create a trust model that allows for trust calculation.
Report on 2012 SefSAS2 Book
Holger Giese (Hasso-Plattner-Institut, Germany) gave an update on the status of the upcoming Software Engineering for Self-Adaptive Systems 2 book, result of the second Dagsthul seminar on this topic. The book will be published by Springer in August or September, with four roadmap papers and 10 technical contributions, tackling the challenges selected for this edition: (1) design space for adaptive solutions; (2) towards software engineering processes for self-adaptive systems; (3) from centralized to decentralized control; and (4) practical run-time verification & validation for self-adaptive systems.
Day 2: Tuesday, June 5th
The second day of SEAMS started with a keynote from prof. Franco Zambonelli, from University of Modena and Reggio Emilia, Italy. The presentation was called Reconciling Self-adaptation and Self-organization and started tracing parallels between these two self-* concepts and traffic organization: a normal traffic light is non-adaptive; by adding a traffic guard that directs the flow according to needs makes this system self-adaptive, with a human in the loop; a smart traffic light that gives precedence to bicycles or trams is also self-adaptive (but in this case, autonomous); however, the famous Hanoi crossing with no stop signs or traffic lights is an example of a self-organizing system; finally, a roundabout is an example of reconciliation of self-adaptive with self-organizing.
On this topic, he started presenting his work on the SOTA (“State of the Affairs”) framework, which defines the set of states, goals and utilities (non-functional requirements) for a system, later associating them with “awareness” requirements which, by following patterns, are used in the design and construction of the feedback loops that operationalize adaptation. No need to mention that I contacted prof. Zambonelli after the keynote and sent him our Awareness Requirements paper… We exchanged some ideas about the differences between our AwReqs and theirs and I’m looking forward to a nice discussion on the topic.
Prof. Zambonelli then presented the first key question of the keynote: how can we integrate bottom-up self-organization patterns into large-scale self-adaptive systems? Top-down self-adaptive solutions might be good for a small group of agents where a leader centralizes the feedback control, whereas bottom-up self-organization patterns might be more suitable for large group of autonomous agents. He proceeded to describe another project, called SAPERE (“Self-Aware Pervasive Service Ecosystems”), whose goal is to define and implement a general framework for self-organizing service ecosystems (distributed systems). Components of the system can inject LSAs (Live Semantic Annotations) that propagate to other components, while EcoLaws define how they interact in the ecosystem.
Three more key questions were presented, to which Zambonelli provided comments on the research directions for addressing them:
- Key question 2: how to control by design the behavior of self-organizing (sub)systems? How to guarantee that the final behavior of the whole system is the one I want? The answer lies around the roundabout lesson: we have to engineer the environment so agents organize themselves around it;
- Key question 3: are there different approaches to reconcile? Prof. Zambonelli said that he had no answers, however he thought that inspiration could come from jazz (the music genre), i.e., to have a few “engineered” rules to follow and freedom to self-organize for anything else. To quote the presenter: “Is it worth investigating? I have no idea but it is fascinating”;
- Key question 4: where will reconciliation approaches be firstly applied? Prof. Zambonelli has the feeling that pervasive urban applications will be the first area to see the need for this (what he calls “Socio-technical Urban Superorganisms”). These systems would have a feedback loop: sense the environment – compute the actions to be carried out – steer people to where they should go.
Session 7 (Surveys and Taxonomies)
Claims and Supporting Evidence for Self-Adaptive Systems: A Literature Study (Danny Weyns, Linnaeus University, Sweden): a literature study of SEAMS 2006–2011 publications plus SEfSAS1 book to obtain a clear view on what claims are made about self-adaptive systems and what is the evidence for these claims. The authors reviewed 96 out of the 124 papers (excluded theoretical, roadmap and short papers) to try and answer 5 research questions: what is the focus of the research? What are the claimed benefits and trade-offs in self-adaptations? What evidence assessment methods have been used? What are the limitations of the approaches? What are the interesting areas for future work?
After this review, the authors came to the following conclusions: (1) focus is shifting from architecture to runtime models, and little attention is given to verification, testing or multiple control loops; (2) we explain our problems and contributions very well, but provide poor treatment of research design and limitation; (3) main concerns of research are flexibility, reliability and performance, with poor treatment of trade-offs; (4) the community has mainly evaluated their proposals by “discussion” or use toy examples; (5) self-adaptation is proposed as an approach to manage complexity of IT, but that is not explicitly reflected in results. Based on these conclusions, prof. Weyns presented some suggestions for the community: (a) methods, tools and data should be made available; (b) papers should have an explicit section on limitations; (c) discussion of trade-offs should be an explicit aspect of reviews; and (d) award the best studies (“hall of fame”).
A Taxonomy of Uncertainty for Dynamically Adaptive Systems (Betty Cheng, Michigan State University, USA): since uncertainty can hinder the capabilities of a dynamically adaptive systems, how do we define uncertainty and where does it come from? The authors therefore propose a taxonomy of uncertainty, describing it following a template that includes fields: name, classification, context, impact, applicable techniques, sample illustration, related sources and “also known as” aliases. They are also categorized into requirements level, design level and runtime level.
A Taxonomy and Survey for Self-Protecting Software Systems (Eric Yuan, George Mason University): the motivation for this work is twofold. First, external motivation are cyber threats with increasing scale and sophistication (point security is no longer an answer). Second, internal motivation is the dynamic architectural behavior of software systems (as architectures become more dynamic, so must its protection: manual intervention will be too slow and costly). The authors thus provide three contributions: a taxonomy for classifying self-protecting software systems, a survey on existing research and how they fit into the taxonomy, and finally recommendations for future research based on the survey.
