11 research outputs found

    Towards Machine Learning Enhanced LTL Monitoring

    In this work, we outline an extension of a recently proposed framework for failure detection that additionally supports the detection of anomalies and of drops in performance of a given system. The extended framework is based on a tight integration of monitoring with unsupervised learning techniques, which are used to generate formulas able to capture possible deviations from the normal behaviour of the system or early signs of degradation phenomena. Other improvements to the framework are proposed as well, such as the use of canonical forms for the safety and cosafety (monitorable) fragments of temporal logics and support for assumption-based runtime verification.

    LTL over Finite Words Can Be Exponentially More Succinct Than Pure-Past LTL, and vice versa

    Linear Temporal Logic over finite traces (LTLf) has proved itself to be an important and effective formalism in formal verification as well as in artificial intelligence. Pure past LTLf (pLTL) is the logic obtained from LTLf by replacing each (future) temporal operator by a corresponding past one, and is naturally interpreted at the end of a finite trace. It is known that each property definable in LTLf is also definable in pLTL, and vice versa. However, despite their extensive use in practice, to the best of our knowledge there is no systematic study of their succinctness. In this paper, we investigate the succinctness of LTLf and pLTL. First, we prove that pLTL can be exponentially more succinct than LTLf by showing that there exists a property definable with a pLTL formula of size n such that the size of every LTLf formula defining it is at least exponential in n. Then, we prove that LTLf can be exponentially more succinct than pLTL as well. This result shows that, although expressively equivalent, LTLf and pLTL are incomparable as far as succinctness is concerned. In addition, we study the succinctness of Safety-LTL (the syntactic safety fragment of LTL over infinite traces) with respect to its canonical form G(pLTL), whose formulas are of the form G(α), G being the globally operator and α a pLTL formula. We prove that G(pLTL) can be exponentially more succinct than Safety-LTL, and that the same holds for the dual cosafety fragment.
    2012 ACM Subject Classification: Theory of computation → Modal and temporal logics; Theory of computation → Logic and verification.

    Probably Safe or Live

    This paper presents a formal characterisation of safety and liveness properties à la Alpern and Schneider for fully probabilistic systems. As in the classical setting, it is established that any (probabilistic tree) property is equivalent to a conjunction of a safety and a liveness property. A simple algorithm is provided to obtain such a property decomposition for flat probabilistic CTL (PCTL). A safe fragment of PCTL is identified that provides a sound and complete characterisation of safety properties. For liveness properties, we provide two PCTL fragments, a sound one and a complete one. We show that safety properties only have finite counterexamples, whereas liveness properties have none. We compare our characterisation for qualitative properties with the one for branching time properties by Manolios and Trefler, and present sound and complete PCTL fragments for characterising the notions of strong safety and absolute liveness coined by Sistla.

    An Abstract Interpretation-based Model for Safety Semantics

    In this paper, we describe safety semantics as an abstract interpretation of a trace-based operational semantics of a transition system. Intuitively, a property is a safety property if 'nothing bad will happen'. Formally, this is expressed by saying that a property is a safety property if it is maximal with respect to a given set of allowed partial executions. We show that this can be specified in Cousot's standard framework of abstract interpretation. In particular, we show that this semantics can be derived as the fixpoint of a semantic operator. This construction provides a formal characterization of the constructive nature of safety properties, which can be enforced by means of execution monitors. Using the same construction, we show that while safety without stuttering preserves the constructive nature, safety properties allowing cancellation of states lose the constructive characterization. Finally, we characterize safety properties as the closed elements of a closure, and we show that in the abstract interpretation framework safety and liveness properties lose their complementary nature.

