Model Repair

Model Repair for Probabilis0c Systems

Ezio Bartocci

JOINT WORK WITH R. GROSU, P. KATSAROS, CR RAMAKRISHNAN, S. SMOLKA

  Motivation   The Model Repair problem   Model Repair as a nonlinear programming

problem   Model Repair feasibility & optimality   Related Work   Conclusion

E. BARTOCCI, R. GROSU, P. KATSAROS, CR RAMAKRISHNAN, S. SMOLKA TACAS 2011

Model Repair for Probabilistic Systems

2

Presentation Outline

Motivation (1/3)

  Model Checking problem: Given a model M and a temporal logic formula φ determine if M |= φ.   If φ is not satisfied, the model checker returns a

counterexample, i.e. an execution path in M leading to the violation of φ.

  Are existing model checkers adequate in assisting the analyst to repair a model that fails to satisfy a formula? Can we do it better?

  Model Repair: aims to automate the repair process assuming the problem lies within M and not in φ.

3



Motivation (2/3)

  The Model Repair problem in Probabilistic Systems: Given a probabilistic model M and a probabilistic temporal logic formula φ such that M fails to satisfy φ, find an M’ that satisfies φ and differs from M only in the transition flows of those states in M that are deemed controllable. The cost associated with modifying the transition flows of M should be minimized.

  which states are controllable

depends on the model parameters that can be tuned for some modeled system

  cost:

find the minimal change in the parameters to be tuned

4



Motivation (3/3)

  Motivating examples: Fair die simulated by fair coin “Formal analysis of the Kaminsky

(Knuth & Yao, 76) DNS cache-poisoning attack

using prob. model checking”

Alexiou, Deshpande, Basagiannis Smolka, Katsaros, HASE 2010

Continuous Time Markov Chain

Attack fix: randomize the UDP port

used in name-resolution requests.

Problem: what is the minimum bias Problem: what is the minimum

for the coin to satisfy the property range of port id values that should be used, such that the attack prob

5



parameter that can be controlled




6



  For probabilistic systems, Model Repair is expressed as a new version of parametric probabilistic model checking, which is shown to yield a nonlinear optimization problem with a minimal-cost objective function.

  Preliminaries on Parametric Probabilistic Model Checking (Daws, 2005 & Hahn et al, 2010)   A parametric DTMC (PDTMC) is a tuple , where S

is a finite set of states, is the initial state and for a finite set of parameters.

  For a PDTMC, an evaluation is said to be valid, if the induced probability transition matrix is such that


7

The Model Repair problem (1/8)


$ield of real-‐valued rational functions over V

stochastic

  Preliminaries on Parametric Probabilistic Model Checking   For a PDTMC D and a PCTL formula (Prob. Comp. Tree Logic)

with , Daws defines the derived finite state automaton with   finite alphabet the rational functions for the non-zero elements of   transition function derived from   set of final states that depends on ψ.

  Also, every member of R(Σ) -regular expressions over alphabet Σ- is translated into a multivariate rational function by using

which is inductively defined by the rules:

where E. BARTOCCI, R. GROSU, P. KATSAROS, CR RAMAKRISHNAN, S. SMOLKA TACAS 2011


8


The Model Repair problem (3/8) 9


3

1

2

0

3

4

5

6

b 1-b

1-b

b 1-b

b

1-b


=?

p.a.((b.a)*.(1-b)

pa 11− ba

(1− b)⎛⎝⎜

⎞⎠⎟=

16

if p = a = (1− b) = 12

Example

  Preliminaries on Parametric Probabilistic Model Checking   It is proved that comp(α) yields a probability measure of the set of

paths in from s0 to some state sf in Sf.   The set of paths satisfying a PCTL formula without nested

probabilistic quantifiers is characterized as a derived finite state automaton and:

Proposition For a PDTMC D and a PCTL formula , with ψ a path formula, let α be the regular expression for L( ). Then,

  Hahn et al have extended parametric probabilistic model checking to bounded reachability properties.

  PARAM tool for parametric probabilistic model checking (Hahn et al, 2010).


10



  Controllable DTMC Introduce a matrix Z that implements a strategy for altering or controlling the behavior of a DTMC for the purpose of repair.

Definition A controllable DTMC over a set of parameters V is a tuple , where is a DTMC and

is a matrix such that . A state is a controllable state of ,if such that .


11



DTMC controllable

DTMC

s0, s2 controllable by Z

set of linear combinations of elements in V

  The constraint on Z implies that the control strategy embodied in Z should neither change the structure of the DTMC nor its stochasticity.

  Which states of the DTMC are controllable depends on the model parameters that can be tuned. In general, a model may be repaired by a number of different strategies.


12



Model Repair with the use of a single biased coin

Model Repair with three different biased coins

  Model Repair seeks to manipulate the parameters of the controllable DTMC in order to obtain a DTMC D’, such that D’, s0 |= φ and the cost of deriving probability transition matrix from is minimized.