Fishbowl panel on Run-time Verification & Validation
Hausi Müller (University of Victoria, Canada) conducted a fishbowl panel, which works like a normal panel, with a few invited speakers, but with an addition: after the invited speakers finish talking, anyone from the audience can come forward and take the place of one of the current speakers, which should return to the audience. The motivation for the panel’s topic is the recent interest in Software Engineering @ Runtime (Requirements@runtime, Models@runtime, etc.).
To talk about run-time V&V, five speakers were invited and given a specific aspect of the topic that they should talk about: Anna Perini (FBK, Italy) talked about requirements; Mary Shaw (Carnegie Mellon University, USA) talked about design; Jeff Magee (Imperial College, UK) talked about models; Paola Inverardi (Università dell’Aquila, Italy) talked about uncertainty; and finally Yuriy Brun (University of Washington, USA) talked about self-organization.
It took a while for the audience to feel comfortable with going forward and taking the place of one of the invited speakers, but eventually the fishbowl dynamics worked and contributions were given by Norha Villegas (University of Victoria, Canada and Icesi University, Colombia), Luciano Baresi (Politecnico di Milano, Italy), Danny Weyns (Linnaeus University, Sweden), Holger Giese (Hasso-Plattner-Institut, Germany), Nelly Bencomo (INRIA, France) and Gabriel Tamura (INRIA, France).
Session 9 (Models and Mediators)
Model-based Adaptive DoS Attack Mitigation (Cornel Barna, York University): there has been a rise of Denial of Service (DoS) attacks on the Internet, due to availability of easy-to-use toolkits. Barna, therefore, proposes an adaptive DoS Mitigation framework composed of a dynamic firewall, which contains a decision engine whose filters separate possible DoS attacks to an analyzer, which submits a redirect response to verify that the request was legitimate or not.
A Language for Feedback Loops in Self-Adaptive Systems: Executable Runtime Megamodels (Thomas Vogel, University of Potsdam, Germany): there are many different types of feedback loops. Thus, the authors propose a modeling language to specify feedback loops and a model interpreter to execute them. The models are called “Megamodels” and they contains models and relations by means of model operations between those models (e.g., in MDA a PIM can be transformed into a PSM). The language is similar to activity diagrams, with stereotypes marking the model operations as one of the four MAPE activities, multiple operation outputs, control flow, model usage, etc., also allowing modularity (sub-models) and composition of loops (e.g., linearizing, placing them in a hierarchy, etc.).
Tomasz Haupt (Mississippi State University) was supposed to present Towards Mediation-Based Self-Healing of Data-Driven Business Processes, but did not show up.
At the end of the session, Nelly Bencomo (INRIA, France) presented Models@runtime Meet SEAMS, in which she talked about the results of the Daghstul seminar on Models@run.time and the upcoming LNCS State-of-the-Art Survey Volume on Models@run.time, which is still open for submissions (deadline: June 29th).
After Nelly, since one of the presenters of the session didn’t show up, the conference organization anticipated some announcements that would be given at the end of the program. Hausi Müller (University of Victoria, Canada) announced new SEAMS steering committee and general chair and program chair for SEAMS 2014. Unfortunately, I did not take note of the names, so I cannot report them here. However, the new steering committee can be seen in SEAMS 2013’s website.
Finally, Marin Litoiu (York University, Canada) and John Mylopoulos anticipated the presentation of SEAMS 2013, which will be held next year in San Francisco, USA, co-located with ICSE as usual. Litoiu and Mylopoulos are, respectively, general chair and PC chair.
Session 10 (Requirements and Specifications)
Synthesizing Dynamically Updating Controllers from Changes in Scenario-Based Specifications (Valerio Panzica La Manna, Politecnico di Milano, Italy): some types of system (e.g., critical systems like air control or autonomic transportation systems) have to update themselves dynamically at runtime. Therefore, this work proposes to switch from one specification to another while the system is running, based on specification of requirements and assumptions of the system. The authors provides a general formal definition of dynamic update and a way of synthesizing a controller based on this definition. The models are based on Modal Sequence Diagrams (MSDs).
Second to last, I presented my paper (Requirement) Evolution Requirements for Adaptive Systems. According to feedback that I got from some people, the presentation was good. I got one tough question about the complexity of the models since we can now have requirements the change the requirements model itself, but I guess that was expected (we mention it as a limitation in the paper).
On the Role of Primary and Secondary Assets in Adaptive Security: an Application in Smart Grids (Liliana Pasquale, LERO, Ireland): last presentation on the program, Liliana analyzed the role that assets play in modeling security requirements and on using these models at runtime. Currently, RE approaches do not consider assets as first class citizens. The work, therefore, defines primary asset as the ultimate object of value to the customer and secondary asset as an asset that can be targeted by an attacker in order to reach a primary asset. Asset models can then represent these: KAOS goal models would represent vulnerabilities and counter-measures, associated with assets. At runtime, vulnerabilities are monitored and aspects are applied to the components related to the assets to execute counter-measures. The proposal is experimented in the domain of smart grids.
Closing
After the tenth session, general chair Hausi Müller and program chair Luciano Baresi closed the symposium.