137 research outputs found

    Certificates and Witnesses for Probabilistic Model Checking

    The ability to provide succinct information about why a property does, or does not, hold in a given system is a key feature in the context of formal verification and model checking. It can be used both to explain the behavior of the system to a user of verification software, and as a tool to aid automated abstraction and synthesis procedures. Counterexample traces, which are executions of the system that do not satisfy the desired specification, are a classical example. Specifications of systems with probabilistic behavior usually require that an event happens with sufficiently high (or low) probability. In general, single executions of the system are not enough to demonstrate that such a specification holds. Rather, standard witnesses in this setting are sets of executions which in sum exceed the required probability bound. In this thesis we consider methods to certify and witness that probabilistic reachability constraints hold in Markov decision processes (MDPs) and probabilistic timed automata (PTA). Probabilistic reachability constraints are threshold conditions on the maximal or minimal probability of reaching a set of target-states in the system. The threshold condition may represent an upper or lower bound and be strict or non-strict. We show that the model-checking problem for each type of constraint can be formulated as a satisfiability problem of a system of linear inequalities. These inequalities correspond closely to the probabilistic transition matrix of the MDP. Solutions of the inequalities are called Farkas certificates for the corresponding property, as they can indeed be used to easily validate that the property holds. By themselves, Farkas certificates do not explain why the corresponding probabilistic reachability constraint holds in the considered MDP. To demonstrate that the maximal reachability probability in an MDP is above a certain threshold, a commonly used notion is that of witnessing subsystems. 
A subsystem is a witness if the MDP satisfies the lower bound on the optimal reachability probability even if all states not included in the subsystem are made rejecting trap states. Hence, a subsystem is a part of the MDP which by itself satisfies the lower-bounded threshold constraint on the optimal probability of reaching the target-states. We consider witnessing subsystems for lower bounds on both the maximal and minimal reachability probabilities, and show that Farkas certificates and witnessing subsystems are related. More precisely, the support (i.e., the indices with a non-zero entry) of a Farkas certificate induces the state-space of a witnessing subsystem for the corresponding property. Vice versa, given a witnessing subsystem one can compute a Farkas certificate whose support corresponds to the state-space of the witness. This insight yields novel algorithms and heuristics to compute small and minimal witnessing subsystems. To compute minimal witnesses, we propose mixed-integer linear programming formulations whose solutions are Farkas certificates with minimal support. We show that the corresponding decision problem is NP-complete even for acyclic Markov chains, which supports the use of integer programs to solve it. As this approach does not scale well to large instances, we introduce the quotient-sum heuristic, which is based on iteratively solving a sequence of linear programs. The solutions of these linear programs are also Farkas certificates. In an experimental evaluation we show that the quotient-sum heuristic is competitive with state-of-the-art methods. A large part of the algorithms proposed in this thesis are implemented in the tool SWITSS. We study the complexity of computing minimal witnessing subsystems for probabilistic systems that are similar to trees or paths. Formally, this is captured by the notions of tree width and path width. 
Our main result here is that the problem of computing minimal witnessing subsystems remains NP-complete even for Markov chains with bounded path width. The hardness proof identifies a new source of combinatorial hardness in the corresponding decision problem. Probabilistic timed automata generalize MDPs by including a set of clocks whose values determine which transitions are enabled. They are widely used to model and verify real-time systems. Due to the continuously-valued clocks, their underlying state-space is inherently uncountable. Hence, the methods that we describe for finite-state MDPs do not carry over directly to PTA. Furthermore, a good notion of witness for PTA should also take into account timing aspects. We define two kinds of subsystems for PTA, one for maximal and one for minimal reachability probabilities, respectively. As for MDPs, a subsystem of a PTA is called a witness for a lower-bounded constraint on the (maximal or minimal) reachability probability, if it itself satisfies this constraint. Then, we show that witnessing subsystems of PTA induce Farkas certificates in certain finite-state quotients of the PTA. Vice versa, Farkas certificates of such a quotient induce witnesses of the PTA. Again, the support of the Farkas certificates corresponds to the states included in the subsystem. These insights are used to describe algorithms for the computation of minimal witnessing subsystems for PTA, with respect to three different notions of size. One of them counts the number of locations in the subsystem, while the other two take into account the possible clock valuations in the subsystem.
1 Introduction 2 Preliminaries 3 Farkas certificates 4 New techniques for witnessing subsystems 5 Probabilistic systems with low tree width 6 Explications for probabilistic timed automata 7 Conclusio

