Application of Equivalence Checking in a Loan Origination Process in Banking Industry

Transcription

1 2013 Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises Application of Equivalence Checking in a Loan Origination Process in Banking Industry Antonella Santone Dipartimento di Ingegneria, Università degli Studi del Sannio, Italy santone@unisannio.it Valentina Intilangelo intivale@hotmail.it Domenico Raucci Dipartimento di Economia, Università degli Studi di Chieti-Pescara, Italy d.raucci@unich.it Abstract Equivalence checking is traditionally applied to computer system design. It is a promising formal technique for the improvement of software quality. However, it requires detailed specifications of systems and is therefore not very accessible, above all in certain restricted fields of application. One of this domain is business process management. In particular, we examine the applicability of equivalence checking to validation of Business Processes that are mapped through the systems of Workflow Management. The usage of formal methods in business domain, however, is still not widely used. This is due also to the state explosion problem, which says that the state space grows exponentially in the number of concurrent processes. In this paper we consider a heuristic-based methodology developed to combat the state explosion problem for checking process equivalence. Our proposal is two-fold: (i) we show how equivalence checking can be applied in the context of business modelling and analysis; (ii) we evaluate and test the heuristic-based methodology using, as a case study, a real-world banking workflow of a loan origination process. Our investigations suggest that the business community, especially in the banking field, can benefit from this efficient methodology developed in the process algebra area to prevent significant errors. We show and discuss the experimental results obtained. Index Terms Business Process Management; Formal Methods; CCS; Heuristic Search; Workflow Verification; Banking Process. I. INTRODUCTION Formal methods are powerful techniques for specifying and verifying complex systems. Several techniques for formal verification have been developed over the past three decade among them equivalence checking. Equivalence checking is the process of determining whether two systems are equivalent to each other according to some mathematically-defined notion of equivalence. Equivalence checking is typically used to verify if a system design conforms to its high-level service specification. Although equivalence checking is currently not applicable to all domains, it is useful for certain restricted fields of application. One of this domain is business process management. In particular, we examine the applicability of equivalence checking to validation of Business Processes that are mapped through the systems of Workflow Management. The usage of this formal method in the domain of business process management however, is still not widely used. This is due also to the state explosion problem, which says that the state space grows exponentially in the number of concurrent processes. In fact, the parallelism between the processes of the system leads to a number of reachable states which may become very large, in some cases on the order of millions or billions of states. When the number of states is too large to fit in a computer s main memory, verification quickly breaks down. In fact, in the business process taken into account, we came across the state explosion problem. Specifically, this problem has emerged as a result of a first modelling of the banking process, in which the excessive number of processes in parallel has made impracticable the verification using standard model checker. Several approaches have been developed to solve or reduce the state explosion problem. In this paper to combat the state explosion problem for checking process equivalence we consider an efficient procedure, based on heuristic search [1], proposed in [2]. The procedure is applied to processes defined through a specification language very compact, the Calculus of Communicating Systems (CCS)[3] defined by Milner, which is one of the most well known process algebras and it is largely used for modeling concurrent and distributed systems. The approach uses a heuristic function that suggests to expand first the states that offer the most promising way to deduce that two systems are not equivalent. This makes it possible to avoid the exhaustive exploration of the global state graph of the two systems when they are not equivalent. One of the authors of this paper has contributed to the design of Grease (GREedy Algorithm for System Equivalence), a C++ tool supporting the heuristic approach to check equivalence of CCS processes. The use of Grease on a sample of small CCS processes has shown a significant reduction of both state-space size and time, compared to traditional equivalence checking algorithms. Our proposal is two-fold: (i) we show how equivalence checking can be applied in the context of business modelling and analysis; (ii) we evaluate and test the heuristic-based methodology using, as a case study, a realworld banking workflow of a loan origination process. More precisely, in this paper we describe in CCS both the implementation of the banking process and the specifications of the expected behaviours. Our results obtained by evaluating /13 $ IEEE DOI /WETICE

