Verifying social expectations by model checking truncated paths - PowerPoint PPT Presentation

Verifying social expectations by model checking truncated paths Stephen Cranefield Department of Information Science University of Otago, Dunedin, New Zealand and Michael Winikoff School of CS & IT, RMIT University, Melbourne, Australia

Relationship to other papers in the session • Spoletini and Verdicchio – Monitoring commitments (vs. “social expectations”) – Language is a propositional temporal logic – Application of model checking (automata vs. labelling approaches) – Different viewpoint when representing commitments – Applicable to online monitoring only? (may not avoid premature fulfilment in offline mode) – Basic architecture proposed (word composer and word analyser) – Separation of past and present operators

• Lacroix et al. – Generating behaviour for simulations vs. analysing observed behaviour – Spatial rather than temporal focus – Parameter-based rather than logical model of institutions and norms

Motivation • ANIREM@AAMAS’05

Motivation • ANIREM@AAMAS’05 • Language for expressing If you pay me the fe If you pay me the fee for e for conditional expectations this service, this service, starting starting with a rich temporal structure the week after payment is the week after payment is made, each week made, each week for a year I will send a for a year I will send a current market current market analysis report to you, analysis report to you, unless you cancel the unless you cancel the subscription subscription first. first.

Motivation • ANIREM@AAMAS’05 • Language for expressing conditional expectations with a rich temporal structure hyMITL ± combined Metric • Interval Temporal Logic with 1 st order CTL ± (with bounded quantification) and hybrid logic

Motivation • ANIREM@AAMAS’05 • Language for expressing conditional expectations with a rich temporal structure hyMITL ± combined Metric • Interval Temporal Logic with 1 st order CTL ± (with bounded quantification) and hybrid logic • Evolution of expectations using formula progression

Motivation • ANIREM@AAMAS’05 • Language for expressing conditional expectations with a rich temporal structure hyMITL ± combined Metric • Interval Temporal Logic with 1 st order CTL ± (with bounded quantification) and hybrid logic • Evolution of expectations using formula progression • Process defined algorithmically, not logically

Goals of this work • Provide a logical account of the fulfilment and violation of temporally rich social expectations over observed histories • Introduce expectations by rules. Informally: l → Exp r • Express expectations in terms of the current time point (i.e. use formula progression to carry then forward) • Show that the theory can be implemented in a model checker – Currently need restriction to propositional temporal logic “Model checking a path” r … p p q For each state in model: φ Yes/No

Points of difference • The concept of social expectations as a generalisation of learned regularities, promises, formal commitments, etc. – Abstracts away from social context (e.g. debtor and creditor for a commitment) and the implications of violation and fulfilment – Focuses on conditional activation (dependent on history and current state), and monitoring to determine fulfilment and violation • Online vs. offline monitoring – Online: events arrive sequentially and the new last state in the history is checked for fulfilments and violations – Offline: traces may be kept for later analysis. All states in the provided history need to be checked

Our logic • A hybrid propositional temporal logic, with past and future operators (an extension of the Hybrid Logics Model Checker’s language): • Plus derived temporal operators Exp, Fulf, Viol and Progress (more detail later)

Premature fulfilment in offline monitoring (informal notation) ?

Premature fulfilment in offline monitoring (informal notation) Unknown at s 1

Semantics on complete paths Model ( ℳ ) … … V: Props →℘ (States) ⊨ Op( φ 1 , … , φ n ) Variable bindings iff … g: StateVars → States Some constraint Point in model on the model structure

Semantics on truncated paths • Based on work of Eisner et al. (2003). • Introduce Trunc S operator (truncate and use “strong” semantics) Model ( ℳ ) … … V: Props →℘ (States) ⊨ Trunc S φ iff … Variable bindings g: StateVars → States Point in model

Semantics on truncated paths • Based on work of Eisner et al. (2003). • Introduce Trunc S operator (truncate and use “strong” semantics) Model ( ℳ ) Model ( ℳ ) � … … … … V: Props →℘ (States) V: Props →℘ (States) ⊨ + φ Variable bindings Variable bindings g: StateVars → States g: StateVars → States Point in model Point in model

Strong ( ⊨ + ) vs. weak ( ⊨ - ) semantics ℳ, g, i ⊨ + φ : φ strongly holds at index i of model ℳ . ℳ “supplies all the evidence needed” to conclude that φ holds ℳ, g, i ⊨ - φ : φ weakly holds at index i of model ℳ . ℳ “carries no evidence” against φ

