Introduction Bounded Properties Unbounded Properties Experiments

Efficient Probabilistic Model Checking of Systems with Ranged Probabilities

Khalil Ghorbal (1,2), Parasara Sridhar Duggirala (1,3), Franjo Ivančić (1), Vineet Kahlon (1), Aarti Gupta (1)
(1) NEC Laboratories America, Inc.
(2) now with Carnegie Mellon University
(3) now with University of Illinois at Urbana-Champaign

September 18th, 2012, Reachability Problems

Ghorbal, Duggirala, Ivančić, Kahlon, and Gupta, RP2012, NEC Laboratories America

Problem Statement
- Analyze real-world stochastic systems
- Large systems contain many components (including third-party)
- Full formal system description not available
- But: Execution logs are easily generated

State-of-the-art solution: Black Box Technique
Black box techniques
- No system model
- Qualitative and quantitative properties
Learning Models
- Many applications need models (for example: anomaly detection)
- Bootstrapping to learn stochastic models
Can we use approximate learned models for sound analysis?

Motivation
- Analyze real-world stochastic systems
- Follow model based approach
- Analysis based on the (finite) set of execution logs generated at runtime (usually available for debugging purposes)
- Try to bridge the gap between the model and the system under analysis
- Need to provide a way of capturing confidence about the learned model
Overview
- Phase I: Learning: set of logs ↦ Stochastic Model (Interval-Valued Discrete-Time Markov Models)
- Phase II: Model Checking (sound quantitative analysis ... of the model!)

Why Interval Discrete Time Markov Chains (IDTMC)?
- Finite set of logs leads to approximate transition probabilities ± error due to the learning technique.
- To quantify the confidence in the model we use interval transition probabilities where the width of interval is related to the confidence parameters of the learning technique.
Figure: Small IDTMC Example (states A, B, C; transition intervals [0.29, 0.31] and [0.69, 0.71])

Outline
1 Introduction
2 Bounded Properties (DTMC, IDTMC)
3 Unbounded Properties (DTMC, IDTMC)
4 Experiments

Definitions: DTMC
A DTMC is a 4-tuple $M \stackrel{\text{def}}{=} (S, s_0, P, \ell)$:
- $S$ is a finite set of states,
- $s_0 \in S$ the initial state,
- $P$ a transition probability matrix,
- $\ell : S \to 2^{AP}$ is a labelling function; $\ell(s_i)$ gives the set of atomic propositions $a \in AP$ that are valid in $s_i$,
- $AP$ denotes a finite set of atomic propositions.
The component $p_{ij}$ of the square matrix $P$ denotes the transition probability between state $s_i$ and state $s_j$: $P[X_t = s_j \mid X_{t-1} = s_i]$.

Example
Figure: DTMC representation (states $s_1, \dots, s_4$ labelled with atomic propositions; edges labelled with transition probabilities $p_{i,j}$)

Probabilistic Computation Tree Logic (PCTL)
$\phi ::= \text{true} \mid a \mid \neg\phi \mid \phi \wedge \phi \mid P_{\bowtie\gamma}[\psi]$
$\psi ::= X\phi \mid \phi\, U^{\le k} \phi$
- $a \in AP$
- $\bowtie \in \{<, \le, >, \ge\}$
- $\gamma \in [0, 1]$ a threshold probability
- $k \in \mathbb{N} \cup \{+\infty\}$ (bounded and standard until)

Semantics of the P operator
Let $\mathrm{Prob}_M(s, \psi)$ denote the probability that a random path $\sigma$ in $M$ starting from $s$ ($\sigma[0] = s$) satisfies $\psi$, i.e. $\sigma \models \psi$.
$s \models P_{\bowtie\gamma}[\psi] \iff \mathrm{Prob}_M(s, \psi) \bowtie \gamma$
For an IDTMC: $\mathcal{M}, s \models \phi \iff \forall M \in \mathcal{M} : M, s \models \phi$.
Verifying PCTL properties over IDTMCs is known to be an NP-hard problem.

Model Checking over a DTMC
X property: $\psi = X\phi$
$\mathrm{Prob}_M(s_i, X\phi) = \sum_{s_j \models \phi} p_{ij}$
U property: $\psi = \phi_1\, U^{\le k} \phi_2$
$S^{\text{yes}} \stackrel{\text{def}}{=} \{ s_i \mid s_i \models \phi_2 \}$,
$S^{\text{no}} \stackrel{\text{def}}{=} \{ s_i \mid s_i \not\models \phi_1 \wedge s_i \not\models \phi_2 \}$,
$S^{\text{maybe}} \stackrel{\text{def}}{=} S \setminus (S^{\text{yes}} \cup S^{\text{no}})$.
If $s_i \in S^{\text{yes}}$, then $\mathrm{Prob}_M(s_i, \psi) = 1$.
If $s_i \in S^{\text{no}}$, then $\mathrm{Prob}_M(s_i, \psi) = 0$.

Model Checking over a DTMC (Cont'd)
Let $v_k[i] \stackrel{\text{def}}{=} \mathrm{Prob}_M(s_i, \psi, k)$, then
$v_k[i] = \sum_{j=1}^{n} p_{ij}\, v_{k-1}[j] = \sum_{j \in I^{\text{maybe}}} p_{ij}\, v_{k-1}[j] + \underbrace{\sum_{j \notin I^{\text{maybe}}} p_{ij}\, v_{k-1}[j]}_{b_i}$.
$v_{k-1}[j]$ are known for $j \notin I^{\text{maybe}}$ (either 0 or 1).
$v_k = P' v_{k-1} + b$,
The square matrix $P'$ is extracted from $P$ such that: for all $i$ such that $s_i \in S^{\text{yes}} \cup S^{\text{no}}$, we delete the $i$-th row and the $i$-th column.

Example
$M = (S, s_1, P, \ell)$
- $S = \{s_1, s_2, s_3, s_4\}$
- $AP = \{a, b\}$
- $s_1$ is initial state
- $\ell(s_1) = \{b\}$, $\ell(s_2) = \{a\}$, $\ell(s_3) = \{a \wedge b\}$, $\ell(s_4) = \{b\}$
$P = \begin{pmatrix}
0 & 0.5 & 0.1 & 0.4 \\
0.5 & 0 & 0 & 0.5 \\
0 & 0.8 & 0.2 & 0 \\
0.5 & 0.3 & 0.2 & 0
\end{pmatrix}$

Example (Cont'd)
$P_{\le\gamma}[\, b\, U^{\le 2} (a \wedge b)\,]$
$S^{\text{yes}} = \{s_3\}$, $S^{\text{no}} = \{s_2\}$ and $S^{\text{maybe}} = \{s_1, s_4\}$
$P' = \begin{pmatrix} 0 & 0.4 \\ 0.5 & 0 \end{pmatrix}$ and $b = (0.1, 0.2)^t$
$\begin{pmatrix} \mathrm{Prob}_M(s_1, \psi) \\ \mathrm{Prob}_M(s_4, \psi) \end{pmatrix} = \begin{pmatrix} 0.18 \\ 0.25 \end{pmatrix}$
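The bounded-until computation of the last three slides, as an added example that is not part of the original talk. The function names are hypothetical, and the label of $s_3$ is stored as the set {a, b}.

```python
# Added example: bounded until on the slides' 4-state DTMC via v_k = P' v_{k-1} + b.
P = [
    [0.0, 0.5, 0.1, 0.4],
    [0.5, 0.0, 0.0, 0.5],
    [0.0, 0.8, 0.2, 0.0],
    [0.5, 0.3, 0.2, 0.0],
]
# The slide writes l(s3) = {a ^ b}; here both a and b are recorded as holding in s3.
LABELS = [{"b"}, {"a"}, {"a", "b"}, {"b"}]


def partition(labels, phi1, phi2):
    """Split state indices into S_yes, S_no, S_maybe for phi1 U<=k phi2."""
    yes = [i for i, lab in enumerate(labels) if phi2(lab)]
    no = [i for i, lab in enumerate(labels) if not phi1(lab) and not phi2(lab)]
    maybe = [i for i in range(len(labels)) if i not in yes and i not in no]
    return yes, no, maybe


def bounded_until(P, labels, phi1, phi2, k):
    """Return {state index: Prob(s_i, phi1 U<=k phi2)}."""
    yes, no, maybe = partition(labels, phi1, phi2)
    # b_i: one-step probability of entering S_yes (S_no states contribute 0).
    b = [sum(P[i][j] for j in yes) for i in maybe]
    # P': rows and columns of S_yes and S_no states deleted.
    Pp = [[P[i][j] for j in maybe] for i in maybe]
    v = [0.0] * len(maybe)  # v_0 = 0 on S_maybe
    for _ in range(k):
        v = [sum(Pp[r][c] * v[c] for c in range(len(maybe))) + b[r]
             for r in range(len(maybe))]
    probs = {i: 1.0 for i in yes}
    probs.update({i: 0.0 for i in no})
    probs.update(dict(zip(maybe, v)))
    return probs


def slide_example():
    """b U<=2 (a and b), the property checked on the slide."""
    return bounded_until(P, LABELS,
                         lambda lab: "b" in lab,
                         lambda lab: {"a", "b"} <= lab, 2)


if __name__ == "__main__":
    for i, p in sorted(slide_example().items()):
        print(f"s{i + 1}: {p:.2f}")
```
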

Extension to IDTMCs
Sample probability transition relation for IDTMC:
$P = \begin{pmatrix}
0 & [0.49, 0.51] & [0.09, 0.11] & [0.39, 0.41] \\
[0.49, 0.51] & 0 & 0 & [0.49, 0.51] \\
0 & [0.79, 0.81] & [0.19, 0.21] & 0 \\
[0.49, 0.51] & [0.29, 0.31] & [0.19, 0.21] & 0
\end{pmatrix}$
Analysis using Interval Arithmetic
$v_k = P' v_{k-1} + b$
- Each successive iteration inherits the loss of precision due to interval arithmetic
- To overcome this loss of precision, in the bounded case, we use affine arithmetic
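The same iteration carried out in plain interval arithmetic on the interval matrix above, as an added example that is not part of the original talk. The helper names are hypothetical, and exact rationals are used so that no floating-point rounding enters the bounds.

```python
# Added example: v_k = P' v_{k-1} + b with interval entries, for b U<=2 (a and b).
from fractions import Fraction as F


def iv(lo, hi=None):
    """Interval from decimal strings; a single argument gives a point interval."""
    return (F(lo), F(lo if hi is None else hi))


def iadd(x, y):
    return (x[0] + y[0], x[1] + y[1])


def imul(x, y):
    prods = [a * b for a in x for b in y]
    return (min(prods), max(prods))


# Rows and columns s1 and s4 (S_maybe) of the slides' interval matrix;
# B holds the interval probabilities of moving from s1 and s4 into s3 (S_yes).
P_PRIME = [[iv("0"), iv("0.39", "0.41")],
           [iv("0.49", "0.51"), iv("0")]]
B = [iv("0.09", "0.11"), iv("0.19", "0.21")]


def interval_bounded_until(Pp, b, k):
    """Enclosures of Prob(s, phi1 U<=k phi2) for the S_maybe states.

    Every interval is treated as independent (the row-sum constraint is
    ignored), so the result contains the true range but may be wider.
    """
    v = [iv("0")] * len(b)
    for _ in range(k):
        new = []
        for r in range(len(b)):
            acc = b[r]
            for c in range(len(b)):
                acc = iadd(acc, imul(Pp[r][c], v[c]))
            new.append(acc)
        v = new
    return v


if __name__ == "__main__":
    for name, (lo, hi) in zip(("s1", "s4"), interval_bounded_until(P_PRIME, B, 2)):
        print(f"{name}: [{float(lo):.4f}, {float(hi):.4f}]")
```
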

Affine Forms
Interval Analysis Problem: Compute $x - x$
$[a, b] - [a, b] = [a - b, b - a] \supset [0, 0]$
In AA, the interval $[a, b]$ is represented using the affine expression:
$\frac{a + b}{2} + \frac{b - a}{2}\,\epsilon_1$,
where $\epsilon_1 \in [-1, 1]$ is introduced to capture the uncertainty.
$\hat{a} \stackrel{\text{def}}{=} \alpha_0^a + \alpha_1^a \epsilon_1 + \cdots + \alpha_l^a \epsilon_l = \alpha_0^a + \sum_{i=1}^{l} \alpha_i^a \epsilon_i$,
- $\alpha_0^a, \dots, \alpha_l^a$ are real coefficients (error weights).
- $\epsilon_1, \dots, \epsilon_l$ are symbolic error variables.

Affine Arithmetic
$\hat{a}$ and $\hat{b}$ are two affine forms; let $\lambda, \zeta$ be two finite real numbers.
Linear Operations
$\hat{a} \pm \hat{b} \stackrel{\text{def}}{=} (\alpha_0^a \pm \alpha_0^b) + \sum_{i=1}^{l} (\alpha_i^a \pm \alpha_i^b)\,\epsilon_i$
$\lambda \hat{a} \stackrel{\text{def}}{=} \lambda \alpha_0^a + \sum_{i=1}^{l} (\lambda \alpha_i^a)\,\epsilon_i$
$\hat{a} + \zeta \stackrel{\text{def}}{=} (\alpha_0^a + \zeta) + \sum_{i=1}^{l} \alpha_i^a \epsilon_i$
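Affine forms with the three linear operations above, set against interval subtraction on the $x - x$ problem, as an added example that is not part of the original talk. The class and function names are hypothetical, and the interval [0.29, 0.31] is reused from the small IDTMC example as sample input.

```python
# Added example: affine forms a0 + sum_i a_i * eps_i, each eps_i in [-1, 1].
from fractions import Fraction as F


class Affine:
    def __init__(self, center, terms=None):
        self.center = F(center)
        # Error-variable index i -> coefficient alpha_i; zero coefficients are dropped.
        self.terms = {i: F(c) for i, c in (terms or {}).items() if F(c) != 0}

    @classmethod
    def from_interval(cls, lo, hi, eps):
        """[lo, hi] -> (lo + hi)/2 + (hi - lo)/2 * eps_<eps>."""
        lo, hi = F(lo), F(hi)
        return cls((lo + hi) / 2, {eps: (hi - lo) / 2})

    def __add__(self, other):
        if not isinstance(other, Affine):  # a_hat + zeta
            return Affine(self.center + F(other), self.terms)
        keys = set(self.terms) | set(other.terms)
        return Affine(self.center + other.center,
                      {i: self.terms.get(i, 0) + other.terms.get(i, 0) for i in keys})

    def scale(self, lam):  # lambda * a_hat
        lam = F(lam)
        return Affine(lam * self.center, {i: lam * c for i, c in self.terms.items()})

    def __sub__(self, other):  # a_hat - b_hat
        return self + other.scale(-1)

    def interval(self):
        """Concretise: each eps_i ranges over [-1, 1] independently."""
        radius = sum(abs(c) for c in self.terms.values())
        return (self.center - radius, self.center + radius)


def interval_sub(x, y):
    """Plain interval subtraction [a, b] - [c, d] = [a - d, b - c]."""
    return (x[0] - y[1], x[1] - y[0])


def demo():
    box = (F("0.29"), F("0.31"))
    x = Affine.from_interval("0.29", "0.31", eps=1)  # one quantity, used twice
    y = Affine.from_interval("0.29", "0.31", eps=2)  # independent, same range
    return {
        "interval x-x": interval_sub(box, box),        # dependency lost
        "affine x-x": (x - x).interval(),              # shared eps_1 cancels
        "affine x-y": (x - y).interval(),              # distinct eps: no cancellation
        "affine 2x-x+1": (x.scale(2) - x + 1).interval(),
    }
```
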

Model Checking IDTMC
Main idea
- Split $P$ into a central matrix $P_c$, and an interval matrix $E$, which encodes the uncertainty of the model: $P = P_c + E$
- Matrix $P_c$ is stochastic (all rows sum up to 1) in our case
- The matrix $E$ is represented using AA error terms
Thus, the equation for DTMC analysis $v_k = P' v_{k-1} + b$ becomes:
$v_k(\epsilon) = (P'_c + E'(\epsilon))\, v_{k-1}(\epsilon) + (b + b(\epsilon))$
The updated components of $v_k(\epsilon)$ are non-linear (polynomial) functions of the perturbations $(\epsilon_{ij})_{1 \le i, j \le n}$.