2 a real-world banking process are validated by comparing them to those obtained by a state-of-the-art tool for equivalence checking, i.e., the Concurrency Workbench of New Century (CWB-NC) [4], which one of the most popular environments for verifying concurrent system. Applying our approach we can prove the correctness of the system obtaining a considerable reduction of both state space size and time with respect to CWB-NC. Actually, for the proposed case study, differently from Grease, the CWB-NC is not able to give an answer, after waiting more than half an hour. This is due to the big number of states. This confirms that our approach is more scalable than CWB-NC. Our investigations suggest that the business community, especially in the banking field, can benefit from this efficient methodology developed in the process algebra area to prevent significant errors. The remainder of the paper is organized as follows. Section II is a review of the basic concepts of equivalence checking, while Section III briefly describes the heuristic-based approach for equivalence checking and its applicability in the business process management in banking industry. In Section IV the experimental results we obtained are reported and discussed. Finally, comparisons with related work and our conclusions are presented in Section V. II. EQUIVALENCE CHECKING In this section we introduce the basic concepts of formal methods. Formal methods are mathematically based languages, techniques, and tools for specifying and verifying complex systems. Several techniques for formal verification have been developed over the past three decade among them equivalence checking. For applying equivalence checking we first need a precise notation for defining systems. Specification is the process of describing a system. As starting point, we assume that system behaviour is represented as an automaton. It basically consists of a set of nodes together with a set of labelled edges between these nodes. A node represents a system state, while a labelled edge represents a transition from one system state to the next. That is, if the automaton contains an edge s a s, then the system can evolve from state s into state s by the execution of action a. One state is selected to be the root state, i.e., the initial state of the automaton. However, for the purpose of mathematical reasoning it is often convenient to represent automaton algebraically in the form of terms. For this aim, we use Milner s Calculus of Communicating Systems (CCS)[3], one of the most well known process algebras. CCS contains basic operators to build finite processes, communication operators to express concurrency, and some notion of recursion to capture infinite behaviour. The semantics of a CCS term p is precisely defined by means of the structural operational semantics. The semantic definition is given by a set of conditional rules describing the transition relation of the automaton corresponding to the behavior expression defining p. This automaton is called standard transition system for p and is denoted by S(p). More precisely, the syntax of processes is the following: p ::= nil α.p p + p p p p\l p[f] x where α ranges over a finite set of actions A = {τ,a,a, b, b,...}. Input actions are labeled with non-barred names, e.g. a, while output actions are barred, e.g. a. The action τ Ais called internal action. The set L ranges over sets of visible actions (A {τ}), f ranges over functions from actions to actions, while x ranges over a set of constant names: each constant x is defined by a constant definition x def = p. We give the semantics for CCS by induction over the structure of processes. The process nil can perform no actions. The process α.p can perform the action α and thereby become the process p. The process p + q can behave either as p or as q. The operator expresses parallel composition: if the process p can perform α and become p, then p q can perform α and become p q, and similarly for q. Furthermore, if p can perform a visible action l and become p, and q can perform l and become q, then p q can perform τ and become p q. The operator \ expresses the restriction of actions. If p can perform α and become p, then p\l can perform α to become p \L only if α, α L. The operator [f] expresses the relabeling of actions. If p can perform α and become p, then p[f] can perform f(α) and become p [f]. Each relabeling function f has the property that f(τ) = τ. Finally, a constant x behaves as p if x def = p. Equivalence checking is the process of determining whether two systems are equivalent to each other according to some mathematically defined notion of equivalence, such as strong and weak equivalence previously defined. The CCS language, like all other process algebras, can be used to describe both implementations of processes and specifications of their expected