Software architecture—the high level structure of a software system including a collection of components, connectors and constraints—plays an increasingly critical role in the design and development of any large complex software system. These artifacts (i.e., components, connectors, and constraints) are needed to reason about the system and act as a bridge between requirements and implementation as well as provide a blueprint for system construction and composition. The architecture helps in the understanding of complex systems, supports reuse at both the component and architectural level, indicates the major components to be developed together with their relationships and constraints, exposes changeability of the system, and allows for verification and validation of the target system at a high level [ 32 ].

Software architectures have been very influential in self-adaptive systems, i.e., systems that are capable of self-configuration, self-optimization, self-healing and selfprotection, and are also called self-* or autonomic systems [ 17 ]. In architecture-based self-adaptive systems, components dynamically change in order to continuously adhere to architectural properties and system goals. As a result, these systems require runtime architectural models when making adaptation decisions [ 11 ]. However, when these systems are distributed and highly dynamic there is an added need to discover the system’s architectural model at runtime.

Current methods of runtime architecture discovery take a centralized approach to constructing architectures dynamically. These methods are inadequate for large distributed systems because they do not scale up well and have a single point of failure. Also, systems of such size are often dynamic in nature due to changes in the runtime environment, where nodes join and leave the system unpredictably, and are subject to failures. Existing approaches do not address the aforementioned concerns.

We describe a method for runtime software architecture discovery in a completely decentralized manner. This is accomplished by keeping message logs at each node and disseminating among the nodes identified component interaction patterns (i.e., synchronous, asynchronous, single or multiple destination) derived from the logs through selective gossip exchanges. With selective gossiping, information dissemination takes place only between nodes that are part of the same application. This results in the containment of network traffic, which in effect reduces communication overhead. All references to DeSARM’s gossiping method heretofore refer to selective gossiping. Through its use of gossiping, our mechanism addresses the limitations of the current approaches and exhibits the following properties: (1) resiliency to failures, where the gossiping protocol always converges irrespective of node failures, (2) global consistency among participating nodes, where all nodes converge to the same architectural view, and (3) scalability, where the gossiping protocol can accomodate systems of increasing size [ 29 ]. Accordingly, the scope of our work is the derivation of architectural models at runtime to be used in decentralized decision making for architecture-based adaptation in large distributed systems. This effort is part of a larger project, RASS: Resilient Autonomic Software Systems [ 27 ], aimed at developing a highly-resilient and highly-dependable system, which is capable of making adaptation decisions in a distributed fashion without centralized control. To achieve this goal, each node requires a complete model of the system at runtime.

Thus, the main contribution of this paper is DeSARM: Decentralized Software Architecture discoveRy Mechanism, a completely decentralized and automated method and system for runtime discovery of software architecture models of distributed systems using gossiping [ 6 ][ 18 ] and message tracing. The information dissemination and relatively fast convergence capability of the gossiping protocol aid each node in deriving a complete model of the architecture. We also demonstrate experimentally DeSARM properties of resiliency, global consistency, and scalability. It is important to note that these properties relate to the architecture discovery process and not to application failure recovery or adaptation, which are outside the scope of this paper.

The rest of this paper is organized as follows. Section II discusses related work. Section III provides some basic assumptions. Section IV describes the architecture of DeSARM. Section V presents the results of our experiments with DeSARM. Section VI provides a discussion on important issues related to the architecture discovery mechanism. Finally, Section VII presents some concluding remarks and discusses possible future work.

In this paper we use architecture discovery instead of recovery as is often found in the literature. Architecture recovery refers to cases where the architecture was known but may have been lost due to erosion or improper documentation [ 3 ], [ 15 ], [ 33 ]. In contrast, architecture discovery refers to situations in which the architecture was not previously known. This is due to the fact that the architecture may not have previously existed or may have changed at runtime due to the dynamic nature of the system as is the case with dynamic software adaptation.

