10.1.1.21.9911 (2)

Embed Size (px)

Citation preview

  • 8/2/2019 10.1.1.21.9911 (2)

    1/15

    1

    Policy Evaluation for Network ManagementRandeep Bhatia Jorge Lobo Madhur Kohli

    Network Computing Research

    Bell Labs600 Mountain Ave

    Murray Hill, NJ 07974

    Abstract

    Policies are increasingly being used to manage com-

    plex communication networks. In this paper we

    present our work on a policy server which is being

    used to provide centralized administration of packet

    voice gateways and soft switches in next generation

    circuit and packet telephony networks. The policies

    running in the policy server are specified using a do-

    main independent policy description language (P D L

    ).

    This paper is motivated by the problem of evalu-

    ating policies specified in P D L . We present an algo-

    rithm for evaluating policies and study both its theo-

    retical and empirical behavior. We show that the prob-

    lem of evaluating policies is quite intractable. How-

    ever we note that the hard instances of the policy eval-

    uation problem are quite rare in real world networks.

    Under some very realistic assumptions we are able to

    show that our policy evaluation algorithm is quite ef-

    ficient and is well suited for enforcing policies in com-

    plex networks. These results constitute the first at-tempt to develop a formal framework to study the in-

    formal concepts of policy based network management.

    I. INTRODUCTION

    A network policy defines the behavior of the net-

    work under various circumstances. Many of these

    policies can be formulated as sets of low-level rules

    that describe how to (re)configure a device or how to

    manipulate the different network elements under dif-

    ferent network conditions [4]. These conditions mayinclude a network element going down or too many

    calls arriving at a router etc. The condition or state

    of the network is conveyed by primitive events which

    originate at network elements. For example when

    a device is powered up it may generate a PowerUp

    event. In general a primitive event is a conveyor of

    the state of the network element which originated

    it, at the time when the event was generated. State

    data in an event may contain information such as the

    name of the originating device and the time when

    the event was generated etc. A policy defines the set

    of actions which must be taken, to control the be-

    havior of the network elements, when certain primi-tive events occur. For example when a router fails a

    policy may require that all switches route their calls

    through a different router.

    Consider a simplified example of setting some of

    the parameters of a modem pool for an Internet Ser-

    vices Provider (ISP). The ISP has two customers,

    A

    andB

    , and gives a different telephone number

    to each customer:5 5 9 9 9 9 1

    toA

    and5 5 9 9 9 9 2

    to

    B

    . Both telephone numbers share the same pool

    of2 0

    modems. There can be many simultaneous

    connections from the same customer to the modempool, however the server can be configured to limit

    the maximum number of connections allowed per

    customer. A policy can describe how these lim-

    its change according to the time of the day. For

    example, during office hours a customer may ac-

    cess1 5

    of the modems, but only1 0

    after hours.

    Let us say we have a clock generating a primitive

    event, sayC o a r s e T i m e E v e n t

    . Instances of this

    event occur four times a day, with an attribute named

    T i m e

    with a value from the setf

    morning, noon,

    evening, midnightg

    . The policy rules for the

  • 8/2/2019 10.1.1.21.9911 (2)

    2/15

    2

    morning changes are:

    1 ) C o a r s e T i m e E v e n t

    causesM o d e m P o o l A s s i g m e n t ( 5 5 5 9 9 9 1 ; 1 5 )

    if ( C o a r s e T i m e E v e n t : T i m e = \ m o r n i n g " ) :

    2 ) C o a r s e T i m e E v e n t

    causes M o d e m P o o l A s s i g m e n t ( 5 5 5 9 9 9 2 ; 5 )

    if( C o a r s e T i m e E v e n t : T i m e = \ m o r n i n g " ) :

    The actionM o d e m P o o l A s s i g m e n t

    changes the

    maximum number of connections that a telephone

    number (and hence a customer) can make to the mo-

    dem pool. There will be similar rules for the evening

    actions.

    We have developed a policy based management

    system that is being used to do Operations, Admin-

    istration, Maintenance and Provisioning (OAM&P)

    in carrier-grade communication networks. Thisnext generation circuit and packet telephony net-

    work comprises of packet voice gateways, soft

    switches, and device servers among other net-

    work entities. An event occurring at a device (due

    to some conditions being met in the device opera-

    tions) is received by its device server and streamed

    out to the policy server as a java object of a pre de-

    fined java class. The java object carries with it the

    state information about the device when the event

    occurred. In the policy server, policies are written

    using the names, attributes and methods of the javaclasses for the events. We have developed a domain-

    independent policy description language (P D L

    ) for

    specifying policies.P D L

    provides a succinct repre-

    sentation of complex policies in a very general way.

    The policy server registers the events that define

    the behavior of the policies, with the device servers,

    thus informing the device servers to stream only

    those events that may be required by some policy.

    Policies are enforced by the policy server by stream-

    ing action objects to the device servers which results

    in device specific commands being sent to the un-derlying devices. At the heart of all this is the policy

    evaluator that evaluates the policies to determine the

    set of actions to enforce the policies, given the be-

    havior of the network, as reported by the events. A

    description of the first version of the system can be

    found in [1].

    Policies are becoming central to network manage-

    ment to the point that industry has already started

    standardization efforts related to policy description

    and manipulation [2], [8]. However these efforts

    have been quite ad-hoc and do not address the prob-

    lem of evaluating policies per se. In this paper

    we mainly focus on the problem of evaluating poli-

    cies specified usingP D L

    . The results constitute to

    our knowledge the first attempt to develop a formal

    framework to study the informal concepts of policy

    based network management. We provide a complete

    characterization of the underlying complexities of

    evaluating these policies. We show that the evalu-

    ation of policies is quite hard, by showing that even

    restricted instances of this problem are NP-complete.

    However, we note that the hard instances of the prob-

    lem are quite rare in real world networks. Motivatedby our observations we present an algorithm for eval-

    uating policies which works very well in practice as

    supported by our empirical results. We also analyze

    the complexity of the algorithm fixing various policy

    and network parameters.

    The rest of the paper is organized as follows. In

    Section II we give a brief description ofP D L

    . Sec-

    tion III presents an efficient algorithm for evaluat-

    ing policies specified usingP D L

    . In Section IV we

    study the complexity of evaluating policies, specified

    using P D L . In Section V, we present simulation re-sults on the performance of the algorithm.

    II. POLICY DESCRIPTION LANGUAGE

    A policy description is a succinct representation of

    a policy. We have developed a domain-independent

    policy description language that we callP D L

    . A

    detailed description ofP D L

    can be found in [6]. In

    P D L

    , a policyP

    is represented as a collection of ex-

    pressions of two types: (1) policy rule propositions

    which are expressions of the form

    e v e n t

    causesa c t i o n

    ifc o n d i t i o n

    (1)

    and (2) policy defined event propositions which are

    expressions of the form

    e v e n t triggers p d e ( m1

    = t

    1

    ; : : : ; m

    k

    = t

    k

    )

  • 8/2/2019 10.1.1.21.9911 (2)

    3/15

    3

    ifc o n d i t i o n

    (2)

    A policy rule reads: If thee v e n t

    occurs under the

    c o n d i t o n

    thea c t i o n

    is executed. A policy defined

    event proposition reads: If thee v e n t

    occurs under

    the c o n d i t i o n the policy defined event p d e is trig-gered.

    Thee v e n t

    may be primitive or complex. A prim-

    itive event may have attributes which may be of

    type integer, float, string, etc, or simple data struc-

    tures such as stacks, or queues, etc. There are stan-

    dard attributes in every primitive event class such

    as time and location (URL) of the generation of

    the event. There are two types of primitive events,

    system defined primitive events and policy defined

    events. System defined events are generated by the

    environment while policy defined primitive eventsare only generated by the policy according to the pol-

    icy defined event propositions. In the policy defined

    event proposition above, them

    i

    s are the attributes of

    the policy defined eventp d e

    and their values are the

    t

    i

    s. Thet

    i

    s can be attributes from other primitive

    events that appear ine v e n t

    , they could be constants

    or the result of operations applied to the attributes

    of the other primitive events in the proposition. The

    conditions are boolean functions over the event at-

    tributes and the actions may take event attributes as

    arguments and yield commands for controlling de-vices.