behaviours. Therefore CCS supports the so-called single language approach to process theory, that is, the approach in which a single language is used to describe both actual processes and their specifications. One process description, say SYS, may describe an implementation, and another, say SPEC, may describe a specification of the expected behaviour. This approach to program verification is also sometimes called implementation verification. For example, if the observable behaviour of a communications protocol is identical to that of a perfect communication channel that delivers all messages in order, then it would be justifiable to deem the protocol correct. One of the most popular environments for verifying concurrent systems is the Concurrency Workbench of New Century (CWB-NC) [4], which supports several different specification languages, among which CCS. In the CWB-NC the verification can be based both on model checking [5] and on equivalence checking. III. HOW TO GREASE IN A LOAN ORIGINATION PROCESS Formal methods cannot be easily scaled due to the state explosion problem, which says that the state space grows exponentially in the number of concurrent processes. In fact, the parallelism between the processes of the system leads to a

3 number of reachable states which may become very large, in some cases on the order of millions or billions of states. When the number of states is too large to fit in a computer s main memory, verification quickly breaks down. Several approaches have been developed to solve or reduce the state explosion problem. We now present a methodology to combat the state explosion problem for equivalence checking. In [2] an efficient approach based on heuristic search techniques to check equivalences has been defined. In general, a heuristic search strategy [1] uses an evaluation function to determine the order in which the nodes in the search graph are selected for expansion. The evaluation function measures the distance to a goal node based on an heuristic function which gives the estimated shortest distance from the given node to a goal node. In [2] the equivalence checking has been formalized as a search problem on AND/OR graphs. Moreover, an efficient equivalence checking procedure has been proposed, defining a heuristic function that suggests to expand first the states that offer the most promising way to deduce that two systems are not equivalent. The heuristic function, which is inductively defined on the syntactic structure of the CCS process, assigns a value to each node of the graph. Roughly speaking, that value is a measure of the degree of not similarity of the two states considered in that node. This makes it possible to avoid the exhaustive exploration of the global state graph of the two systems when they are not equivalent. One of the authors of this paper has contributed to the design of Grease 1 (GREedy Algorithm for System Equivalence), a C++ tool supporting the heuristic approach to check equivalence of CCS processes. Currently Grease accepts only CCS processes but it can be easily extended to manage also other specification languages like for example CSP and LOTOS. The use of Grease on a sample of small CCS processes has shown a significant reduction of both state-space size and time, compared to traditional equivalence checking algorithms. In this paper we evaluate the methodology on a real-world banking workflow of a loan origination process. A. Banking Process Overview As stated above, the application of formal techniques consists of an algorithmic approach to verification of such systems that can be represented by a formal model. According to the mentioned outlook, these methodologies are primarily related to verification of hardware and software systems. However, formal techniques and tools have a number of features that make it possible to extend their use to specific business domains, including the formal verification of business processes that are mapped and administrated through the systems of Workflow Management. The latter are generally used by managers to automate all or part of business processes by flushing documents, information and tasks from one participant to another, according to a set of procedural rules. With specific reference to dynamic workflows, i.e. those that evolve according to the events that occur and to the ways in which tasks are handled by users, a particular problem is represented by fairness because it is necessary to ensure 1 a080224/grease/ that workflows have been defined adequately with regard to desired properties. To deal with this situation it is possible to use the formal verification techniques and the associated tools. The underlying idea consists in representing each business process, including interactions between human components, databases, and hardware/software elements of the information system as a finite state transition system [6], [7], [8]. However, the complexity of this approach ends to limit its applicability to restricted areas where its use is justified in the light of economic considerations arising from the natural tradeoff between the costs of implementation and the benefits