Friday 20 November 2020

Voting-based approximation of dependability attributes and its application to redundancy schemata in distributed computing environments

On November 25 my student, Jonas Buys, is going to defend his doctoral dissertation. You are cordially invited to his on-line doctoral defense:

Voting-based approximation of dependability attributes and its application to redundancy schemata in distributed computing environments


Business- and mission-critical distributed applications are increasingly expected to exhibit highly dependable characteristics, particularly in the areas of availability and QoS-related factors such as timeliness. For this type of applications, a complete cessation or a subnormal performance of the service they provide, as well as late or invalid results, are likely to result in significant monetary penalties, environmental disaster or human injury. However, software components deployed within distributed computing systems may inherently suffer from several types of impairments, such as long response times or temporary unavailability.

Adopting classic redundancy-based fault-tolerant design patterns, such as NVP, in highly dynamic distributed computing systems does not necessarily result in the anticipated improvement in dependability. This primarily stems from the statically predefined redundancy configurations hardwired within such dependability strategies, i.e. a fixed degree of redundancy and, accordingly, an immutable selection of functionally-equivalent software components, which may negatively impact the schemes’ overall effectiveness, at least from the following two angles. Firstly, a static, context-agnostic redundancy configuration may in time lead to a more rapid exhaustion of the available redundancy and, therefore, fail to properly counterbalance any disturbances possibly affecting the operational status (context) of any of the components integrated within the dependability scheme. Secondly, the amount of redundancy, in conjunction with the voting algorithm, determines how many simultaneously failing versions the NVP composite can tolerate. A predetermined degree of redundancy is, however, cost ineffective in that it inhibits to economise on resource consumption in case the actual number of disturbances could be successfully overcome by a lesser amount of redundancy.

In this thesis, a novel dependability strategy is introduced encompassing advanced redundancy management, aiming to autonomously tune its internal redundancy configuration in function of the observed disturbances. Designed to sustain high availability and reliability, this adaptive fault-tolerant strategy may dynamically alter the amount of redundancy and the selection of functionally-equivalent resources employed within the redundancy scheme. In doing so, the algorithm relies on a number of measures designed for approximating the operational status of the redundancy configuration in terms of availability, and of individual resources in terms of reliability. Discrete-event simulation is used to analyse the effectiveness and performance of the algorithm, and to illustrate how it addresses the shortcomings commonly observed in conventional NVP approach.


#adaptive #faulttolerance #dependability #redundancy #redundancysupport #antifragile #antifragility #computationalantifragility #antifragileengineering

Monday 28 October 2019

The Sixth International Workshop on

Computational Antifragility
Antifragile Engineering

in the framework of the 11th International Conference on Ambient Systems, Networks and Technologies, April 6 - 9, 2020, Warsaw, Poland

Resilience is one of those "general systems attributes" that appear to play a central role in several disciplines--including ecology, business, psychology, industrial safety, microeconomics, computer networks, security, management science, cybernetics, control theory, crisis and disaster management. Despite being such an important systemic ingredient, no consensual definition of resilience has been proposed. Perhaps resilience could be better captured by considering the Aristotelian concept of entelechy: a resilient system is an entelechy, namely one that strives to preserve its characteristics; or with the words of Aristotle, it "is-at-work to stay-the-same", meaning that an antifragile system autonomosly adapts its function, structure, and identity, in order to systematically improve its system-environment fit. An antifragile system is thus one that may sacrifice some of its peculiar characteristics so long as it matches better with the conditions timely expressed by its deployment environment. It is a system able to take autonomic decisions as to its own adaptation and evolution.

Engineering a resilient system thus means designing a system whose major goal is to preserve its identity, and does so by adapting its function and structure so as to compensate for faults, failures, and attacks. In the context of computer systems, system identity is the set of functional and non-functional properties that are to characterize the system given the specifications of that system.