    The representation of more interesting policies re-

    quires descriptions of more elaborate events. In

    P D L

    , primitive events can be composed into com-

    plex events using notions from regular expressions.

    A. Complex events

    Policy decisions are made based on the stream

    of primitive event instances observed by the policy

    server running the policy. We will call the streamsof event instances event histories. There may be sev-

    eral instances of one or more primitive events occur-

    ring at the same time (for example several calls may

    start simultaneously). Each set of primitive event

    instances occurring simultaneously in a stream is

    called an epoch. An event literal is a primitive event

    symbole

    or a primitive event symbol preceded by!

    .

    The event literal! e

    occurs in an epoch if there are no

    instances of the evente

    in the epoch. We will use

    the standard dot . notation to refer to the attributes

    of an event. Primitive events can be composed into

    basic events. A basic event is either an expression of

    the forme

    1

    & : : : & e

    n

    representing the occurrence of

    instances ofe

    1

    throughe

    n

    in the current epoch (i.e.

    the simultaneous occurrence of then

    events) where

    eache

    i

    is an event literal, ore

    1

    j : : : j e

    n

    representing

    the occurrence of an instance of one of thee

    i

    s in the

    current epoch. Basic events only refer to instances

    of events that occur in a single epoch. However,

    we could have composite events that refer to several

    epochs simultaneously. For example, the sequence

    l o g i n F a i l ; l o g i n F a i l ; l o g i n F a i l

    may represent the

    event: three consecutive attempts to login that resultin failure. We can describe many other situations if

    we borrow the notion of a sequence of zero or more

    events from regular expressions. In general, a (com-

    plex) event is either a basic event, or an expression

    that can be formed by a finite number of applications

    of the following rules:

    1. IfE

    1

    throughE

    n

    are events thenE

    1

    ; : : : ; E

    n

    is

    a (complex) event representing the sequence: event

    E

    1

    , immediately followed by eventE

    2

    ,: : :

    , imme-

    diately followed by eventE

    n

    .

    2. IfE

    is an event then E

    is a (complex) event rep-

    resenting the sequence of zero or more occurrences

    of the eventE

    .

    3. IfE

    is an event then( E )

    is a (complex) event.

    We can interpret the semantics of a complex event

    by associating a non deterministic finite automaton

    (NDFA) with a complex event expression. Arcs of

    the automaton are labeled with the basic events ap-

    pearing in the expression and transitions are made

    based on the sequences and the caret operators. For

    example, the complex evente

    1 e

    2

    ;

    e

    2

    ; e

    3

    & e

    4 is as-sociated with the automaton:

    e

    3

    & e

    4

    e

    2

    e

    2

    e

    1

  • 8/2/2019 10.1.1.21.9911 (2)

    4/15

    4

    B. Traces of events

    LetH = E

    1

    ; : : : ; E

    m

    be a sequence of con-

    tiguous epochs. A trace of an eventE

    is

    a sequences

    j ? 1

    ; E

    0

    j

    ; s

    j

    ; E

    0

    j + 1

    ; : : : ; s

    m ? 1

    ; E

    0

    m

    ; s

    m

    ,

    where sj ? 1

    ; s

    j

    s

    j + 1

    : : : s

    m

    is an accepting path fromthe initial state

    s

    j ? 1

    to a final states

    m

    in the NDFA

    forE

    , withs

    m

    being the only final state, andE

    0

    i

    is

    a minimal subset of events fromE

    i

    that triggers the

    transition from the states

    i ? 1

    to the states

    i

    of the

    automaton. Note that two different instances of a

    primitive event in an epoch are considered to be dis-

    tinct events for set membership. In a given stream of

    epochsH

    there is an instance of the complex event

    E

    for each distinct trace ofE

    inH

    . When a trace

    ofE

    reaches the final states

    m

    of the NDFA forE

    ,

    thec o n d i t i o n

    of the proposition is evaluated. If thec o n d i t i o n

    is true and the proposition is a policy rule

    thea c t i o n

    in the proposition is invoked and the trace

    is terminated. If the proposition is a policy defined

    event rule, an instance of the policy defined event is

    generated and is appended to the incoming epoch.

    C. Conditions

    Ac o n d i t i o n

    is a sequence of predicates of the

    formt t

    0 , wheret

    andt

    0 can be attributes from

    primitive events that appear in e v e n t , or they couldbe constants or the result of operations applied to

    the attributes of the primitive events that appear in

    e v e n t

    .

    is a comparison operator such as

    ,

    etc. There is a special class of operators that can be

    used to form terms, called aggregators. For a given

    generic aggregatorA g g

    , the syntax of the operator

    will beA g g ( e : x )

    orA g g ( e )

    . Heree

    is a primitive

    or policy defined event that appears in thee v e n t

    part

    of the proposition,e : x

    is an attribute ofe

    . As the

    name suggests the aggregator operators are used to

    aggregate values over multiple epochs. For examplea count aggregator

    C o u n t ( e )

    can be used to count

    the number of occurrences of evente

    over multiple

    epochs. An aggregator could also add the values of

    the attributee : x

    or get the largest value, etc. These

    aggregation terms are applied to primitive events that

    appear under the scope of a caret operator. The

    rule

    e

    1

    ; e

    2

    causesa

    ifC o u n t ( e

    2

    ) = 2 0

    (3)

    will executea

    if 20 instances ofe

    2

    follow an instance

    ofe

    1 .

    D. Notation and Assumptions

    In the rest of the paper we will denote the event

    historyH

    at timet

    to beH = E

    1

    ; : : : ; E

    t

    . We will

    callE

    j

    the epoch at timej

    . Note that epochs are

    not associated with time, they appear when events

    arrive at the policy server. Once an epoch is started,

    it terminates according to a global parameter of the

    system: length which is application dependent. For

    example, we can consider all events occurring in thesame day as members of the same epoch, or change

    the scale (length) to minutes or seconds.

    III . POLICY EVALUATION ALGORITHM

    In this section we present an algorithm for evalu-

    ating policies specified usingP D L

    . The algorithm

    is implemented as the Policy Engine of a Policy

    Server embedded in the softswitch, a next gen-

    eration switch for circuit and packet telephony net-

    works. and has been used to implement policies for

    detecting alarm conditions, fail-overs, device config-

    uration and provisioning, service class configuration,

    congestion control etc.

    The algorithm to evaluate a policy works in real-

    time: The algorithm only gets to see the current

    epoch. Based on the set of events that happen in the

    current epoch and the past history the algorithm eval-

    uates all the actions that must happen in the current

    epoch, as specified by the policy.

    We present the algorithm for a single rule of the

    policy. The only interaction between the rules of apolicy happens as a result of policy defined events

    which may be shared between rules. The policy de-

    fined events that get triggered in an epoch get added

    to the next epoch. The evaluation of a rule at any

    epocht

    is therefore independent of the policy defined

    events triggered by other rules in the epocht

    . Thus

  • 8/2/2019 10.1.1.21.9911 (2)

    5/15

    5

    we can treat the evaluation of the rules independent

    of each other.

    High level idea: Let the policy rule be

    E causes A if B or E triggers T if B :

    The algorithm maintains the setR ( t )

    of all possi-

    ble distinct partial traces for eventE

    at epocht

    (recall that the history at epocht

    isE

    1

    ; E

    2

    : : : E

    t

    ).

