Cascading Verification Fokion Zervoudakis (UCL) David S. Rosenblum - PowerPoint PPT Presentation



  1. Cascading Verification Fokion Zervoudakis (UCL) David S. Rosenblum (NUS) Sebastian Elbaum (UNL) Anthony Finkelstein (UCL) supported in part by AFOSR-FA9550-09-1-0687 and EOARD-FA8655-10-1-3007

  2. Introduction: Enhancing the dependability of complex missions through automated analysis (from http://www.asctec.de/). Fokion Zervoudakis / David S. Rosenblum / Sebastian Elbaum / Anthony Finkelstein

  3. Introduction: Enhancing the dependability of complex missions through automated analysis (from http://www.asctec.de/)

  4. Introduction: Industrial inspection (from http://www.asctec.de/)

  5. Introduction: Aerial mapping (from http://www.asctec.de/)

  6. Introduction: Aerial photography (from http://www.asctec.de/)

  7. Motivation: Complex UAV mission plans can be analyzed with probabilistic model checking.

  8. Motivation: Model checkers (e.g., PRISM) verify system models against a set of desired behavioral properties.

  9. Motivation (Problem #1): model checkers support low-level languages that complicate model and property specifications.

  10. Motivation (Problem #2): specification complexity is exacerbated by the need to encode domain knowledge.

  11. Related work: Semantic model checking* leverages domain knowledge encoded in OWL to decrease specification costs. (* Boaro, 2010; Oghabi, 2011; Di Pietro, 2012)

  12. Intermission: Web Ontology Language* (* Owl in Winnie the Pooh)

  13. Motivation (Problem #3): OWL is constrained by expressive and reasoning limitations.

  14. Motivation: SWRL* extends OWL with Horn clause-like rules, but OWL+SWRL cannot reason effectively with negation. (* approved by the W3C)

  15. Motivation: Prolog can reason effectively with negation, but lacks the expressivity afforded by OWL.

  16. Contribution: We have developed an accessible* and effective* method for domain-specific probabilistic model checking called cascading verification. (* see evaluation slides)

  17. Who cares? Model builders (e.g., UAV mission developers) want an accessible method to verify domain-specific system models.

  18. Architecture: domain expert

  19. Architecture: model builder

  20. Architecture

  21. Architecture

  22. Architecture

  23. Architecture

  24. Architecture (mission specification in YAML):

          Action:
            TraversePathSegmentAction:
              - id: TPSA1
                duration: 60
                coordinates: [-118.27017, 34.04572, -118.27279, 34.04284]
              - id: TPSA2
                duration: 60
                coordinates: [-118.2739, 34.03928]
                preconditions: [TPSA1, TPSA3]
              - id: TPSA3
                duration: 60
                coordinates: [-118.26482, 34.03332, -118.27383, 34.03824]
              - id: TPSA4
                duration: 60
                coordinates: [-118.28204, 34.0376]
                preconditions: [TPSA3]
            PhotoSurveillanceAction:
              - id: PSA5
                duration: 50
                preconditions: [TPSA3]
          Asset:
            Hummingbird:
              - id: H1
                actions: [TPSA1, TPSA2]
              - id: H2
                actions: [TPSA3, TPSA4, PSA5]

  25. Architecture (PRISM model and property, shown on the slide beside the YAML specification from slide 24):

          dtmc

          const int max_e1 = 120;
          const int max_d1 = 60;
          const int max_d2 = 60;
          const int max_e2 = 120;
          const int max_d3 = 60;
          const int max_d4 = 60;
          const int max_d5 = 50;

          module Hummingbird1
            e1 : [0..max_e1] init max_e1;
            [asst1] e1>0 & d1>0 -> (e1'=e1-1);
            [asst1] e1>0 & d2>0 -> (e1'=e1-1);
            [asst1] e1=0 | d2=0 -> true;
          endmodule

          module TraversePathSegmentAction1
            d1 : [0..max_d1] init max_d1;
            [asst1] d1>0 & e1>0 -> (d1'=d1-1);
            [asst1] d1=0 -> true;
          endmodule

          module TraversePathSegmentAction2
            d2 : [0..max_d2] init max_d2;
            [asst1] d1>0 -> true;
            [asst1] d1=0 & d3=0 & d2>0 & e1>0 -> (d2'=d2-1);
            [asst1] d2=0 -> true;
          endmodule

          module Hummingbird2
            e2 : [0..max_e2] init max_e2;
            [asst1] e2>0 & d3>0 -> (e2'=e2-1);
            [asst1] e2>0 & d4>0 -> (e2'=e2-1);
            [asst1] e2=0 | d4=0 -> true;
          endmodule

          module TraversePathSegmentAction3
            d3 : [0..max_d3] init max_d3;
            [asst1] d3>0 & e2>0 -> (d3'=d3-1);
            [asst1] d3=0 -> true;
          endmodule

          module TraversePathSegmentAction4
            d4 : [0..max_d4] init max_d4;
            [asst1] d3>0 -> true;
            [asst1] d3=0 & d4>0 & e2>0 -> (d4'=d4-1);
            [asst1] d4=0 -> true;
          endmodule

          module PhotoSurveillanceAction5
            d5 : [0..max_d5] init max_d5;
            r5 : bool init false;
            [asst1] d3>0 -> true;
            [asst1] d3=0 & d5>0 & e1>0 -> (d5'=d5-1)&(r5'=true);
            [asst1] d5=0 -> (r5'=false);
          endmodule

          const int start4 = 60;
          const int finish4 = 0;
          formula actn4_tai = d4>finish4 & d4<=start4;

          module Hummingbird2_Survivability
            a2d : bool init false;
            [asst1] !a2d & actn4_tai -> 0.99:(a2d'=false) + 0.01:(a2d'=true);
            [asst1] a2d | !actn4_tai -> true;
          endmodule

          formula duration4 = start4 - finish4;
          formula tkad2 = duration4;

          module SensorActionCounter2
            sad2 : [0..tkad2] init 0;
            [asst1] actn4_tai & (r5) & sad2<tkad2 -> (sad2'=sad2+1);
            [asst1] !actn4_tai | !(r5) -> true;
          endmodule

          formula raf2 = sad2 / tkad2;

          P=? [ F d2=0 & d4=0 & !a2d & raf2>0.6 ]

  26. Evaluation: Accessibility

          PRISM-to-YAML ratio                          LOC      tokens
          58 missions*            mean ratio           312.7%   449.0%
                                  standard deviation    52.4%    95.4%
          6 specialist missions   mean ratio           393.3%   599.2%
                                  standard deviation    24.0%    59.2%

          * based on missions developed by DARPA and DRDC

  27. Evaluation: Effectiveness. System specification errors include:
      - failure of mission elements to participate in mandatory relationships (e.g., UAVs must execute at least one action);
      - and failure of mission elements to participate in specified relationships (e.g., UAVs execute only actions, not other UAVs).

  28. Evaluation: Accessibility & effectiveness. System model errors include:
      - incorrect variable declarations;
      - incorrect behavior for single threads of execution;
      - and incorrect synchronization across multiple threads of execution.

  29. Contribution: Cascading verification is an accessible and effective method for domain-specific probabilistic model checking.

  30. Cascading Verification Fokion Zervoudakis (UCL) David S. Rosenblum (NUS) Sebastian Elbaum (UNL) Anthony Finkelstein (UCL) supported in part by AFOSR-FA9550-09-1-0687 and EOARD-FA8655-10-1-3007
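
The two classes of system specification error listed on slide 27, checked against the mission from slide 24. This is an added example in plain Python, not code from the slides or the authors' implementation. Assumptions: the function names are hypothetical, coordinates are omitted, the faulty mission is constructed, and preconditions are treated as references that must name actions.

```python
# Added example: plain-Python stand-in for the specification checks on slide 27.
# MISSION mirrors the YAML on slide 24 (coordinates omitted); faulty variant is constructed.
import copy

MISSION = {
    "Action": {
        "TraversePathSegmentAction": [
            {"id": "TPSA1", "duration": 60},
            {"id": "TPSA2", "duration": 60, "preconditions": ["TPSA1", "TPSA3"]},
            {"id": "TPSA3", "duration": 60},
            {"id": "TPSA4", "duration": 60, "preconditions": ["TPSA3"]},
        ],
        "PhotoSurveillanceAction": [{"id": "PSA5", "duration": 50, "preconditions": ["TPSA3"]}],
    },
    "Asset": {"Hummingbird": [
        {"id": "H1", "actions": ["TPSA1", "TPSA2"]},
        {"id": "H2", "actions": ["TPSA3", "TPSA4", "PSA5"]},
    ]},
}

def ids(section):
    """Collect every id declared under one top-level section."""
    return {entry["id"] for entries in section.values() for entry in entries}

def check_mission(spec):
    """Return a sorted list of specification errors (empty if the spec is sound)."""
    actions, assets = ids(spec["Action"]), ids(spec["Asset"])
    errors = []
    for asset in (a for group in spec["Asset"].values() for a in group):
        refs = asset.get("actions") or []
        if not refs:  # mandatory relationship: a UAV must execute at least one action
            errors.append(f"{asset['id']}: executes no action")
        for ref in refs:  # specified relationship: UAVs execute only actions
            if ref in assets:
                errors.append(f"{asset['id']}: executes asset {ref}")
            elif ref not in actions:
                errors.append(f"{asset['id']}: executes undeclared {ref}")
    for action in (a for group in spec["Action"].values() for a in group):
        for ref in action.get("preconditions", []):  # assumption: must name actions
            if ref not in actions:
                errors.append(f"{action['id']}: precondition {ref} is not an action")
    return sorted(errors)

def broken_mission():
    """Constructed faulty variant: H1 executes nothing and H2 executes H1."""
    spec = copy.deepcopy(MISSION)
    spec["Asset"]["Hummingbird"][0]["actions"] = []
    spec["Asset"]["Hummingbird"][1]["actions"].append("H1")
    return spec
```

Running such checks before model generation keeps a malformed mission from producing a PRISM model whose verification result would be meaningless.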
