Probabilistic Model Checking & PRISM. Dave Parker, University of Birmingham. HIERATIC kick-off meeting, Birmingham, Dec 2012
Overview • Quantitative verification − probabilistic model checking • Probabilistic models + logics − discrete-time Markov chains + PCTL − continuous-time Markov chains + CSL − discrete stochastic models of biological systems • PRISM: probabilistic model checker − overview, modelling language, symbolic implementation • Techniques for scalability, efficiency − bisimulation, symmetry, abstraction, simulation
Quantitative verification • Formal verification… − is the application of rigorous, mathematics-based techniques to establish the correctness of computerised systems • Quantitative verification… − applies formal verification techniques to the modelling and analysis of non-functional aspects of system behaviour (e.g. probability, time, cost, …) • Probabilistic model checking… − is an automated quantitative verification technique for systems that exhibit probabilistic behaviour
Verification via model checking. Model checking: automatic formal verification of correctness properties of computerised systems. [Figure: the system is abstracted to a finite-state system model and its requirements to a temporal logic specification (e.g. ¬EF fail); a model checker (e.g. SMV, Spin) returns either a result or a counterexample.]
Probabilistic model checking • Why and what? • Why probability? − unreliability (e.g. component failures) − uncertainty (e.g. message losses/delays over wireless) − randomisation (e.g. in protocols such as Bluetooth, ZigBee) − stochasticity (e.g. biological/chemical reaction rates) • Quantitative properties − reliability, performance, quality of service, … − “the probability of an airbag failing to deploy within 0.02s” − “the expected power usage of a sensor network over 1 hour” − “the expected time for a cell signalling pathway to complete”
Probabilistic model checking. Probabilistic model checking: automatic verification of quantitative properties of systems with stochastic behaviour. [Figure: the system is abstracted to a probabilistic model, e.g. a Markov chain (with transition probabilities such as 0.4, 0.5, 0.1), and its requirements to a probabilistic temporal logic specification, e.g. in PCTL, CSL or LTL (such as P<0.01 [ F≤t fail ]); a probabilistic model checker (e.g. PRISM) returns either a result (quantitative results) or a counterexample.]
Probabilistic model checking • Construction and analysis of finite probabilistic models − e.g. Markov chains, Markov decision processes, … − specified in high-level modelling formalisms − exhaustive model exploration (all possible states/executions) • Automated analysis of wide range of quantitative properties − properties specified using temporal logic − “exact” results obtained via numerical computation − linear equation systems, iterative methods, uniformisation, … − as opposed to, for example, Monte Carlo simulations − efficient techniques from verification + performance analysis − mature tool support available, e.g. PRISM
Probabilistic models
                    Fully probabilistic                       Nondeterministic
Discrete time       Discrete-time Markov chains (DTMCs)       Markov decision processes (MDPs) (probabilistic automata)
Continuous time     Continuous-time Markov chains (CTMCs)     CTMDPs/IMCs; Probabilistic timed automata (PTAs)
Probabilistic models • Discrete-time Markov chains (DTMCs) − discrete states + probability − for: randomisation, unreliable communication media, … • Continuous-time Markov chains (CTMCs) − discrete states + exponentially distributed delays − for: component failures, job arrivals, molecular reactions, … • Markov decision processes (MDPs) − in fact: probabilistic automata [Segala] − probability + nondeterminism (e.g. for concurrency) − for: randomised distributed algorithms, security protocols, … • Probabilistic timed automata (PTAs) − probability, nondeterminism + real-time − for wireless comm. protocols, embedded control systems, …
Discrete-time Markov chains • Formally, a DTMC D is a tuple (S, s_init, P, L) where: − S is a finite set of states (“state space”) − s_init ∈ S is the initial state − P : S × S → [0,1] is the transition probability matrix, where Σ_{s'∈S} P(s,s') = 1 for all s ∈ S − L : S → 2^AP is a function labelling states with atomic propositions • Note: no deadlock states − i.e. every state has at least one outgoing transition − can add self-loops to represent final/terminating states [Example DTMC: s0 → s1 with probability 1; s1 → s1 (0.01), s1 → s2 (0.01), s1 → s3 (0.98); s2 and s3 each have a self-loop with probability 1. Labels: L(s1) = {try}, L(s2) = {fail}, L(s3) = {succ}.]
Paths and probabilities • A (finite or infinite) path through a DTMC − is a sequence of states s0 s1 s2 s3 … such that P(s_i, s_{i+1}) > 0 for all i − represents an execution (i.e. one possible behaviour) of the system which the DTMC is modelling • To reason (quantitatively) about this system − need to define a probability space over paths • Intuitively: − sample space: Path(s) = set of all infinite paths from a state s − basic events: cylinder sets (or “cones”) − cylinder set C(ω), for a finite path ω = set of infinite paths with the common finite prefix ω − event set: least σ-algebra on Path(s) containing C(ω) for all finite paths ω starting in s − probability of a cylinder set, e.g. C(s s1 s2) = P(s,s1)·P(s1,s2)
PCTL • Temporal logic for describing properties of DTMCs − PCTL = Probabilistic Computation Tree Logic [HJ94] • Extension of (non-probabilistic) temporal logic CTL − key addition is probabilistic operator P − quantitative extension of CTL’s A and E operators • Example − send → P≥0.95 [ F≤10 deliver ] − “if a message is sent, then the probability of it being delivered within 10 steps is at least 0.95” • Other possibilities for P operator − unbounded reachability (F), until (U), globally (G), … • Model checking for PCTL − determine states of a DTMC satisfying a PCTL formula − boils down to: graph analysis, solution of linear equation systems, iterative numerical solution
Quantitative properties • Consider a PCTL formula P~p [ ψ ] − if the probability is unknown, how to choose the bound p? • When the outermost operator of a PCTL formula is P − we allow the form P=? [ ψ ] − “what is the probability that path formula ψ is true?” • Model checking is no harder: the values are computed anyway and then compared against the bound • Useful to spot patterns, trends • Example − P=? [ F err/total>0.1 ] − “what is the probability that more than 10% of the NAND gate outputs are erroneous?”
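The following is an added worked example (not code from the slides or from PRISM) that runs the PCTL model-checking recipe above on the 4-state DTMC pictured on the DTMC slide: the unbounded reachability probability P=?[F succ] via prob0/prob1 graph analysis plus Gauss-Seidel iteration of the linear equations, the bounded probability P=?[F≤k fail] via k matrix-vector steps, and the P~p bound decided from the P=? value. The matrix P and the labels are the slide's example; everything else (function names, tolerances) is this example's own choice.

```python
"""PCTL reachability on the deck's example DTMC (example added here, not
code from the slides or from PRISM).  The chain is the one on the DTMC slide:
s0 -> s1 (1); s1 -> s1 (0.01), s1 -> s2 (0.01), s1 -> s3 (0.98);
s2 (fail) and s3 (succ) are absorbing via self-loops.  Pure Python, no deps."""
from collections import deque

P = [
    [0.0, 1.0,  0.0,  0.0 ],   # s0
    [0.0, 0.01, 0.01, 0.98],   # s1  {try}
    [0.0, 0.0,  1.0,  0.0 ],   # s2  {fail}
    [0.0, 0.0,  0.0,  1.0 ],   # s3  {succ}
]
L = {"try": {1}, "fail": {2}, "succ": {3}}   # atomic proposition -> states

def is_well_formed(P, eps=1e-9):
    """Rows sum to 1 and no state is a deadlock (each row has a successor)."""
    return all(abs(sum(row) - 1.0) < eps and any(p > 0 for p in row) for row in P)

def cylinder_prob(P, prefix):
    """Probability of the cylinder set C(prefix): product of P(s_i, s_{i+1})."""
    pr = 1.0
    for s, t in zip(prefix, prefix[1:]):
        pr *= P[s][t]
    return pr

def _pre_star(P, targets):
    """States from which some state in targets is reachable (backward BFS)."""
    seen, q = set(targets), deque(targets)
    while q:
        t = q.popleft()
        for s in range(len(P)):
            if P[s][t] > 0 and s not in seen:
                seen.add(s); q.append(s)
    return seen

def prob_reach(P, target, tol=1e-12, max_iter=10**6):
    """P=?[F target] for every state (unbounded reachability).
    1. make target absorbing (reaching it once is all that matters);
    2. graph analysis: no  = states that cannot reach target (probability 0),
                       yes = states that cannot reach 'no'   (probability 1);
    3. Gauss-Seidel iteration of x_s = sum_t P(s,t) x_t on the remaining states."""
    n = len(P)
    Pa = [[(1.0 if t == s else 0.0) if s in target else P[s][t] for t in range(n)]
          for s in range(n)]
    no = set(range(n)) - _pre_star(Pa, set(target))
    yes = set(range(n)) - _pre_star(Pa, no)
    x = [1.0 if s in yes else 0.0 for s in range(n)]
    rest = [s for s in range(n) if s not in yes and s not in no]
    for _ in range(max_iter):
        delta = 0.0
        for s in rest:
            new = sum(Pa[s][t] * x[t] for t in range(n))
            delta = max(delta, abs(new - x[s]))
            x[s] = new
        if delta < tol:
            break
    return x

def prob_bounded_reach(P, target, k):
    """P=?[F<=k target] for every state: k backward matrix-vector steps."""
    n = len(P)
    x = [1.0 if s in target else 0.0 for s in range(n)]
    for _ in range(k):
        x = [1.0 if s in target else sum(P[s][t] * x[t] for t in range(n))
             for s in range(n)]
    return x

def holds(value, rel, bound):
    """Decide the bound of a P~p operator from the computed P=? value."""
    return {"<": value < bound, "<=": value <= bound,
            ">": value > bound, ">=": value >= bound}[rel]

if __name__ == "__main__":
    assert is_well_formed(P)
    print("P(C(s0 s1 s3)) =", cylinder_prob(P, [0, 1, 3]))        # 0.98
    succ = prob_reach(P, L["succ"])
    print("P=?[F succ] from s0 =", succ[0])                        # 0.98/0.99
    print("s0 |= P>=0.95[F succ]:", holds(succ[0], ">=", 0.95))    # True
    fail = prob_bounded_reach(P, L["fail"], 3)
    print("P=?[F<=3 fail] from s0 =", fail[0])                     # 0.0101
```

The graph analysis is what keeps the numerical step well-posed: states in `no` and `yes` are fixed at 0 and 1, so the iteration only runs over states that can leave the transient part with positive probability and therefore converges. Making the target absorbing first is essential for a general DTMC; a target state that could later move into a `no` state would otherwise be wrongly excluded from `yes`.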
Some real PCTL examples • Reliability: NAND multiplexing system − P=? [ F err/total>0.1 ] − “what is the probability that more than 10% of the NAND gate outputs are erroneous?” • Performance: Bluetooth wireless communication protocol − P=? [ F≤t reply_count=k ] − “what is the probability that the sender has received k acknowledgements within t clock-ticks?” • Fairness (security): EGL contract signing protocol − P=? [ F (pairs_a=0 & pairs_b>0) ] − “what is the probability that party B gains an unfair advantage during the execution of the protocol?”
Continuous-time Markov chains • Continuous-time Markov chains (CTMCs) − labelled transition systems augmented with rates − continuous time delays, exponentially distributed • Formally, a CTMC C is a tuple (S, s_init, R, L) where: − S is a finite set of states (the “state space”) − s_init ∈ S is the initial state − R : S × S → ℝ_{≥0} is the transition rate matrix − L : S → 2^AP is a labelling with atomic propositions • Transition rate matrix assigns rates to each pair of states − used as a parameter to the exponential distribution − transition between s and s' when R(s,s') > 0 − probability triggered before t time units: 1 − e^{−R(s,s')·t} [Example CTMC (a queue of capacity 3): states s0, s1, s2, s3; s0 → s1 → s2 → s3 each with rate 3/2 (arrivals); s3 → s2 → s1 → s0 each with rate 3 (departures); L(s0) = {empty}, L(s3) = {full}.]
CSL • Temporal logic for describing properties of CTMCs − CSL = Continuous Stochastic Logic [ASSB00,BHHK03] − extension of (non-probabilistic) temporal logic CTL − transient, steady-state and path-based properties • Key additions: − probabilistic operator P (like PCTL) − steady-state operator S • Example: down → P>0.75 [ ¬fail U^[1,2.5] up ] − when a shutdown occurs, the probability of a system recovery being completed between 1 and 2.5 hours without further failure is greater than 0.75 • Example: S<0.1 [ insufficient_routers ] − in the long run, the chance that an inadequate number of routers are operational is less than 0.1
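As an added worked example (not code from the slides or from PRISM), the two CSL operators above computed on the queue CTMC from the previous slide: the time-bounded reachability P=?[F≤t full] by uniformisation (Poisson-weighted powers of the uniformised DTMC, with the target made absorbing), and the steady-state operator S=?[full] by solving the balance equations π·Q = 0, Σπ = 1. The rates 3/2 and 3 and the labels come from the slide; the truncation bound, the function names and the use of a direct Gauss-Jordan solve for the steady state are this example's own choices.

```python
"""CSL-style analysis of the deck's queue CTMC (example added here; not
code from the slides or from PRISM).  States s0..s3 hold 0..3 jobs; arrivals
have rate 3/2, service rate 3; s0 is labelled empty and s3 full.
Time-bounded reachability P=?[F<=t full] is computed by uniformisation;
the steady-state operator S=?[full] by solving pi*Q = 0, sum(pi) = 1."""
import math

LAMBDA, MU = 1.5, 3.0               # arrival and service rates from the slide
N = 4
R = [[0.0] * N for _ in range(N)]   # transition rate matrix R(s, s')
for i in range(N - 1):
    R[i][i + 1] = LAMBDA            # arrival:   s_i -> s_{i+1}
    R[i + 1][i] = MU                # departure: s_{i+1} -> s_i
L = {"empty": {0}, "full": {3}}

def generator(R):
    """Infinitesimal generator Q: off-diagonal R(s,s'), diagonal = minus exit rate."""
    n = len(R)
    return [[R[s][t] - (sum(R[s]) if s == t else 0.0) for t in range(n)] for s in range(n)]

def uniformise(R):
    """Uniformised DTMC P = I + Q/q with q = maximum exit rate; returns (P, q)."""
    n, Q = len(R), generator(R)
    q = max(sum(row) for row in R)
    return [[(1.0 if s == t else 0.0) + Q[s][t] / q for t in range(n)] for s in range(n)], q

def transient(R, init, t):
    """Distribution at time t: sum_k Poisson(k; q*t) * (init * P^k).  Poisson
    weights are computed in log space; the series is truncated where the
    remaining Poisson mass is negligible (far below 1e-12)."""
    P, q = uniformise(R)
    n, qt = len(R), q * t
    kmax = int(qt + 10 * math.sqrt(qt) + 20)
    v, out = list(init), [0.0] * n
    for k in range(kmax + 1):
        if qt == 0.0:
            w = 1.0 if k == 0 else 0.0
        else:
            w = math.exp(k * math.log(qt) - qt - math.lgamma(k + 1))
        for s in range(n):
            out[s] += w * v[s]
        v = [sum(v[s] * P[s][t] for s in range(n)) for t in range(n)]   # v := v * P
    return out

def prob_bounded_reach(R, target, t, init_state=0):
    """P=?[F<=t target] from init_state: make target absorbing, then read off
    the probability mass sitting in target at time t."""
    n = len(R)
    Ra = [[0.0 if s in target else R[s][u] for u in range(n)] for s in range(n)]
    init = [1.0 if s == init_state else 0.0 for s in range(n)]
    dist = transient(Ra, init, t)
    return sum(dist[s] for s in target)

def steady_state(R):
    """Long-run distribution: pi*Q = 0 with one balance equation replaced by
    sum(pi) = 1, solved by Gauss-Jordan elimination with partial pivoting.
    Assumes an irreducible CTMC (true for the queue)."""
    n, Q = len(R), generator(R)
    A = [[Q[s][t] for s in range(n)] for t in range(n)]   # A[t][s] = Q(s,t)
    b = [0.0] * n
    A[-1], b[-1] = [1.0] * n, 1.0
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv], b[col], b[piv] = A[piv], A[col], b[piv], b[col]
        for r in range(n):
            if r != col and A[r][col] != 0.0:
                f = A[r][col] / A[col][col]
                A[r] = [a - f * c for a, c in zip(A[r], A[col])]
                b[r] -= f * b[col]
    return [b[i] / A[i][i] for i in range(n)]

def steady_state_prob(R, target):
    """S=?[target]: long-run probability of being in a target state."""
    pi = steady_state(R)
    return sum(pi[s] for s in target)

if __name__ == "__main__":
    print("S=?[full] =", steady_state_prob(R, L["full"]))                 # 1/15
    for t in (1.0, 5.0, 100.0):
        print(f"P=?[F<={t} full] from s0 =", prob_bounded_reach(R, L["full"], t))
    print("s0 |= S<0.1[full]:", steady_state_prob(R, L["full"]) < 0.1)    # True
```

Two checks worth keeping in mind when using this: the transient distribution at a large t must agree with the steady-state solution (it does here, which cross-validates the two independent computations), and P=?[F≤t full] must be 0 at t = 0, increase with t and approach 1, since the absorbing full state is reachable from every state of the queue.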
Modelling biological systems • Aim: model a mixture of interacting molecules − multiple molecular species, interacting through reactions − cell signalling pathway, gene regulatory network, … − fixed volume (spatially uniform), pressure and temperature • Simple example: − 3 species A, B and AB; 3 reactions: − reversible binding of A and B to form AB; degradation of A k 1 k 3 A + B AB A k 2 • Two approaches to modelling − discrete, stochastic − continuous, deterministic
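An added worked example (not code from the slides or from PRISM) of how the discrete, stochastic approach turns the three-species network above into a CTMC: the reachable molecule-count states are enumerated from given initial counts and the transition rate matrix is derived from mass-action propensities, which is the model a probabilistic model checker would then analyse. For contrast it also samples one trajectory of that CTMC with Gillespie's stochastic simulation algorithm and integrates the continuous, deterministic mass-action ODEs. The species and reactions are the slide's; the rate constants k1, k2, k3 and the initial counts (2 A, 2 B, 0 AB) are made-up values, and all function names are this example's own.

```python
"""Discrete stochastic model (a CTMC) of the deck's three-species network
(example added here; not code from the slides or from PRISM):
    A + B -> AB (k1)     AB -> A + B (k2)     A -> (degraded) (k3)
Reachable states are enumerated from initial molecule counts and the rate
matrix built from mass-action propensities; a Gillespie SSA run samples one
trajectory, and explicit Euler integrates the deterministic ODE alternative.
Rate constants and initial counts are made-up values for illustration."""
import math
import random
from collections import deque

SPECIES = ("A", "B", "AB")                  # state = (#A, #B, #AB)
REACTIONS = [                               # (consumed, produced, rate constant)
    ((1, 1, 0), (0, 0, 1), 1.0),            # k1: A + B -> AB
    ((0, 0, 1), (1, 1, 0), 0.5),            # k2: AB -> A + B
    ((1, 0, 0), (0, 0, 0), 0.1),            # k3: A -> (degraded)
]

def propensity(state, reaction):
    """Stochastic mass-action propensity: k times the number of distinct
    reactant combinations, C(count, need) for each reactant species."""
    consumed, _, k = reaction
    a = k
    for count, need in zip(state, consumed):
        a *= math.comb(count, need)
    return a

def successors(state):
    """Enabled reactions from state, as (next_state, rate) pairs."""
    out = []
    for reaction in REACTIONS:
        rate = propensity(state, reaction)
        if rate > 0:
            consumed, produced, _ = reaction
            nxt = tuple(c - x + y for c, x, y in zip(state, consumed, produced))
            out.append((nxt, rate))
    return out

def build_ctmc(init, max_states=10_000):
    """Breadth-first enumeration of the states reachable from init; returns
    (states, R) with R[s][t] the total rate from states[s] to states[t].
    Terminates only if the reachable set is finite (here it is: B + AB is
    conserved and A never increases); max_states guards unbounded networks."""
    index, states, edges, q = {init: 0}, [init], [], deque([init])
    while q:
        s = q.popleft()
        for nxt, rate in successors(s):
            if nxt not in index:
                if len(states) >= max_states:
                    raise ValueError("state space exceeds max_states")
                index[nxt] = len(states); states.append(nxt); q.append(nxt)
            edges.append((index[s], index[nxt], rate))
    R = [[0.0] * len(states) for _ in states]
    for s, t, rate in edges:
        R[s][t] += rate
    return states, R

def gillespie(init, t_end, rng):
    """One SSA trajectory [(time, state), ...] up to t_end; stops early in an
    absorbing state (e.g. once every A molecule has degraded)."""
    t, s, traj = 0.0, init, [(0.0, init)]
    while True:
        succ = successors(s)
        total = sum(r for _, r in succ)
        if total == 0.0:
            break
        t += rng.expovariate(total)               # holding time ~ Exp(total rate)
        if t > t_end:
            break
        u, s = rng.random() * total, succ[-1][0]  # fallback guards float round-off
        for nxt, r in succ:
            u -= r
            if u <= 0.0:
                s = nxt; break
        traj.append((t, s))
    return traj

def ode_euler(init, t_end, dt=1e-3):
    """Continuous, deterministic alternative: mass-action ODEs
    dx/dt = sum over reactions of flux * net stoichiometry, explicit Euler."""
    x = [float(c) for c in init]
    for _ in range(int(round(t_end / dt))):
        dx = [0.0] * len(x)
        for consumed, produced, k in REACTIONS:
            flux = k
            for xi, need in zip(x, consumed):
                flux *= xi ** need
            for i, (c, p) in enumerate(zip(consumed, produced)):
                dx[i] += flux * (p - c)
        x = [xi + dt * dxi for xi, dxi in zip(x, dx)]
    return x

if __name__ == "__main__":
    states, R = build_ctmc((2, 2, 0))
    print(len(states), "reachable states:", states)          # 6 states
    for t, s in gillespie((2, 2, 0), 20.0, random.Random(1)):
        print(f"t={t:7.3f}  A={s[0]} B={s[1]} AB={s[2]}")
    print("ODE at t=20:", ode_euler((2, 2, 0), 20.0))
```

From (2, 2, 0) the CTMC has six states, and the state (0, 2, 0) with all A degraded is absorbing; the propensity of the binding reaction there is k1·2·2 because there are four distinct A-B pairs. The conservation law B + AB = 2 is what makes the state space finite; for networks without such a bound, enumeration must be cut off (the `max_states` guard) or replaced by simulation.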