Difference between revisions of "Policy Analysis"

Policy-based management has been proposed in recent years as a suitable means for managing Quality of Service (QoS) in IP networks. Yet despite research projects, standardisation efforts, and substantial interest from industry, policy-based management is still not a reality. There are some vendor tools, mostly part of virtual private network provisioning toolsets, but policy-based management is still far from being widely adopted despite its potential benefits of flexibility and constrained programmability. One of the reasons for the reticence to adopt this technology is that it is difficult to analyse policies to determine that they will actually work given the capabilities of managed network devices, and to guarantee the stability of the network configuration given that policies may have conflicts leading to unpredictable effects.

In addition to analysing policies for consistency, there is a need to translate business needs into policies that can be enforced by the underlying systems. Often these requirements can be expressed as high-level policies which then must be transformed into lower-level policies, expressed in terms of management operations supported by the system. This process is called policy refinement and is another area of policy based systems research.

This section of the Quality of Service Management Information Portal serves as a focal point for research related to Policy Analysis.

General Description

The rapid evolution of the Internet, the increasing complexities and heterogeneity of modern networking technology, and the increase in the number of resources to be managed, pose a significant challenge to network management models. Policy Based Network Management (PBNM) is a promising solution for these demands, providing the means by which the administration process can be simplified and largely automated in a flexible manner. PBNM has been the subject of extensive research over the past decade, evidenced by several research and development efforts in both academia and industry, working groups leading standardization efforts, new technical conferences, and new commercial products. The policy-based approach can be used to manage different aspects of a network, commonly known as policy disciplines, including Quality of Service (QoS) and network security.

Although extensive work has been done in developing policy specification languages, protocols and architectures to support policy-based management, little attention has been devoted to the area of policy analysis. Policy analysis is considered to be an essential component of modern PBNM solutions and comprises two functionalities: namely conflict analysis and policy refinement.

Policy conflicts can be classified into domain-independent and application-specific. Conflicts of the first type can occur irrespective of the application domain for which the policies are being specified due to generic relationships that may exist between policy actions such as redundancy, mutual exclusion and modality. In the case of application-specific conflicts these relationships are bounded by the context of the application domain. In an environment where a number of policies need to coexist, there is always the likelihood that several policies will be in conflict, either because of a specification error or because of application-specific constraints. It is therefore important to provide a means of detecting conflicts in the policy specification.

Once the policy driven operation of a system has been analysed and the different types of conflicts that can arise have been identified, it is possible to define rules that can be used to recognise conflicting situations in the policy specification. In order to keep a system "conflict-free", these rules can be invoked during a conflict detection process prior to policy deployment to identify potential inconsistencies. This is known as static conflict detection and takes place at specification time. Although this process can reduce run-time errors and detect specification errors, its limitation is that it may not be possible to evaluate policy constraints, as they may depend on the run-time state of the system, so only potential than actual conflicts can be detected. This signifies the need of dynamic conflict detection, which makes use of similar detection rules but takes place at run-time. This leads us to the main difference between static and dynamic analysis techniques – conflict resolution.

The process of resolving some static conflict types involves giving precedence to one or more of the conflicting policies. Research on conflict resolution identified metrics that can be used to assign priorities to conflicting policies, which can automate the resolution in limited situations. However, many types of conflicts rely on human intervention for resolution. Although this process is manual, it does not impose any overheads on the functionality of the underlying system since it takes place before policy enforcement. In contrast to the above dynamic conflicts can only be determined at run-time, which signifies the need for an automated resolution process so as to minimize the delay induced on the operation of the system when a conflict is to be resolved.

Although policies can be defined at different levels of abstraction, they are usually referred to as high-level and low-level, with the former representing business objectives and the latter device-specific configuration. Typically policies will be introduced in a policy management tool in the form of high-level business needs. Thus, a requirement of the tool would be to bridge the gap between these needs and the technology being deployed. In other words there has to be a process to refine the high-level policies and provide a low-level representation that corresponds to the configuration of each device responsible to support the business needs. The main objectives of a refinement process are the following:

• Determine the resources that are needed to satisfy the requirements of the policy.

• Translate high-level policies into operational policies that the system can enforce.

• Verify that the lower level policies actually meet the requirements specified by the high-level policy.

The first of these objectives involves mapping abstract entities defined as part of a high-level policy to concrete objects/devices that make up the underlying system. The second specifies the need to ensure that any policies derived by the refinement process be in terms of operations that are supported by the underlying system. The final objective requires that a process should exist for incrementally decomposing abstract requirements into successively more concrete ones, ensuring that at each stage the decomposition is correct and consistent.

The general view is that a policy analysis process should be as automated as possible with the system providing a certain degree of reasoning ability upon which to base its decisions. For this reason, attention has been lately given to logic-based formalisms (and supported reasoning types) for the representation of policies and managed systems such as the Event Calculus.