    A partial traceP

    of eventE

    at epocht

    is de-

    fined to be a proper prefix of a trace of event

    E

    at some future epocht + k

    (k > 0

    ). In

    other wordsP = s

    0

    ; E

    0

    j

    ; s

    j

    ; E

    0

    j + 1

    ; s

    j + 1

    : : : E

    0

    t

    ; s

    t

    ,

    and there exist epochsE

    t + 1

    ; : : : E

    t + k

    and states

    s

    t + 1

    ; : : : s

    t + k

    of the NDFA forE

    , withs

    t + k

    be-

    ing a final state, such thatP

    when appended with

    E

    t + 1

    ; s

    t + 1

    : : : E

    t + k

    ; s

    t + k

    is a trace ofE

    at epoch

    t + k

    . We refer to these distinct partial traces as

    active threads of event E . The set R ( t ? 1 ) and

    the epochE

    t

    is used to compute the setR ( t )

    . This

    computation also yields all the distinct traces of the

    eventE

    at epocht

    . The algorithm evaluates the pol-

    icy rule in each such trace at epocht

    , thus computing

    all the actions that are to be done, and all the policy

    defined events that are to be triggered at epocht

    . In

    order to facilitate the computation of the policy rule

    in a trace, some additional information is maintained

    for every (partial) trace. This information includes

    the value of the attributes of the events, and the ag-

    gregate operators that can be computed for the cur-

    rent history, for the (partial) trace. As a result the

    algorithm has complete information to compute the

    policy rule in a given trace.

    Intuitively an active thread (partial trace) repre-

    sents a partial evaluation of the policy rule in the

    current epoch that holds a potential of leading to a

    complete evaluation of the rule in some future epoch,

    thus becoming a trace of the event. Given an active

    threadA

    at epocht ? 1

    and the epochE

    t

    , the algo-

    rithm computes all possible ways of extendingA

    to

    an active thread or a trace for epocht

    . All such ac-

    tive threads are added to the setR ( t )

    . In addition set

    R ( t )

    gets an active thread which represents a partial

    evaluation of the policy rule that starts at epocht

    .

    In the following we will denote an active thread

    A = s

    0

    ; E

    0

    j

    ; s

    j

    : : : E

    0

    t

    ; s

    t

    by the tuple( A

    1

    ; A

    2

    )

    ,

    whereA

    1

    = f s

    0

    ; s

    j

    : : : s

    t ? 1

    ; s

    t

    g

    andA

    2

    =

    ( E

    0

    j

    ; E

    0

    j + 1

    : : : E

    0

    t

    )

    .

    The policy evaluation algorithm PE has two

    phases: the initialization phase and the real-timeevaluation phase. The former involves compiling the

    policy description to evaluate all the static informa-

    tion. The latter phase lasts from the time the algo-

    rithm is started to forever. In the real-time phase, the

    algorithm PE, at epocht

    , evaluates the policy rule in

    the current historyH

    , to determine the actions to be

    taken, or the policy defined events to be triggered at

    epocht

    .

    We will use a running example of a policy rule toillustrate the algorithm PE:

    e

    1

    ; e

    1

    ; e

    2

    ; e

    2

    causesA ( c o u n t ( e

    1

    1 ] ) ; e

    2

    2 ] : x )

    if B ( e1

    2 ] : y )

    Note that instance the complex eventE =

    e

    1

    ; e

    1

    ; e

    2

    ; e

    2

    consists of at least onee

    1

    followed by

    at least onee

    2

    . The conditionB

    tests for they

    at-

    tribute of the laste

    1

    in the instance ofE

    . If the con-

    ditionB

    evaluates to true then it causes actionA

    with

    two arguments which are dependent on the number

    ofe

    1

    and the value of thex

    attribute of the laste

    2

    in

    the instance ofE

    .

    A. Initialization phase

    This phase involves, among other things, the

    construction of a non-deterministic finite automata

    (NDFA)N

    for the complex eventE

    in the rule.

    Example: For our example the NDFA is shown in

    Fig. 1. It has three states1 ; 2 ; 3

    . State1

    is the initial

    state and state3

    is the final state.

    1 2 3

    e

    1

    e

    1

    e

    2

    e

    2

    Fig. 1. NDFA for the example.

  • 8/2/2019 10.1.1.21.9911 (2)

    6/15

    6

    B. Real-time evaluation phase

    We describe this phase for a particular epocht

    . As

    described earlier the algorithm maintains a set of ac-

    tive threadsR ( t )

    for eventE

    at epocht

    . In addition

    for every active thread A = ( A 1 ; A 2 ) in R ( t ) the al-gorithm maintains the partial information (attribute

    values, aggregated values etc), that can be obtained

    fromA

    and which is required to evaluate the if con-

    ditionB

    , the actionA

    or to construct policy defined

    eventsT

    .

    Example: Lett = 1

    andE

    1

    = f e

    1

    g

    . One of the

    active threads ofE

    at epoch1

    hasA

    1

    = f 1 ; 2 g

    and

    A

    2

    = ( f e

    1

    g )

    , corresponding to the only primitive

    event in the history att = 1

    . Another active thread

    ofE

    at epoch1

    hasA

    1

    = f 1 ; 1 g

    andA

    2

    = ( f e

    1

    g )

    .

    Note that for the first active thread c o u n t ( e1

    1 ] ) = 0

    ande

    1

    2 ]

    is instantiated to the primitive evente

    1

    in

    E

    1

    . Similarly for the second active thread we know

    thatc o u n t ( e

    1

    1 ] ) > = 1

    , and we do not have any

    information aboute

    1

    2 ]

    .

    The general structure of the algorithm PE is as

    follows. Let epocht

    be the next epoch. By our as-

    sumption the algorithm has the set of active threads

    R ( t ? 1 )

    . LetA ( t ? 1 ) 2 R ( t ? 1 )

    be an active

    thread. Lets

    be the last state of the NDFAN

    ofE

    ,

    in the pathA

    1

    forA ( t ? 1 )

    . We will say that the

    active threadR ( t ? 1 )

    is in states

    of the NDFAN

    .

    Let( s ; s

    0

    )

    be a transition inN

    which is labeled with

    a basic eventE

    ( s ; s

    0

    )

    . ThenE

    ( s ; s

    0

    )

    is of the forme

    or

    ! e

    ore

    1

    & e

    2

    & : : :

    ore

    1

    j e

    2

    j : : :

    , where eache ; e

    i

    is a

    primitive event. LetI

    be the set of minimal subsets

    ofE

    t

    in which eventE

    ( s ; s

    0

    )

    occurs. For each seti

    2 I

    a new active thread is generated, for which

    A

    1

    =

    append( A

    1

    ofA ( t ? 1 ) ; ( s

    0

    ) ) ;

    A

    2

    =

    append( A

    2

    ofA ( t ? 1 ) ; ( i ) )

    In addition the algorithm computes the additionalinformation obtained for evaluating the policy rule

    from the epochi

    . At this point it is checked if this

    new active thread is in a final state of the NDFAN

    ,

    and if it has all the information required to evaluate

    the policy rule. If it is then the policy rule is eval-

    uated in this active thread, and the active thread is

    terminated. Otherwise the active thread is added to

    the setR ( t )

    . This procedure is carried out for every

    active thread inR ( t ? 1 )

    . In addition a new active

    thread! ( 0 )

    is added toR ( t )

    withA

    1

    =

    the initial

    state of the NDFA and an emptyA

    2

    .

    Example: In the previous example there are three

    active threads at epoch1

    in this history. Two were

    described earlier and the third one is! ( 0 )

    .

    Example: Let the history at time t = 2 be E1

    =

    f e

    1

    g ; E

    2

    = f e

    3

    g

    . In this history all three active

    threads inR ( 1 )

    are discarded at epoch2

    . Therefore

    R ( 2 ) = f ! ( 0 ) g

    .

    The evaluation of a policy rule at an epoch may

    cause some actions or trigger some policy defined

    events. The algorithm PE ensures that the same ac-

    tion is not done twice or the same policy defined

    event is not triggered twice in an epoch. Two ac-

    tions are the same if they cause the invocation of

    the same function with the same values for the ar-

    guments. Two policy defined events are the same if

    they are an instance of the same event object with the

    same values for their attributes.