Software architecture discovery approaches can be classified into dynamic, static, and hybrid, i.e., combining both dynamic and static analysis. Some examples of static analysis approaches include [ 24 ][ 4 ][ 19 ] and examples of hybrid approaches are [ 28 ][ 30 ]. However, as the objective of this paper is discovering architectural models at runtime, we shall focus only on dynamic approaches as follows.

Israr et al. [ 16 ] describe SAMEtech, a dynamic approach for automating the discovery of architecture models and layered performance models from message trace information. DiscoTect [ 31 ] uses a set of pattern recognizers and knowledge of the architectural style being implemented to map lowlevel system events into high-level architecturally meaningful events. Bojic and Velasevic [ 3 ] use test cases that cover relevant use-cases, and concept analysis to group system entities together that implement similar functionality. Vasconcelos et al. [ 33 ] use specified use-cases to generate execution traces from which interaction patterns are identified using pattern detection in order to define architectural elements. Yuan and Malek [ 35 ] take a dynamic approach to discovering the architectural model of a distributed application by generating a component interaction model using data mining. Huang et al. [ 15 ] use the reflective ability of the component framework to discover an up-to-date architecture from the running system. In contrast to the aforementioned, DeSARM is based on a decentralized approach to architecture discovery. This approach is effective for large distributed systems which pose scalability, single point of failure and dynamicity concerns, which are not addressed by the existing methods.

Also related to our work is architecture-based software dynamic adaptation, which addresses the dynamic software reconfiguration of the architecture model and corresponding implementation for the purpose of runtime adaptation and evolution (see e.g., [ 10 ], [ 21 ], [ 23 ], [ 25 ], [ 34 ]).

This paper makes the following assumptions: 1) If a component fails, it is restarted on the same node if the node is still running. This is common in modern component-based systems whereby components can be restarted when they are detected to have failed. 2) If a node fails, all the components running on that node fail. This assumption is obvious and does not require further comments. 3) If a node cannot be restarted after a failure, its components can be moved to other node(s) using an existing component recovery mechanism not within the scope of this work. This assumption is based on existing work on a runtime application recovery mechanism with which DeSARM is being integrated. See Section VII. 4) Software components can communicate either through a connection-less transport protocol such as UDP or a connection-oriented protocol such as TCP. Both types of communication are common in distributed systems and DeSARM supports either. 5) The software architecture is not known because it may dynamically change due to churn and failures. As explained in the introduction, this is the focus of this work. 6) The software deployment on physical nodes is not known. The set of nodes on which the software system is deployed is not assumed to be known and is discovered by DeSARM.

IV. SOFTWARE ARCHITECTURE DISCOVERY METHOD This section discusses DeSARM’s architecture. We first describe the structure of a node running DeSARM. Then, we give an overview of how gossiping and message tracing are incorporated into the discovery process. We then delve into the details of the architecture model discovery method.

A node in a distributed system consists of three layers according to Fig. 1: application layer, DeSARM layer, and communication middleware. The application layer consists of the distributed application components that communicate over the network via messaging events. Each component has two logs: message sent log (MSL) and message received log (MRL) as shown in Fig. 2. The DeSARM layer forms a wrapper around the communication middleware and provides the same interface to the application layer components as the communication middleware. DeSARM consists of a number of modules each providing different functionality (see Fig.2): Message logging: All incoming messages are logged before being passed to the application layer components and all outgoing messages are logged before being passed to the communication middleware. All messages are logged to stable storage.

Message log aggregation: The MSLs and MRLs of all components are aggregated to form an aggregate message log (AML) at each node. The AML contains the interactions between all components and their respective destination components. This is further merged with the AMLs from incoming gossip messages received from other nodes (see below).

Gossip-based dissemination: This forms the core of our architecture discovery method and enables the distribution of AMLs from each node throughout the system. Peer node selection: This is achieved through the maintenance of a component/node database which is derived by identifying component IDs and their related node IDs from incoming and outgoing messages. This ensures that only nodes running components that are part of the same application are selected for dissemination.

Control: The DeSARM controller manages the execution of the gossip process by maintaining the timing between consecutive rounds.