achieved. We refer in particular to those business processes so-called business-critical or commercially-critical, where the characteristics of fairness and integrity are prerequisites for the success of a market or business transaction [9], [10], [11], [12], [13]. The above-mentioned banking process of loan origination fits into this context. The need to increase efficiency and reduce costs is pushing for a long time many banks to review internal processes, models, organizational procedures and technological applications, in order to ensure cost-effectiveness and maintain, at the same time, a high level of quality of services provided to customers. In this vein are situated very important projects including the reengineering of the process of investigation and provision of different forms of credit on mortgages and personal loans, aimed in particular to the introduction of new procedures supported by Workflow Management tools [14], [15], [16]. We introduce, at this point, the banking process in question, providing a broad overview of the same thanks to typical logic of workflow tools. The process is instantiated whenever a customer of the bank applies for a loan and it starts with the update of customer data if he/she is already present in the registry or with the insertion of a new record in the database if he/she is a new customer. Taking into account the information provided, the process proceeds with the identification of the type of customer and with its simultaneous location in the segmentation made by the bank. Then there is the need to make a series of internal and external controls in order to assign a rating to the customer, which is a synthetic judgment of reliability based on assets and income of the same, thanks to which it is possible to express the level of the loan credit-worthiness. Afterwards it is selected among the products that are part of the bank s offer, the one which corresponds to the set of features and price conditions that fits better the type of client that requested the funding. If the latter is satisfied with the proposal received, the bank proceeds to the signing of the contract and, therefore, the formalization of the agreement, reaching the end of the process. IV. EXPERIMENT RESULTS In this section we present and discuss our experience with using the Grease, implementing the heuristic-based approach, to verify the banking process previously described. The aim is to evaluate the performances of the approach and compare it against the CWB-NC. Experiments were executed on a 64 bit, 2.67 GHz Intel i5 CPU equipped with 8 GiB of RAM and running Gentoo Linux. The tool is freely available for download at the url a080224/grease/

4 Customer Clerk preprocessor Clerk postprocessor Supervisor Manager Loan Request Input Customer Data and Identification Rating Request Internal and External Rating Big Amount? No Pricing Bundled Product Yes Internal Rating Verification Possible Modifications No Three Attempts? No Negative feedback Yes Verification Request Price Bundled Product Adequate? Yes Customer Signature Positive feedback Manager Signature Fig. 1: Loan origination workflow. Figure 1 shows a typical loan origination process in the banking domain, as previously described. To formally verify the banking process it is firstly required to give a formal specification of each component of the system. Each component of the banking process involves complex interactions since the component can dialogue with other components. For example, the customer dialogue with the first phase clerk, for instance to ask for a loan request. Figure 2 shows a view of all the processes (the boxes in the figure) involved in this loan origination process as well as the synchronisations between these entities. Synchronisations are denoted using lines joining the involved agents with actions and their direction (prefixed by a quote for emissions). Each process is translated in CCS and all CCS processes are then composed using the parallel operator providing that all synchronisations are defined as restricted actions. All component have been specified in CCS; in Table I we show only the CCS specification of the first phase clerk, just to give the reader the flavor of the approach followed. From a textual CCS specification it is possible to generate the corresponding labeled transition system, which can be successively used for equivalence checking. We prefer textual syntax since it is more adapted to proof-writing and formal reasoning, as well as to the description of large-scale systems. Graphical notations are anyway complementary and can be used by user-friendly front-ends. The results for the verification of our system using weak equivalence are shown in Table II. In the table the second column shows the results in terms of generating states (gen) and time, expressed in seconds, using Grease. The third column should show the number of generated states and time resulting from the CWB-NC. The CCS specification (namely p) representing the CCS banking process has states and transitions. To apply equivalence checking we have to specify in CCS also the expected behaviours. Thus, in the