  • 8/2/2019 10.1.1.21.9911 (2)

    7/15

    7

    C. Pseudocode for the algorithm PE

    // Initialization phase

    P = the Policy

    for each rule r in P

    NDFA(r

    ) = the NDFA for eventE

    of ruler

    R ( 0 ; r ) = f the active thread ! ( 0 ) g

    t = 1

    i

    1

    = E

    1

    // Online phase

    while(true)

    // pde is the set of triggered events

    pde= ;

    actions = ;

    for each ruler

    inP

    // Compute active threads for epoch t

    R ( t ; r )

    = Update( R ( t ? 1 ; r ) ; i

    t

    ) R ( 0 ; r )

    // Compute actions for epoch t

    actions = actions Actions( R ( t ? 1 ; r ) ; i t )

    // Compute triggers for epoch t

    pde = pde

    Trigger( R ( t ? 1 ; r ) ; i

    t

    )

    // FIRE fires the actions

    FIRE(actions)

    i

    t + 1

    = pde Et + 1

    t = t + 1

    Example: Let the history H at epoch 2 be E1

    =

    f e

    1

    g ; E

    2

    = f e

    1

    ; e

    1

    ; e

    2

    ; e

    2

    g

    . The two instances of

    e

    1

    in the second epoch have they

    attributes set to4

    and5

    respectively. The two instances ofe

    2

    in thesecond epoch have the

    x

    attributes set to2

    and7

    re-

    spectively. Thee

    1

    in the first epoch hase

    1

    : y = 9

    .

    As described earlier there are three active threads in

    R ( 1 )

    . For each of these active threads we present

    below the new active threadsR ( 2 )

    that are created at

    epoch2

    .

    1. For the active thread! ( 0 ) 2 R ( 1 )

    two new

    active threads may be added toR ( 2 )

    , each with

    A

    1

    = f 1 ; 1 g

    andA

    2

    = ( f e

    1

    g )

    , one for eache

    1

    inE

    2

    . Note that for both these active threads we

    have the same information to evaluate the policyrule:

    c o u n t ( e

    1

    1 ] ) 1

    . Hence both these active

    threads are indistinguishable, in terms of the evalua-

    tion of the policy rule. Hence only one of these active

    threads is added toR ( 2 )

    . In addition for the active

    thread! ( 0 ) 2 R ( 1 )

    two new active thread are added

    toR ( 2 )

    , each withA

    1

    = f 1 ; 2 g

    andA

    2

    = ( f e

    1

    g )

    ,

    one for eache

    1

    inE

    2

    . Note that these two active

    threads are distinct since even though for both of

    them we havec o u n t ( e

    1

    1 ] ) = 0

    , one of them has

    e

    1

    2 ] : y = 4

    and the othere

    1

    2 ] : y = 5

    .

    2. For the active thread corresponding to the tuple

    ( f 1 ; 1 g ; ( f e

    1

    g ) ) in R ( 1 ) the two new active threads

    that are added toR ( 2 )

    are determined as for the ac-

    tive thread! ( 0 ) 2 R ( 1 )

    .

    3. For the active thread corresponding to the tu-

    ple( f 1 ; 2 g ; ( f e

    1

    g ) )

    inR ( 1 )

    one active thread cor-

    responding to the tuple( f 1 ; 2 ; 2 g ; ( f e

    1

    g ; f e

    2

    g ) )

    is

    added toR ( 2 )

    . Here the firste

    1

    refers to thee

    1

    in

    the first epoch and the seconde

    2

    may refer to any

    of the twoe

    2

    s in the second epoch. In this active

    threadc o u n t ( e

    1

    1 ] ) = 0 ; e

    1

    2 ] : y = 9

    . In addi-

    tion for the active thread( f 1 ; 2 g ; ( f e

    1

    g ) ) 2 R ( 1 )

    two traces of event E at epoch 2 are obtained, bothcorresponding to the tuple

    ( f 1 ; 2 ; 3 g ; ( f e

    1

    g ; f e

    2

    g ) )

    ,

    where the firste

    1

    refers to thee

    1

    in the first epoch

    and the seconde

    2

    refers to one of the twoe

    2

    s in

    the second epoch. For each of these active threads

    c o u n t ( e

    1

    1 ] ) = 0 ; e

    1

    2 ] : y = 9

    , and for one of them

    e

    2

    2 ] : x = 2

    and for the othere

    2

    2 ] : x = 7

    . Note that

    both these traces have enough information to eval-

    uate thec o n d i t i o n

    . If thec o n d i t i o n

    evaluates to

    true for both these traces, then the actionA

    is per-

    formed twice at epoch2

    , once asA ( 0 ; 2 )

    and once

    asA ( 0 ; 7 )

    .

    IV. THE COMPLEXITY OF POLICY EVALUATION

    In this section we show that even restricted in-

    stances of the policy evaluation problem are quite

    hard. However we observe that the hard instances of

    the policy evaluation problem are quite rare in real

    world networks. Under some very realistic assump-

    tions we are able to show that our policy evaluation

    algorithm (Section III) has a good worst case per-

    formance.

    A. Hardness of evaluating policies

    We establish the hardness of the easier decision

    version of the problem: Given a policyP

    of de-

    scription sizep

    and an actionA

    and historyH

    of

  • 8/2/2019 10.1.1.21.9911 (2)

    8/15

    8

    h

    epochs, isA

    caused byP

    in any of the epochs of

    H

    ? We show that the decision version of the policy

    evaluation problem is NP-Hard for many restricted

    class of policies.

    We first show that the decision version of the pol-icy evaluation problem is NP-complete if there is no

    bound onp

    , the policy description size. Our first

    two results show this for some very simple class of

    policies. One might makep

    a small bounded con-

    stant. Unfortunately we are able to show that the

    problem is hard even ifp

    is a small bounded con-

    stant. We present three more hardness results each

    bringing out a different aspect of the intractability of

    the problem. These are hardness results for policies

    with policy defined events, policies with double

    non-determinism , and policies that use aggregate

    operators for un-grouped events in the scope of a

    operator in the specification of policy eventE

    . From

    these three results we conclude that the intractibil-

    ities are due to: simple policies for which an expo-

    nential number of policy defined events may get trig-

    gered (exponential inh

    ), double non-determinism

    potentially leading to an exponential number of ac-

    tive threadsA = ( A

    1

    ; A

    2

    )

    , which differ in the path

    A

    1

    traversed in the NDFA, and for the third kind

    (un-grouped) of policies for which there may be an

    exponential number of active threadsA = ( A

    1

    ; A

    2

    )

    ,

    that differ only in the A 2 values. We are able to showthat these are the only necessary and sufficient condi-

    tion for the intractability of the problem. That is we

    show later that the class of policies, in which none of

    the above mentioned intractibilities are present, can

    be evaluated in polynomial time. And the algorithm

    presented in Section III does so.

    First of all note that the decision version of the

    policy evaluation problem is in the class NP, under

    the assumption that all functions in the policy rule

    are computable in polynomial time. This is because

    given a trace T for the event E , of the policy rule,

    at an epocht

    , it can be verified, in polynomial time,

    ifT

    is a valid trace and if actionA

    happens when

    the policy rule is evaluated inT

    . Below we present

    reductions from 3-SAT to this problem, thus estab-

    nested s?

    lishing its NP completeness.

    Theorem 1: The policy evaluation problem is NP-

    complete for policies in which the policy specifica-

    tion does not use the operator, For this result we

    requirep

    to be a polynomial inh

    , thus allowing un-bounded size policies.

    Proof: We reduce 3-SAT to the decision ver-

    sion of the policy evaluation problem. Let the given

    instance of 3-SAT haven

    variablesx

    1

    ; x

    2

    ; : : : x

    n

    .