    Linearna temporalna logika

    In this master's thesis we become acquainted with a kind of temporal logic that models time linearly, as a sequence of time instants isomorphic to the set ℕ. The thesis is divided into two parts: 'The language of LTL' and 'Formal verification'. In the first part we define the language of LTL, i.e. its syntax and semantics. Roughly, the language of LTL can be described as the language of classical propositional logic with a time component, in which the static way of interpreting formulas is replaced by a dynamic one, where the truth of a formula may change over time. After defining the syntax and semantics of LTL, still within the first part, we also examine an extension of LTL (so-called PLTL) in which there are temporal operators for the past as well. It turns out that adding past operators gains nothing in the expressiveness of the language, in the context of initial equivalence. That is, for every formula Φ of the extended LTL there is an LTL formula equivalent to Φ at the initial instant. This result is easily derived using Gabbay's separation theorem. At the end of the first chapter we also give some results concerning bounds on the complexity of transforming PLTL formulas into initially equivalent LTL formulas, i.e. the difference in size between PLTL formulas and the smallest LTL formulas initially equivalent to them (the so-called succinctness gap). One of the more recent results is a characterization of these bounds by means of so-called anchored LTL formulas. It turns out that the complexity of the transformation is elementary, i.e. the succinctness gap is elementary, if and only if the separation complexity of anchored PLTL is elementary, i.e. the succinctness gap between anchored PLTL and separated anchored PLTL is elementary. In the second chapter we deal with LTL in the context of formal verification. The chapter is divided into a theoretical and a practical part. In the theoretical part we consider characterizations of various kinds of properties, i.e. syntactic characterizations of LTL formulas that express a certain kind of property. In the context of models, properties actually correspond to sets of paths. Models in formal verification represent abstractions of the systems we verify. With LTL formulas we express the properties we want the observed system to satisfy. We also show that LTL is closed under topological closure, i.e. for every property expressible by an LTL formula we know that the smallest safety property containing it is also expressible by an LTL formula. As a consequence we obtain that LTL admits the safety-liveness decomposition, from which it follows that every LTL formula can be represented as a conjunction of a safety formula and a liveness formula. In the practical part of the second chapter we show through examples how LTL is concretely applied within one verification method, so-called model checking. LTL model checking reduces to checking whether, for a given model M and initial state s₀, a given LTL formula Φ is true on all paths from state s₀ in model M. The main literature for the thesis is Ben-Ari's book ([3]), but the articles of Grgur Petric-Maretić ([18],[19]), A.P. Sistla's article [22] and the book [13] by M. Huth and M. Ryan also had a significant influence on the content of the thesis. I would like to thank my parents for their support. I would also like to thank Grgur Petric-Maretić, of the doctoral programme at ETH Zürich, for his help in obtaining literature and in clarifying some doubts regarding anchored PLTL. In particular, I would like to thank my mentor, prof. dr. sc. Mladen Vuković, who was very approachable and accommodating, and of immeasurable help during the preparation of this thesis.