Strong semantics If i > | ℳ | ℳ, g, i ⊭ + φ (Skeptical) else ℳ, g, i ⊨ + p (for proposition p) iff s i ∈ V(p) ℳ, g, i ⊨ + ¬φ iff ℳ, g, i ⊭ - φ iff ℳ, g, i ⊨ + φ and ℳ, g, i ⊨ + ϕ ℳ, g, i ⊨ + φ ∧ ϕ iff ℳ, g, i+1 ⊨ + φ ℳ, g, i ⊨ + 〇 φ ℳ, g, i ⊨ + φ U ϕ ∃ k ≥ i: iff ℳ, g, k ⊨ + ϕ and ∀ j s.t. i ≤ j < k, ℳ, g, j ⊨ + φ …

Weak semantics If i > | ℳ | ℳ, g, i ⊨ - φ (Generous) else ℳ, g, i ⊨ - p (for proposition p) iff s i ∈ V(p) ℳ, g, i ⊨ - ¬φ iff ℳ, g, i ⊭ + φ ℳ, g, i ⊨ - φ ∧ ϕ iff ℳ, g, i ⊨ - φ and ℳ, g, i ⊨ - ϕ iff ℳ, g, i+1 ⊨ - φ ℳ, g, i ⊨ - 〇 φ ℳ, g, i ⊨ - φ U ϕ ∃ k ≥ i: iff ℳ, g, k ⊨ - ϕ and ∀ j s.t. i ≤ j < k, ℳ, g, j ⊨ - φ …

Defining Fulf and Viol • Fulf φ ≡ Exp φ ∧ Trunc S φ • Viol φ ≡ Exp φ ∧ Trunc S ¬φ

Carrying forward unresolved expectations • Expections should always be expressed in terms of the current state: � – Exp 〇 φ � Exp φ • Expectations should be simplified if partially satisfied in previous state � – Exp (p ∧ 〇 φ ) � Exp φ if p held in the earlier state • This is the notion of formula progression (Bacchus and Kabanza, 2000), so we have (informally, again): – Exp φ ∧ ¬ Fulf φ ∧ ¬ Viol φ ∧ Progress( φ , ϕ ) → 〇 Exp ϕ

Comparison with the Verdicchio and Colombetti semantics V&C: Done(e, mc(a, b, ûû p)) p … Comm(e,a,b, ûû p) Comm(e,a,b, ûû p) Comm(e,a,b, ûû p) Fulf(e,a,b ûû p) Our approach: p … Exp(l,r,n, ûû p) Exp(l,r,n, û p) Exp(l,r,n,p) Progress( ûû p, û p) Progress( û p,p) Fulf p

Formula progression

Semantics of progression

Monitoring expectations using HLMC • The Hybrid Logics Model Checker (HLMC) [Dragone, 2005] – Inputs: an XML representation of a model and a textual encoding of the formula to be checked. The model can have multiple modalities with no restrictions on their structure. – Output: List of states in which the formula is true – Two algorithms: MCLITE (binders excluded from language; runs in polynomial time) and MCFULL (runs in polynomial space and time exponential on the nesting degree of binders in the formula) [Franceschet and de Rijke, 2006] MCFULL: a r ecursive algorithm that labels each subformula with true or false , for each – state, then uses those labels to label the formula itself – “ MCFULL can be viewed as a general model checker for the hybridization of any temporal logic” (by adding appropriate labelling subprocedures for each modal operator) • Extensions made: – Based on a restriction to a single “next state” modality – Generalised notion of a label: for each subformula and each state index i, store values under the weak and strong semantics for each possible future truncation point – Implement ExistsExp, ExistsFulf, ExistsViol and Progress modalities

The need for generalised labels

The MCFULL labelling procedure … … L i ( ¬ p ∩ û q) = ¤ i ≤ k ≤ n (L k ( û q) , ⁄ i ≤ j ≤ k L j ( ¬ p)) … … … … … … ¬ … … … … … … Labelling ↓ x φ (x) is a little more complicated (not discussed today) •

HLMC extensions Formula for ∩ is modified to act on generalised labels. Also, weak semantics allows U to act like W (weak until) up to truncation point Swap and negate copy If trunc’d after Labels under weak & strong State semantics “Generalised label”

Hypothetical Exp, Fulf and Viol modalities • We use these versions of Exp, Fulf and Viol: – Exp( λ , ρ , n, φ ) Fulf( λ , ρ , n, φ ) Viol( λ , ρ , n, φ ) If we had a rule with condition λ and expectation ρ , the rule would have fired at the state named by nominal n, giving rise to the [fulfilled or violated] expectation φ in the current state (Note: ρ may have become φ by multiple progression steps) • We actually implement ExistsExp( λ , ρ ), etc. – “There exists some pair (n, φ ) making Exp( λ , ρ , n, φ ) true” • For each state, the extended model checker reports all such pairs making the input formula Exists…( λ , ρ )