Definition Let be a controllable DTMC over the parameters V, the DTMC underlying , φ a PCTL formula for which

and g(v) a possibly nonlinear cost function, which is always positive, continuous, and differentiable.

The Model Repair problem is to find a DTMC where is an evaluation function satisfying the following conditions:


13



evaluation function minimizing the cost to

derive P’

  Condition 3: insertion of new transitions and elimination of existing ones is not allowed

  A typical cost function is with weights specifying that some parameters affect the model to a greater extent than others. For , g is the square of the L2-norm .

  The repair process as defined is robust in the following sense: Proposition A controllable DTMC and its repaired version D’ are ε-bisimilar (Giacalone, Jou & Smolka, 1990), where ε is the largest value in the matrix .


14






15



  If , from we derive by parametric model checking a nonlinear constraint , where f is a multivariate rational function and .

Proposition A solution to the Model Repair problem satisfies the constraints of the following nonlinear program (NLP):

with


16

Model Repair by nonlinear progr. (1/4)


Constraints which assure that evaluation u

is valid

Constraint derived by parametric model

checking

  IPOPT tool for large-scale nonlinear optimization.

  All nonlinear optimization algorithms search for a locally feasible solution to the problem.

  Such a solution can be found by initiating the search from the point , representing the no-change scenario.

  If no solution is found, the problem is locally infeasible and the analyst has to initiate a new search from another point or to prove that the problem is not feasible.


17



  Knuth & Yao fair die problem


18



Solution found for Solution found for

  CTMC for the Kaminsky DNS cache-poisoning attack Model Repair to find the minimum range of port id values such that


19



Result found for the embedded DTMC

Time needed for parametric model checking with PARAM

Nonlinear optimization with Ipopt is instatntaneous




20



Model Repair is not feasible for b < 2/3

When is Model Repair not feasible?


21

Model Repair feasibility & optimality (1/5)


  For the Model Repair nonlinear program

we consider such that (or )

  Model Repair is feasible when the program NLPf is feasible


22



  For the Model Repair nonlinear program the Lagrangian function is defined as

  The Lagrange dual function

yields the minimum of the Lagrangian function over .

  The Lagrange dual function for NLPf is

  The Lagrange dual problem for NLPf is


23



Proposition (Boyd et al, 2003)

If the Lagrange dual problem of NLPf is feasible, then the NLP for model repair is infeasible. Conversely, if NLP is feasible, then the Lagrange dual problem of NLPf is infeasible.

The Lagrangian dual function for the NLPf program is

with and λ1, λ2 > 0. The rational function for the path formula is minimized in v1=0 and therefore

The Lagrange dual problem of NLPf becomes feasible when b < 2/3 and in this case the NLP for repairing the model becomes infeasible.


24



λ0 ≥ 0

  A local minimizer satisfies the so-called Karush-Kuhn-Tucker conditions, if it fulfills certain constraint qualifications.

  Because all the parameters are bounded, we can check global optimality with an appropriate constraint solver.

  In our examples global optimality was verified by RealPaver (Granvilliers et al, 2006).


25







26


Non-probabilistic systems

  “Enhancing model checking in verification by AI techniques”

Buccafurri et al, Artificial Intelligence, 112 (1-2), 57-104, 1999

Determine a suitable modification of a Kripke model by abductive reasoning. No cost is considered for a model repair.

  “Complexity results in revising UNITY programs”

Bonakdarpour et al, ACM Trans. on Auton. & Ad. Sys., 4 (1), 1-28, 2009

Automatically revise programs with respect to UNITY properties, such that the revised program satisfies a previously failed property, while preserving the other properties.

  “Program repair as a game” Jobstmann et al, CAV, LNCS 3576, 226-238, 2005

A game-based approach for automatically fixing faults in a finite-state program against an LTL property specification.



27

Related Work (1/2)

Probabilistic systems

  “Parametric probabilistic transition systems for system design and analysis”

Lanotte et al, Formal Aspects of Computing, 19 (1), 93-109, 2007

Parametric models are considered, for which it is shown that finding parameter values for a property to be satisfied is in general undecidable.

  “A model checking approach to the parameter estimation of biochemical pathways”

Donaldson et al, CMSB, LNCS 5307, 269-287, 2008

A simulation-based Monte Carlo model checker together with a genetic algorithm drive a parameter estimation process by reducing the distance between the desired behavior and the actual behavior.

  “Approximate parameter synthesis for probabilistic time-bounded reachability”

Han et al, RTSS, IEEE, 173-182, 2008

Approximation for parameter synthesis focused on parametric CTMCs and time-bounded properties.



28

Related Work (2/2)


29

Conclusion

  We defined the problem of Model Repair in probabilistic systems.   A non-trivial extension of parametric probabilistic model checking,   Model Repair is solved by nonlinear optimization program with a

minimal-cost objective function.   We investigated Model Repair feasibility and optimality. We

implemented and benchmarked the Model Repair problem with existing tools.

  Future work:   Investigate the problem of online Model Repair.   Better understand the relation between the Model Repair and controller

synthesis problems.



30


Technology

Model Repair