Architecture discovery: This is used to derive the architectural model of the system based on the message traces. Finally, the communication middleware provides network access allowing the sending and receiving of component-level and gossiping messages between nodes.

Gossip is an epidemic protocol, which due to its simplicity, robustness and flexibility makes it ideal for reliable dissemination of data in large-scale distributed systems. In gossipbased dissemination, data spreads exponentially fast and takes O (logN) rounds to reach all N nodes [ 18 ]. The essence of this approach, which lies at the core of all gossip-based dissemination approaches, was first introduced in the seminal !!!!"##$%&#'()'*&+,*'-) &&&&&!"##$%&*'.'$/'*&+,*'-)& &&&&0%''*&12&&&&&&&&&&&&&&&&&&&&&& &&&&&0%''*&32& !!!!)"&'/'*4&!"56'&7($+#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*'.'%5"(&"8&*'97'#+&8*"6&1& !!!!!""!#$%$&'!$(&)*+,$!-*.'+$.! !!!!!!!!!#"$"%&'&()*&&+,-." !!!!!""!-./&$$0!'/!$(&)*+,$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!""!.$&$12$!3$##*,$! !!!!!!!!!%&/0,#1"234-."""""""""""""""""""""""""""""""""""""""""""""""""""""""""234*"$"+&(&56&7+89,*-." !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"! ! ! ! !!!!!!!!!!!!!!!!#!!!!!!!!!!!!!!! !!!!""!4*1'!5/.!.$#-/+#$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!""!-./&$$0!'/!$(&)*+,$! !!!!!!!!234#"$"+&(&56&7+89,#-.""""""""""""""""""""""""""""""""""""""""%&/0,*1"234-." !!!""!3$.,$!678#!'/!,$'!+$4!*,,.$,*'$0!678!!!!!!!!!!!!!""3$.,$!678#!'/!,$'!+$4!*,,.$,*'$0!678! !!!!!!!"234"$"9&+:&48:%,2341"234#-.&&&&&&&&&&&&&&&&&&&&&&&&&&&234"$"9&+:&48:%,2341"234*-." !!!!'()&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&'()&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& paper by Demers et al. [ 5 ] and involves the dissemination of data by allowing randomly chosen pairs of nodes to exchange new information. After the exchange, the two nodes forming a pair should have the same information effectively reducing the entropy of the system [ 29 ].

The main elements of the gossip-based dissemination framework are: (1) peer selection, where a peer (node) selects another peer uniformly at random from the set of available peers, (2) data exchanged, which involves the exchange of data between peers and is specific to the use of the gossip mechanism, and (3) data processing, which details how each peer handles the information received from other peers and is also specific to the use of the gossip mechanism [ 18 ]. DeSARM’s gossip-based dissemination is depicted in Fig. 3 and consists of:

Peer selection: A peer P periodically chooses another peer Q uniformly at random from the set of peers that participate in the same application, i.e., DeSARM uses selective gossiping.

Data exchanged: The AML is sent from one peer to another.

Data processing: The received AML is merged with the local AML at each node to produce an updated AML.

Once a node detects that there are no further updates to the gossiped AMLs, it assumes that convergence was reached and a complete software architecture can be derived.

Each log entry in the MSL or MRL has the following fields: Timestamp Destination Type: single destination (SD) or multiple destination (MD) Message Type (mt): request reply (RQ), no-reply requested (NR), a reply to previous request (RP) Transaction ID Message Unique ID (mid) Return ID: equals 0 if mt 6= RP, otherwise equals “mid” of original request message Source Component: component sending the message Destination Component: component receiving the message Source Node ID: ID of sending node

Destination Node ID: ID of receiving node

The MRL and MSL for each component are scanned and the interaction patterns for these messages are identified. The following types of messages are considered: Reply requests (RQ), No-reply requests (NR), and Replies (RP).