If we define resilience as above, it is easier to understand what is Antifragility, the concept recently highlighted by Professor Nassim Nicholas Taleb in his book. Antifragility is the property of a system that "is-at-work to get better",

This means that an antifragile system would autonomosly adapt its function, structure, and identity, in order to systematically improve its system-environment fit. An antifragile system is thus one that may sacrifice some of its peculiar characteristics (at least, peculiar with reference to its specification!) so long as it matches better with the conditions timely expressed by its deployment environment. It is a system able to take autonomic decisions as to its own adaptation and evolution.

As explained, e.g., in this article by Dr. Kennie H. Jones of NASA, the engineering of antifragile computer-based systems is a challenge that, once met, would allow systems and ambients to self-evolve and self-improve by learning from accidents and mistakes in a way not dissimilar to that of human beings. Learning how to design and craft antifragile systems is an extraordinary challenge whose tackling is likely to reverberate on many a computer engineering field. New methods, programming languages, even custom platforms will have to be designed. The expected returns are extraordinary as well: antifragile computer engineering promises to enable realizing truly autonomic systems and ambients able to meta-adapt to changing circumstances; to self-adjust to dynamically changing environments and ambients; to self-organize so as to track dynamically and proactively optimal strategies to sustain scalability, high-performance, and energy efficiency; to personalize their aspects and behaviors after each and every user. And to learn how to get better while doing it.
Learning how to design and craft antifragile systems is an extraordinary challenge whose tackling is likely to reverberate on many a computer engineering field. New methods, programming languages, even custom platforms will have to be designed. The expected returns are extraordinary as well: antifragile computer engineering promises to enable realizing truly autonomic systems and ambients able to meta-adapt to changing circumstances; to self-adjust to dynamically changing environments and ambients; to self-organize so as to track dynamically and proactively optimal strategies to sustain scalability, high-performance, and energy efficiency; to personalize their aspects and behaviors after each and every user. And to learn how to get better while doing it. The last six Editions of our workshop were enriched by the participation of Professor Taleb and Dr. Kennie H. Jones who kindly provided their keynote speeches. Today we aim to further enhance the awareness of the challenges of antifragile engineering and extend the discussion on how computer and software engineering may address them, also considering additional domains where antifragile behaviors would be very desirable. In particular, we shall consider two new domains to this seventh Edition of ANTIFRAGILE:

  • A first domain is antifragile transition onto sustainable development: Thus far, societal transitions have been spontaneous collective behaviors that did not result in any sustainable relationship with our environments. Interaction between the human societies and the global eco-system they inhabit interaction has resulted in phenomena that in the long run could endanger our species and the whole planet. Is an antifragile, human-induced transition onto sustainable development possible? How to design and steer such a transition so that our societies learn to systematically improve the human-environment fit?
  • A second domain is antifragile drone control: The focus here is air traffic management and how the advent of drones is impacting on all aspects of the air transportation industry. Self-learning, self-safe drones could represent a key ingredient to prevent disruptions and accidents.

