Andrew Berns amp Sukumar Ghosh University of Iowa Background Autonomic systems are characterized by a number of properties that exhibit its ability of selfmanagement Collectively known as ID: 269043
Download Presentation The PPT/PDF document "Dissecting Self-* Properties" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Dissecting Self-* Properties
Andrew
Berns
&
Sukumar
Ghosh
University of IowaSlide2
Background
Autonomic systems
are characterized by a number of properties that exhibit its
ability of self-management.
Collectively known as
self-* propertiesSlide3
Goal
Self-
organizing
Self-
stabilizing
Self-optimizingSelf-adaptiveSelf-healingSelf-scalingSelf-managing
What do they precisely mean?
How do they differ?
Can we find some common framework
to satisfy different characterizations of
the various self-star properties?Slide4
The model of a system
Network of processes: topology
G = (V, E)
Processes execute
actions
. Each action by a process changes its local state.Global state S is the collection of local states.A computation is a sequence of global states. Slide5
What is a “good” system
Safety
. Property
P
must
always holdBad things never happen. Example: no deadlock, at least onetoken must always exist etc.
Liveness
. Property
Q
must
eventually hold
Good things eventually happen. Example:
termination
,
convergence
,
progress
etc.
A system configuration is
legal
when these properties holdSlide6
The Environment
System
Environment
Consists of variables that a process can
read
but
not modify
.
A system is
legal
when it satisfies its safety properties.
Legality
is defined
with respect to
an environment
Time of day
Network topology
User demands for service
Output from another system
Failures etcSlide7
System vs. adversary
Adversary
Disrupts or challenges the system
The
adversary
causes failures, perturbation, allows processes
to join or leave without notice, changes global state, launches
security attacks, changes the environment etc.
Ultimately the system must win
.
System
EnvironmentSlide8
Tolerance to Adversarial actions
Masking
. Safety and
Liveness
Properties are
NEVER violated. The system always remains in a legal configurationNon masking.
Safety properties (but not
Liveness
)
are
temporarily violated, but eventually restored
.
The system
state may temporarily become illegal
Self-management = tolerance to adversarial actionsSlide9
Masking vs. Non-masking
Legal
State spaceSlide10
More on tolerance
Tolerance to adversarial actions also depends on
its
type
and
extent.A system may be masking tolerant to a single crash failure, but exhibit non-masking tolerance to
multiple
failuresSlide11
Graceful degradation
The system
negotiates the adversarial action
, but recovers to a configuration that satisfies a predicate
P’ ⊃ P’
(P= original safety predicate). To be graceful, P’ predicate must be acceptable to the application.Slide12
Types of actions
Actions can be
internal
or
external.
External actions can change the environment.Processes execute internal actions onlyThe adversary executes both internal and external actions. Slide13
Self-management
Self-management is a vision. It encompasses
all self-* properties
. Typically attributed to systems
that exhibit
at least one self-star property.Slide14
The framework
Generally, in defining a specific self-* property,
the important issues are:
Interpretation of the legal configuration
type of adversarial action
Type of tolerance permitted like masking, non-masking
, or
graceful degradationSlide15
Self-stabilization
Starting from an
arbitrary configuration
, a self-stabilizing
system eventually
recovers to a legal configuration (satisfies a predefined predicate P) and remains in that configuration thereafter.
Adversarial action:
transient failure corrupting the system state
Tolerance:
non-maskingSlide16
Self-adaptation
if
R
k
then Pk
will hold
Can be viewed as an
extension
of a self-stabilizing system, where the legal configuration satisfies the predicate
P
=
∨
(
Ri ∧ Pi
)
Environment ∈ {
R
1
R
2 …,
R
m
}. A system adapts to an
environment R.
Environment R
P
i
Process
j
crashes
implies that
adversary changes the environment variable
crashed (
j
) from
false
to
trueSlide17
Self-healing
A system is self-healing
with respect to a
subset
of
external actions if occurrence of those actions causeat most a temporary violation of the system’s legal configuration (safety Property P)
Adversarial action:
a subset of all possible external actions
Tolerance:
typically
non-masking,
but
masking
not ruled outSlide18
Comments on Self-healing
A self-healing system may not be self-healing
with respect to an enlarged set of adversarial actions.
