A Formal Method for Service Choreography Verification Based on Description Logic

Web Services Choreography Description Language lacks a formal system to accurately express the semantics of service behaviors and verify the correctness of a service choreography model. This paper presents a new approach to choreography model verification based on Description Logic. A meta model of service choreography is built to provide a conceptual framework that captures the formal syntax and semantics of service choreography. Based on this framework, a set of rules and constraints is defined in Description Logic for choreography model verification. To automate model verification, the UML-based service choreography model is transformed, by the given algorithms, into a DL-based ontology, so that the model properties can be verified by reasoning over the ontology with the help of a popular DL reasoner. A case study is given to demonstrate the applicability of the method. Furthermore, the work is compared with other related research.


Introduction
In recent years, industry and researchers have proposed a new way of constructing service compositions based on choreography. On this basis, the implementation of each part, based on service orchestration, is generated automatically [Khadka, Bramhananda and Pires (2013); Mendling and Hafner (2009); Cui, Zhang, Cai et al. (2018)]. To realize this automatic implementation mechanism for service choreography, WS-CDL (Web Services Choreography Description Language) [Kavantzas, Burdett and Ritzinger (2015); Sheng (2015)] was designed. It is a service-oriented description language that defines, from a global perspective, the rules of collaboration and interaction that a set of services must follow. However, WS-CDL, as an XML-based descriptive language, lacks formalized models and verification mechanisms, so it is difficult to ensure the correctness of collaboration and interaction. The correctness of the service orchestration model directly affects all participants involved in the interaction, which has a great impact on the implementation of the later system

Where: N is the session name; Act is the set of all activities that complete the session function; Ro is the set of roles contained in the session; and Pr is the condition that ensures the session can be carried out. The concepts in the meta-concept model come from WS-CDL, and the model extends the concepts of session, atomic session, compound session, and port for the purpose of formal modeling and verification of service choreography. Tab. 1 gives a detailed definition and description of each major concept.

The structure represents parallel activities, sequential activities, selection activities, and iteration activities, respectively, where the guardian condition p is enforced for the activity. In the iterative activity, if $p_g$ is true, the activity $A$ is executed; if $p_{rep}$ is true after the execution of $A$, the activity $A$ is executed iteratively until $p_{rep}$ is false.
DL is a family of knowledge representation languages with strict formal semantics. It is a decidable subset of first-order predicate logic. It contains a set of basic concept constructors, such as and (  ), implied (  ), universal restrictions ( ∀

indicates the session selected for execution. The session $S_1$ is executed when the guardian condition is true, and the session $S_2$ is executed when the guardian condition $p_2$ is true; workunit $S$ indicates the iteratively executed session. If $p_g$ is true, then the session $S$ is executed. After the session $S$ is completed, if it is true, then the session $S$ is executed iteratively until $p_{rep}$ is false. Inter-session relationship constraints satisfy the following DL expressions: ; ; . no silent assign req resp req resp perform atom

Domain rule description
A domain rule is a description of constraints in a particular domain that is used to maintain business structure or to control and influence business behavior, providing validation criteria for the model validation process. This paper divides the domain rules of service collaboration into three categories: consistency rules, integrity rules and deductive inference rules. The domain rules are not fixed and will be continuously enriched and refined by domain experts in practical applications.
The consistency of the model includes multiple aspects, such as syntax consistency and semantic consistency. Consistency reasoning based on the Tableaux algorithm can solve consistency verification problems such as Subsumption, Equivalence and Satisfiability [Wang, Dong and Zhu (2013)]. In this paper, the consistency of the model is defined in two aspects: whether there is a behavioral semantic conflict inside the applied conceptual model, and whether there is a semantic contradiction between the applied conceptual model and the meta-conceptual model. Based on the characteristics of service orchestration model integrity analysis, this paper focuses on the following service orchestration model integrity constraint rules based on the WS-CDL statute:

$S$ work is in the no-blocking mode, then the session executed iteratively will be skipped directly; the 'no-repeat' rule means that if $p_g$ is true and $p_{rep}$ is false, and the execution of $S$ via the basic session $a$ is performed as $S'$, then the session executed iteratively will be expressed as $S'$ via the execution of $a$; the 'repeat' rule means that if $p_g$ and $p_{rep}$ are true simultaneously, and the execution of $S$ is expressed as $S'$ via the basic session $a$, then the session executed iteratively is performed as ' 

The concepts, concept attributes, and concepts in the premise and conclusions are all converted into the premises and results of the Horn clause. The premises and results of the Horn clause are combined into the conditions and inferences of the SWRL by logical connectors. For example, for the rule $R_{atom}$, the converted SWRL expression is:

Case analyses
This section takes the shopping order choreographer model in e-commerce as an example. Under the guidance of the meta-concept model, the application conceptual model is constructed. Based on SHOIN(D), the consistency, integrity and state reachability of the model are verified by using Pellet.

The construction of service choreographer application concept model
The customer sends a purchase order request to the seller. After receiving the request, the seller reviews the customer's credit record with the bank and checks the supplier's inventory at the same time. If the credit is good and the inventory is sufficient, the order is accepted; otherwise the order is rejected. The Buyer sets its order status variable to "sent" and the Seller sets its order status variable to "received".
( . " "). The session $S_{creditCheck}$ completes the credit inquiry function: the Seller sends a credit inquiry request ccReq to the Bank, and the Bank replies to the request with ccResp="good"/"bad". Finally, the Bank and the Seller set the relevant state variables to "sent" and "received" respectively. ( . . , . . , @ ).
( . " "). The session $S_{invCheck}$ completes the inventory query function: the Seller sends an inventory inquiry request to the Supplier, the Supplier returns the inventory status icResp="sufficient"/"short" to the Seller, and both assign values to the relevant state variables respectively. ( . . , . . , @ ).
( . " "). If the customer has good credit and the inventory is sufficient, the Seller responds to the Buyer to accept the order, and the status of the order is set to "completed".
( . " "). If either the customer's credit history or the inventory status cannot be met, the Seller responds to the Buyer with a rejection of the order, and the status of the order is set to "uncompleted".

Model reasoning and verification
In the case of consistency and integrity verification of the service choreography model, taking R (Due to space limitations, the corresponding reasoning interface is not given here). Both types of rules are verified one by one until all possible inconsistencies and incompleteness are excluded. For the state reachability verification of the model, the reasoning process of Cho is given first (the rule used in each inference step is given in < >, and $a^*$ represents several consecutive basic sessions).

If the guardian condition of a session is met and each basic session of that session is successfully executed, then the state represented by the session is reachable. If each step of Cho is successfully executed, the final state is reached after a number of intermediate states.
The reasoning results are shown in Fig. 1.

Figure 1: Pellet engine-based modeling model reachability verification results
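The reachability argument above can be reproduced on the shopping order case with a small explicit-state search. This is an added example, not the paper's DL/Pellet encoding: it swaps ontology reasoning for plain enumeration of states. The session names `order`, `accept`, `reject` and the single variable `orderStatus` are assumptions; `creditCheck`, `invCheck`, `ccResp` and `icResp` follow the case description.

```python
from collections import deque

# Constructed encoding of the case study.
# session -> (guardian condition over variables, possible outcomes as updates)
SESSIONS = {
    "order": (lambda v: True, [{"orderStatus": "received"}]),
    "creditCheck": (lambda v: v.get("orderStatus") == "received",
                    [{"ccResp": "good"}, {"ccResp": "bad"}]),
    "invCheck": (lambda v: v.get("orderStatus") == "received",
                 [{"icResp": "sufficient"}, {"icResp": "short"}]),
    "accept": (lambda v: v.get("ccResp") == "good"
               and v.get("icResp") == "sufficient",
               [{"orderStatus": "completed"}]),
    "reject": (lambda v: "ccResp" in v and "icResp" in v
               and (v["ccResp"] == "bad" or v["icResp"] == "short"),
               [{"orderStatus": "uncompleted"}]),
}

def explore(sessions):
    """Breadth-first search over (executed sessions, variables) states."""
    start = (frozenset(), frozenset())
    seen, queue = {start}, deque([start])
    fired, terminals = set(), []
    while queue:
        done, packed = queue.popleft()
        env = dict(packed)
        enabled = [n for n, (guard, _) in sessions.items()
                   if n not in done and guard(env)]
        if not enabled:                      # no session can run: final state
            terminals.append((done, env))
        for name in enabled:
            fired.add(name)
            for update in sessions[name][1]:  # one successor per outcome
                nxt = (done | {name}, frozenset({**env, **update}.items()))
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return fired, terminals

def verify(sessions):
    """Report unreachable sessions, stuck final states and accept/reject overlap."""
    fired, terminals = explore(sessions)
    stuck = [env for _, env in terminals
             if env.get("orderStatus") not in ("completed", "uncompleted")]
    conflict = any({"accept", "reject"} <= done for done, _ in terminals)
    return {"unreachable": sorted(set(sessions) - fired),
            "stuck": stuck, "conflict": conflict}

if __name__ == "__main__":
    print(verify(SESSIONS))
```

A guard that can never be satisfied shows up twice in the report: the session is listed as unreachable, and the run that depended on it ends in a stuck state whose order status is neither "completed" nor "uncompleted".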

Conclusions and future works to do
This paper builds a conceptual model of service choreography based on the WS-CDL specification, and proposes consistency, integrity and state reachability deductive inference rules. On this basis, a method of transforming the verification problem of the service director model into a DL inference problem based on SHOIN(D) is proposed. An automatic inference engine is used to realize data consistency verification, integrity verification and rule-based logical reasoning. The main innovations of this paper are shown below:
(1) The extended WS-CDL builds a WS-CDL-based service choreography meta-concept model, and gives related concepts and relationships between concepts.
(2) The consistency, integrity and state reachability verification methods for the service choreography model are proposed and the corresponding verification rules are given.
(3) The service choreography model verification method DLV-CM based on SHOIN(D) is proposed. The DLV-CM has the description ability, automation degree and verification efficiency of the traditional system verification method, and supports the decidability of reasoning and the reuse of knowledge.

Compared with the complete semantic description and verification of WS-CDL, DLV-CM only focuses on some key issues of service coding. The service director meta-concept model and the DLV-CM verification method attempt to model and verify the consistency, integrity and state reachability of the service director model as simply as possible on the basis of absorbing the core idea of WS-CDL, and therefore ignore some of the more advanced concepts and mechanisms in WS-CDL, such as exception handling and finalize blocks. Extending the service choreography conceptual model and incorporating more concepts of WS-CDL will be the next step of our working group. At the same time, we are also actively exploring the possibility of verifying more model attributes under the DLV-CM framework.