A Trustworthiness Evaluation Method for Software Architectures Based on the Principle of Maximum Entropy (POME) and the Grey Decision-making Method (GDMM)

As the early design decision-making structure, a software architecture plays a key role in the final software product quality and the whole project. In the software design and development process, an effective evaluation of the trustworthiness of a software architecture can help make scientific and reasonable decisions on the architecture, which are necessary for the construction of highly trustworthy software. Given the lack of studies on trustworthiness evaluation and measurement for software architectures, this paper provides a trustworthiness attribute model of software architecture. Based on this model, the paper proposes to use the Principle of Maximum Entropy (POME) and the Grey Decision-making Method (GDMM) as the trustworthiness evaluation method for a software architecture, proves the scientificity and rationality of this method, and verifies its feasibility through case analysis.


Introduction
With the increasing spread and complexity of software systems, software is not always trusted, and its behaviors and consequences sometimes do not conform to people's expectations and may even lead to disasters. This kind of accident is common. In 2007, the software system of Los Angeles International Airport broke down, which led to 60 flights, and 20,000 passengers in total, failing to land [1]. Due to the whole collapse of the ambulance dispatch software system in London (UK), many patients lost their lives because of the resulting untimely rescues [2]. In 2005, Japan's Tokyo Stock Exchange suffered a stock market lockout due to a software system failure [1]. In 2003, the Russian Alliance-TMA1 satellite deviated 460 km from the expected landing spot on the way back due to a design error in its navigation software [1]. Therefore, constructing trustworthy software has been an important trend and inevitable choice for modern software technology development and application.
In the software design and development process, effectively tracking and controlling software trustworthiness is an effective means of improving the overall software trustworthiness [3]. Numerous practices show that 70% of errors of the software development projects (especially in large-scale systems) are caused by the architecture and requirements. The longer an error stays in the system, the more difficult it is to find and the more expensive it is to solve [4]. Thus, control in the early stage of software development can have a sound effect. One of the founders of UML, Grady Booch, a famous computer professional, thinks a weak software architecture is one of the reasons for the failure of software projects. Perry [4,5] considers the software architecture as the first most important design object in software development project management, while Boehm [4,6] clearly points out that if there are no architecture and rules, the whole project cannot go on. As the first semi-product from the problem space to the solution space, a software architecture is an important part of software development and project management. The trustworthiness of an architecture is the basis of developing highly trustworthy software. How to use the analysis and evaluation of a software architecture to guarantee and improve software trustworthiness and quality has been a research hotspot of software project management academic research and engineering practice [7]. However, is a specific software architecture really trustworthy? How can its trustworthiness be evaluated and measured? How can the most trustworthy architecture be selected from among the various candidates? All these issues must be solved urgently in the software project quality management field.

Trustworthiness Software
In 1985, Laprie [8] proposed the concept of dependable computing. For many years, people have put forward various statements on the concept of dependable software from different views. So far, there is still no widely accepted, well-formed definition. It can be called Trustworthiness, Credibility, Dependability, Confidence and Assurance [2]. The International Trusted Computing Group thinks that Trustworthiness refers to the fact that the system completely complies with the intentions of the designers and programmers to implement a specific task [9]. The US National Science and Technology Council (NSTC) thinks that the high confidence of an information system is a predictability measurement that conforms to the set expectations [10]. This concept emphasizes the behavior predictability and target conformity of a software (object).
In recent years, many countries have attached importance to the study of trustworthy software and proposed relevant research plans with clear targets. The US National Software Development Strategy (2006-2015) places the development of highly trustworthy software in the first place and puts forward the idea of next-generation software engineering.
Formalization theory and software verification technology have been paid great attention in the trustworthy software field. The Turing Award winners Edsger Wybe Dijkstra, Tony Hoare, Robin Milner, Amir Pnueli and others have all adopted various formalization methods to improve the trustworthiness, reliability and safety of programs in the programming field. For example, the axiomatization theory of sequential programs put forward by Tony Hoare gave the formalization inference system of sequential programs with partial correctness and complete correctness through pre- or post-assertion.
Besides, there are also many research achievements in trustworthy software. Suri et al. [11] developed a dependability-driven framework that helps conduct the integration of SW components onto HW resources for dependable embedded systems. Shin et al. [12] studied integration testing through reusing representative unit test cases for high-confidence medical software. Oza et al. [13] presented a detailed empirical investigation of trust in commercial software outsourcing relationships, and the investigation presents what vendor companies perceive about obtaining trust from client companies in outsourcing relationships. Babar et al. [14] study establishing and maintaining trust in software outsourcing relationships. Their research objective is to understand software outsourcing practitioners' perceptions of the role of trust in managing client-vendor relationships and the factors that are critical to trust in off-shore software outsourcing relationships. Ahamed et al. [15] presented a flexible, manageable, and configurable software-based trust framework for the handheld devices of managers to access distributed information systems.

Software Architecture
Since the proposal of the concept of software architecture in the 1990s, there have been hundreds of definitions [16,17]. Garlan and Shaw [18] defined it as below: Software Architecture = {components, connectors, constraints}. A component can be a group of codes (for example, the module of a program) and an independent program. A connector represents the interaction between components, for example, program calls, channels, remote procedure calls and others. A software architecture also includes some constraints.
Creps and Simos defined it as follows [19]: Software Architecture = {elements, interfaces, connections, connection semantics}. A software system is composed of a group of elements, which can be divided into processing elements and data elements. Each element has one interface and the connection of a group of elements constitutes the topology of the system. The connection semantics of elements belongs to static interconnection semantics (for example, the connection of data elements), describing the information conversion protocol of dynamic connection (for example, program call, channel, etc.).
Rugina et al. [20] put forward a system trusted modeling framework based on the Architecture Analysis and Design Language (AADL) and Generalized Stochastic Petri Nets (GSPN) so as to guarantee the trustworthiness of the software. In [21], embedded system architecture trusted modeling based on the architecture analysis and design language and an error model is studied.
Besides, there are also many research achievements in this field. Anjos et al. [22] proposed a software architecture based on LabVIEW for controlling discrete event systems. The proposed architecture is an adaptation of the producer-consumer design pattern. Weinreich and Buchgeher [23] presented a semi-formal architecture model, which is used in all activities of the architecture life cycle, and a set of extensible and integrated tools supporting these activities. Kazman et al. [24] showed how architecture design and analysis techniques rest on a small number of foundational principles. Li et al. [25] aimed to collect studies on the application of knowledge-based approaches in software architecture and make a classification and thematic analysis of these studies. Breivold et al. [26] presented a systematic review of architectures for software evolvability to obtain an overview of the existing approaches in analyzing and improving software evolvability at an architectural level, and investigate the impacts on research and practice.

Trustworthiness Evaluation
Ding et al. [27] proposed a novel evidential reasoning based method for software trustworthiness evaluation under uncertain and unreliable environment conditions. Schmidt et al. [28] not only proposed a customisable trust evaluation model based on fuzzy logic, but also demonstrated the integration of post-interaction processes like business interaction reviews and credibility adjustment. Zarandi et al. [29] studied dependability evaluation of embedded systems, and proposed an experimental method to determine sensitivity to soft errors in an embedded system exploiting Altera SRAM-based FPGAs. An important concern for the successful deployment of a dependable system is its quality of service (QoS), which is significantly influenced by its architectural style. Bischofs et al. [30] proposed the comparative evaluation of architectural styles by simulation.

This Paper's Reviews
At present, there is a lot of literature on trustworthy software as well as on software architecture. However, the research achievements in software trustworthiness evaluation and measurement are not so abundant and the relevant theories and methods are immature [1]. The lack of trustworthiness evaluation and measurement methods makes the product have numerous defects and threatens the system operation when it is launched [31].
In [27][28][29] software trustworthiness evaluation and measurement are studied, but the software architecture is not. In [30] the style evaluation of a software architecture is studied, but the concept of trustworthiness is not involved. In [20,21] the authors study the trusted modeling of an architecture but do not involve trustworthiness evaluation and measurement. Paper [32] studies the service-oriented trustworthy software architecture and gives the corresponding algebraic model, but it also fails to discuss trustworthiness evaluation and measurement. In [7] a software architecture quality evaluation is carried out, but it does not consider its trustworthiness. At present, software architecture quality evaluation mainly includes questionnaire or checklist-based evaluations, scene-based evaluations, measurement-based evaluations and so on. According to the author's investigation, there is no literature about research achievements on software architecture trustworthiness evaluation and measurement.

Related Definition
For the convenience of studying software architecture trustworthiness, this paper provides the definitions below on the basis of the previous studies:
Definition 1: Trustworthiness means that when an entity realizes the set target, its behaviors and consequences can always be expected.
Definition 2: Trustworthy software refers to the fact that the service provided by the software system always conforms to people's expectation and is still stable in case of interference.
Definition 3: Trustworthiness of a software architecture refers to the degree by which a software architecture conforms to people's expectations, supports the software life cycle and provides services in each stage of the life cycle.
Definition 4: Trustworthy software architecture: if a software architecture meets people's expectations, then it is a trustworthy software architecture.

Trustworthiness Attribute of a Software Architecture
From Definitions 3 and 4, it can be seen that the trustworthiness of a software architecture is a subjective feeling of its trustworthiness attribute for people, and the trustworthiness attribute can further describe the trustworthiness of a software architecture. One trustworthy attribute expresses an objective ability of the software architecture relevant to the trustworthiness. As the semi-product in the software process, the software architecture determines the final software product and obviously its trustworthiness attribute is relevant to that of the software. Also undoubtedly the quality characteristic of the software architecture is an important indicator of its trustworthiness attribute. The higher the quality is, the higher the trustworthiness is. Therefore, the trustworthiness attribute modeling of a software architecture is based on the software trustworthiness attribute and the software architecture quality attribute. Avizienis et al. [33] stated the fundamental concepts and classification of trustworthy computing and secure computing and first proposed the conceptual framework of trustworthiness. Bo et al. [31] came up with a software trustworthy hierarchy model. Albin [34] raised the issue of the software architecture quality attributes.
Based on these achievements, this paper presents a trustworthiness attribute model of software architecture in Figure 1, which enables the trustworthiness to be expressed. This model is a set of trustworthiness attributes and the defined trustworthiness attributes of a software architecture are constituted by its availability, simplicity, maintainability, reliability, security and performance, as well as their respective sub-attributes, as shown in Figure 1.
Availability refers to the ability that a software architecture has for the explicit and implicit requirement functions and the correct services for follow-up software processes. In detail, it includes function conformity, function accuracy and function completeness.
Simplicity refers to the degrees of comprehension, learning, analysis and use of the software architecture, including the intelligibility and simplicity to use.
Maintainability refers to the ability to adjust and modify the software architecture. It demonstrates the simplicity to correct a defect or modify the software architecture, including the adaptability and modifiability.
Reliability refers to the ability to provide continuous correct services and support in each stage of the software process, including maturity and fault tolerance.
Security refers to the ability to avoid the disclosure of unauthorized information and the improper modification of the system. It includes confidentiality and integrity.
Performance refers to the convenience and speed of the software architecture for the support and service provision in the follow-up software process, including time characteristic and resource utilization.

Evaluation Method Based on POME and GDMM
Due to limitations on cognition and the inherent complexity of objects, we usually can only acquire incomplete information during any decision evaluation, that is, a small sample and poor information which is only partially known. In 1982, Deng Julong, a famous Chinese scholar, published his paper titled "Control Problems of the Grey System" in Elsevier's Systems & Control Letters, marking the birth of grey system theory, which can effectively deal with uncertainty problems with poor information. In case of small samples and poor information, characteristic values of decision objects can usually be represented as grey numbers.
Software trustworthiness evaluation is a new direction in trustworthy software studies. However, the trustworthiness study of a software architecture is still in the exploration stage at present. The trustworthiness attribute model of a software architecture shown in Figure 1 belongs to a multi-attribute model. Each trustworthiness attribute has both greyness and fuzziness, which make the trustworthiness evaluation of the whole software architecture complex and difficult; this can be solved by inviting experts to make decisions. However, in consideration of the knowledge, experience, personal preference and other differences of each expert, there are both greyness and fuzziness when different experts evaluate the same specific issue, and their evaluations will vary.
To date, grey system theory has been applied to many different areas successfully. In terms of grey system decisions, Dang [35] achieved some pioneering research achievements and proposed the grey decision problem analysis method. On the basis of [35] and the trustworthiness attribute model of a software architecture (shown in Figure 1), the maximum entropy principle and the grey decision-making method are used to evaluate the trustworthiness of a software architecture, as shown below.
Suppose X, U and D respectively represent the alternative design scheme set, the trustworthiness attribute set and the trustworthiness evaluation expert set of the software architecture. The evaluation expert dk ∈ D gives the attribute value of the scheme xi ∈ X in case of trustworthiness attribute . For a given expert dk, there is an equivalent grey fuzzy relation R between the architecture design scheme set X and the trustworthiness attribute set U, which causes when membership degree (k) any scheme xi and trustworthiness attribute uj, there is grey level Then the grey fuzzy relation R, which is determined by evaluation expert dk, can be expressed as follows by aid of grey fuzzy relation matrix: Suppose the grey fuzzy weight vector of the evaluation expert is: where k λ 0 ), then the corresponding grey fuzzy relation matrix of expert group can be expressed as: where
Definition 5-Deviation degree [35]: suppose there is grey fuzzy number 1 is referred to as the deviation degree of grey fuzzy number . The maximum entropy principle is used to process the weight problem.
Similar to the principle of entropy increase in thermodynamics and statistical physics, there is also a corresponding and famous theorem about the information entropy: the Principle of Maximum Entropy (POME). Jaynes [36] points out that when inferring according to partial information, we must choose the probability allocation that possesses the maximum information entropy and obeys all the known information. This is the only unbiased allocation we can realize. Jaynes thinks this is the only unbiased allocation and that hypotheses of other forms may all introduce some uncertain subjective factors, which can bring some irrationalities into the final results. Jaynes has theoretically proved that the information entropy can achieve the distribution of maximum value under some constraint conditions (usually some given mean values of some random variables) according to the Maximum Information Entropy Theory when we select the distribution from all the compatible distributions. When the information entropy is maximum, the probability of the corresponding set of probability distributions is in absolute advantage. Simply, the maximum entropy criterion is meant to select the maximum solution of the entropy from all the possible solutions. When we regard the entropy as the most suitable tool to measure the uncertainty, we basically have decided to select the random variable distribution with maximum uncertainty under the given constraints, because when the entropy is maximum, the corresponding random distribution is the most random, which means the artificial assumption (artificially added information) is minimum. At this time, the maximum entropy solution among all the reliable solutions has the minimum subjective component. This makes a maximum estimation distribution of the uncertain issues. In this way, it is the most objective and the solution is the most natural and has minimum artificial deviation. The Principle of Maximum Entropy can be expressed as the following optimization problem:
Theorem 1 [37]: The solution of the maximum entropy optimization model (4) satisfying the moment constraints can be expressed as below: where αj is the Lagrange multiplier of the corresponding moment constraint j.
Proof: Since the definition of the entropy function already contains the non-negativity constraint on the discrete probabilities, it is not necessary to consider that constraint when computing.
Therefore, the Lagrange function of this issue can be written in the form below: where Entropy optimization problem (4) is convex programming, so it has a globally optimal solution, which can be directly solved through the stationary value condition of function L(P, α). At the same time, this problem also is a divisible variable optimization problem, so it is easy to utilize the stationary value condition to obtain the closed-form solution in the form of a multiplier: Suppose: Then it has the same function as the partition function in statistical physics. Substituting Equations (8) and (9) into Equation (7), we can get the maximum entropy distribution expressed with partition function Z: It is known from the principle of maximum entropy and [35], that w should let the total deviation function: is the minimum and the artificially added information is the least, therefore the entropy maximum is the most objective. The weight of the trustworthiness attribute shall be the solution of the following optimization problem: Formula (12) can be solved through the Lagrange multiplier method. Generally, the rule of the Lagrange multiplier method can be described as below.
For the conditional extremum point of an n-ary function ) , , , (


by constants


in order and then add them. In this way, we can get the following function: With n Equations (14) and m Equations (13) simultaneously, we can get m + n unknown numbers


may be the coordinates of the extremum point, called stationary point.
With the aid of the Lagrange multiplier method, we can get the unique solution of Formula (12) as follows: If we denote the attribute weight vector as: Let the weight of each known trustworthiness attribute and the corresponding point grey level constitute the following weight vector: where, j α 0 Gather the synthesized attribute value of each scheme, namely compute: where The ordering vector B = (β1, β2, …, βn) can be defined as: For Formula (19), the value of βi reflects that the larger the synthesized membership degree of scheme i is, the better it is; while the smaller the synthesized point grey level is, the better it is. From Formula (3) and Formula (15), we can get the synthesized grey fuzzy attribute value of each alternative software architecture design scheme, namely by computing Formula (8). According to Formula (19), we can get the ordering vector (18). Ranking the corresponding schemes in descending order of the components β1, β2, …, βn, the scheme with the largest component is the optimal scheme.
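Theorem 1 above, worked numerically as an added example (not code from the paper): for a single moment constraint, the sketch finds the Lagrange multiplier by bisection and builds the maximum entropy distribution from the partition function Z. The five rating levels, the target mean of 3.8 and all function names are assumptions made for illustration.

```python
import math

def partition_function(alpha, g):
    """Z(alpha) = sum_i exp(-alpha * g_i), the normalising constant."""
    return sum(math.exp(-alpha * gi) for gi in g)

def maxent_probs(alpha, g):
    """Closed form of Theorem 1: p_i = exp(-alpha * g_i) / Z(alpha)."""
    exps = [-alpha * gi for gi in g]
    shift = max(exps)  # subtract the largest exponent so exp() cannot overflow
    weights = [math.exp(e - shift) for e in exps]
    total = sum(weights)
    return [w / total for w in weights]

def mean_under(alpha, g):
    """Moment sum_i p_i * g_i of the closed-form distribution."""
    return sum(p * gi for p, gi in zip(maxent_probs(alpha, g), g))

def entropy(p):
    """Shannon entropy H(p) = -sum_i p_i ln p_i (0 ln 0 taken as 0)."""
    return -sum(pi * math.log(pi) for pi in p if pi > 0)

def solve_multiplier(g, target, lo=-50.0, hi=50.0, tol=1e-12):
    """Find alpha such that the constrained moment equals `target`.

    The moment is strictly decreasing in alpha (its derivative is minus the
    variance of g), so bisection on [lo, hi] converges to the unique root.
    """
    if not min(g) < target < max(g):
        raise ValueError("target must lie strictly between min(g) and max(g)")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if mean_under(mid, g) > target:
            lo = mid  # moment too large: increase alpha
        else:
            hi = mid
        if hi - lo < tol:
            break
    alpha = (lo + hi) / 2.0
    if abs(mean_under(alpha, g) - target) > 1e-8:
        raise ValueError("target too close to an extreme for this bracket")
    return alpha

# Constructed input: a five-level rating scale whose only known
# information is its mean score.
LEVELS = [1, 2, 3, 4, 5]
TARGET_MEAN = 3.8

if __name__ == "__main__":
    alpha = solve_multiplier(LEVELS, TARGET_MEAN)
    p = maxent_probs(alpha, LEVELS)
    print("alpha =", round(alpha, 6), "Z =", round(partition_function(alpha, LEVELS), 6))
    print("p =", [round(x, 4) for x in p], "H =", round(entropy(p), 4))
    # Another distribution with the same mean carries extra assumptions,
    # which shows up as lower entropy.
    other = [0.1, 0.1, 0.1, 0.3, 0.4]
    print("H(other) =", round(entropy(other), 4))
```

Any other distribution that satisfies the same mean constraint has strictly lower entropy, which is the sense in which the closed form adds the least artificial information.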

According to Formula (3), we can get the grey fuzzy relation matrix of group evaluation expert, shown as Table 6. According to Formula (15), we can get: From Formula (18) and Formula (16), we can get: The trustworthiness of the third scheme is the best and that of the first one is the poorest. The design schemes x1, x2, x3, x4 adopt layers architecture, implicit invocation architecture, blackboard architecture and control loop architecture, respectively. The blackboard architecture can construct models for cooperating tasks. It can express the synergism as well as solve the uncertainty in a flexible mode. The implicit invocation architecture suits a complicated project owing to its abundant planning function. The control loop architecture is not suitable for a complex system, but for a simple one. The main drawback to the layers architecture is that the frame will be damaged when detailed refinement requires a greater level. Therefore, the project decision maker selected the x3 architecture. The software system based on the architecture was successfully developed and has been used by company H for two years in good condition, showing that the evaluation method is scientific and reasonable.

Case 2
Another software project SPB of KSTC has three software architecture design alternative schemes X = {x1, x2 x3, x4} and four evaluation experts D = {d1, d2, d3, d4} to try to evaluate the trustworthiness of each software architecture design scheme. The operation procedure is the same as in Case 1. The expert evaluation results are shown in Tables 7-10. According to Formula (15), we can get: The trustworthiness of the first scheme is the best among the three software architecture alternative design schemes. Therefore, the project decision maker selected architecture x1. The software system based on that architecture was successfully developed and has been used by company P for a year in good condition, showing once again that the evaluation method is scientific and reasonable.

Discussion and Conclusions
To effectively trace and control the software trustworthiness in the design and development process is an efficient method. As the early design decision, a software architecture plays a key role for the software product quality and the success of the whole project. It is inevitable that an architecture with a low trustworthiness will lead to untrustworthy software. Therefore, the evaluation and measurement of a software architecture's trustworthiness can provide a basis for making scientific and reasonable decisions about an architecture and is necessary for the construction of highly trustworthy software. In view of the lack of studies on the evaluation and measurement of software architecture trustworthiness, this paper provides a trustworthiness attribute model of software architecture. Based on this model, the paper puts forward a trustworthiness evaluation method for software architecture based on POME and GDMM.
The third section demonstrates the scientific soundness and reasonability of this method theoretically, while the fourth section validates the feasibility and effectiveness of the method through case analyses.In Case 1 mentioned in the fourth section, four alternative architecture design schemes were designed for project SPA and evaluated by five experts and eventually the third one was applied to the software system development.In Case 2, three alternative architecture design schemes were designed for project SPB and evaluated by four experts and eventually the first one was applied to the software system development.The two software systems have been put into use for over one year by now and remain operating in good condition without any major problems or breakdowns.Thus it can be seen that the decision making is scientific and reasonable and the evaluation method put forward in this paper is effective.

Figure 1. Trustworthiness attribute model of a software architecture.
Lagrange multiplier of constraint j and α0 represents the Lagrange multiplier of constraint 

According to Formula (19), we compute the ordering vector of each architecture alternative design scheme and we can get that:

Table 1. The evaluation expert d1 gave the grey fuzzy relation matrix.

Table 2. The evaluation expert d2 gave the grey fuzzy relation matrix.

Table 3. The evaluation expert d3 gave the grey fuzzy relation matrix.

Table 5. The evaluation expert d5 gave the grey fuzzy relation matrix.

Table 6. The grey fuzzy relation matrix of group evaluation expert.

Table 7. The evaluation expert d1 gave the grey fuzzy relation matrix.

Table 8. The evaluation expert d2 gave the grey fuzzy relation matrix.

Table 9. The evaluation expert d3 gave the grey fuzzy relation matrix.

Table 10. The evaluation expert d4 gave the grey fuzzy relation matrix.

If the evaluation value of each evaluation expert is equally important, namely, λ1 = λ2 = λ3 = λ4. The grey values respectively are π1 = 0.1, π2 = 0.2, π3 = 0.25, π4 = 0.2, then . According to Formula (3), we can get the grey fuzzy relation matrix of group evaluation expert, shown as Table 11.

Table 11. The grey fuzzy relation matrix of group evaluation expert.