As a design aspect cross-cutting through all system and communication layers, antifragile engineering calls for multi-disciplinary visions and approaches able to bridge the gaps between “distant” research communities so as to:
  • propose novel solutions to design, develop, and evaluate antifragile systems and ambients
  • devise computational models and paradigms for antifragile engineering
  • provide analytical and simulation models and tools to measure a system's ability to withstand faults, adjust to new environments, and enhance their identity and resilience in the process
  • foster the exchange of ideas and promote discussions able to steer future research and development efforts in the area of computational antifragility
The main topics of the workshop include, but are not limited to:
  • Antifragile Societal Transitions
  • Antifragile Drone Systems
  • Antifragile Social Systems
  • Antifragile Cities
  • Antifragile Communities
  • Antifragile Services
  • Antifragile Learning (Evolving Learning Machines)
  • Machine learning as a foundation to antifragile behaviors: Reinforcement learning, deep learning, and so on
  • Antifragile games
  • Antifragile cars
  • Internet-of-(Antifragile?)-Things
  • Conceptual frameworks for antifragile systems, ambients, and behaviours
  • Dependability, resilience, and antifragile requirements and open issues
  • Design principles, models, and techniques for realizing antifragile systems and behaviours
  • Frameworks and techniques enabling resilient and antifragile applications
  • Discussion and analysis if antifragile applications
  • Antifragile human-machine interaction
  • End-to-end approaches towards antifragile services
  • Autonomic antifragile behaviours
  • Middleware architectures and mechanisms for resilience and antifragility
  • Theoretical foundation of resilient and antifragile behaviours
  • Formal methods for resilience and antifragility
  • Programming language support for resilience and antifragility
  • Machine learning as a foundation of resilient and antifragile architectures
  • Antifragility and resiliency against malicious attacks
  • Modeling of antifragile systems (e.g., through Petri Nets)
  • Antifragility and the Cloud
  • Resilience and antifragility in human-computer interaction
  • Identity drifting in evolving systems (e.g., security aspects)
  • Specification and verification of resilient and antifragile systems
  • Programming language support for antifragility
  • Models of concurrent behaviors of "parts" leading to antifragile behaviors of the "whole"
  • Safety and security issues with reference to systems able to self-evolve their identity
  • Ethics issues related to antifragility
All ANT-2020 accepted papers (thus including the ANTifragile 2020 papers) will be published by Elsevier Science in the open-access Procedia Computer Science series on-line. Procedia Computer Sciences is hosted on and on Elsevier content platform, and will be freely available worldwide.
All papers in Procedia will be indexed by and by Thomson Reuters' Conference Proceeding Citation Index. The papers will contain linked references, XML versions and citable DOI numbers. You will be able to provide a hyperlink to all delegates and direct your conference website visitors to your proceedings. All accepted papers will also be indexed in DBLP (
Selected papers may be invited for publication in special issues of international journals. For example, the December 2015 issue of the Springer's Journal of Reliable Intelligent Environment was one such special issue.

Finally, as in previous editions, this year ANTifragile shall include a t-Workshop, namely an event taking place at the same time in the physical venue of the Workshop in Warsaw and in the Twitter social space! We're evaluating solutions making it possible for the live talks to be streamed to Twitter users, and at the same time to allow Twitter users to interact with the speakers, pose questions at the end of their presentations, and also to participate to our open discussion on the future of computational antifragility. People interested in the event may follow the hashtag #ANtWorkshop to receive fresh news about our event!

Contact Information

For any further information, please do not hesitate to contact any of the Chairs of this edition:
  • Vincenzo De Florio - Global Brain Institute - vincenzo.deflorio at
  • Stefano Serafini - Bio Urbanism - stefano.serafini at
  • Stefano Marrone - Second University of Naples - stefano.marrone at
  • Bryan Knowles - University of Wisconsin Madison - baknowles at

Important Dates

Submission deadline: January 10, 2020
Review reports sent to authors: January 17, 2020
Final submission deadline: January 24, 2020
Workshop date: April 6 or 7, 2020 date to be confirmed


Antifragile computing systems are those resilient systems that are:
  • auto-resilient, namely open to their own system-environment fit
  • auto-predictive, namely able to extrapolate on the reconfigurations that improve their own system-environment fit
  • and that develop wisdom as a result of matches between available strategies and obtained results
A few resources on computational antifragility are listed herein:
  • A description of two of the papers of the first edition of the workshop, as well as their presentations, is available here
  • The ERACLIOS blog (Elasticity, Resilience, Antifragility in CoLlective and Individual Objects and Systems)
  • "On Resilient Behaviors in Computational Systems and Environments", by V. De Florio - download - bibtex
  • "On environments as systemic exoskeletons: Crosscutting optimizers and antifragility enablers", by V. De Florio - download - bibtex
  • "Antifragility = Elasticity + Resilience + Machine Learning Models and Algorithms for Open System Fidelity", by V. De Florio - download

Submission and Camera Ready Instructions

Submissions shall be managed by sending submissions to vincenzo.deflorio at
Paper size is limited to 6 pages. Two additional pages may be added for a price. Please refer to the pages of ANT 2020 for more detail on this.