Skype is a Self-healing system,
but it crashed on August 16, 2007 and was down for nearly
two days. Why?Slide19
Comments on Self-healing
Also, self-healing frequently leads to
graceful degradation
.Slide20
Self-organization
A system is self-organizing
with respect to a
subset
of
external actions involving process join and leave ifthose actions cause at most a temporary violation of the system’s legal configuration (safety Property P)
Adversarial action:
join / leave actions (up to
N
processes may
concurrently join or
N/2
processes may concurrently leave)
Tolerance:
usually
non-masking,
but
masking not ruled out.Slide21
Self-organization
75
10
78
25
34
45
18
5
83Slide22
Self-organization
An example of gatheringSlide23
Comments on Self-organization
A self-organizing system is expected to recover
in
a reasonable time
.
[1] imposed a requirement of sub-linear recovery time per join or leave operation
[1]
Dolev
&
Tzachar
: Empire of Colonies, Theoretical Computer Science 2009Slide24
Self-protection
A system is self-protecting
with respect to a set of
malicious
external actions
if it maintains its legal configuration (data integrity and continuedfunctionality) in the presence of those actions.
Adversarial action:
malicious actions
Tolerance: masking.
Comment
: Hard to characterize what a malicious action is. It
may be a direct security attack, or something very subtle.Slide25
Self-optimization
A system is self-optimizing
when starting from an
initial configuration
if it spontaneously improves /
maximizes the value of an objective function (cost)relevant to the systems performanceAdversarial action:
A bad initialization, or an interim action that
makes the current configuration sub-optimal.
Tolerance: Non-masking.
Comment
: What if different nodes have different perceptions
of cost?
Selfishness
adds a new dimension.Slide26
Self-optimization with selfish agents
Selfish actions used to optimize a system may
never reach an equilibrium configuration
1
, 3
4
, 3
3, 10
1, 3
1, 10
3, 1
4
,1
1
, 10
From a game theory perspective,
no Nash Equilibrium exists
root
Shortest path tree with
two different types of
processesSlide27
Self-configuration
The
legal configuration
is defined over the
configuration space
: Various notions of configuration, like a set of optimal choices of hardware or software modules and connections among them, which is consistent with the environment.
Adversarial action:
A subset of external actions.
Tolerance: Non-masking.Slide28
Self-configuration
1
UserSlide29
Self-configuration
2
UserSlide30
Relationships among self-star properties
Self-stabilization
implies
self-healing
with respect to
any adversarial internal actionSelf-organization
implies
self-healing
with respect to join and leave operationsSlide31
Relationships among self-star properties
Self
-organization
implies
self
-configuration but the reverse is not trueFor example, a self-configuring web-server changes the connectionbetween server components, processor cycles and memory capacity to provide a stable response [2], but
is not self-organizing since it cannot
automatically integrate another server
[2] (
Wildstrom
et al ICAC 2005)Slide32
Relationships among self-star properties
Self-organization
Self-stabilization
A self-stabilizing system that allows a process to join or leave a system of N processes is O(N
2
) time is not self-organizing (some will disagree)Slide33
Relationships among self-star properties
Chord P2P network
is self-organizing, but not self-stabilizing, since once an adversarial action splits the Chord ring into two rings, they do not join.Slide34
New property: self-immunity
A system is
self-immune
with respect to an action C
, if
initially tolerance to action C is non-masking, but eventually the
system is able to mask the effect of action
C
The
system
learns
from experience, and
becomes
smarter
with timeSlide35
Self-immune behavior
Legal
State spaceSlide36
New property: self-containment
Self-containment is a variant of self-protection. It
prevents the total system from being compromised
by external
malicious actions.
At most a fraction of the system is compromised, but eventually the non-compromised processes are able to offer a meaningful level of service. (The system has the ability of damage control by saving a part of it in spite of a security attack. It is a non-masking version of self-protection, similar in spirit with the
fault-containment property
of self-stabilizing systems)Slide37
Self-containmentSlide38
Conclusion
There is a need for a framework to define what we actually mean by specific self-star property.
This will not satisfy everyone’s vision
, but as long as it satisfies the majority’s view,
the chance of further divergence of views is minimized.