first experiment we represent as CCS process (namely q) the following requirement: the customer receives a copy of the contract only if the loan application was successful. The result is that p is not weak equivalent to q, since it must hold that the customer receives a copy of the contract not only if the loan application was successful but also when another condition is satisfied, i.e., when the customers he has affixed his signature. In the second experiment, we represent as CCS process (namely q) the following requirement: after a request by the customer for a loan, the procedure terminates with success. The result is that p is not weak equivalent to q, since obviously the procedure can terminate also with a failure. It is worth pointing out that, differently from Grease, the CWB-NC is not able to give an answer, after waiting more than half an hour for both the requirements. Therefore no verification can be performed. This is due to the big number of states. This confirms that our approach is more scalable than CWB-NC. Grease CWB-NC gen time gen time first requirement second requirement TABLE II: Results - weak equivalence. V. CONCLUSIONS AND RELATED WORK The work presented in this paper shows that equivalence checking can be very useful to enhance the quality in the doamin of business management. However, using traditional equivalence checkers we find some difficulties to prove the

5 Fig. 2: Graphic representation of the interactions among all the components involved in a loan origination process. proc FirstPhaseClerk = loanrequest. informationrequest.customerinformation.( insertcustumerdata. ratingrequest.firstphaseclerk + updatecustomerdata. ratingrequest.firstphaseclerk) TABLE I: The CCS first phase clerk specification concreteness of real-world banking. This is mainly due to the state explosion problem. To combat this problem we consider an efficient procedure, based on heuristic search, which uses a heuristic function that suggests to expand first the states that offer the most promising way to deduce that two systems are not equivalent. This makes it possible to avoid the exhaustive exploration of the global state graph of the two systems when they are not equivalent. We use Grease (GREedy Algorithm for System Equivalence), a C++ tool supporting the heuristic approach to check equivalence of CCS processes. Our investigations suggest that the business community, especially in the banking filed, can benefit from the efficient heuristic-based methodology developed in the process algebra area to prevent significant errors. A real-world banking workflow of a loan origination process was chosen as a case study to demonstrate the usefulness of Grease which reduces the state explosion problem. As shown by the above experiments, Grease obtains good results when compared with CWB-NC both in performance, i.e., the speed at which the tool returns its results, and its scalability, i.e., the extent to which the tool can manage increasingly large systems

6 Similarly to our investigation, in [17], the authors analyse the verification of the safety of a system (i.e., avoiding the undesired propagation of access rights or indirect access through some other granted resource) which is one of the goals of access control research. In particular, they consider delegation and revocation functionalities mainly focusing on organizational control principles. However, differently by our equivalence-checking approach, they propose a modelchecking based methodology using SMV tool. Moreover, our aim is also to reduce the state explosion problem arising when dealing with complex systems such as the loan origination processes in banking industry. The most challenging task when applying automated formal verification in practice is to conquer the state explosion problem. Several approaches have been developed to solve or reduce the state explosion problem for model checking. Among them, reduction techniques based on symbolic model checking techniques [18], partial order techniques [19], compositional techniques [20], [21], abstraction approaches [22], [23] and heuristic-based approaches [24], [25], [26]. Moreover, the above approaches has been successfully applied in several fields, like for example clone detection [27], [28], analysis of social networks [29], incremental construction of complex systems [30], secure information flow in concurrent programs [31]. For equivalence checking algorithms with minimal space complexity are of particular interest. Two algorithmic families can be considered to perform the equivalence checking. The first one is based on refinement principle: given an initial partition, find the coarsest partition stable with respect to the transition relation see for example the algorithm proposed by Paige and Tarjan in [32]. The other family of algorithms is based on a Cartesian product traversal from the initial state [33], [34]. These algorithms are both applied on the whole state graph, and they require an explicit enumeration of this state space. This approach leads to the well-known state explosion problem. Classical reduction algorithms already exist [35], [36], but