    LetC = f c

    1

    ; c

    2

    : : : c

    m

    g

    be the set of clauses in the

    given 3-SAT instance. Thus eachc

    i

    is a disjunction

    of literals overx

    1

    ; x

    2

    ; : : : x

    n

    . We construct a policy

    P

    withn

    primitive events:e

    1

    ; e

    2

    : : : e

    n

    , such thate

    i

    has a boolean attributex

    i

    . The policyP

    has one rule:

    e

    1

    ; e

    2

    ; e

    3

    : : : ; e

    n

    causesA

    ifB :

    HereB

    is a conjunction of boolean expressions con-

    structed as follows. For every clausec

    i

    which is

    a disjunction of the three literals corresponding to

    the variablesx

    a

    ; x

    b

    ; x

    c

    , we define a boolean function

    f

    i

    with three argumentse

    a

    : x

    a

    ; e

    b

    : x

    b

    ; e

    c

    : x

    c

    that com-

    putes the disjunction of its arguments corresponding

    to the clausec

    i

    . For example if the clausec

    i

    is equal

    tox

    1

    j x

    2

    j x

    3

    thenf

    i

    ( x ; y ; z ) = x j y j z :

    For clausec

    i

    we have a boolean expressionb

    i

    which is true if and

    only if the functionf

    i

    ( e

    a

    : x

    a

    ; e

    b

    : x

    b

    ; e

    c

    : x

    c

    )

    evaluates

    to 1 . The condition B is a conjunction of the boolean

    expressionsb

    1

    ; b

    2

    : : : b

    m

    .

    Let there ben

    epochs in the history, withE

    j

    =

    f e

    j

    ; e

    j

    g ; ( 1 j n )

    , such thate

    j

    1

    : x

    j

    = 1

    and

    e

    j

    2

    : x

    j

    = 0 :

    In other words at thej

    -th epoch two

    instances of primitive evente

    j

    occur, one of which

    has attributee

    j

    : x

    j

    set to1

    and the other one has the

    attributee

    j

    : x

    j

    set to0

    .

    Note that there are2

    n traces (instances) of the

    complex eventE = e

    1

    ; e

    2

    ; e

    3

    ; : : : e

    n

    in the input his-

    toryH

    at epochn

    , each corresponding to the2

    n

    dif-ferent choices of picking one of the two primitive

    events in each epoch. Note that depending on which

    e

    i

    we pick from the epochi

    , either the value ofe

    i

    : x

    i

    is0

    or it is1

    . In other words each of the trace of

    the eventE

    corresponds to a distinct setting of the

    attributese

    i

    : x

    i

    ; ( 1 i n )

    . Hence there is a one

  • 8/2/2019 10.1.1.21.9911 (2)

    9/15

    9

    to one correspondence between an assignment to the

    variablesx

    1

    ; x

    2

    : : : x

    n

    and an trace of the eventE

    ,

    such that the value ofx

    i

    is equal to the value of the

    attributee

    i

    : x

    i

    in the trace. But then if the policyP

    on historyH

    causes the actionA

    to happen at epoch

    n , then there must be an trace of the event E for

    which the conditionB

    evaluates to true, which by

    construction implies a satisfying assignment for the

    given 3-SAT instance. On the other hand if there is

    a satisfying assignment for the given 3-SAT instance

    then in the corresponding trace of the eventE

    the

    conditionB

    evaluates to true, and hence the policy

    P

    on historyH

    must cause the actionA

    to happen at

    epochn

    .

    Remark 2: This result seems to suggest that the

    policy evaluation problem may be hard due to there

    being two primitive events per epoch which leads

    to doubling of the active threads at every epoch,

    even though all these active threads traverse the same

    path in the NDFA forE

    (they agree onA

    1

    ). Next

    we show that this is not the only reason for the in-

    tractability of the policy evaluation problem.

    Theorem 3: Even if there is only one primitive

    event, which may happen only once in each epoch,

    the decision version of the policy evaluation problem

    is NP-complete. For this result we requirep

    to be a

    polynomial inh

    .

    Proof: We again reduce 3-SAT to the de-

    cision version of the policy evaluation problem.

    Let the given instance of 3-SAT haven

    variables

    x

    1

    ; x

    2

    : : : x

    n

    . LetC = f c

    1

    ; c

    2

    : : : c

    m

    g

    be the set of

    clauses in the given 3-SAT instance. We construct a

    policyP

    with one primitive event, and one rule:

    e ; e ; : : : e

    causesA

    ifB :

    The history we consider hasn

    epochs (h = n

    ) with

    E

    j

    = f e g ; ( 1 j n ) :

    The proof is similar to

    the proof of Theorem 1. As before we have to es-tablish a correspondence between an assignment to

    then

    variablesx

    1

    ; x

    2

    : : : x

    n

    and a trace of the event

    E = e ; e ; : : : e

    in the inputH

    . Note that there are

    at least2

    n traces ofE

    in the historyH

    , each corre-

    sponding to a different set of values of the functions

    c o u n t ( e i ] ) ; ( 1 i n )

    . Given an trace ofE

    in the

    historyH

    we map it to an assignment of then

    vari-

    ablesx

    1

    ; x

    2

    : : : x

    n

    as follows. We correspondx

    i

    to

    c o u n t ( e i ] )

    :c o u n t ( e i ] ) > 0

    corresponds tox

    i

    = 1

    andc o u n t ( e i ] ) = 0

    corresponds tox

    i

    = 0

    . Now

    the proof is exactly the same as the proof of Theo-

    rem 1 where we replace ei

    : x

    i

    by c o u n t ( e i ] ) in the

    conditionB

    .

    So far we have seen that simple class of policies

    are hard to evaluate. In real life most policies are

    small and have bounded description size. For such

    policies the previous results do not hold. In the fol-

    lowing we will study such class of bounded size poli-

    cies.

    Theorem 4: Even if only two primitive events

    may happen in each epoch,p

    is a constant and poli-

    cies are defined using policy defined events, the deci-sion version of the policy evaluation problem is NP-

    complete.

    Proof: We reduce 3-SAT to this decision ver-

    sion of the policy evaluation problem. Let the given

    instance of 3-SAT be as in proof of Theorem 1, have

    n

    variablesx

    1

    ; x

    2

    ; : : : x

    n

    . LetC = f c

    1

    ; c

    2

    : : : c

    m

    g

    be the set of clauses in the given 3-SAT instance. We

    construct a constant size policyP

    with3

    primitive

    events:e

    1

    ; e

    2

    ; e

    3

    , such thate

    1

    has a boolean attribute

    x

    ande

    2

    has two attributesy

    andz

    . The attributesy

    and z of e 2 are used to encode a clause c 2 C . Thepolicy

    P

    has five rules:

    e

    1

    & ! t triggers t ( a = e1

    : x ; b = 0 ; c = 1 ) :

    e

    1

    & t

    triggers t ( a = 2 t b + 1 e1

    : x + t : a ; b = t : b + 1 ; c = 1 ) :

    e

    2

    & t triggers t ( a = t : a ; b = t : b ; c = 1 )

    iff ( t : a ; t : c ; e

    2

    : y ; e

    2

    : z ) :

    e

    2

    & t

    triggerst ( a = t : a ; b = t : b ; c = 0 )

    if! f ( t : a ; t : c ; e

    2

    : y ; e

    2

    : z ) :

    e

    3

    & t

    causesA

    ift : c = 1 :

    Heret

    is a policy defined event with three attributes:

    a ; b ; c

    . We consider a historyH

    ofn + m + 1

    epochs,

    E

    j

    = f e

    1

    ; e

    1

    g ; ( 1 j n ) ; E

    j

    = f e

    2

    g ; ( n + 1

    j n + m ) ;

    andE

    n + m + 1

    = f e

    3

    g :

    Note that the his-

    tory as described above does not include the policy

    defined events that get added to the epochs, it only

  • 8/2/2019 10.1.1.21.9911 (2)

    10/15

    10

    represents the system defined primitive events.