Wednesday 2 January 2019

Anomaly detection as detecting identity drifting

Suppose you want to detect man-in-the-middle attacks – a typical case of cybercrime in which the legit user of a system is taken over by a malicious attacker (either human or computer-based).
Which machine learning would best match said problem? The major issue is that this a case of anomaly detection – one wants to detect a condition that is usually very rare. No or very few public datasets describe malicious transactions of this type, so if one wants to construct a training set for a machine learning algorithm, one has a large number of negative examples (legit transactions) and very few, if any, positive examples. How to deal with this issue?

A solution is the one modelled in my paper “Antifragility = Elasticity + Resilience + Machine Learning: Models and Algorithms for Open System Fidelity”: to encode the normal behaviour and detect anomalies as driftings from the normal behaviour. A way to do this is by means of Markov chains – a powerful mathematical model that has been used, e.g., to generate random text in the style of a reference text. The idea is to use a reference Corpus – for instance, the Plays of Shakespeare – and feed them into a program that approximates the probabilities of observing a given word, given that that word is preceded by a number of other words. As an oversimplified example, one would calculate the probability that « to » and « be » are followed by « or », the probability that « be » and « or » are followed by « not », the probability that « or » and « not » are followed by « to », and so forth: 

P { ( « to », « be » ) => « or » } = some value x
P { ( « be », « or » ) => « not » } = some value y

Those probabilities would capture the peculiar way in which sentences are constructed in the reference Corpus – its identity, if you like. The random text would then be generated by taking a “random walk” from an initial sequence to a final one – as if the probabilities were the orbits of a dynamic system on words (namely, through the same approach I used in my paper “Permutation Numbers”).

How can the above mathematical model be of use to solve of our anomaly detection problem? It’s actually quite simple: one has to construct an analogy between the sentences in a reference Corpus and the behaviour exercised by the user of a software system. What does a user of a software system typically does? S/he uses a graphical user interface to specify actions that s/he requires to be executed. How is this done in practice? By visiting the widgets of the user interface, pressing keys, and so forth. Think of those actions as words in a sentence, and the interaction sessions of user U as the sentences that user U “says”. Then we can use the Markov approach and approximate the probabilities that a given number of user interface actions be followed by another such action. Those probabilities then encode… the reference behaviour of user U when using a given interface!
For each user U then one could create a set of reference probabilities I(U), representing the stereotypical behaviour of U – namely, its identity. Every time U logs into the system, I(U) would then be loaded and used as a reference identity. The new interaction session would then be used to construct a new set of probabilities, C(U). The distance of I(U) from C(U) would then quantitatively express the experienced anomaly. When said distance would become larger than a given threshold, the system would declare a case of man-in-the-middle attack.

Note that the same approach could be used to detect a slow drifting away of C(U) from I(U). This would represent a monotonic change in the user stereotype, which could be a sign the user developing fatigue of perception/ cognitive disorders.

The pictures below describes the approach via a collaboration diagram. User U expresses actions such as "visualize flights"; an instrumented user interface received the action and forwards the information to an "interaction logger" that creates a suitable representation for the "sentence" that U is building. The Markovian analyzer is then notified so as to update the probabilities describing the "sentence". At the end, those probabilities are stored into I(U).

