Monitoring the full range of ω-regular properties of Stochastic Systems

Transcription

1 Monitoring the full range of ω-regular properties of Stochastic Systems Kalpana Gondi, Yogesh K. Patel, A. Prasad Sistla University of Illinois at Chicago

2 Outline of the talk Motivation

3 Outline of the talk Motivation Monitoring Stochastic Systems

4 Outline of the talk Motivation Monitoring Stochastic Systems Deterministic, Probabilistic, Hybrid Algorithms

5 Outline of the talk Motivation Monitoring Stochastic Systems Deterministic, Probabilistic, Hybrid Algorithms Implementation

6 Motivation A component C, not thouroughly tested/verified.

7 Motivation A component C, not thouroughly tested/verified. C may exhibit computations that violate the correctness spec Φ

8 Motivation A component C, not thouroughly tested/verified. C may exhibit computations that violate the correctness spec Φ Need a monitor M that detects incorrect computations at run time

9 Motivation A component C, not thouroughly tested/verified. C may exhibit computations that violate the correctness spec Φ Need a monitor M that detects incorrect computations at run time M observes the computation of C and checks for violation of Φ

10 Another Motivation Liveness of C verified assuming fairness.

11 Another Motivation Liveness of C verified assuming fairness. Need to monitor C for violation of liveness or fairness.

12 Solution If Φ is Safety Property then easy ([AS85,Si85,Si87,KV99])

13 Solution If Φ is Safety Property then easy ([AS85,Si85,Si87,KV99]) How to monitor general Φ??

14 Solution If Φ is Safety Property then easy ([AS85,Si85,Si87,KV99]) How to monitor general Φ?? Φ conjunction of a safety and a liveness property

15 Solution If Φ is Safety Property then easy ([AS85,Si85,Si87,KV99]) How to monitor general Φ?? Φ conjunction of a safety and a liveness property Over approximate Φ by a safety property [AR05] (Liberal Monitor)

16 Solution If Φ is Safety Property then easy ([AS85,Si85,Si87,KV99]) How to monitor general Φ?? Φ conjunction of a safety and a liveness property Over approximate Φ by a safety property [AR05] (Liberal Monitor) Under approximate it by a safety property [MSSZ05,SZZ06] (Conservative Monitor)

17 Comparison to earlier work Earlier Work [SS08]: Deterministic Monitors for the case Φ is a Det. Buchi automaton.

18 Comparison to earlier work Earlier Work [SS08]: Deterministic Monitors for the case Φ is a Det. Buchi automaton. New Work:

19 Comparison to earlier work Earlier Work [SS08]: Deterministic Monitors for the case Φ is a Det. Buchi automaton. New Work: Φ is a Det. Streett automaton all ω-regular properties.

20 Comparison to earlier work Earlier Work [SS08]: Deterministic Monitors for the case Φ is a Det. Buchi automaton. New Work: Φ is a Det. Streett automaton all ω-regular properties. Accurate Deterministic, Probablistic and Hybrid Algs.

21 Comparison to earlier work Earlier Work [SS08]: Deterministic Monitors for the case Φ is a Det. Buchi automaton. New Work: Φ is a Det. Streett automaton all ω-regular properties. Accurate Deterministic, Probablistic and Hybrid Algs. Implementation: Tool Stochastic Monitor(SM)

22 Monitoring Stochastic Systems A Hidden Markov Chain (HMC) is a pair (G,O) where G = (S,R,φ) is a finite Markov chain;

23 Monitoring Stochastic Systems A Hidden Markov Chain (HMC) is a pair (G,O) where G = (S,R,φ) is a finite Markov chain; O : S Σ is an output function

24 Monitoring Stochastic Systems A Hidden Markov Chain (HMC) is a pair (G,O) where G = (S,R,φ) is a finite Markov chain; O : S Σ is an output function Σ = 2 P, P set of atomic propositions

25 Monitoring Stochastic Systems A Hidden Markov Chain (HMC) is a pair (G,O) where G = (S,R,φ) is a finite Markov chain; O : S Σ is an output function Σ = 2 P, P set of atomic propositions Define E the class of measurable subsets of Σ ω as the smallest set so that For every α Σ, ασ ω E. Closed under complementation and countable union.

26 Example 1 1/3 s 0 1/3 s 1 P,Q Q 1/3 s 2 Q 1 For any state s, F s defines a probability measure on E. F s0 ( P) = 1 2.

27 Accuracy of a Monitor The system is given by a HMC H which is known.

28 Accuracy of a Monitor The system is given by a HMC H which is known. Outputs of H are observable but not the state

29 Accuracy of a Monitor The system is given by a HMC H which is known. Outputs of H are observable but not the state Correctness spec given by a det. Streett automaton A

30 Accuracy of a Monitor The system is given by a HMC H which is known. Outputs of H are observable but not the state Correctness spec given by a det. Streett automaton A Acceptance condition of A: Pairs of subsets (RED, GREEN)

31 Accuracy of a Monitor The system is given by a HMC H which is known. Outputs of H are observable but not the state Correctness spec given by a det. Streett automaton A Acceptance condition of A: Pairs of subsets (RED, GREEN) Construct a monitor M so that L(M) L(A). L(M) is a safety property.

