Model checking for probabilistic real-time systems Marta - PowerPoint PPT Presentation

  1. Model checking for probabilistic real-time systems Marta Kwiatkowska School of Computer Science www.cs.bham.ac.uk/~mzk ETR 2005, Nancy

  2. Overview
• Motivation
• Probabilistic model checking
  – The models
  – Specification languages
  – What does it involve?
  – The PRISM model checker
• Case studies
  – IPv4 Zeroconf dynamic configuration protocol
  – Bluetooth device discovery
• Challenges for future

  3. For more information…
J. Rutten, M. Kwiatkowska, G. Norman and D. Parker, Mathematical Techniques for Analyzing Concurrent and Probabilistic Systems, P. Panangaden and F. van Breugel (editors), CRM Monograph Series, vol. 23, AMS, March 2004
www.cs.bham.ac.uk/~dxp/prism/
• Case studies, statistics, group publications
• Download, version 2.1 (2500 downloads)
• Unix/Linux, Windows, Apple platforms
• Publications by others and courses that feature PRISM…

  4. The future: ubiquitous computing
• The Internet
• Mobile, wearable, wireless devices (WiFi, Bluetooth)
• Ad hoc, dynamic, ubiquitous computing environment
• Security, privacy, anonymity protection on the Internet
• Self-configurable - no need for men/women in white coats!
• Fast, responsive, power efficient, …
Correct design: a challenge for formal methods?

  5. Motivation
• In distributed environment, probability helps
  – As a symmetry breaker
  – In gossip-based routing and multicasting
• In distributed environment, clocks and real-time used
  – To measure delays and time-outs
• Distributed computation implies non-determinism
  – Probabilistic timed automata combine
    • Probability (discrete or continuous – here discrete only)
    • Real-time (dense)
    • Non-determinism
• Need model checking methods capable of dealing with
  – Quantitative probability, timing and non-determinism

  6. Real-world protocol examples
• Protocols featuring (discrete) probability, real-time and nondeterminism
  – Randomised back-off schemes
    • Ethernet
    • IEEE 802.11 (WiFi) Wireless LAN MAC protocol
  – Random choice of waiting time
    • CSMA/CD (Carrier Sensing Multiple Access – Collision Detection)
    • Bluetooth, device discovery phase
  – Random choice of a timing delay
    • Root contention in IEEE 1394 FireWire
  – Random choice over a set of possible addresses
    • IPv4 dynamic configuration (link-local addressing)
• Continuous probability distribution needed to model network traffic, random delays…
www.cs.bham.ac.uk/~dxp/prism

  7. Probability elsewhere
• In performance modelling
  – Pioneered by Erlang, in telecommunications, ca 1910
  – Models: typically continuous time Markov chains
  – Emphasis on steady-state and transient probabilities
• In stochastic planning
  – Cf Bellman equations, ca 1950s
  – Models: Markov decision processes
  – Emphasis on finding optimum policies
• Our focus, probabilistic model checking
  – Distinctive, on automated verification for probabilistic systems
  – Temporal logic specifications, automata-theoretic techniques
  – Shared models
  – Exchanging techniques with the other two areas

  8. Verification via model checking… or falsification?
[Figure: the model and a temporal logic specification (e.g. $send \rightarrow \Diamond\, deliver$) are fed to the model checker, which answers yes or no; in the negative case it returns an error trace (Line 5: …, Line 21: …, Line 15: …, …, Line 27: …, Line 45: …)]

  9. Probabilistic model checking… in a nutshell
[Figure: a probabilistic model (transitions labelled with probabilities such as 0.4, 0.3) and a probabilistic temporal logic specification, e.g. $send \rightarrow P_{\geq 0.9}(\Diamond\, deliver)$, are fed to the probabilistic model checker, which answers yes or no, or returns the probability per state (State 5: 0.6789, State 6: 0.9789, State 7: 1.0, …, State 12: 0, State 13: 0.1245)]

  10. Markov Decision Processes (MDPs)
[Figure: example MDP with states $s_0$ (init), $s_1$ (try), $s_2$ (succ), $s_3$ (fail), actions a–e, and transition probabilities 1, 0.98 and 0.02]
• Characteristics:
  – Discrete probability, nondeterminism
  – No real-time
• Formally, $(S, s_0, Steps, L, Act, c)$:
  – $S$ finite set of states
  – $s_0$ initial state
  – $Steps$ maps states $s$ to sets of probability distributions $\mu$ over $S$
  – $Act$ labelling of steps with actions
  – $L: S \to 2^{AP}$ atomic propositions
  – $c: S \times Act \to \mathbb{R}_{\geq 0}$ cost function
• Unfold into infinite paths $s_0 a_0 \mu_0 s_1 a_1 \mu_1 s_2 \ldots$ s.t. $\mu_i(s_i, s_{i+1}) > 0$ for all $i$
• Probability space induced on $Path_s$ by adversary (policy) $A$ mapping finite path $s_0 a_0 \mu_0 s_1 a_1 \mu_1 \ldots s_n$ to a distribution from $s_n$

  11. Probability and cost
• Intuitively, for a fixed adversary $A \in Adv$:
  – Sample space = infinite paths $Path^A_s$ from $s$
  – Event = set of paths $s_0 \ldots s_k$
  – Basic event = cone
• Formally, probability space $(Path^A_s, \Omega, Pr^A)$
  – Assign probability $P(\cdot)$ to finite paths $\omega = s_0 a_0 \mu_0 s_1 a_1 \mu_1 s_2 a_2 \ldots s_n$
  – Define $Pr^A(C(\omega)) = P(\omega)$ for cones $C(\omega) = \{\pi \in Path^A_s \mid \omega \text{ is a prefix of } \pi\}$
• Then cost for a finite path $\omega$ and target set $F \subseteq S$:
$$\mathrm{cost}(F)(\omega) = \begin{cases} \sum_{i=0}^{\min\{i : \omega(i) \in F\}} c(a), \text{ where } (a,\mu) \in Steps(\omega(i-1)) & \text{if } \exists i.\ \omega(i) \in F \\ \infty & \text{otherwise} \end{cases}$$

  12. The logic PCTL: syntax
• Probabilistic Computation Tree Logic [HJ94,BdA95,BK98]
  – Based on CTL, for DTMCs/MDPs
  – Add probabilistic operator, e.g. $send \rightarrow P_{\geq 0.9}(\Diamond\, deliver)$
  – and expected cost operator, e.g. $E_{> 1}(heads)$
• The syntax of state and path formulas of PCTL is:
$$\phi ::= true \mid a \mid \phi \wedge \phi \mid \neg\phi \mid P_{\bowtie p}(\alpha) \mid E_{\bowtie c}(\phi) \qquad \alpha ::= X\,\phi \mid \phi\, U\, \phi$$
where $p \in [0,1]$ is a probability threshold, $c \in \mathbb{R}_{\geq 0}$ is a cost bound and $\bowtie \in \{<, >, \ldots\}$

  13. The logic PCTL: semantics
• Semantics is parameterised by a class of adversaries $Adv$
  – “under any scheduling, the probability/cost is … at state s”
  – reasoning about worst-case/best-case scenario
• The probabilistic operator: $s \models_{Adv} P_{\bowtie p}(\alpha)$ iff $Pr^A_s\{\pi \in Path^A_s \mid \pi \models_{Adv} \alpha\} \bowtie p$, for all $A \in Adv$
• The expectation operator: $s \models_{Adv} E_{\bowtie c}(\phi)$ iff $E^A_s(\mathrm{cost}\{s' \in S \mid s' \models_{Adv} \phi\}) \bowtie c$, w.r.t. $Pr^A_s$, for all $A \in Adv$
• Semantics of remaining formulas standard

  14. PCTL Until model checking for MDPs
• Reduces to minimum/maximum probability computation
  – $p^{max}_s(\alpha)$, $p^{min}_s(\alpha)$, defined as sup/inf over all adversaries
• Obtain linear optimisation problems solvable iteratively, e.g. $Sat(P_{\geq p}(\phi_1\, U\, \phi_2)) = \{s \in S \mid x_s \geq p\}$, where
$$\text{maximise } \sum_{s \in S^?} x_s \text{ subject to the constraints: } x_s \leq \sum_{s' \in S^?} \mu(s') \cdot x_{s'} + \sum_{s' \in S^{yes}} \mu(s') \text{ for all } s \in S^?,\ (a,\mu) \in Steps(s)$$
• Note $S^{yes}$, $S^{no}$, $S^? = S \setminus (S^{no} \cup S^{yes})$ can be precomputed by graph traversal (BDD fixed point) [dA97,dAKNP00]
  – Combine graph-theoretic traversal and simplified value iteration

  15. Expected cost model checking
• Reduces to minimum/maximum expected cost computation
  – $e^{max}_s(\phi)$, $e^{min}_s(\phi)$, defined as sup/inf over all adversaries
• The linear equation generalises to linear optimisation problems solvable iteratively, e.g. $Sat(E_{\geq c}(\phi)) = \{s \in S \mid x_s \geq c\}$, where
$$\text{maximise } \sum_{s \in S^?} x_s \text{ subject to the constraints: } x_s \leq c(a) + \sum_{s' \in S^{yes}} \mu(s') \cdot x_{s'} \text{ for all } s \in S^?,\ (a,\mu) \in Steps(s)$$
• Note $S^{yes}$, $S^{no}$, $S^? = S \setminus (S^{no} \cup S^{yes})$ can be precomputed as before
  – Unique solution, cost possibly $\infty$
  – Algorithm of [dAlf'97]
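The precompute-then-iterate scheme of slides 14 and 15 (graph traversal for $S^{yes}$/$S^{no}$, then value iteration for $p^{min}_s$, $p^{max}_s$ and $e^{min}_s$) carried out on a small MDP, as an added example that is not part of the slides and not PRISM's own code. The MDP is constructed here, loosely after the init/try/succ/fail picture of slide 10; its choices, probabilities and the cost function are assumptions. Value iteration is used in place of the LP of the slides: iterating the min (resp. max) Bellman operator from 0 converges to the least fixed point, which is the inf (resp. sup) over all adversaries.

```python
"""Added example: PCTL reachability (pmin/pmax) and minimum expected cost on a small MDP
by the graph-precomputation + value-iteration scheme of slides 14 and 15."""
import math

# Constructed MDP, loosely modelled on the init/try/succ/fail picture of slide 10; the exact
# choices and costs are an assumption, not the slide's. STEPS[s] lists the (action, mu) pairs
# of Steps(s); mu is a dict state -> probability (only positive entries are stored).
STEPS = {
    "init": [("a", {"try": 1.0})],
    "try":  [("b", {"succ": 0.98, "fail": 0.02}),   # attempt the send
             ("e", {"init": 1.0})],                  # give up this attempt, go back
    "succ": [("c", {"succ": 1.0})],
    "fail": [("d", {"try": 1.0})],                   # retry after a failure
}
COST = {"a": 1.0, "b": 1.0, "c": 0.0, "d": 1.0, "e": 1.0}   # c: S x Act -> R>=0, action-dependent only
TOL = 1e-12


def backward_reach(steps, target):
    """Graph traversal: states from which some choice reaches the target with positive probability.
    Its complement is S^no, whose probability is fixed at 0 before iterating."""
    reach = set(target)
    changed = True
    while changed:
        changed = False
        for s, choices in steps.items():
            if s not in reach and any(t in reach for _, mu in choices for t in mu):
                reach.add(s)
                changed = True
    return reach


def reach_prob(steps, target, maximise, tol=TOL, max_iter=100_000):
    """Value iteration for p^max_s (maximise=True) or p^min_s of "eventually target".
    x_s := opt_{(a,mu) in Steps(s)} sum_{s'} mu(s') x_{s'}, starting from 1 on S^yes = target and
    0 elsewhere, converges to the least fixed point, i.e. the sup/inf over all adversaries."""
    opt = max if maximise else min
    can_reach = backward_reach(steps, target)
    x = {s: (1.0 if s in target else 0.0) for s in steps}
    for _ in range(max_iter):
        new = {s: (x[s] if s in target or s not in can_reach else
                   opt(sum(p * x[t] for t, p in mu.items()) for _, mu in steps[s]))
               for s in steps}
        delta = max(abs(new[s] - x[s]) for s in steps)
        x = new
        if delta < tol:
            break
    return x


def sat_P(steps, target, bound, p):
    """Sat(P_{bound p}(eventually target)) over all adversaries: ">=" needs p^min >= p, "<" needs p^max < p."""
    if bound == ">=":
        return {s for s, v in reach_prob(steps, target, maximise=False).items() if v >= p}
    if bound == "<":
        return {s for s, v in reach_prob(steps, target, maximise=True).items() if v < p}
    raise ValueError("only >= and < are handled in this example")


def min_expected_cost(steps, cost, target, tol=TOL, max_iter=100_000):
    """Value iteration for e^min_s: x_s := min_{(a,mu)} c(a) + sum_{s'} mu(s') x_{s'}, x = 0 on target.
    The cost can be infinite: e^min_s = inf exactly when p^max_s < 1, so those states are fixed
    at inf by the precomputation and the remaining system has a unique finite solution."""
    pmax = reach_prob(steps, target, maximise=True)
    x = {s: 0.0 if s in target or pmax[s] >= 1.0 - 1e-9 else math.inf for s in steps}
    for _ in range(max_iter):
        new = {s: (x[s] if s in target or x[s] == math.inf else
                   min(cost[a] + sum(p * x[t] for t, p in mu.items()) for a, mu in steps[s]))
               for s in steps}
        delta = max(abs(new[s] - x[s]) for s in steps if x[s] != math.inf)
        x = new
        if delta < tol:
            break
    return x


if __name__ == "__main__":
    target = {"succ"}
    print("p^max:", reach_prob(STEPS, target, maximise=True))
    print("p^min:", reach_prob(STEPS, target, maximise=False))
    print("Sat(P>=0.9(<> succ)):", sat_P(STEPS, target, ">=", 0.9))
    print("e^min:", min_expected_cost(STEPS, COST, target))
```

On this MDP the adversary that keeps choosing `e` never reaches `succ`, so $p^{min}_s = 0$ for every non-target state and only `succ` satisfies $P_{\geq 0.9}(\Diamond\, succ)$, while $p^{max}_s = 1$ everywhere because `fail` allows a retry; the minimum expected cost from `init` solves $x_{try} = 1 + 0.02\,(1 + x_{try})$, giving $1 + 1.02/0.98$.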

  16. Continuous Time Markov Chains (CTMCs)
[Figure: CTMC of a queue with states 0 (empty), 1, 2, 3, with rate 3 from each state to the next and rate 4 back to the previous one]
• Features:
  – Discrete states and full real time
  – Exponentially distributed random delays
• Formally:
  – Set of states $S$ plus rates $R(s,s') > 0$ of moving from $s$ to $s'$
  – Probability of moving from $s$ to $s'$ by time $t > 0$ is $1 - e^{-R(s,s') \cdot t}$
  – Transition rate matrix $S \times S \to \mathbb{R}_{\geq 0}$
• Unfold into infinite paths $s_0 t_0 s_1 t_1 s_2 t_2 s_3 \ldots$
  – $prob_s(s')$, probability of being in $s'$ in the long run, starting in $s$
  – $prob_s(s',t)$, probability of being in $s'$ at time instant $t$
• But: no nondeterminism

  17. The logic CSL: syntax
• Continuous Stochastic Logic [ASSB96,BKH99]
  – For CTMCs, based on PCTL, for example
    • $P_{<0.85}(\Diamond^{<15}\, full)$, probability operator: “the probability of queue becoming full within 15 secs is < 0.85”
    • $S_{<0.01}(down)$, steady-state operator: “in the long run, the probability the system is down is less than 1%”
• The syntax of state and path formulas of CSL is:
$$\phi ::= true \mid a \mid \phi \wedge \phi \mid \neg\phi \mid S_{\bowtie p}(\phi) \mid P_{\bowtie p}(\alpha) \qquad \alpha ::= X\,\phi \mid \phi\, U^{\leq t}\, \phi \mid \phi\, U\, \phi$$
where $p \in [0,1]$ is a probability bound, $t \in \mathbb{R}_{\geq 0}$ and $\bowtie \in \{<, >, \ldots\}$
• Extension with time intervals for until, cost/rewards and expectation operator $E_{\bowtie c}(\phi)$

  18. CSL semantics
• Semantics of bounded until: $\pi \models \phi_1\, U^{\leq t}\, \phi_2$ iff $\phi_2$ is satisfied at some time instant no later than $t$ along $\pi$, and $\phi_1$ is satisfied at all preceding time instants
• The added operators:
  – $s \models S_{\bowtie p}(\phi)$ iff $\sum_{s' \models \phi} prob_s(s') \bowtie p$, where $prob_s(s')$ is the probability of being in $s'$ in the long run, having started in $s$
  – $s \models P_{\bowtie p}(\alpha)$ iff $Pr\{\pi \in Path_s \mid \pi \models \alpha\} \bowtie p$, where $Pr$ is the probability measure on paths as for PCTL
• Semantics of remaining formulas as for PCTL

  19. The logic CSL: model checking
• By induction on structure of formula, as for PCTL except for $S_{\bowtie p}(\phi)$ and $P_{\bowtie p}(\phi_1\, U^{\leq t}\, \phi_2)$
• The steady-state operator
  – Requires computation of steady-state probabilities
  – Reduces to graph traversal and (iterative) solution of linear equation system
• The time-bounded until
  – Reduces to transient analysis
  – Transform CTMC by removing all outgoing transitions from states satisfying $\phi_2$ or $\neg\phi_1$
  – Then $Pr\{\pi \in Path_s \mid \pi \models \phi_1\, U^{\leq t}\, \phi_2\} = \sum_{s' \models \phi_2} prob_s(s',t)$
  – Computed by using uniformisation
  – More efficient and stable, iterative computation
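The two CSL procedures of slides 16 to 19 carried out on a small CTMC, as an added example that is not part of the slides and not PRISM's own code: the steady-state operator is checked by solving $\pi Q = 0$, $\sum \pi = 1$ directly, and time-bounded until by the transformation of slide 19 (make states satisfying $\phi_2$ or $\neg\phi_1$ absorbing) followed by transient analysis through uniformisation. The CTMC is constructed here after the queue picture of slide 16; the capacity and the rates (3 and 4) are assumptions, as are the function names.

```python
"""Added example: CSL steady-state and time-bounded until checking on a small CTMC, via
a linear equation system (slide 19, S operator) and uniformisation (slide 19, bounded until)."""
import math

# Constructed CTMC: a queue with capacity 3 after the picture of slide 16; the rates (arrivals
# at 3, service at 4) are an assumption. RATES[(s, s')] = R(s, s') > 0.
STATES = ["empty", "one", "two", "full"]
RATES = {
    ("empty", "one"): 3.0, ("one", "two"): 3.0, ("two", "full"): 3.0,
    ("one", "empty"): 4.0, ("two", "one"): 4.0, ("full", "two"): 4.0,
}


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def generator(states, rates):
    """Generator matrix Q: Q[s][s'] = R(s, s') off the diagonal, every row sums to zero."""
    n = len(states)
    idx = {s: i for i, s in enumerate(states)}
    q = [[0.0] * n for _ in range(n)]
    for (s, t), r in rates.items():
        q[idx[s]][idx[t]] += r
        q[idx[s]][idx[s]] -= r
    return q


def steady_state(states, rates):
    """prob_s(s') for an irreducible CTMC: solve pi Q = 0 together with sum(pi) = 1.
    One of the (linearly dependent) balance equations is replaced by the normalisation."""
    n = len(states)
    q = generator(states, rates)
    a = [[q[i][j] for i in range(n)] for j in range(n)]   # row j: sum_i pi_i Q[i][j] = 0
    b = [0.0] * n
    a[-1], b[-1] = [1.0] * n, 1.0
    return dict(zip(states, solve_linear(a, b)))


def transient(states, rates, start, t, eps=1e-10):
    """prob_start(s', t) by uniformisation: with q >= the largest exit rate and U = I + Q/q (a DTMC),
    P(t) = sum_k Poisson(k; q t) U^k. Poisson weights are built iteratively and the series is
    truncated once their mass exceeds 1 - eps. (exp(-q t) underflows for very large q t; a
    Fox-Glynn style scaled computation is needed there.)"""
    n = len(states)
    idx = {s: i for i, s in enumerate(states)}
    q_mat = generator(states, rates)
    q = max(-q_mat[i][i] for i in range(n)) or 1.0
    u = [[(1.0 if i == j else 0.0) + q_mat[i][j] / q for j in range(n)] for i in range(n)]
    vec = [0.0] * n                      # distribution after k steps of U, as a row vector
    vec[idx[start]] = 1.0
    result = [0.0] * n
    weight, mass, k = math.exp(-q * t), 0.0, 0
    while mass < 1.0 - eps:
        for i in range(n):
            result[i] += weight * vec[i]
        mass += weight
        vec = [sum(vec[i] * u[i][j] for i in range(n)) for j in range(n)]
        k += 1
        weight *= q * t / k
    return dict(zip(states, result))


def bounded_until(states, rates, start, phi1, phi2, t):
    """Pr{pi in Path_start | pi |= phi1 U^{<=t} phi2}: make every state satisfying phi2 or not phi1
    absorbing (drop its outgoing transitions), then sum the transient probability over phi2."""
    absorbing = {s for s in states if s in phi2 or s not in phi1}
    transformed = {(s, u): r for (s, u), r in rates.items() if s not in absorbing}
    dist = transient(states, transformed, start, t)
    return sum(p for s, p in dist.items() if s in phi2)


if __name__ == "__main__":
    pi = steady_state(STATES, RATES)
    print("steady state:", pi, " S_{<0.2}(full) holds:", pi["full"] < 0.2)
    p = bounded_until(STATES, RATES, "empty", set(STATES), {"full"}, 15.0)
    print("P(true U^{<=15} full) from empty:", p, " P_{<0.85} holds:", p < 0.85)
```

For this birth-death chain the long-run distribution is geometric, $\pi_i \propto (3/4)^i$, so $prob(full) = 27/175$; the transient distribution of the untransformed chain converges to it as $t$ grows, and in the transformed chain the probability of having reached `full` by time $t$ rises monotonically from 0 towards 1.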