At run-time, a new set of reference probabilities, C(U), is constructed and compared with I(U). An alarm is issued when the discrepancy between those two values becomes too large:

Sunday 11 February 2018

A hypothesis in evolutionary biology

Many authors, starting with the classic work by Trivers and Willard [1], hypothesized the existence of “conditions” able to influence or control the sex of the offspring. Ever since the publication of that classic work, researchers have been producing an impressive amount of results that either bring evidence or contradict that hypothesis. This production has been chaotic to say the least, with scholars deriving their conclusions from “facts” ranging from dubious interpretations of microscope images to extremely serious mathematical and statistical models of the many organs and processes at play. I am merely an information scientist, lacking too many important pieces in this trans-disciplinary problem. But I have read several papers on this, and my focus on information led me to a simple observation: in information science, what is really important is the variation of the signal rather than the signal itself; in other words, it is a signal's variation that carries information -- it is a message -- while a steady signal it is not. As an example, a diet is a signal while a change in a diet, especially when it is a significant change – it is a message. Evidence corroborating this idea may be found in several works. Professor Elissa Cameron and her team, for instance, found out [2] that, rather than glucose, it is the glucose gradient that might play a role in adjusting the offspring’s sex ratio in mice. This gradient represents a “message” from the environment, declaring the onset of a more favorable condition. The existence of “messages” of the opposite sign and outcome is also discussed by Professor Kristen Navara, who hypothesizes “a bias toward females during times of stress”, mediated by glucocorticoids in her very interesting paper [3]. A stress / glucocorticoids-gradient signals in this case a time where an investment in a male offspring would not be advisable.
Testosterone gradients are another example. It is well known how such changes represent “boosts” that can lead to more daring behaviors. The late Dr. Valerie J Grant, in several articles (e.g. [4]) and her book ([5]) suggests that higher levels of testosterone might be associated with a higher sex ratio. Results are a little contradictory though, and I suspect that this might be due to measurements of the signal and not of its variations. Also it is not clear to me whether testosterone would have a causal role or rise “simply” as a side effect of some “first cause.”
Other examples of such gradients may be found in the huge bibliography of Dr. William H. James, who drew several hypotheses of endocrine mechanisms to control or influence the sex ratio (see e.g. [6], [7]).
Of course, if we assume that such messages are actually “there,” a logical question would be: Which type of messages are at play here? My answer comes from considering the theory of a fractal organization of the all – as one can find, for instance, the human body. The latter is composed of a primary unit "personifying" the whole – the brain – and a sophisticated hierarchy of organized systems, each of which is further composed of hierarchies of organized sub-systems. The overall functioning of the human body requires messages flowing from one end to the other, signaling actions that need to be taken when certain conditions are established; hormonal messages are a typical example of this large distributed organization.
My conclusion is then that mechanisms for the alteration of the gender of the offspring could possibly be formulated in terms of a distributed system of said messages. Perhaps a distributed system of fractally organized messages! Messages that is with a scope that ranges from the micro to the macro, signaling waves of actions that could "tune" our internal mechanisms after the external conditions expressed by the environment. In a number of my papers (e.g. [7], [8], [9]), I have suggested that said mechanism could be modeled, in sociotechnical systems, in terms of evolutionary game theory -- which I believe is very much in line with what had been theorized by Trivers and Willard. In fact, my conjecture is that particular messages from the “whole” (the brain) to the “parts” (the systems of organs) are meant to provide contextual information to the latter ones in order to adjust their local action in such a way as to favor a global condition matching the passed information. Local conditions favoring the birth of an offspring with an optimal evolutionary advantage are maybe the outcome of those messages. As a response, “thinner” messages would request the onset of other conditions of a “lesser” (hierarchical) scope. In this view, one could say that Dr. James' hypotheses characterize the endocrine nature of a "layer" of those messages.

As Dr. James himself expressed multiple times  [10], the verification of an hypothesis such as mine would require the collaboration of many a specialist in domains I’m not acquainted with. I hope this short text may produce some interest and trigger exchange of ideas and chances for collaboration.