These message types allows us to identify synchronous vs asynchronous interactions. In the former case, since reply messages are guaranteed to have a request, then the original request reply message and its associated reply message are treated as a single synchronous interaction (SY). If the original message was sent as a unicast (SD) then the tuple (source, destination, SY, SD) is added to the AML. Otherwise, if the original message was sent as a multicast (MD), then the tuple (source, destination, SY, MD) is added to the AML. No-reply requested messages on the other hand are treated as asynchronous interactions (AS) and added to the AML as (source, destination, AS, SD) if the message was sent as a unicast, or (source, destination, AS, MD) if the message was multicasted. The AML is treated as a set so only unique tuple entries are allowed for each component interaction, irrespective of the frequency of such interactions in the message logs because a software architecture does not consider how many times a certain type of interaction occurred between components. Further details on the algorithms implemented by DeSARM can be found in [ 26 ].

After each round of gossiping, the updated AML is used to incrementally discover the architecture, which is represented as a labeled directed graph. The vertices of this graph correspond to unique component ids and the edges correspond to unique component interactions. Edges are labeled with the interaction patterns (SY or AS) and destination types (SD or MD). Further details on this process can also be found in [ 26 ].

To depict how DeSARM works, we use an example architecture of a distributed emergency monitoring system (see Fig. 4). The architecture consists of five types of components with three instances each of the Monitoring Sensor and RemoteSystem Proxy components, and a single instance of the other components. This example assumes that each component is assigned to a single node. When referring to components we mean component instances unless otherwise mentioned. The communication patterns within the system are:

Operator Presentation sends synchronous messages with reply to Alarm Service and Monitoring Data Service. !"#$%"&$#'(

)*#+"&( ,"-."#*#%( 6);():( Alarm Service and Monitoring Data Service send asynchronous multicast messages to Operator Presentation. Monitoring Sensor and Remote System Proxy send asynchronous unicast messages to Alarm Service and Monitoring Data Service.

The discovered architecture model corresponding to Fig. 4 is the graph shown in Fig.5. This shows the five component types of the system and their respective communication patterns as edge labels, which would have been derived by the architecture discovery process.

DeSARM was implemented in Java, and was developed by extending an open source implementation of gossip [ 14 ] that manages a list of nodes on a network for cluster membership. We extended the open source gosssip implementation by adding the core functionality of DeSARM, as described in Section IV above, as well as incorporated push-pull based gossip (discussed further below). We emulated a distributed system by implementing each node of the distributed system on a different virtual machine (VM) and spread the VMs over physical machines connected over a network. The VMs communicate over TCP/IP so they can be located anywhere on the network. The DeSARM implementation is heavily multithreaded with different functions of DeSARM implemented as different threads. Some examples of threads include sending and receiving of gossip messages, message log aggregation, architecture discovery, component/node database maintenance, and sending and receiving of component messages. All the communication between nodes uses Java sockets. DeSARM modules normally communicate using UDP, however if gossip exchanges become too large, resulting in message fragmentation in multiple packets, TCP is used to guarantee message integrity.

Our experiments demonstrate the operation of DeSARM and assess its convergence and the number of messages exchanged by the DeSARM middleware. Two sets of experiments were completed. In the first experiment, two types of tests were conducted. In the first test, there were no component/node failures. In the second test, we added random failures with subsequent recovery for each of the components. This second test reveals the impact of failures on the convergence of DeSARM to the final architecture. In the second experiment, the scalability of the mechanism is examined.

We discuss here some additional issues of interest, some of which are being addressed in ongoing work.

The first issue we address is whether DeSARM’s selective gossiping mechanism always converges, i.e., if there is the possibility of different nodes converging to different discovered architectural models. To address this issue and to ensure convergence, we employed anti-entropy based gossip in DeSARM. In anti-entropy gossip, the gossiping protocol runs indefinitely albeit at specified regular intervals [ 29 ]; this means that all nodes continuously make gossip exchanges. Because gossiping never stops, updates will reach all nodes and the system will always eventually converge. However, such a mechanism can result in unnecessary message exchanges especially if no architectural changes have taken place within the system. This problem is exacerbated in large distributed systems. To address this issue we adjusted the protocol to gradually decrease the gossip rate when no new updates to the AML have been detected over a period of time. Then, when an update is received, the original gossip rate is restored to speedup convergence.