    The two events in each of the firstn

    epochs sat-

    isfye

    1

    1

    : x = 1 ; e

    1

    2

    : x = 0 :

    Thus the events in the

    firstn

    epochs, as in the proof of Theorem 1, encode

    the2

    n

    assignments for then

    variablesx

    1

    ; x

    2

    : : : x

    n

    .The events in the next

    m

    epochs correspond to the

    m

    clauses, such that the evente

    2

    in the epochn + i

    encodes using its attributesy

    andz

    , thei

    -th clause.

    This is done as follows. Let thei

    -th clause involve

    the three variablesx

    1

    ; x

    2

    andx

    3

    . Let

    1

    ;

    2

    ;

    3

    be each0

    or1

    depending on if the corresponding lit-

    eralx

    1

    ; x

    2

    ; x

    3

    is positive or negative in thei

    -th

    clause. The evente

    2

    in epochn + i

    encodes thei

    -th

    clause by setting the attributey

    to the boolean vec-

    tor(

    1

    ;

    2

    ;

    3

    )

    and by setting the attributez

    to the

    vector(

    1

    ;

    2

    ;

    3

    )

    . The event in the last epoch ise

    3

    which serves as a flag to terminate the evaluation of

    the policy.

    Note that the first rule applies only in the first

    epoch, and that at the end of then

    epochs there are

    exactly2

    n policy defined eventst

    , each correspond-

    ing to one of the2

    n possible satisfying assignments,

    which is encoded in the attributea

    oft

    (as a decimal

    number corresponding to the binary vector). Each

    of these events at epochn

    hast : c = 1

    . We now

    show that if for some policy defined eventt

    , the at-

    tributet : c

    is equal to one at epochm + n + 1

    then

    the assignment encoded int : a

    is a satisfying assign-

    ment. Note that in them

    epochs,n + 1 : : : n + m

    ,

    only rules three and four are evaluated. In the epoch

    n + i

    , these rules ensure that if the encoded assign-

    mentt : a

    satisfies thei

    -th clause, for a policy defined

    eventt

    with attributec = 1

    , then a new instance of

    policy defined eventt

    with attributec = 1

    is added

    to the next epoch, otherwise an instance of policy de-

    fined eventt

    with attributec = 0

    is added to the next

    epoch. These rules also ensure that for a policy de-

    fined eventt

    with attributet : c = 0

    , the instance of

    the policy defined event t that gets added to the next

    epoch also has attributec = 0

    . Hence ift : c = 1

    for a

    policy defined eventt

    at epochm + n + 1

    then the as-

    signment encoded int : a

    is a satisfying assignment.

    Therefore actionA

    occurs at epochm + n + 1

    iff the

    given instance of 3-SAT has a satisfying assignment.

    Note that the functionf

    can be implemented in

    constant space, since it only checks the value of its

    second argument, and it only checks if the clause en-

    coded in its last two arguments is satisfied by the as-

    signment encoded in its first argument.

    Remark 5: We note that the reason triggers make

    the problem hard, is that policies may trigger an ex-

    ponential number of policy defined events (exponen-

    tial inh

    ) in historiesH

    of lengthh

    .

    Theorem 6: Even if only two primitive events

    may happen in each epoch,p

    is a constant, policy

    rules do not use policy defined events, however we

    allow double non-determinism in the event defi-

    nition, the decision version of the policy evaluation

    problem is NP-complete.

    Remark 7: An example of an event with dou-

    ble non-determinism is the complex eventE =

    ( e

    1

    ; e

    2

    )

    . Such an event may have an exponential

    number of active threads (exponential inh

    ) in an

    epoch historyH

    of lengthh

    .

    Proof: The proof is similar to the proof of The-

    orem 4. We reduce 3-SAT to this decision version

    of the policy evaluation problem. Let the given in-

    stance of 3-SAT haven

    variablesx

    1

    ; x

    2

    ; : : : x

    n

    . Let

    C = f c

    1

    ; c

    2

    : : : c

    m

    g

    be the set of clauses in the given

    3-SAT instance. We construct a constant size policy

    P

    with4

    primitive events:e

    1

    ; e

    0

    1

    ; e

    2

    ; e

    3

    , such thate

    1

    has an attributex

    ,e

    2

    ande

    3

    are the same event as in

    the proof of Theorem 4. The policyP

    has one rule:

    ( e

    1

    ; e

    0

    1

    ) ; e

    2

    ; e

    3

    causesA

    iff

    1

    ( f

    2

    ( e

    1

    : x ) ; e

    2

    : y ; e

    2

    : z )

    The historyH

    withh = n + m + 1

    is given by:

    E

    j

    = f e

    1

    ; e

    0

    1

    g ; ( 1 j n ) ; E

    j

    = f e

    2

    g ; ( n + 1

    j n + m ) ;

    andE

    n + m + 1

    = f e

    3

    g :

    Here the eventse

    1

    s in the firstn

    epochs of the

    history are used to encode the2

    n

    assignments forthe

    n

    variablesx

    1

    ; x

    2

    : : : x

    n

    . This is done by setting

    e

    1

    : x = 2

    j ? 1 for the evente

    1

    inE

    j

    ; ( 1 j n )

    .

    The events in the nextm

    epochs, as in the proof of

    Theorem 4, encode them

    clauses. The evente

    3

    as

    before serves as a flag to terminate the evaluation of

    the policy.

  • 8/2/2019 10.1.1.21.9911 (2)

    11/15

    11

    The functionf

    2

    is an aggregator operator that

    sums up thee

    1

    : x

    values. Note that at the end of

    the firstn

    epochs there are2

    n active threads for

    ( e

    1

    ; e

    0

    1

    )

    in the history, for each of which the func-

    tionf

    2

    ( e

    1

    : x )

    encodes a potential satisfying assign-

    ment, as its decimal value.

    The functionf

    1

    is an aggregator operator that

    checks, as in the proof of Theorem 4, if the assign-

    ment encoded inf

    2

    ( e

    1

    : x )

    satisfies the clause en-

    coded in its last two arguments. The value of this

    function is one at the end ofn + m + 1

    epochs if and

    only if all them

    clauses are satisfied by the encoded

    assignment. Note that both the functionsf

    1

    andf

    2

    can be implemented in constant space.

    Remark 8: The above shows that a complex event

    with double non-determinismE =

    (

    e

    1

    ;

    e

    2

    )

    , mayhave an exponential number of active threads in an

    epoch historyH

    of lengthh

    . Note that these active

    threadsA = ( A

    1

    ; A

    2

    )

    differ inA

    1

    , the path that they

    take in the NDFA forE

    , and for a complex event

    with non-determinism there can be an exponential

    number ofA

    1

    s.

    We now show that even if we do not allow dou-

    ble non-determinism, andp

    is a constant, the policy

    evaluation problem is still hard.

    Theorem 9: Even if only two primitive events

    may happen in each time instance,p

    is a constant,

    policy rules do not use policy defined events, and

    there is no non-determinism in the event definition,

    the decision version of the policy evaluation problem

    is NP-complete.

    Remark 10: The following proof establishes that

    there may be an exponential number of active threads

    A = ( A

    1

    ; A

    2

    )

    in an epoch historyH

    of lengthh

    , all

    of which have the sameA

    1

    , the path in the NDFA,

    however they may differ in theA

    2

    s.

    Proof: The proof is similar to the proof of The-orem 6. We reduce 3-SAT to this decision version

    of the policy evaluation problem. Let the given in-

    stance of 3-SAT haven

    variablesx

    1

    ; x

    2

    ; : : : x

    n

    . Let

    C = f c

    1

    ; c

    2

    : : : c

    m

    g

    be the set of clauses in the given

    3-SAT instance. We construct a constant size policy

    P

    with3

    primitive events:e

    1

    ; e

    2

    ; e

    3

    , such thate

    1

    has

    a attributex

    ,e

    2

    ande

    3

    are the same event as in the

    proof of Theorem 4. The policyP

    has one rule:

    e

    1

    ; e

    2

    ; e

    3

    causes A

    iff

    1

    ( f

    2

    ( e

    1

    : x ) ; e

    2

    : y ; e

    2

    : z )

    The historyH

    withh = n + m + 1

    is given by:

    E

    j

    = f e

    1

    ; e

    1

    g ; ( 1 j n ) ; E

    j

    = f e

    2

    g ; ( n + 1

    j n + m ) ;

    andE

    n + m + 1

    = f e

    3

    g :

    The pair of eventse

    1

    s in the firstn

    epochs dif-

    fer in their attributex

    value, one has it set to0

    and

    the other has it set to1

    . These events as in earlier

    proofs are used to encode the2

    n assignments for the

    n

    variablesx

    1

    ; x

    2

    : : : x

    n

    , since an active thread has

    to choose one of these events in each such epoch.

