Probabilistic Model Checking Probabilistic Model Checking Marta - PowerPoint PPT Presentation

Probabilistic Model Checking Probabilistic Model Checking Marta Kwiatkowska Kwiatkowska Marta Gethin Norman Norman Gethin Dave Parker Dave Parker University of Oxford University of Oxford Part 4 - - Markov Decision Processes Markov Decision Processes Part 4

Overview • Nondeterminism • Markov decision processes (MDPs) − definition, examples, adversaries, probabilities • Properties of MDPs: The logic PCTL − syntax, semantics, equivalences, … • PCTL model checking − algorithms, examples, … • Costs and rewards 2

Recap: DTMCs • Discrete-time Markov chains (DTMCs) − discrete state space, transitions are discrete time-steps − from each state, choice of successor state (i.e. which transition) is determined by a discrete probability distribution 1 {fail} s 2 0.01 {try} s 0 s 1 1 0.98 1 s 3 {succ} 0.01 • DTMCs are fully probabilistic − well suited to modelling, for example, simple random algorithms or synchronous probabilistic systems where components move in lock-step 3

Nondeterminism • But, some aspects of a system may not be probabilistic and should not be modelled probabilistically; for example: • Concurrency - scheduling of parallel components − e.g. randomised distributed algorithms - multiple probabilistic processes operating asynchronously • Unknown environments − e.g. probabilistic security protocols - unknown adversary • Underspecification - unknown model parameters − e.g. a probabilistic communication protocol designed for message propagation delays of between d min and d max 4

Probability vs. nondeterminism {fail} s 2 {try} • Labelled transition system s 0 s 1 − (S,s 0 ,R,L) where R ⊆ S×S s 3 − choice is nondeterministic {succ} 1 {fail} • Discrete-time Markov chain s 2 − (S,s 0 ,P,L) where P : S×S → [0,1] 0.01 {try} s 0 s 1 0.98 1 − choice is probabilistic 1 s 3 {succ} 0.01 • How to combine? 5

Overview • Nondeterminism • Markov decision processes (MDPs) − definition, examples, adversaries, probabilities • Properties of MDPs: The logic PCTL − syntax, semantics, equivalences, … • PCTL model checking − algorithms, examples, … • Costs and rewards 6

Markov decision processes • Markov decision processes (MDPs) − extension of DTMCs which allow nondeterministic choice • Like DTMCs: − discrete set of states representing possible configurations of the system being modelled − transitions between states occur in discrete time-steps • Probabilities and nondeterminism {heads} s 2 − in each state, a nondeterministic {init} a 0.5 a 1 choice between several discrete 1 s 0 s 1 c probability distributions over 1 a s 3 0.7 b successor states 0.5 0.3 {tails} 7

Markov decision processes • Formally, an MDP M is a tuple (S,s init ,Steps Steps,L) where: − S is a finite set of states (“state space”) − s init ∈ S is the initial state Steps : S → 2 Act×Dist(S) is the transition probability function − St where Act is a set of actions and Dist(S) is the set of discrete probability distributions over the set S − L : S → 2 AP is a labelling with atomic propositions {heads} • Notes: s 2 − Steps(s) is always non-empty, {init} 0.5 a a 1 1 i.e. no deadlocks s 0 s 1 c 1 − the use of actions to label a s 3 0.7 b 0.5 distributions is optional 0.3 {tails} 8

Simple MDP example • Modification of the simple DTMC communication protocol − after one step, process starts trying to send a message − then, a nondeterministic choice between: (a) waiting a step because the channel is unready; (b) sending the message − if the latter, with probability 0.99 send successfully and stop − and with probability 0.01, message sending fails, restart restart {fail} 1 s 2 0.01 {try} start send s 0 s 1 1 stop 0.99 s 3 1 wait 1 {succ} 9

Simple MDP example 2 • Another simple MDP example with four states − from state s 0 , move directly to s 1 (action a) − in state s 1 , nondeterminstic choice between actions b and c − action b gives a probabilistic choice: self-loop or return to s 0 − action c gives a 0.5/0.5 random choice between heads/tails {heads} s 2 a 0.5 1 {init} a 1 c s 0 s 1 1 a 0.7 0.5 b s 3 0.3 {tails} 10

Simple MDP example 2 AP = {init,heads,tails} M = (S,s init ,Ste Steps,L) L(s 0 )={init}, L(s 1 )= ∅ , S = {s 0 , s 1 , s 2 , s 3 } L(s 2 )={heads}, s init = s 0 L(s 3 )={tails} St Steps(s 0 ) = { (a, s 1 ↦ 1) } Steps(s 1 ) = { (b, [s 0 ↦ 0.7,s 1 ↦ 0.3]), (c, [s 2 ↦ 0.5,s 3 ↦ 0.5]) } St {heads} Steps(s 2 ) = { (a, s 2 ↦ 1) } St Steps(s 3 ) = { (a, s 3 ↦ 1) } St s 2 a 0.5 1 {init} a 1 s 0 s 1 c 1 a 0.7 0.5 b s 3 0.3 {tails} 11