    Responsibility and verification: Importance value in temporal logics

    We aim at measuring the influence of the nondeterministic choices of a part of a system on its ability to satisfy a specification. For this purpose, we apply the concept of Shapley values to verification as a means to evaluate how important a part of a system is. The importance of a component is measured by giving its control to an adversary, alone or along with other components, and testing whether the system can still fulfill the specification. We study this idea in the framework of model-checking with various classical types of linear-time specification, and propose several ways to transpose it to branching ones. We also provide tight complexity bounds in almost every case. Comment: 22 pages, 12 figure

    Reachability in Dynamical Systems with Rounding

    We consider reachability in dynamical systems with discrete linear updates, but with fixed digital precision, i.e., such that values of the system are rounded at each step. Given a matrix $M \in \mathbb{Q}^{d \times d}$, an initial vector $x \in \mathbb{Q}^{d}$, a granularity $g \in \mathbb{Q}_+$ and a rounding operation $[\cdot]$ projecting a vector of $\mathbb{Q}^{d}$ onto another vector whose every entry is a multiple of $g$, we are interested in the behaviour of the orbit $\mathcal{O}={}$, i.e., the trajectory of a linear dynamical system in which the state is rounded after each step. For arbitrary rounding functions with bounded effect, we show that the complexity of deciding point-to-point reachability---whether a given target $y \in \mathbb{Q}^{d}$ belongs to $\mathcal{O}$---is PSPACE-complete for hyperbolic systems (when no eigenvalue of $M$ has modulus one). We also establish decidability without any restrictions on eigenvalues for several natural classes of rounding functions. Comment: To appear at FSTTCS'2

    Lattice dynamics reveals a local symmetry breaking in the emergent dipole phase of PbTe

    Local symmetry breaking in complex materials is emerging as an important contributor to materials properties but is inherently difficult to study. Here we follow up an earlier structural observation of such a local symmetry broken phase in the technologically important compound PbTe with a study of the lattice dynamics using inelastic neutron scattering (INS). We show that the lattice dynamics are responsive to the local symmetry broken phase, giving key insights in the behavior of PbTe, but also revealing INS as a powerful tool for studying local structure. The new result is the observation of the unexpected appearance on warming of a new zone center phonon branch in PbTe. In a harmonic solid the number of phonon branches is strictly determined by the contents and symmetry of the unit cell. The appearance of the new mode indicates a crossover to a dynamic lower symmetry structure with increasing temperature. No structural transition is seen crystallographically but the appearance of the new mode in inelastic neutron scattering coincides with the observation of local Pb off-centering dipoles observed in the local structure. The observation resembles relaxor ferroelectricity but since there are no inhomogeneous dopants in pure PbTe this anomalous behavior is an intrinsic response of the system. We call such an appearance of dipoles out of a non-dipolar ground-state "emphanisis" meaning the appearance out of nothing. It cannot be explained within the framework of conventional phase transition theories such as soft-mode theory and challenges our basic understanding of the physics of materials

    German Multicenter Study Analyzing Antimicrobial Activity of Ceftazidime-Avibactam of Clinical Meropenem-Resistant Pseudomonas aeruginosa Isolates Using a Commercially Available Broth Microdilution Assay

    Multidrug resistance is an emerging healthcare issue, especially concerning Pseudomonas aeruginosa. In this multicenter study, P. aeruginosa isolates with resistance against meropenem detected by routine methods were collected and tested for carbapenemase production and susceptibility against ceftazidime-avibactam. Meropenem-resistant isolates of P. aeruginosa from various clinical materials were collected at 11 tertiary care hospitals in Germany from 2017–2019. Minimum inhibitory concentrations (MICs) were determined via microdilution plates (MICRONAUT-S) of ceftazidime-avibactam and meropenem at each center. Detection of the presence of carbapenemases was performed by PCR or immunochromatography. For meropenem-resistant isolates (n = 448), the MIC range of ceftazidime-avibactam was 0.25–128 mg/L, MIC90 was 128 mg/L and MIC50 was 16 mg/L. According to EUCAST clinical breakpoints, 213 of all meropenem-resistant P. aeruginosa isolates were categorized as susceptible (47.5%) to ceftazidime-avibactam. Metallo-β-lactamases (MBL) could be detected in 122 isolates (27.3%). The MIC range of ceftazidime-avibactam in MBL-positive isolates was 4–128 mg/L, MIC90 was >128 mg/L and MIC50 was 32 mg/L. There was strong variation in the prevalence of MBL-positive isolates among centers. Our in vitro results support ceftazidime-avibactam as a treatment option against infections caused by meropenem-resistant, MBL-negative P. aeruginosa