    The events in the next m epochs, as in the proof ofTheorem 4, encode the

    m

    clauses. The evente

    3

    as

    before serves as a flag to terminate the evaluation of

    the policy.

    The functionf

    2

    is an aggregator operator that en-

    codes thee

    1

    : x

    values (as a decimal representation of

    the binary vector). Note that at the end of the first

    n

    epochs there are2

    n distinct active threads ofE

    ,

    each corresponding to a potential distinct satisfying

    assignment of the 3-SAT instance.

    The functionf

    1

    is an aggregator operator thatchecks, as in the proof of Theorem 6, if the assign-

    ment encoded inf

    2

    ( e

    1

    : x )

    satisfies the clause en-

    coded in its last two arguments. The value of this

    function is one at the end ofn + m + 1

    epochs if and

    only if all them

    clauses are satisfied by the encoded

    assignment. Note that both the functionsf

    1

    andf

    2

    can be implemented in constant space.

    Remark 11: In theP D L

    a group operator is

    provided to deal with this kind of intractability. For

    an event defined asg r o u p ( e )

    for some basic evente

    ,

    there is at most one instance in any given epoch, nomatter how many distinct instances of

    e

    are present

    in the epoch. As the name suggests the group op-

    erator groups all these instances into one instance.

    We will show later that policies where all the basic

    events within the scope of a operator are of the

    formg r o u p ( e )

    , in its specification can be efficiently

  • 8/2/2019 10.1.1.21.9911 (2)

    12/15

    12

    evaluated given some other restrictions.

    B. Complexity of the Policy Evaluation Algorithm

    We have seen that even very restricted instancesof the policy evaluation problem are hard to solve.

    However the hard cases seem to arise only for con-

    trived instances of the problem. In real life we can

    assume that the following may hold:

    All active threads have small length, i.e. there are

    only a small number of epochs in its underlying par-

    tial trace.

    The functions used in the policy rules can be effi-

    ciently computed.

    The policy rules have bounded size descriptions.

    There are only a small number of distinct instancesof a primitive (system defined or policy defined)

    event in any epoch of the history.

    Policies can be written without using double non-

    determinism to construct complex events.

    Policies can be written such that the basic events in

    the scope of a operator are also within the scope

    of theP D L

    group operator in the eventE

    .

    These assumptions are justified by the fact that

    real networks have finite memory: the events that

    must lead to an action, happen not too far back in

    the past. Also network policies can be generally

    expressed as simple rules which do not require too

    much computation to implement.

    Under these assumptions the policy evaluation al-

    gorithm PE is quite efficient.

    Theorem 12: Given a policy ruleR

    of sizep

    , de-

    fined using complex eventE

    that does not use dou-

    ble non-determinism, and uses the group operator

    for basic events in the scope of a , and a history

    H

    in which there are at mostk

    distinct instances of

    any primitive event (including policy defined) in anyepoch, such that all the active threads of

    E

    have a

    length bounded byl

    inH

    , and all ofR

    s functions

    can be computed efficiently then the algorithm PE,

    to evaluate ruleR

    , runs in timeO ( ( k l )

    p

    )

    per epoch.

    Note that ifp

    is a constant then the algorithm runs in

    time a polynomial ink

    andl

    .

    Proof: Note that the complexity of the algo-

    rithm for any given epoch is directly proportional to

    the number of active threads in that epoch. In the fol-

    lowing we will bound the number of active threads

    per epoch. It follows from our assumptions about

    event E that it can be written as E = C1

    ; C

    2

    : : : C

    m

    ,

    for eventsC

    i

    which have the following property: ei-

    therC

    i

    = D

    i

    for some eventD

    i

    which does not

    contain any and all its basic events are within the

    P D L g r o u p

    operator, orC

    i

    = F

    i

    , whereF

    i

    does

    not contain any operator. Note that bothD

    i

    and

    F

    i

    are of the forme

    1

    ; e

    2

    : : : e

    j

    , where eache

    i

    is a

    basic event possibly within ag r o u p

    operator. Note

    that from this it follows that that the NDFAN

    can

    also be partitioned as shown in Fig. 2, which we will

    write asN = N

    1

    ; N

    2

    : : : N

    m

    .

    N

    m

    N

    2

    N

    1

    transition

    Fig. 2. Partition of the NDFA of the complex event

    Let us first compute how many distinct active

    threadsA = ( A

    1

    ; A

    2

    )

    can have the same pathA

    1

    in the NDFAN

    . Two such active threads are dis-

    tinct if they have a different value of some attributeor some aggregate operator. Note that in any such

    active thread, an attributee s ] : x

    can have at mostk

    distinct values, one for each instance of the primitive

    evente

    in the epoch where this attribute is instan-

    tiated. This is because for any attributee s ] : x

    the

    epoch in which it gets instantiated is the same for all

    the active threads since they all agree on their paths

    A

    1

    in the NDFAN

    . Also note that all the aggre-

    gate operators have the same value for all these ac-

    tive threads, since aggregate operators involve events

    and their attributes which are within the scope of the

    operator and all such events by our assumption

    are also within the scope of ag r o u p

    operator. All

    this implies that there can be at mostO ( k

    p

    )

    active

    threads that have the sameA

    1

    value.

    Now we compute the number of distinct values for

    A

    1

    that the active threads in any epoch may have.

  • 8/2/2019 10.1.1.21.9911 (2)

    13/15

    13

    Note that the pathA

    1

    can be partitioned intom

    paths, with thei

    -th path completely contained inN

    i

    .

    Let the length of the chain (and hence the number of

    states) ofN

    i

    ben

    i

    . Note thatP

    m

    i = 1

    n

    i

    = O ( p )

    , and

    thereforem

    as well asn

    i

    s are each at mostO ( p )

    .

    Since the active thread A1

    has length a l , we must

    have:m

    X

    i = 1

    c

    i

    n

    i

    l :

    for some non negative integersc

    i

    s. Note thatA

    1

    can be completely specified by specifying thec

    i

    val-

    ues. A very crude estimate is0 c

    i

    l

    for all

    i

    . Hence the number of distinct values for all the

    c

    i

    and hence the number of distinctA

    1

    are at most

    O ( l

    m

    ) = O ( l

    p

    )

    .

    Combining the two results we get that the numberof active threads in any epoch are

    O ( ( k l )

    p

    )

    .

    V. SIMULATION RESULTS

    In this section we present our empirical results on

    the performance of the policy evaluation algorithm

    PE, based on simulations. Our experimental setup is

    as follows. For a given policyP

    and a historyH

    of

    h

    epochs we measure the timem ( t )

    (in milli-secs)

    that it takes to evaluate the policy P at the epocht

    onH

    . We plott

    on the X-axis andm ( t )

    on the

    y

    axis. In Fig. 3 we show the performance of the

    algorithm for4

    simple policies, each with rules of

    the forme causes A ( e : x ) : policies with one such

    rule, two such rules, four such rules and eight such

    rules. The rules in a policy use different primitive

    events. For this experiment, the epochs in the his-

    toryH

    grow linearly withh

    . That is thej

    -th epoch

    containsj

    distinct instances (with different value for

    attributex

    ) of each of the eight primitive events that

    may occur in any of the policy rule. As expectedthe time to evaluate a policy increases linearly with

    the number of epochs and the number of rules (for

    clarity we do not present the results for policy with

    9 ; 1 0 : : :

    rules) The results in Fig. 3 serve as a base-

    line to measure the performance of the algorithm for

    more complicated policies.

    s.8s.4s.2s.1

    200180160140120100806040200

    18001600140012001000

    800600400200

    0

    Fig. 3. Simple Policies

    The next policy that we used for our experiments

    is for admission control, it enforces two levels of

    admission control: at a global level it allows at

    most maxConn, and at a class level it allows atmost a class dependent number of simultaneous con-

    nections. The policy involves two external events

    TryConn and DisConn representing a request for

    a connection or for a disconnect respectively. In ad-

    dition it involves two policy defined events Class-

    Conn and GlobalConn, for enforcing the policy

    by keeping track of the number of connections at the

    class and global level respectively.

