Probabilistic model checking with PRISM: an overview
Marta Kwiatkowska, Department of Computer Science, University of Oxford
EQINOCS, Paris, January 2014
What is probabilistic model checking?
• Probabilistic model checking…
− is a formal verification technique for modelling and analysing systems that exhibit probabilistic behaviour
• Formal verification…
− is the application of rigorous, mathematics-based techniques to establish the correctness of computerised systems
Why formal verification?
• Errors in computerised systems can be costly…
− Pentium chip (1994): bug found in FPU. Intel (eventually) offers to replace faulty chips. Estimated loss: $475m.
− Infusion pumps (2010): patients die because of incorrect dosage. Cause: software malfunction. 79 recalls.
− Toyota Prius (2010): software “glitch” found in anti-lock braking system. 185,000 cars recalled.
• Why verify?
− “Testing can only show the presence of errors, not their absence.” [Edsger Dijkstra]
Model checking
[Figure: model checking workflow] The system is abstracted into a finite-state model and the requirements are written as a temporal logic specification (e.g. ¬EF fail). A model checker (e.g. SMV, Spin) takes both and returns a result, or a counter-example when the property fails.
Probabilistic model checking
[Figure: probabilistic model checking workflow] The system is abstracted into a probabilistic model (e.g. a Markov chain, with transition probabilities such as 0.4, 0.5, 0.1) and the requirements into a probabilistic temporal logic specification (e.g. PCTL, CSL, LTL; for instance P<0.1 [ F fail ]). A probabilistic model checker (e.g. PRISM) returns a result, quantitative results, or a counter-example.
Why probability?
• Some systems are inherently probabilistic…
• Randomisation, e.g. in distributed coordination algorithms
− as a symmetry breaker, in gossip routing to reduce flooding
• Examples: real-world protocols featuring randomisation:
− Randomised back-off schemes: CSMA protocol, 802.11 Wireless LAN
− Random choice of waiting time: IEEE1394 Firewire (root contention), Bluetooth (device discovery)
− Random choice over a set of possible addresses: IPv4 Zeroconf dynamic configuration (link-local addressing)
− Randomised algorithms for anonymity, contract signing, …
• To model uncertainty and performance
− to quantify rate of failures, express Quality of Service
• Examples:
− computer networks, embedded systems
− power management policies
− nano-scale circuitry: reliability through defect-tolerance
• To model biological processes
− reactions occurring between large numbers of molecules are naturally modelled in a stochastic fashion
Verifying probabilistic systems
• We are not just interested in correctness
• We want to be able to quantify:
− security, privacy, trust, anonymity, fairness
− safety, reliability, performance, dependability
− resource usage, e.g. battery life
− and much more…
• Quantitative, as well as qualitative requirements:
− how reliable is my car’s Bluetooth network?
− how efficient is my phone’s power management policy?
− is my bank’s web-service secure?
− what is the expected long-run percentage of protein X?
Probabilistic models
                  | Fully probabilistic                    | Nondeterministic
Discrete time     | Discrete-time Markov chains (DTMCs)    | Markov decision processes (MDPs), Simple stochastic games (SMGs)
                  |                                        | Probabilistic timed automata (PTAs)
Continuous time   | Continuous-time Markov chains (CTMCs)  | Interactive Markov chains (IMCs)
Overview
• Introduction
• Model checking for discrete-time Markov chains (DTMCs)
− DTMCs: definition, paths & probability spaces
− PCTL model checking
− Costs and rewards
− Case studies: Bluetooth, (CTMC) DNA computing
• PRISM: overview
− Functionality, GUI, etc.
• PRISM: recent developments
− e.g. multi-objective, parametric, etc.
• Summary
Discrete-time Markov chains
• Discrete-time Markov chains (DTMCs)
− state-transition systems augmented with probabilities
• States
− discrete set of states representing possible configurations of the system being modelled
• Transitions
− transitions between states occur in discrete time-steps
• Probabilities
− probability of making transitions between states is given by discrete probability distributions
[Figure: running example DTMC] States s0 (labelled {try}), s1, s2 (labelled {fail}) and s3 (labelled {succ}); transitions s0→s1 with probability 1, s1→s1 with 0.01, s1→s2 with 0.01, s1→s3 with 0.98, and self-loops with probability 1 on s2 and s3.
Discrete-time Markov chains
• Formally, a DTMC D is a tuple $(S, s_{init}, \mathbf{P}, L)$ where:
− $S$ is a finite set of states (“state space”)
− $s_{init} \in S$ is the initial state
− $\mathbf{P} : S \times S \to [0,1]$ is the transition probability matrix, where $\sum_{s' \in S} \mathbf{P}(s,s') = 1$ for all $s \in S$
− $L : S \to 2^{AP}$ is a function labelling states with atomic propositions
• Note: no deadlock states
− i.e. every state has at least one outgoing transition
− can add self loops to represent final/terminating states
[Figure: the running example DTMC, as on the previous slide]
Paths and probabilities
• A (finite or infinite) path through a DTMC
− is a sequence of states $s_0 s_1 s_2 s_3 \ldots$ such that $\mathbf{P}(s_i, s_{i+1}) > 0$ for all $i$
− represents an execution (i.e. one possible behaviour) of the system which the DTMC is modelling
• To reason (quantitatively) about this system
− need to define a probability space over paths
• Intuitively:
− sample space: Path(s) = set of all infinite paths from a state s
− events: sets of infinite paths from s
− basic events: cylinder sets (or “cones”)
− cylinder set C(ω), for a finite path ω = set of infinite paths with the common finite prefix ω
− for example: C(s s1 s2)
Probability space over paths
• Sample space Ω = Path(s), the set of infinite paths with initial state s
• Event set $\Sigma_{Path(s)}$
− the cylinder set $C(\omega) = \{ \omega' \in Path(s) \mid \omega \text{ is a prefix of } \omega' \}$
− $\Sigma_{Path(s)}$ is the least σ-algebra on Path(s) containing $C(\omega)$ for all finite paths ω starting in s
• Probability measure $Pr_s$
− define probability $\mathbf{P}_s(\omega)$ for finite path $\omega = s s_1 \ldots s_n$ as:
• $\mathbf{P}_s(\omega) = 1$ if ω has length one (i.e. ω = s)
• $\mathbf{P}_s(\omega) = \mathbf{P}(s, s_1) \cdot \ldots \cdot \mathbf{P}(s_{n-1}, s_n)$ otherwise
− define $Pr_s(C(\omega)) = \mathbf{P}_s(\omega)$ for all finite paths ω
− $Pr_s$ extends uniquely to a probability measure $Pr_s : \Sigma_{Path(s)} \to [0,1]$
• See [KSK76] for further details
Probability space - Example
• Paths where sending fails the first time
− ω = s0 s1 s2
− C(ω) = all paths starting s0 s1 s2 …
− $\mathbf{P}_{s_0}(\omega) = \mathbf{P}(s_0, s_1) \cdot \mathbf{P}(s_1, s_2) = 1 \cdot 0.01 = 0.01$
− $Pr_{s_0}(C(\omega)) = \mathbf{P}_{s_0}(\omega) = 0.01$
• Paths which are eventually successful and with no failures
− $C(s_0 s_1 s_3) \cup C(s_0 s_1 s_1 s_3) \cup C(s_0 s_1 s_1 s_1 s_3) \cup \ldots$
− $Pr_{s_0}( C(s_0 s_1 s_3) \cup C(s_0 s_1 s_1 s_3) \cup C(s_0 s_1 s_1 s_1 s_3) \cup \ldots )$
  $= \mathbf{P}_{s_0}(s_0 s_1 s_3) + \mathbf{P}_{s_0}(s_0 s_1 s_1 s_3) + \mathbf{P}_{s_0}(s_0 s_1 s_1 s_1 s_3) + \ldots$
  $= 1 \cdot 0.98 + 1 \cdot 0.01 \cdot 0.98 + 1 \cdot 0.01 \cdot 0.01 \cdot 0.98 + \ldots$
  $= 0.9898989898\ldots = 98/99$
PCTL
• Temporal logic for describing properties of DTMCs
− PCTL = Probabilistic Computation Tree Logic [HJ94]
− essentially the same as the logic pCTL of [ASB+95]
• Extension of (non-probabilistic) temporal logic CTL
− key addition is probabilistic operator P
− quantitative extension of CTL’s A and E operators
• Example
− send → P≥0.95 [ true U≤10 deliver ]
− “if a message is sent, then the probability of it being delivered within 10 steps is at least 0.95”
PCTL syntax
• PCTL syntax:
− φ ::= true | a | φ ∧ φ | ¬φ | P~p [ ψ ]   (state formulas; P~p [ ψ ] reads “ψ is true with probability ~p”)
− ψ ::= X φ | φ U≤k φ | φ U φ   (path formulas: “next”, “bounded until”, “until”)
− define F φ ≡ true U φ (eventually), G φ ≡ ¬(F ¬φ) (globally)
− where a is an atomic proposition, used to identify states of interest, p ∈ [0,1] is a probability, ~ ∈ {<,>,≤,≥}, k ∈ ℕ
• A PCTL formula is always a state formula
− path formulas only occur inside the P operator
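To make the probability-space example and the PCTL path operators concrete, here is an added Python example (not from the slides and not PRISM's own code) that encodes the running DTMC with exact fractions and computes the probability of a finite path, of a bounded until φ U≤k ψ, and of an unbounded until φ U ψ. The state names, labels and transition probabilities are assumed from the figure; the 98/99 value from the example slide is recovered exactly.

```python
from fractions import Fraction as Fr

# Running example DTMC from the slides, constructed here as data: s0 {try}, s1,
# s2 {fail}, s3 {succ}; P(s0,s1)=1, P(s1,s1)=P(s1,s2)=0.01, P(s1,s3)=0.98.
STATES = ["s0", "s1", "s2", "s3"]
P = {("s0", "s1"): Fr(1), ("s1", "s1"): Fr(1, 100), ("s1", "s2"): Fr(1, 100),
     ("s1", "s3"): Fr(98, 100), ("s2", "s2"): Fr(1), ("s3", "s3"): Fr(1)}
LABELS = {"s0": {"try"}, "s2": {"fail"}, "s3": {"succ"}}

def prob(s, t):
    return P.get((s, t), Fr(0))

def sat(s, a):  # state s satisfies atomic proposition a ('true' holds everywhere)
    return a == "true" or a in LABELS.get(s, set())

def path_prob(path):
    """P_s(omega) for a finite path omega = s s1 ... sn: product along it."""
    result = Fr(1)
    for a, b in zip(path, path[1:]):
        result *= prob(a, b)
    return result

def bounded_until(phi, psi, k):
    """Prob_s(phi U<=k psi) for every s, by k backward iterations."""
    x = {s: Fr(int(sat(s, psi))) for s in STATES}
    for _ in range(k):
        x = {s: Fr(1) if sat(s, psi) else Fr(0) if not sat(s, phi) else
             sum(prob(s, t) * x[t] for t in STATES) for s in STATES}
    return x

def until(phi, psi):
    """Prob_s(phi U psi) for every s: states that cannot reach psi through
    phi-states get 0; for the rest solve x_s = sum_t P(s,t) x_t exactly."""
    yes = {s for s in STATES if sat(s, psi)}
    reach = set(yes)
    for _ in STATES:  # backward reachability of psi through phi-states
        reach |= {s for s in STATES if sat(s, phi)
                  and any(t in reach for t in STATES if prob(s, t) > 0)}
    unk = [s for s in STATES if s in reach and s not in yes]
    n = len(unk)
    # Row s: x_s - sum_{t in unk} P(s,t) x_t = sum_{t in yes} P(s,t); nonsingular M-matrix, no pivoting needed
    A = [[Fr(int(s == t)) - prob(s, t) for t in unk] +
         [sum(prob(s, t) for t in yes)] for s in unk]
    for i in range(n):  # Gauss-Jordan elimination with exact fractions
        A[i] = [v / A[i][i] for v in A[i]]
        for r in range(n):
            if r != i and A[r][i] != 0:
                A[r] = [rv - A[r][i] * iv for rv, iv in zip(A[r], A[i])]
    return {**{s: Fr(int(s in yes)) for s in STATES},
            **{s: A[i][n] for i, s in enumerate(unk)}}
```

`until("true", "succ")["s0"]` is the quantity a PRISM query P=? [ F succ ] would report for this model, and `bounded_until` gives the value behind a property such as P≥p [ true U≤k succ ].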