    In this thesis we get acquainted with a type of temporal logic that has a linear model of time. Time is modeled as a sequence of moments isomorphic to ℕ. Roughly, we could describe LTL as classical propositional logic with the ability to express time. In LTL, time is expressed through the temporal operators X, F, W, U, G and R. Another peculiarity of LTL is that all of the temporal operators refer only to the future; in LTL we cannot refer to the past. A more pronounced difference between LTL and classical propositional logic is in the way formulas are interpreted. In LTL, formulas are interpreted with the use of transition systems, which are also called models. More precisely, LTL formulas are interpreted on sequences of states of a transition system that are labeled with propositional variables. Such sequences are called paths. If a state is labeled with a certain variable, this means that the propositional variable is true in that state. In other words, the static notion of truth in classical propositional logic is replaced with a dynamic one, in which formulas may change their truth values as the system evolves from state to state. As already mentioned, in LTL there are no operators with which we could refer to the past. By studying an extension of LTL (so-called PLTL) that has operators referring to the past, we see that adding these operators gains nothing as far as expressiveness is concerned, within the context of initial equivalence. So, for every PLTL formula Φ there is an LTL formula that is equivalent to Φ in the initial moment. This result can be easily deduced using Gabbay's separation theorem. Separation is a fundamental concept for temporal logics, first introduced by Gabbay. Roughly, a temporal logic has the separation property if for every formula of that logic there is an equivalent boolean combination of a future, a past and a present formula. By Gabbay's separation theorem we know that PLTL has the separation property. There are various results that describe the complexity of transforming PLTL formulas into initially equivalent LTL formulas and the difference in size between PLTL formulas and the shortest initially equivalent LTL formulas (this difference is also called the succinctness gap). One of the newer results is a characterization obtained by observing a strict subset of PLTL formulas called anchored PLTL formulas. It is shown that the complexity of the transformation is elementary if and only if the complexity of anchored PLTL separation is elementary. Also, the succinctness gap between LTL and PLTL is elementary if and only if the succinctness gap between anchored PLTL and separated anchored PLTL is elementary. Linear temporal logic has shown itself to be a suitable logic for the formal verification of systems. Formal verification is very important in industry for determining the correctness of so-called critical hardware/software systems. There are various formal verification methods; one of the more popular in use is model checking. For a model M, an initial state s₀ and an LTL formula Φ, LTL model checking comes down to determining whether the formula Φ is true on all paths beginning at s₀ in the model M. The models in formal verification represent abstractions of the systems that need to be verified. With LTL formulas we express the properties of the system that we want to check. There are different algorithms for model checking. The type of the property we want to check has a significant influence on the way we shape the verification process and on the selection of the model checking algorithm. Within the context of models, properties are sets of paths. We distinguish different types of properties, among them safety properties, liveness properties, fairness and others. Because the type of the property influences the way systems are verified, it is important to determine the type of the property we want to check. For this purpose, characterizations of properties, that is, syntactic characterizations of LTL formulas that express a certain type of property, can be very helpful. In section 2.1 we give characterizations of different types of properties. Also, in this section we show that LTL is closed under topological closure, that is, for every property that we can express with an LTL formula, the smallest safety property that contains it can also be expressed with an LTL formula. As a corollary we get that LTL admits the safety-liveness decomposition, which means that every LTL formula is equivalent to a conjunction of a safety formula and a liveness formula. The main literature for this thesis was Ben-Ari's book ([3]), but a significant contribution to the content of the thesis was also drawn from Grgur Petric-Maretić's articles ([18],[19]), A.P. Sistla's article [22] and the book [13] written by M. Huth and M. Ryan.

    Correct-By-Construction Fault-Tolerant Control

    Correct-by-construction control synthesis methods refer to a collection of model-based techniques to algorithmically generate controllers/strategies that make a system satisfy some formal specifications. Such techniques attract much attention as they provide formal guarantees on the correctness of cyber-physical systems, where corner cases may arise due to the interaction among different modules. The controllers synthesized through such methods, however, may still malfunction due to faults, such as physical component failures and unexpected operating conditions, which lead to a sudden change of the system model. In these cases, we want to guarantee that the performance of the faulty system degrades gracefully, and hence achieve fault tolerance. This thesis is about 1) incorporating fault detection and detectability analysis algorithms in correct-by-construction control synthesis, 2) formalizing the graceful degradation specification for fault tolerant systems with temporal logic, and 3) developing algorithms to synthesize correct-by-construction controllers that achieve such graceful degradation, with possible delay in the fault detection. In particular, two sets of approaches from the temporal logic planning domain, i.e., abstraction-based synthesis and optimization-based path planning, are considered. First, for abstraction-based approaches, we propose a recursive algorithm to reduce the fault tolerant controller synthesis problem into multiple small synthesis problems with simpler specifications. Such recursive reduction leverages the structure of the fault propagation and hence avoids the high complexity of solving the problem monolithically as one general temporal logic game. Furthermore, by exploring the structural properties in the specifications, we show that, even when the fault is detected with delay, the problem can be solved by a similar recursive algorithm without constructing the belief space.
    Secondly, optimization-based path planning is considered. The proposed approach leverages the recently developed temporal logic encodings and state-of-the-art mixed integer programming (MIP) solvers. The novelty of this work is to enhance the open-loop strategy obtained by solving the MIP so that it can react contingently to faults and disturbances. Finally, the control synthesis techniques developed for discrete-state systems are shown to be applicable to continuous-state systems. This is demonstrated on a fuel cell thermal management application. In particular, to apply the abstraction-based synthesis methods to complex systems such as the fuel cell thermal management system, structural properties of the system (e.g., mixed monotonicity) are explored and leveraged to ease abstraction computation, and techniques are developed to improve the scalability of the synthesis process whenever the system has a large number of control actions.
    PHD, Electrical Engineering: Systems, University of Michigan, Horace H. Rackham School of Graduate Studies. https://deepblue.lib.umich.edu/bitstream/2027.42/155031/1/yliren_1.pd