    Startup triggers GlobalConn(conncts = 0);

    StartClass triggers Class-Conn(class = Startup.class,

    conncts = 0);

    TryConn & ClassConn & GlobalConn

    causes Conn("Connection", TryConn.user)

    if GlobalConn.conncts < maxCon,

    TryConn.class = ClassConn.class,

    ClassConn.conncts < maxConn(TryConn.class);

    Disconn

    causes Disc("Disconnection", Disconn.user);

    TryConn & ClassConn & GlobalConn

    triggers ClassConn(class = ClassConn.class,

    conncts = ClassConn.conncts + 1)

    if GlobalConn.conncts < maxCon,

    TryConn.class = ClassConn.class,

    ClassConn.conncts < maxConn(TryConn.class);

    TryConn & ClassConn & GlobalConn

    triggers GlobalConn(conncts = Global-

    Conn.conncts + 1)

    if GlobalConn.conncts < maxCon,

    TryConn.class = ClassConn.class,

  • 8/2/2019 10.1.1.21.9911 (2)

    14/15

    14

    ClassConn.conncts < maxConn(TryConn.class);

    Disconn & ClassConn

    triggers ClassConn(class = ClassConn.class,

    conncts = ClassConn.conncts - 1)

    if Disconn.class = ClassConn.class;

    Disconn & GlobalConn

    triggers GlobalConn(conncts = Global-

    Conn.conncts - 1);

    Disconn & ClassConn

    triggers ClassConn(class = ClassConn.class,

    conncts = ClassConn.conncts )

    if Disconn.class != ClassConn.class;

    TryConn & ClassConn

    triggers ClassConn(class = ClassConn.class,

    conncts = ClassConn.conncts )

    if TryConn.class != ClassConn.class;

    StartClass & GlobalConn

    triggers Global-

    Conn(conncts = GlobalConn.conncts);

    This policy monitors and controls the number of

    simultaneous connections from different classes of

    users into a network. There is an overall limit of

    connections given by the constant maxCon. In a

    given moment the number of simultaneous connec-

    tions is limited to a maximum of maxCon. There

    is a second tier of control based on classes. Users

    have associated classes and each class has limited

    its maximum number of connection by the value of

    the function maxConn(class). The policy worksas follows. There is an event triggered at the time

    the policy is brought up (i.e. it is triggered by the

    event Startup). The event triggered, Global-

    Conn, has one attribute that keeps track of the total

    number of current connections in the system. It is

    initialized in 0. This is done by the first rule in the

    policy. Each time a new user class is introduced the

    event StartClass is generated by the registration

    process. This event has one attribute, the event class

    name. This event triggers an internal event, Class-

    Conn, with two attributes, one with the class nameand the other a counter, also initialized in 0, that will

    keep track of the number of simultaneous connec-

    tions for the class. This is encoded in the second

    rule. The next two rules process the connections

    and disconnection. The connection policy rule ex-

    ecutes the action (i.e. establishes the connection) if

    the limits are not exceeded. The fifth and six rules in-

    crement the appropriate class counter and the global

    counter if the connections will be established. The

    next two rules decrement the counters after discon-

    nect occurs. The last three rules handle the cases

    when event occurs but counters do not change. Note

    that there is a StartClass event for each class and

    these events are re-triggered each time an external

    event (TryCOnn and Disconn) not affecting the

    class occurs. For this policy the epochs are defined

    as follows. A new epoch is initiated whenever a re-

    quest for a connection or disconnection or any of the

    start events happen. We assume for this policy that

    every epoch contains exactly one external (system

    defined) event.

    We ran the experiments for randomly generated

    admission/dis-connection requests for the admiss-

    sion control policy, The running time of the algo-

    rithm stayed around1 0 0

    ms per epoch.

    V I . RELATED WORK

    Policy based network management has been a

    topic of research for several years. There has been

    work in formal models and methodologies to express

    policies (see, for example, [9] and the references

    therein) but no attention is directed to complexity is-

    sues. In many cases is not clear that the models al-ways describe computable policies. General purpose

    event programming languages have been around for

    a while. Good examples are the READY system [3]

    and its predecessor YEAST [5]. Event languages

    have also been studied in the context of network

    monitoring (see, for example, [4], [10]). There is

    also a tremendous amount of effort from the net-

    working industry to understand and standardize the

    concept of policy. The interest is reflected in the

    work of the Policy Working group in the Internet

    Engineering Task Force (IETF) [7], [8]. Our pri-mary interest has been to develop a policy server,

    with a complete understanding of the complexity of

    the problem being addressed. For the latter goal we

    needed more than an implemented event language

    system. We needed a formal specification of what

    a policy could do. We developedP D L

    with this in

  • 8/2/2019 10.1.1.21.9911 (2)

    15/15

    15

    mind. Although we cannot do formal comparisons

    betweenP D L

    and the standards being proposed at

    IETF y our complexity results show thatP D L

    is a

    very expressive language, and we believe sufficient

    for the policies required in real network applications.

    Details of the language and several examples can be

    found in [6].

    REFERENCES

    [1] R. Bhatia, M. Kohli, J. Lobo, and A. Virmani. A policy-

    based network management system. In Proc. of the In-

    ternational Conference on Parallel and Distributed Tech-

    niques and Applications/International Conference on Ar-

    tificial Intelligence, June 1999.

    [2] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, and

    A. Sastry. The COPS (Common Policy Service) protocol.

    Technical Report draft-ietf-rap-cops-06.txt, Internet Engi-

    neering Task Force, February 1999.[3] R. E. Gruber, B. Krishnamurthy, and E. Panagos. High-

    level constructs in the READY event notification system.

    In 8th ACM SIGOPS European Workshop, Sintra, Portu-

    gal, September 1998.

    [4] M. Z. Hasan. An active temporal model for network man-

    agement databases. In IFIP/IEEE 4th International Sym-

    posium on Integrated Network Management, pages 524

    535, Santa Barbara, California, May 1995.

    [5] B. Krishnamurthy and D. Rosenblum. YEAST: A general

    purpose event-action system. IEEE Transactions on Soft-

    ware Engineering, 21(10):845857, Octuber 1995.

    [6] J. Lobo, R. Bhatia, and S. Naqvi. A policy description

    language. In Proc. of AAAI, Orlando, FL, July 1999.

    [7] J. Strassner and E. Elleson. Terminology for describ-ing network policy and services. Technical Report draft-

    strassner-policy-terms-01.txt, Internet Engineering Task

    Force, February 1999.

    [8] J. Strassner and S. Schleimer. Policy framework definition

    language. Technical Report draft-ietf-policy-framework-

    pfdl-00.txt, Internet Engineering Task Force, November

    1998.

    [9] R. Wies. Policies in network and system management -

    formal definition and architecture. Journal of Network and

    System Management, 2(1):6383, 1994.

    [10] O. Wolfson, S. Sengupta, and Y. Yemini. Managing

    communication networks by monitoring databases. IEEE

    Transactions on Software Engineering, 17(9):944953,

    September 1991.

    y The models are work in progress and are still imprecise and

    incomplete.