they can be applied only when the whole state space has been computed, which limits their interest. A possible solution is to reduce the state graph before performing the check as shown in [37], where symbolic representation of the state space is used. REFERENCES [1] J. Pearl, Heuristics - intelligent search strategies for computer problem solving, Addison-Wesley series in artificial intelligence, Addison- Wesley, [2] A. Santone, Heuristic for simulation checking, in: Proceedings of the 2011 International Conference on Artificial Intelligence, ICAI 2011, Vol. 1, 2011, pp [3] R. Milner, Communication and concurrency, PHI Series in computer science, Prentice Hall, [4] R. Cleaveland, S. Sims, The ncsu concurrency workbench, in: R. Alur, T. A. Henzinger (Eds.), CAV, Vol of Lecture Notes in Computer Science, Springer, 1996, pp [5] E. M. Clarke, O. Grumberg, D. Peled, Model checking, MIT Press, [6] M. Kohlbacher, The effects of process orientation on customer satisfaction, product quality and time-based performance, 29th International Conference of the Strategic Management Society, Washington DC (2009). [7] G. Gorry, M. S. Morton, A framework for management information systems, vol. 13, n. 1, Sloan Management Review (1971). [8] R. Daft, Organization theory and design, South Western Educ Pub. (2009). [9] R. Kaplan, D. Norton, The execution premium: linking strategy to operations for competitive advantage, Harward Business School Press, Boston (2008). [10] M. Porter, Competitive advantage, Free Press, New York (1985). [11] M. Morrow, M. Hazell, Activity mapping for business process redesign, management accounting, feb. p. 36 (1992). [12] M. Hammer, J. Champy, Reengineering the corporation, Harper Business, NY (1993). [13] T. Davenport, Process innovation, Harvard Business School Press, Boston (1993). [14] S. Drew, Business re-engineering in financial services, Pitman Publishing, London (1994). [15] G. De Laurentis, (edited by), Performance measurements frontiers in banking and finance, Egea (2004). [16] P. Allen, Reengineering the bank, Probus Publishing Company (1994). [17] A. Schaad, V. Lotz, K. Sohr, A model-checking approach to analysing organisational controls in a loan origination process, in: SACMAT, 2006, pp [18] K. L. McMillan, Symbolic model checking, Kluwer, [19] P. Godefroid, Partial-Order Methods for the Verification of Concurrent Systems - An Approach to the State-Explosion Problem, Vol of Lecture Notes in Computer Science, Springer, [20] E. M. Clarke, D. E. Long, K. L. McMillan, Compositional model checking, in: LICS, IEEE Computer Society, 1989, pp [21] A. Santone, Automatic verification of concurrent systems using a formula-based compositional approach, Acta Inf. 38 (8) (2002) [22] A. Santone, G. Vaglini, Abstract reduction in directed model checking ccs processes, Acta Inf. 49 (5) (2012) [23] E. M. Clarke, O. Grumberg, D. E. Long, Model checking and abstraction, ACM Trans. Program. Lang. Syst. 16 (5) (1994) [24] A. Santone, Heuristic search + local model checking in selective mucalculus, IEEE Trans. Software Eng. 29 (6) (2003) [25] S. Gradara, A. Santone, M. L. Villani, Delfin + : An efficient deadlock detection tool for ccs processes, J. Comput. Syst. Sci. 72 (8) (2006) [26] S. Gradara, A. Santone, M. L. Villani, Using heuristic search for finding deadlocks in concurrent systems, Inf. Comput. 202 (2) (2005) [27] A. Cuomo, A. Santone, U. Villano, A novel approach based on formal methods for clone detection, in: IWSC, IEEE, 2012, pp [28] A. Santone, Clone detection through process algebras and java bytecode, in: IWSC, 2011, pp [29] A. Santone, G. Vaglini, Modelling and analysing social networks through formal methods and heuristic searches, in: ICSOFT, 2012, pp [30] A. Santone, G. Vaglini, M. Villani, Incremental construction of systems: An efficient characterization of the lacking sub-system, Science of Computer Programming. [31] N. D. Francesco, A. Santone, L. Tesei, Abstract interpretation and model checking for checking secure information flow in concurrent systems, Fundam. Inform. 54 (2-3) (2003) [32] R. Paige, R. E. Tarjan, Three partition refinement algorithms, SIAM J. Comput. 16 (6) (1987) [33] J.-C. Fernandez, L. Mounier, on the fly verification of behavioural equivalences and preorders, in: Larsen and Skou [38], pp [34] J. Godskesen, K. Larsen, M. Zeeberg, TAV - tools for automatic verification: users manual, Institute for Electronic Systems, Department of Mathematics and Computer Science, The University of Aalborg, URL [35] J.-C. Fernandez, An implementation of an efficient algorithm for bisimulation equivalence, Sci. Comput. Program. 13 (1) (1989) [36] P. C. Kanellakis, S. A. Smolka, Ccs expressions, finite state processes, and three problems of equivalence, Inf. Comput. 86 (1) (1990) [37] J.-C. Fernandez, A. Kerbrat, L. Mounier, Symbolic equivalence checking, in: C. Courcoubetis (Ed.), CAV, Vol. 697 of Lecture Notes in Computer Science, Springer, 1993, pp [38] K. G. Larsen, A. Skou (Eds.), Computer Aided Verification, 3rd International Workshop, CAV 91, Aalborg, Denmark, July, 1-4, 1991, Proceedings, Vol. 575 of Lecture Notes in Computer Science, Springer,