    Human Computer Interaction and Emerging Technologies

    The INTERACT Conferences are an important platform for researchers and practitioners in the field of human-computer interaction (HCI) to showcase their work. They are organised biennially by the International Federation for Information Processing (IFIP) Technical Committee on Human–Computer Interaction (IFIP TC13), an international committee of 30 member national societies and nine Working Groups. INTERACT is truly international in its spirit and has attracted researchers from several countries and cultures. With an emphasis on inclusiveness, it works to lower the barriers that prevent people in developing countries from participating in conferences. As a multidisciplinary field, HCI requires interaction and discussion among diverse people with different interests and backgrounds. The 17th IFIP TC13 International Conference on Human-Computer Interaction (INTERACT 2019) took place during 2-6 September 2019 in Paphos, Cyprus. The conference was held at the Coral Beach Hotel Resort and was co-sponsored by the Cyprus University of Technology and Tallinn University, in cooperation with ACM and ACM SIGCHI. This volume contains the Adjunct Proceedings to the 17th INTERACT Conference, comprising a series of selected papers from workshops, the Student Design Consortium and the Doctoral Consortium. The volume follows the INTERACT conference tradition of submitting adjunct papers after the main publication deadline, to be published by a University Press with a connection to the conference itself. In this case, both the Adjunct Proceedings Chair of the conference, Dr Usashi Chatterjee, and the lead Editor of this volume, Dr Fernando Loizides, work at Cardiff University, which is the home of Cardiff University Press.

    Establishing Properties of Interaction Systems

    We exhibit sufficient conditions for generic properties of component-based systems. The model we use to describe component-based systems is the formalism of interaction systems. Because the state space explosion problem is encountered in interaction systems (i.e., an exploration of the state space becomes infeasible for a large number of components), we follow the guideline that these conditions have to be checkable efficiently (i.e., in time polynomial in the number of components). Further, the conditions are designed in such a way that the information gathered is reusable if a condition is not satisfied. Concretely, we consider deadlock-freedom and progress in interaction systems. We state a sufficient condition for deadlock-freedom that is based on an architectural constraint: we define what it means for an interaction system to be tree-like, and we derive a sufficient condition for deadlock-freedom of such systems. Considering progress, we first present a characterization of this property. Then we state a sufficient condition for progress which is based on a directed graph. We combine this condition with the characterization to point out one way to proceed if the graph criterion does not yield progress. Both sufficient conditions can be checked efficiently because they only require the investigation of certain subsystems. Finally, we consider the effect that failure of some parts of the system has on deadlock-freedom and progress. We define robustness of deadlock-freedom and of progress, respectively, under failure, and we explain how the sufficient conditions above have to be adapted in order to also be applicable in this new situation.

    Software components and formal methods from a computational viewpoint

    Software components and the methodology of component-based development offer a promising approach to mastering the design complexity of huge software products, because they separate the concerns of software architecture from individual component behavior and allow for reusability of components. In combination with formal methods, the specification of a formal component model of the later software product or system allows for establishing and verifying important system properties in an automatic and convenient way, which positively contributes to the overall correctness of the system. Here, we study such a combined approach. Like similar approaches, we also face the so-called state space explosion problem, which makes property verification computationally hard. In order to cope with this problem, we derive techniques that are guaranteed to work in polynomial time in the size of the specification of the system under analysis, i.e., we put an emphasis on the computational viewpoint of verification. As a consequence, we consider interesting subclasses of component-based systems that are amenable to such analysis. We are particularly interested in ideas that exploit the compositionality of the component model and refrain from understanding a system as a monolithic block. The assumptions that accompany the set of systems verifiable with our techniques can be interpreted as general design rules that forbid building systems at will in order to gain efficient verification techniques. The compositional nature of software components thereby offers development strategies that lead to systems that are correct by construction. Moreover, this nature also facilitates compositional reduction techniques that allow one to reduce a given model to the core that is relevant for verification. We consider properties specified in Computation Tree Logic and put an emphasis on the property of deadlock-freedom.
    We use the framework of interaction systems as the formal component model, but our results carry over to other formal models for component-based development. We include several examples and evaluate some ideas with respect to experiments with a prototype implementation.