The second issue is the relationship between gossip convergence speed and the gossip rate . A higher value of implies faster convergence at the cost of higher message overhead.

Other factors such as system size, component communication patterns, and gossip mode (see below) also affect convergence speed. For example, convergence speed is generally affected by the communication pattern among components, including how often they communicate and the number of components they communicate with. Two modes of gossiping can be used:

Time (sec) Similarity Metric push gossip (where a peer sends a message but does not to failures. These properties were demonstrated through varireceive one in return) vs. push-pull gossip (where a peer sends ous experiments, with and without component failures. These a message and receives one in return). Our implementation experiments assessed the rate of convergence of the DeSARM of DeSARM uses push-pull gossip, which accelerates conver- nodes towards the software architecture being discovered. gence. These experiments showed that DeSARM is resilient and

The third issue is the implication of dynamic architectural is able to discover the architecture even in the presence of changes during gossiping and how it affects convergence. We failures, albeit at a lower pace than the one when no failures are currenty addressing this issue through the integration of occur. DeSARM was implemented in Java using a multiDeSARM with an application recovery layer that runs above threaded architecture.

DeSARM and provides DeSARM with updates to events that In future work we plan to examine DeSARM’s capability cause architectural changes. Examples of such events include of discovering architectures that change over time as in the component failures as well as component removal due to adap- case of dynamic software adaptation [ 13 ], [ 12 ]. This work will tation. When such events occur, this layer informs DeSARM examine different recovery and adaptation models as well as of the affected component(s). Due to the decentralized nature dynamic components, i.e., components that change their comof DeSARM, this update can be received at any node. Upon munication patterns at runtime based on their state or phase receipt, the node will remove from its AML all entries related of execution, and the impact on DeSARM. Also of interest, to the removed component(s) that contain the component(s) is addressing the mechanism’s capacity for discovering the as a sender or receiver and use gossip to propogate these full behavioral architecture of a system such as identifying deletions to other nodes within the system. Note that archi- component interaction protocols. tectural changes that result in new components being added In the current experiments, we used a fixed architecture to are handled automatically by DeSARM as described here. illustrate how DeSARM converges with and without failures

The fourth issue is the overhead of the gossip mechanism and how it operates equally well with two or thirty physical in relation to both network traffic as well as latency in the machines. In the future, we will run experiments in which a vasending and receiving of component messages. DeSARM has riety of software architectures are generated following certain very little network overhead for two reasons: the size of the distributions for parameters such as number of components AMLs and its use of selective gossiping. As the AMLs contain and communication pattern types. only unique tuple entries of component interactions, the size As mentioned previously, DeSARM is being integrated of the AMLs are kept small. This in effect reduces the overall with an existing application recovery mechanism (ARM) that bandwidth needed for gossip exchanges. Also, as mentioned allows for the runtime recovery of component(s) due to node earlier, selective gossiping allows for the containment of failure [ 1 ]. Through the peer sampling capability of gossip network traffic to only those nodes that are part of the same [ 18 ], DeSARM is able to identify suspected node failures and application which further reduces the communication overhead alert the ARM. Once the node failure has been verified, the of the mechanism. With respect to the latency of component ARM proceeds to recover the failed component(s) to a new messaging, DeSARM can keep it at a minimum because, as node and re-instantiates them based on the current architecture previously mentioned, all major functionality is separated into provided by DeSARM. As a result of the decentralized nature different threads. This allows for all other processing to take of DeSARM, component recovery can be initiated from any place in the background thus reducing any major impact the node as each maintains a complete model of the architecture. gossip mechanism will have handling component messages. This integration will allow for the development of applications that are resilient to failures.

This paper described DeSARM, a completely decentralized and automated approach for software architecture discovery of distributed systems based on gossiping and message tracing. Through message tracing, DeSARM is able to identify important architectural characteristics such as components and connectors in addition to synchronous and asynchronous communication patterns. Furthermore, through the use of gossiping, DeSARM exhibits the properties of scalability, global consistency among participating nodes, and resiliency