Publications

• M. Charalambides, G. Pavlou, P. Flegkas, J. Loyola, A. Bandara, E. Lupu, A. Russo, N. Dulay, M. Sloman, "Policy Conflict Analysis for DiffServ Quality of Service Management," IEEE Transactions on Network and Service Management (TNSM), Vol. 6, No. 1, IEEE, March 2009.
• M. Charalambides, P. Flegkas, G. Pavlou, J. Loyola, A. Bandara, E. Lupu, A. Russo, N. Dulay, M. Sloman, "Dynamic Policy Analysis and Conflict Resolution for DiffServ Quality of Service Management," Proceedings of IEEE/IFIP Network Operations and Management Symposium (NOMS 2006), Vancouver, Canada, April 2006.
• M. Charalambides, P. Flegkas, G. Pavlou, A. Bandara, E. Lupu, A. Russo, N. Dulay, M. Sloman, J. Loyola, "Policy Conflict Analysis for Quality of Service Management," Proceedings of the 6th IEEE Workshop on Policies for Networks and Distributed Systems (Policy 2005), Stockholm, Sweden, 2005.
• E.C. Lupu, M.S. Sloman, "Conflicts in Policy-based Distributed Systems Management", IEEE Transactions on Software Engineering - Special Issue on Inconsistency Management, vol. 25, pp. 852-869, 1999.
• N. Dunlop, J. Indulska, and K. Raymond, "Methods for Conflict Resolution in Policy-based Management Systems," Proceedings of the 7th International Conference on Enterprise Distributed Object Computing (EDOC 2003), Brisbane, Australia, 2003
• J.D. Moffett and M.S. Sloman, "Policy Conflict Analysis in Distributed System Management," Journal of Organisational Computing, vol. 4, pp. 1-22, 1994.
• N. Dunlop, J. Indulska, and K. Raymond, "Dynamic Conflict Detection in Policy-based Management Systems," Proceedings of the 6th International Conference on Enterprise Distributed Object Computing (EDOC 2002), Lausanne, Switzerland, 2002.
• E. Al-Shaer and H. Hamed, "Modeling and Management of Firewall Policies," IEEE Transactions on Network and Service Management (eTNSM 2004), Volume 1-1, April 2004.
• J. Chomicki, J. Lobo, and S. Naqvi, "A Logic Programming Approach to Conflict Resolution in Policy Management," Proceedings of the 7th International Conference on Principles of Knowledge Representation and Reasoning (KR2000), Breckenridge, Colorado, USA, 2000.
• T.C. Son and J. Lobo, "Reasoning about Policies Using Logic Programs," Proceedings of the AAAI Spring Symposium on Answer Set Programming, Stanford University, CA, 2001.
• A.K. Bandara, E. Lupu, A. Russo, N. Dulay, M. Sloman, P. Flegkas, M. Charalambides, G. Pavlou, "Policy Refinement for IP Differentiated Services Quality of Service Management," IEEE e-Transactions on Network and Service Management, 3(2), 2006.
• A.K. Bandara, E. Lupu, A. Russo, N. Dulay, M. Sloman, P. Flegkas, M. Charalambides, G. Pavlou, "Policy Refinement for DiffServ Quality of Service Management," Proceedings of the 9th IEEE/IFIP Integrated Management Symposium (IM 2005), Nice, France, 2005
• A.K. Bandara, E.C. Lupu, A. Russo, "Using Event Calculus to Formalise Policy Specification and Analysis," Proceedings of the 4th IEEE Workshop on Policies for Networks and Distributed Systems (Policy 2003), Lake Como, Italy, 2003.
• A.K. Bandara, E. C. Lupu, A. Russo, "A Goal-based Approach to Policy Refinement," Proceedings of 5th IEEE International Workshop on Policies for Distributed Systems and Networks, IBM TJ Watson Research Centre, New York, USA, IEEE Press, June 2004.
• J. Loyola, J. Serrat, M. Charalambides, P. Flegkas, G. Pavlou, "A Functional Environment Solution for Goal-oriented Policy Refinement," Proceedings of the 7th IEEE Workshop on Policies for Distributed Systems and Networks (Policy 2006), Ontario, Canada, June 2006.
• J. Loyola, J. Serrat, M. Charalambides, P. Flegkas, G. Pavlou, "GOREMOCH: A Distributed Goal-oriented Policy Refinement Environment," Proceedings of IEEE/IFIP Network Operations and Management Symposium (NOMS 2006), Vancouver, Canada, April 2006.
• J. Loyola, J. Serrat, M. Charalambides, P. Flegkas, G. Pavlou, A. Lafuente, "Using Linear Temporal Model Chacking for Goal-oriented Policy Refinement Frameworks," Proceedings 6th IEEE Workshop on Policies for Distributed Systems and Networks (Policy 2005), Stockholm, Sweden, June 2005.