[1] Trivers, Robert L. & Willard, Dan E.. Natural Selection of Parental Ability to Vary the Sex Ratio of Offspring. Science, 05 Jan 1973 : 90-92
[2] Cameron, Elissa & R Lemons, Patrick & Bateman, Philip & Bennett, Nigel. (2008). Experimental alteration of litter sex ratios in a mammal. Proceedings. Biological sciences / The Royal Society. 275. 323-7. 10.1098/rspb.2007.1401.
[3] Navara, Kristen. (2010). Programming of offspring sex ratios by maternal stress in humans: Assessment of physiological mechanisms using a comparative approach. Journal of comparative physiology. B, Biochemical, systemic, and environmental physiology. 180. 785-96. 10.1007/s00360-010-0483-9.
[4] Grant V. J., et al. (2010). Can mammalian mothers influence the sex of their offspring peri-conceptually? Reproduction 140(3):425-33. doi: 10.1530/REP-10-0137.
[5] Grant, Valerie J. (1998) Maternal Personality, Evolution and the Sex Ratio: Do Mothers Control the Sex of the Infant? Rouletdge. ISBN: 978-0415158800
[6] James, William H (2008). Evidence that mammalian sex ratios at birth are partially controlled by parental hormone levels around the time of conception. Journal of Endocrinology 198, 3–15
[7] De Florio, V. Interpretations of the concepts of resilience and evolution in the philosophy of Leibniz,
[8] De Florio, V. Resilience as concurrent interplays of opponents: preliminary ideas and call for collaborations!
[9] De Florio, V. (2017) Systems, Resilience, and Organization: Analogies and Points of Contact with Hierarchy Theory. Procedia Computer Science 109, pp. 935-942.
[10] James, William H. (2013). "How Studies Of Human Sex Ratios At Birth May Lead To The Understanding Of Several Forms Of Pathology" Human Biology Open Access Pre-Prints. Paper 37.

Saturday 3 February 2018

Remembering Jean-Claude Laprie

On May 2, 2007, I was in Erlangen, Germany, at the EWICS-ReSIST Joint Workshop on "Teaching Resilient Computing". I presented there my ideas about a possible M.Sc. course on software resilience. It was there that I had the pleasure to meet -- for the first and only time, Jean-Claude Laprie. I'm glad I had with me my camera, so that I could take a few picture of the Maestro.

Thursday 15 June 2017

Interesting questions about resilience and antifragility

A colleague and member of the Computational Antifragility linked-in group, Dr. Hans Konstapel, asked today:

"The resilient resists shocks and stays the same, while the antifragile entity gets better". What is the relationship between a Shock and the "Antifragile" or the "Resilient" and what is the difference between the "Antifragile" and the "Resilient". If both are "identities" perhaps a "shock" is also an identity. If so is a "shock" resilient or even anti-fragile?

 This is my reply to Dr. Konstapel's interesting questions.

My understanding is as follows:
the difference in the resilient and the antifragile is not in their reaction to a Change or a Shock. In fact, under certain circumstances, the reaction of a resilient system might be such that the system masks/tolerates the new conditions. The same conditions might lead the antifragile to a failure. The added value of the antifragile system is the "genetic feedback" that those conditions produce. The resilient system is an "entelechy", namely does its best to "stay the same", and in doing so it repeats the same strategy on and on. The identity of the system is immutable. Not so the antifragile system: the identity of such system is dynamic -- which of course might also introduce concern (see for instance Stephen Hawking's plea against unbound AI).
More information e.g. and

Re: your interesting question: in my opinion the Shock is an action of the system we are in contact with -- the "environment"-system. Said system may indeed be resilient; antifragile; elastic; or plain "stupid" (meaning, able to only exercise non-purposeful behaviors). In fact in my opinion Game Theory is the perfect modeling tool to reason about the outcome of the interaction between the system and its environment.
(As a side note, it is significant that all the above ideas can be found already in Leibniz and His concept of compossible and non-compossible substances...)
More information here:

Picture from