32 Accuracy of a Monitor The system is given by a HMC H which is known. Outputs of H are observable but not the state Correctness spec given by a det. Streett automaton A Acceptance condition of A: Pairs of subsets (RED, GREEN) Construct a monitor M so that L(M) L(A). L(M) is a safety property. (Acceptance) Accuracy of M is the conditional probability F s0 (L(M) L(A)) s 0 initial system state.

33 Monitoring Algorithms Preprocessing 1

34 Monitoring Algorithms Preprocessing Compute Markov chain G the product of G and A. 1

35 Monitoring Algorithms Preprocessing Compute Markov chain G the product of G and A. A state (s,q) in G is good if F s (L(A q )) = 1 and bad if F s (L(A q )) is 0. A q same as A with starting state q. 1

36 Monitoring Algorithms Preprocessing Compute Markov chain G the product of G and A. A state (s,q) in G is good if F s (L(A q )) = 1 and bad if F s (L(A q )) is 0. A q same as A with starting state q. Compute good and bad states of G. 1

37 Monitoring Algorithms Preprocessing Compute Markov chain G the product of G and A. A state (s,q) in G is good if F s (L(A q )) = 1 and bad if F s (L(A q )) is 0. A q same as A with starting state q. Compute good and bad states of G. Simulates A on the sequence of system outputs. 1

38 Deterministic Monitoring Algorithm Maintains the following variables 1

39 Deterministic Monitoring Algorithm Maintains the following variables X: possible system states, initialized to {s 0 }. 1

40 Deterministic Monitoring Algorithm Maintains the following variables X: possible system states, initialized to {s 0 }. q: the automaton state, initialized to q 0. 1

41 Deterministic Monitoring Algorithm Maintains the following variables X: possible system states, initialized to {s 0 }. q: the automaton state, initialized to q 0. i: denotes the number of times an accepting automaton state is reached. Initialized to 0. 1

42 Deterministic Monitoring Algorithm Maintains the following variables X: possible system states, initialized to {s 0 }. q: the automaton state, initialized to q 0. i: denotes the number of times an accepting automaton state is reached. Initialized to 0. counter : denotes the number of expected outputs before an accepting automaton state. 1

43 Det. Alg. Continued Procedure GetInputAndU pdate(): Get next input from the system; Simulate A for one step and Update q as well as X; If all states in X {q} are good then accept; If all states in X {q} are bad then reject; 1

44 Deterministic Algorithm Contd Loop forever GetInputAndUpdate(); If q RED then counter := counter 1; If counter = 0 then reject; If q GREEN then {i := i + 1; counter := f(q,x,i)} 1

45 Theorem: For any y, 0 y < 1, there exists a constant c such that if f(q,x,i) = c i then the acceptance accuracy of the monitor is at least y. Theorem: If the HMC is fully visible, then the monitor can be simplified to have acceptance accuracy to be 1. 1

46 Example:Resource Acquisition T v 1 T t 1/2 1/2 1/2 w C 1 1/2 s N 1/3 N 1/3 s 1 1/3 1/3 w C t 1/3 T 1/3 s is the initial state. v the state where the server crashed. Property to be monitored (T C). Acceptance accuracy of 0.9 can be achieved by choosing k = 3. 1

47 Probabilistic Algorithm Uses probability variable p instead of counter. p initialized to probability value p 0. Uses variables X, q as before. Loop forever GetInputAndUpdate(); If q RED then reject with probability p; If q GREEN then p := p c 1

48 Probabilistic Algorithm Contd. Theorem: For any y, 0 y < 1, there exists constants p 0,c for which the acceptance accuracy of the monitor is at least y. 1

49 Hybrid Algorithm Combines both deterministic, probabilistic algs. Uses variable counter initialized to k. Uses variables X, q as before. 1

50 Hybrid Algorithm Contd. Loop forever GetInputAndUpdate(); If q RED then counter, Toss a fair coin; If counter = 0 then If last k coin tosses were tails then reject Else counter := k; If q GREEN then counter := + + k 1

51 Hybrid Algorithm Contd. Theorem: For any y, 0 y < 1, there exists an initail counter value such that the acceptance accuracy of the monitor is at least y. 2

52 Implementation Developed a tool : SM (Stochastic Monitor) Input: high level description of a synch. probabilistic program; Uses PRISM tool to obtain the Markov chain M; Takes automaton A as another input; Constructs product Markov Chain M ; Computes its good, bad product states; Generates a monitor using other parameters. 2

53 Experimental Results Considered three examples; Peterson s Mutual Excl Alg: Second process can die in the critical section; Property Monitored: (T 1 C 1 ); Mutual Excl with Semaphores: Second can die in the critical section Property Monitored: T 1 C 1 ; Bounded Retransmission Protocol: Packets can be lost in transmission; Property Monitored: The file will eventually be transmitted. 2

54 Experimental results Contd 2

55 Experimental Results Contd 2

56 Related Work Our [SS08] paper gave det algs for det.buchi automata Monitoring for safety properties done by many people [Si87], [KV99], etc. Recent work Amorium and Rosu (CAV2005) handle some liveness. Concentrate on evaluating efficiently atomic propositions in system states. The paper [PZZ 2005] uses game theoretic approach. 2

57 Conclusion Need to extend to Hidden Markov Decision Processes to handle asynchronous concurrency Other cost measures for tuning deterministic algs for HMCs. How to monitor for complex systems? Use Assume/guarantee paradigms. 2