The transition probability function • It is often useful to think of the function Steps Steps as a matrix − non-square matrix with |S| columns and Σ s ∈ S |St Steps(s)| rows • Example (for clarity, we omit actions from the matrix) Steps(s 0 ) = { (a, s 1 ↦ 1) } St St Steps(s 1 ) = { (b, [s 0 ↦ 0.7,s 1 ↦ 0.3]), (c, [s 2 ↦ 0.5,s 3 ↦ 0.5]) } St Steps(s 2 ) = { (a, s 2 ↦ 1) } Steps(s 3 ) = { (a, s 3 ↦ 1) } St {heads} 0 1 0 0 s 2 ⎡ ⎤ {init} 0.5 a a 1 ⎢ ⎥ 0 . 7 0 . 3 0 0 1 ⎢ ⎥ s 0 s 1 c 1 Steps Steps 0 0 0 . 5 0 . 5 = ⎢ ⎥ a s 3 ⎢ ⎥ 0.7 b 0.5 0 0 1 0 ⎢ ⎥ 0.3 ⎢ ⎥ 0 0 0 1 ⎣ ⎦ {tails} 12

Example - Parallel composition 1 0.5 Asynchronous parallel t 0 t 1 t 2 1 0.5 composition of two 3-state DTMCs 1 0.5 s 0 1 s 0 t 0 s 0 t 1 s 0 t 2 Action labels 0.5 omitted here 0.5 0.5 0.5 0.5 1 1 1 1 1 0.5 s 1 s 1 t 0 s 1 t 1 s 1 t 2 0.5 1 0.5 0.5 0.5 0.5 1 0.5 s 2 s 2 t 0 s 2 t 1 s 2 t 2 0.5 1 1 1 1 1 13

Paths and probabilities • A (finite or infinite) path through an MDP − is a sequence of states and action/distribution pairs − e.g. s 0 (a 0 , μ 0 )s 1 (a 1 , μ 1 )s 2 … − such that (a i , μ i ) ∈ St Steps(s i ) and μ i (s i+1 ) > 0 for all i ≥ 0 − represents an execution (i.e. one possible behaviour) of the system which the MDP is modelling − note that a path resolves both types of choices: nondeterministic and probabilistic • To consider the probability of some behaviour of the MDP − first need to resolve the nondeterministic choices − …which results in a DTMC − …for which we can define a probability measure over paths 14

Adversaries • An adversary resolves nondeterministic choice in an MDP − adversaries are also known as “schedulers” or “policies” • Formally: − an adversary A of an MDP M is a function mapping every finite path ω = s 0 (a 1 , μ 1 )s 1 ...s n to an element of Ste Steps(s n ) • For each A can define a probability measure Pr A s over paths − constructed through an infinite state DTMC (Path A fin (s),s,P A s ) − states of the DTMC are the finite paths of A starting in state s − initial state is s (the path starting in s of length 0) − P A s ( ω , ω ’)= μ (s) if ω ’= ω (a, μ )s and A( ω )=(a, μ ) − P A s ( ω , ω ’)=0 otherwise 15

Adversaries - Examples • Consider the previous example MDP − note that s 1 is the only state for which |St Steps eps(s)| > 1 − i.e. s 1 is the only state for which an adversary makes a choice − let μ b and μ c denote the probability distributions associated with actions b and c in state s 1 {heads} • Adversary A 1 s 2 {init} 0.5 a a 1 − picks action c the first time 1 s 0 s 1 c 1 − A 1 (s 0 s 1 )=(c, μ c ) a s 3 0.7 b 0.5 0.3 {tails} • Adversary A 2 − picks action b the first time, then c − A 2 (s 0 s 1 )=(b, μ b ), A 2 (s 0 s 1 s 1 )=(c, μ c ), A 2 (s 0 s 1 s 0 s 1 )=(c, μ c ) 16

Adversaries - Examples • Fragment of DTMC for adversary A 1 − A 1 picks action c the first time {heads} s 2 {init} 0.5 a a 1 1 s 0 s 1 c 1 a s 3 0.7 b 0.5 0.3 {tails} 1 0.5 s 0 s 1 s 2 s 0 s 1 s 2 s 2 1 s 0 s 0 s 1 s 0 s 1 s 3 s 0 s 1 s 3 s 3 0.5 1 17

Adversaries - Examples {heads} • Fragment of DTMC for adversary A 2 s 2 − A 2 picks action b, then c {init} a 1 0.5 a 1 s 0 s 1 c 1 a s 3 0.7 b 0.5 0.3 {tails} 0.5 s 0 s 1 s 0 s 1 s 2 1 s 0 s 1 s 0 s 0 s 1 s 0 s 1 0.7 s 0 s 1 s 0 s 1 s 3 0.5 1 s 0 s 1 s 0 1 0.5 s 0 s 1 s 1 s 2 s 0 s 1 s 1 s 2 s 2 0.3 s 0 s 1 s 1 s 0 s 1 s 1 s 3 s 0 s 1 s 1 s 3 s 3 0.5 1 18

Overview • Nondeterminism • Markov decision processes (MDPs) − definition, examples, adversaries, probabilities • Properties of MDPs: The logic PCTL − syntax, semantics, equivalences, … • PCTL model checking − algorithms, examples, … • Costs and rewards 19

PCTL • Temporal logic for describing properties of MDPs − identical syntax to the logic PCTL for DTMCs ψ is true with probability ~p − φ ::= true | a | φ ∧ φ | ¬ φ | P ~p [ ψ ] (state formulas) | φ U ≤ k φ − ψ ::= X φ | φ U φ (path formulas) “bounded “next” “until” until” − where a is an atomic proposition, used to identify states of interest, p ∈ [0,1] is a probability, ~ ∈ {<,>, ≤ , ≥ }, k ∈ ℕ 20