• D. Agrawal, J. Giles, K.W. Lee, and J. Lobo, "Policy Ratification," Proceedings of the 6th IEEE Workshop on Policies for Networks and Distributed Systems (Policy 2005), Stockholm, Sweden, 2005.
• R. Darimont and A. van Lamsweerde, "Formal Refinement Patterns for Goal-Driven Requirements Elaboration," Proceedings of the 4th ACM Symp on the Foundations of Software Engineering (FSE4): 179-190, 1996.
• M. S. Beigi, S. Calo, and D. Verma, "Policy Transformation Techniques in Policy-based Systems Management," Proceedings of International Workshop on Policies for Distributed Systems and Networks, Yorktown Heights, New York, IEEE, June 2004.
• J. Lobo, R. Bhatia, and S. Naqvi, "A Policy Description Language," Proceedings of the 16th National Conf. on Artificial Intelligence, Orlando, Florida, USA, 1999.
• N. Damianou, N. Dulay, E.C. Lupu, M.S. Sloman, "The Ponder Policy Specification Language," Proceedings of the 2nd IEEE Workshop on Policies for Networks and Distributed Systems (Policy 2001), Bristol, UK, 2001.
• M. Casassa Mont, A. Baldwin, C. Goh, "POWER Prototype: Towards Integrated Policy-Based Management," Technical Report: HP Laboratories Bristol, Bristol, UK, 1999.
• D. Agrawal, J. Giles, K.W. Lee, and J. Lobo, "Policy-based Management of Networked Computing Systems," IEEE Communications Magazine, vol. 43 No. 10, pp. 69-75, 2005.
• P. Flegkas, P. Trimintzios, G. Pavlou, "A Policy-based Quality of Service Management Architecture for IP DiffServ Networks," IEEE Network Magazine Special Issue on Policy Based Networking, vol. 16 No. 2, pp. 50-56, 2002.
• J. Moffett and M. S. Sloman, "Policy Hierarchies for Distributed Systems Management," IEEE Journal on Selected Areas in Communications 11(9 - Special Issue on Network Management): 1404-14, 1993
• D. Verma, "Policy-based Networking, Architecture and Algorithms," New Riders Publishing, 2001.
• R.A. Kowalski and M.J. Sergot, "A Logic-based Calculus of Events," New Generation Computing, vol. 4, pp. 67-95, 1986.
• A. Russo, R. Miller, B. Nuseibeh, J. Kramer, "An Abductive Approach for Analysing Event-based Requirements Specifications," Proceedings of the 18th International Conference on Logic Programming (ICLP), Copenhagen, Denmark, 2002.
• C. Efstratiou, A. Friday, N. Davies, and K. Cheverst, "Utilising the Event Calculus for Policy Driven Adaptation on Mobile Systems," Proceedings of the 3rd IEEE Workshop on Policies for Networks and Distributed Systems (Policy 2002), Monterey, CA, USA, 2002.
• A.C. Kakas, R.A. Kowalski, and F. Toni, "The Role of Abduction in Logic Programming," Handbook of Logic in Artificial Intelligence and Logic Programming, vol. 5, pp. 235-324, 1998.
• B. van Nuffelen and A. Kakas, "A-System: Programming with Abduction," Proceedings of Logic Programming and Nonmonotonic Reasoning (LPNMR 2001), 2001.
• R. Miller and M. Shanahan, "The Event Calculus in Classical Logic - Alternative Axiomatisations," Computational Logic: Logic Programming and Beyond, Essays in Honour of Robert A. Kowalski, Part II. A. Kakas and F. Sadri, Springer. 2048: 452-490, 1999.

Related Links

• European Network of Excellence for the Management of Internet Technologies and Complex Services - EMANICS
• Policy Analysis for Quality of Service Management - EPSRC PAQMAN
• IBM Policy Management for Autonomic Computing - PMAC

Dissemination

The list of journals, conferences and technical societies related to policy analysis does not mean to be exhaustive rather it is indicative. For additions/updates please contact the webmaster.

Journals

• IEEE Transactions on Network and Service Management
• Journal of Network and Systems Management
• IEEE Transactions on Software Engineering
• IEEE Communication Magazine
• IEEE Journal on Selected Areas in Communications

Major Conferences

• IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY)
• IFIP/IEEE Network Operations and Management Symposium (NOMS)
• IFIP/IEEE International Symposium on Integrated Network Management (IM)
• IEEE/IFIP International Conference on Network and Service Management (CNSM)
• International Week on Management of Networks and Services (MANWEEK)

Software/Tools

• Java™ Technology
• SWI-Prolog
• ACLP: Abductive Constraint Logic Programming
• The Ponder Policy Specification Language