Learning Mealy Machines with Timers: Bengt Jonsson, Frits Vaandrager

SLIDE 1

Introduction Mealy machines with timers Untimed semantics Learning algorithm Conclusions and future work

Learning Mealy Machines with Timers

Bengt Jonsson Frits Vaandrager

Uppsala University and Radboud University Nijmegen

IPA Fall Days, Nunspeet, November 2017

Jonsson and Vaandrager Learning Mealy Machines with Timers

SLIDE 2

Goal: active automaton learning

SLIDE 3

Minimally adequate teacher (Angluin)

Learner and Teacher exchange two kinds of queries:

  • MQ: the Learner sends input sequences, the Teacher returns output sequences
  • EQ: the Learner sends a hypothesis, the Teacher returns a counterexample

SLIDE 4

Black box checking (Peled, Vardi & Yannakakis)

[Diagram labels: Learner, Teacher, SUL, CT, MQ, EQ, TQs]

  • Learner: formulate hypotheses
  • Conformance Tester (CT): test correctness of hypotheses

SLIDE 5

LearnLib

SLIDE 8

Research method

This talk: THEORY (motivated by earlier applications)

SLIDE 10

Bugs in protocol implementations

Standard violations found in implementations of major protocols, e.g., TCP (CAV’16, FMICS’17), TLS (Usenix Security’15), SSH (Spin’17).

These findings led to several bug fixes in implementations.

SLIDE 11

Learned model for SSH implementation

SLIDE 12

SSH model checking results

SLIDE 13

For background and applications see CACM review article

SLIDE 14

Motivation for work presented today

Timing behavior plays a crucial role in applications of model learning, but existing algorithms and tools cannot handle it. There is some work on algorithms for learning timed systems:

  • Grinchtein, Jonsson & Leucker. Learning of event-recording automata. TCS, 2010.
  • Mens & Maler. Learning Regular Languages over Large Ordered Alphabets. LMCS, 2015.
  • Caldwell, Cardell-Oliver & French. Learning time delay Mealy machines. IEEE TASE, 2016.

but this is not so practical because of high complexity and/or limited expressivity.

SLIDE 15

Timing Behavior in Network Protocols

Sender of the alternating-bit protocol, adapted from Kurose & Ross, Computer Networking.

States: q0 (start), q1, q2, q3

Transition labels:

  • in/send0, start timer(3sec)
  • ack0/void, stop timer
  • timeout/send0, start timer(3sec)
  • in/send1, start timer(3sec)
  • ack1/void, stop timer
  • timeout/send1, start timer(3sec)

SLIDE 17

Idea

Develop learning algorithm for Mealy machines with timers!!!

Occurrence of timing dependent behavior fully determined by previous behavior

SLIDE 18

MMTs

Assume an unbounded set $X$ of timers $x, x_1, x_2$, etc. For a set $I$, write $\hat{I} = I \cup \{to[x] \mid x \in X\}$.

Definition. A Mealy machine with timers (MMT) is a tuple $M = (I, O, Q, q_0, X, \delta, \lambda, \pi)$, where

  • $I$ and $O$ are finite sets of input and output events,
  • $Q$ is a finite set of states with $q_0 \in Q$ the initial state,
  • $X : Q \to P_{fin}(X)$, with $X(q_0) = \emptyset$,
  • $\delta : Q \times \hat{I} \hookrightarrow Q$ is a transition function,
  • $\lambda : Q \times \hat{I} \hookrightarrow O$ is an output function,
  • $\pi : Q \times \hat{I} \hookrightarrow (X \hookrightarrow \mathbb{N}_{>0})$ is a timer update function (satisfying some natural conditions).

SLIDE 19

Operations on timers

Write $q \xrightarrow{i/o,\rho} q'$ if $\delta(q, i) = q'$, $\lambda(q, i) = o$ and $\pi(q, i) = \rho$. Basically, four things can happen:

  1. If $x \in X(q) \setminus X(q')$ then input $i$ stops timer $x$.
  2. If $x \in X(q') \setminus X(q)$ then $i$ starts timer $x$ with value $\rho(x)$.
  3. If $x \in X(q) \cap dom(\rho)$ then $i$ restarts timer $x$ with value $\rho(x)$.
  4. Finally, if $x \in X(q') \setminus dom(\rho)$ then timer $x$ is unaffected by $i$.

SLIDE 20

Timed Semantics (1)

A configuration of an MMT is a pair $(q, \kappa)$ of a state $q$ and a valuation $\kappa : X(q) \to \mathbb{R}_{\geq 0}$ of its timers. When time advances, all timers decrease at the same rate; a timeout occurs when the value of some timer becomes 0. A timed run of an MMT is a sequence

$$(q_0, \kappa_0) \xrightarrow{d_1} (q_0, \kappa'_0) \xrightarrow{i_1/o_1} (q_1, \kappa_1) \xrightarrow{d_2} \cdots \xrightarrow{i_k/o_k} (q_k, \kappa_k)$$

of configurations, nonzero delays, and discrete transitions.

SLIDE 21

Timed Semantics (2)

A timed word describes an observation we can make on an MMT: $w = d_1\, i_1\, o_1\, d_2\, i_2\, o_2 \cdots d_k\, i_k\, o_k$, where $d_j \in \mathbb{R}_{>0}$, $i_j \in I \cup \{to\}$, and $o_j \in O$. To each timed run $\alpha$ we associate a timed word $tw(\alpha)$ by forgetting the configurations and names of timers in timeouts.

Definition. MMTs $M$ and $N$ are timed equivalent, denoted $M \approx_{timed} N$, iff they have the same timed words.

SLIDE 23

“Uncontrollable” Nondeterminism

States: q0 (start), q1, q3, q2

Transition labels:

  • i/o, x := 1, y := 1
  • to[x]/o′
  • to[y]/o′′

Accepts timed words 1 i o 1 to o′ and 1 i o 1 to o′′.

⇒ We assume at most one timer can be updated per transition.

SLIDE 25

“Controllable” Nondeterminism

States: q0 (start), q1, q2

Transition labels:

  • i/o, x := 2
  • i/o, y := 1
  • to[x]/o, x := 2
  • to[x]/o′, x := 1
  • to[y]/o′′, y := 1

Accepts timed words 7 i o 1 i o 1 to o′ and 7 i o 1 i o 1 to o′′.

⇒ During learning we will simply avoid these race conditions.

SLIDE 27

A timed MAT framework

A timed input word is a sequence $u = d_1\, i_1 \cdots d_k\, i_k\, d_{k+1}$, with $d_j \in \mathbb{R}_{>0}$ and $i_j \in I$, for $j \leq k$, and $d_{k+1} \in \mathbb{R}_{\geq 0}$. A timed (input) word is transparent if inputs occur at different fractional times.

Learner and Teacher (knows $M$):

  • MQ: the Learner sends a transparent timed input word $u$, the Teacher returns the maximal timed word $w$ of $M$ consistent with $u$
  • EQ: the Learner sends a hypothesis $H$, the Teacher returns yes, or no + a transparent counterexample $w$

Main contribution: algorithm allowing learner to construct MMT $N$ that is timed equivalent to $M$ (under mild restrictions).
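
An added example (not from the slides and not LearnLib code) of how a timed teacher could answer the membership query of this framework: it simulates an MMT on a timed input word, returns the observed timed word, and raises an error when a timeout falls on the same instant as another event. The class and function names, the state endpoints of the alternating-bit sender and its timer name x are assumptions; an input that is undefined in the current state simply ends the run.

```python
from fractions import Fraction

class Race(Exception):
    """Two events fall on the same instant, so the observation is not unique."""

class MMT:
    def __init__(self, q0, timers, trans):
        # timers: state -> active timer set X(q); trans: (state, event) ->
        # (next state, output, update), event = input symbol or ("to", timer)
        self.q0, self.timers, self.trans = q0, timers, trans

    def step(self, q, event, kappa):
        q2, out, rho = self.trans[(q, event)]
        expired = event[1] if isinstance(event, tuple) else None
        kappa2 = {x: v for x, v in kappa.items()          # unaffected timers
                  if x in self.timers[q2] and x != expired}
        kappa2.update({x: Fraction(v) for x, v in rho.items()})  # (re)started
        return q2, out, kappa2

def is_transparent(u):
    """True if the inputs of u = [d1, i1, ..., dk, ik, dk+1] occur at different fractional times."""
    t, fracs = Fraction(0), []
    for d in u[0:len(u) - 1:2]:
        t += Fraction(d)
        fracs.append(t % 1)
    return len(fracs) == len(set(fracs))

def membership_query(m, u):
    """Timed word [(delay, event, output), ...] that m produces on timed input word u."""
    q, kappa, word, since = m.q0, {}, [], Fraction(0)
    delays, inputs = u[0::2], u[1::2]
    for idx, d in enumerate(delays):
        left = Fraction(d)
        while kappa and min(kappa.values()) <= left:
            v = min(kappa.values())
            due = [x for x in kappa if kappa[x] == v]
            if len(due) > 1 or (v == left and idx < len(inputs)):
                raise Race("timeout coincides with another event")
            kappa = {x: w - v for x, w in kappa.items()}
            left, since = left - v, since + v
            q, out, kappa = m.step(q, ("to", due[0]), kappa)
            word.append((since, "to", out))   # timer name is forgotten
            since = Fraction(0)
        kappa = {x: w - left for x, w in kappa.items()}
        since += left
        if idx == len(inputs) or (q, inputs[idx]) not in m.trans:
            break                             # end of u, or input undefined in q
        q, out, kappa = m.step(q, inputs[idx], kappa)
        word.append((since, inputs[idx], out))
        since = Fraction(0)
    return word

# Alternating-bit sender (slide 15). State endpoints and the timer name "x" are
# assumptions: the slide text only lists the transition labels.
ABP = MMT("q0", {"q0": set(), "q1": {"x"}, "q2": set(), "q3": {"x"}}, {
    ("q0", "in"): ("q1", "send0", {"x": 3}),
    ("q1", ("to", "x")): ("q1", "send0", {"x": 3}),
    ("q1", "ack0"): ("q2", "void", {}),
    ("q2", "in"): ("q3", "send1", {"x": 3}),
    ("q3", ("to", "x")): ("q3", "send1", {"x": 3}),
    ("q3", "ack1"): ("q0", "void", {}),
})
U = [1, "in", 7.5, "ack0", 0.5]               # constructed transparent query
print(is_transparent(U), membership_query(ABP, U))
```

The constructed query `[1, "in", 3, "ack0", 0]` is not transparent and raises `Race`, because `ack0` arrives at the instant the retransmission timer expires.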

SLIDE 28

Plan of attack

  1. Define untimed semantics
  2. Prove equivalence with timed semantics
  3. Define untimed MAT framework
  4. Build untimed learner with LearnLib
  5. Build untimed teacher with timed teacher

[Diagram: Untimed MMT learner (LearnLib, Adapter), connected by MQ and EQ to the Untimed MMT teacher (Adapter, Lookahead Oracle, Timed Teacher)]

SLIDE 29

Timed and Untimed Runs and Behaviors

Timed run: $(q_0, \kappa_0) \xrightarrow{d_1} (q_0, \kappa'_0) \xrightarrow{i_1/o_1} (q_1, \kappa_1) \cdots (q_{k-1}, \kappa'_{k-1}) \xrightarrow{i_k/o_k} (q_k, \kappa_k)$

Untimed run: $q_0 \xrightarrow{i_1/o_1,\rho_1} q_1 \cdots q_{k-1} \xrightarrow{i_k/o_k,\rho_k} q_k$

Timed behavior: $\kappa_0 \xrightarrow{d_1} \kappa'_0 \xrightarrow{i_1/o_1,\rho_1} \kappa_1 \cdots \kappa'_{k-1} \xrightarrow{i_k/o_k,\rho_k} \kappa_k$

Untimed behavior: $X_0 \xrightarrow{i_1/o_1,\rho_1} X_1 \cdots X_{k-1} \xrightarrow{i_k/o_k,\rho_k} X_k$

[Diagram arrows between the four sequences: untime, beh, untime, beh]

SLIDE 31

Timed and Untimed Runs and Behaviors

Diagram commutes and has a pullback:

[Diagram nodes: timed runs of M, untimed runs of M, timed behaviors, untimed behaviors, timed words. Arrow labels: untime, beh, tw, beh, untime, tw]

CAN WE DEFINE THE SEMANTICS OF MMTs IN TERMS OF UNTIMED BEHAVIORS??

SLIDE 32

Feasibility

Definition. An untimed behavior $\beta = X_0 \xrightarrow{i_1/o_1,\rho_1} X_1 \xrightarrow{i_2/o_2,\rho_2} X_2 \cdots \xrightarrow{i_k/o_k,\rho_k} X_k$ is feasible if there is a timed behavior $\sigma$ such that $untime(\sigma) = \beta$.

Example of untimed behavior that is not feasible:

$$\emptyset \xrightarrow{i_1/o_1,\, x:=1} \{x\} \xrightarrow{i_2/o_2,\, y:=100} \{x, y\} \xrightarrow{to[y]/o_3} \emptyset$$

SLIDE 34

Isomorphism

An isomorphism between untimed behaviors $\beta$ and $\beta'$ is a consistent renaming of timers:

$$\emptyset \xrightarrow{i_1/o_1,\, x:=2} \{x\} \xrightarrow{i_2/o_2,\, y:=1} \{x, y\} \xrightarrow{to[y]/o_3,\, y:=100} \{x, y\}$$

$$\emptyset \xrightarrow{i_1/o_1,\, x_1:=2} \{x_1\} \xrightarrow{i_2/o_2,\, x_2:=1} \{x_1, x_2\} \xrightarrow{to[x_2]/o_3,\, x_3:=100} \{x_1, x_3\}$$

An untimed behavior is in canonical form if, for each $j$, the timer that is updated in the $j$-th event (if any) is equal to $x_j$. Each untimed behavior is isomorphic to a unique untimed behavior in canonical form.
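
The canonical form above, as an added example that is not part of the original slides: a renaming that gives the timer updated in the j-th event the name x_j, which also decides isomorphism by comparing canonical forms. The tuple encoding of behaviors and the function names are assumptions made for this example.

```python
def canonicalize(behavior):
    """Rename timers so that the timer updated in the j-th event is x<j>.

    behavior is a list of (event, output, update, active_after): event is an
    input symbol or ("to", timer), update is None or (timer, value) since at
    most one timer is updated per event, and active_after is the timer set X_j.
    """
    name, active, result = {}, set(), []      # X_0 is the empty set
    for j, (event, out, update, active_after) in enumerate(behavior, start=1):
        if isinstance(event, tuple):          # timeout to[x]
            if event[1] not in active:
                raise ValueError(f"event {j}: timeout of inactive timer {event[1]}")
            event = ("to", name[event[1]])
        allowed = set(active)
        if update is not None:
            timer, value = update
            if timer not in active_after:
                raise ValueError(f"event {j}: updated timer {timer} is not active")
            name[timer] = f"x{j}"             # fresh canonical name for this event
            allowed.add(timer)
            update = (name[timer], value)
        if not set(active_after) <= allowed:
            raise ValueError(f"event {j}: a timer became active without an update")
        active = set(active_after)
        result.append((event, out, update, frozenset(name[t] for t in active)))
    return result

def isomorphic(b1, b2):
    """Two behaviors are isomorphic iff their canonical forms coincide."""
    return canonicalize(b1) == canonicalize(b2)

# The two behaviors shown on the slide, written out as data.
B1 = [("i1", "o1", ("x", 2), {"x"}),
      ("i2", "o2", ("y", 1), {"x", "y"}),
      (("to", "y"), "o3", ("y", 100), {"x", "y"})]
B2 = [("i1", "o1", ("x1", 2), {"x1"}),
      ("i2", "o2", ("x2", 1), {"x1", "x2"}),
      (("to", "x2"), "o3", ("x3", 100), {"x1", "x3"})]
# Constructed variant: the third event times out x instead of y.
B3 = B1[:2] + [(("to", "x"), "o3", ("x", 100), {"x", "y"})]
print(isomorphic(B1, B2), isomorphic(B1, B3))
```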

SLIDE 37

Untimed semantics

Definition. MMTs $M$ and $N$ are untimed equivalent, $M \approx_{untimed} N$, iff their sets of feasible untimed behaviors are isomorphic.

Theorem. $M \approx_{untimed} N$ implies $M \approx_{timed} N$.

Converse implication does not hold in general.

SLIDE 38

Ghost timers

States: q0 (start), q1, q2, q3, q4

Transition labels:

  • i/o, x := 1
  • i/o, y := 60
  • to[x]/o′′
  • to[x]/o′

SLIDE 40

Equivalence of Timed and Untimed Semantics

Theorem. Suppose that $M$ and $N$ are MMTs without ghost timers in which at most one timer is started on each transition. Then $M \approx_{timed} N$ implies $M \approx_{untimed} N$.

Main proof technique: wiggling of timed behaviors to ensure that fractional starting times of different inputs are different.

SLIDE 41

An untimed MAT framework

An untimed input word is a sequence $u = i_1 \cdots i_k$ over $\hat{I}$ such that $i_j = to[x_l]$ implies $l < j$, and each timer expires at most once.

Learner and Teacher:

  • MQs: the Learner sends an untimed input word $u$, the Teacher returns the canonical feasible behavior $\beta$ consistent with $u$, or $\bot$
  • EQ: the Learner sends a hypothesis $H$, the Teacher returns yes, or no + a canonical counterexample $\beta$

SLIDE 42

Nerode congruence

Definition. Let $S$ be a set of feasible untimed behaviors. Behaviors $\beta, \beta' \in S$ are equivalent, notation $\beta \equiv_S \beta'$, iff for any untimed behavior $\gamma$, $\beta \cdot \gamma \in S \Leftrightarrow \beta' \cdot \gamma \in S$.

SLIDE 43

Myhill-Nerode theorem

Theorem. Let $S$ be a set of feasible untimed behaviors over finite sets of inputs $I$ and outputs $O$. Then $S$ is the set of feasible untimed behaviors of an MMT $M$ iff

  1. $S$ is nonempty,
  2. all behaviors in $S$ start with the empty set of timers,
  3. the set of timers that occur in $S$ is finite,
  4. $S$ is prefix closed,
  5. $S$ is behavior deterministic,
  6. $S$ is input complete,
  7. $S$ is timeout complete, and
  8. $\equiv_S$ has only finitely many equivalence classes (finite index).

SLIDE 44

Building untimed MMT learner with Mealy machine learner

[Diagram: Untimed MMT learner (LearnLib, Adapter), with MQ and EQ]

We assume learner knows bound $n$ on the number of timers that can be active in a state. Adapter uses function uncan to translate canonical behaviors to behaviors involving at most $n$ clocks.

SLIDE 45

Building an untimed MMT teacher with a timed teacher

[Diagram: Untimed MMT teacher (Adapter, Timed Teacher, Lookahead Oracle), with MQ and EQ]

Lookahead Oracle query: untimed input word $u$ + index $j$; answer: no, or yes + timeout value

SLIDE 46

Query complexity

  • Number of queries is polynomial in the size of the canonical MMT $N$ produced by the Myhill-Nerode construction.
  • This MMT may be exponentially bigger (in the number of clocks) than the original MMT $M$ of the teacher (cf. register automata).
  • For MMTs with a single timer, learning is easy: all untimed behaviors are feasible, the lookahead oracle is trivial if we assume the learner knows a bound on the maximal timer value (just wait), and complexity is the same as for a Mealy machine of the same size.

SLIDE 47

Conclusions

Our work constitutes a major step towards a practical approach for active learning of timed systems.

Just like timed automata paved the way to extend model checking to a timed setting, we expect that MMTs will make it possible to lift model learning to a timed setting.

SLIDE 48

Future Work

  1. Implement equivalence oracle
  2. Implement lookahead oracle (inspired by Tomte tool)
  3. Handle non-transparent counterexamples
  4. Deal with timing uncertainty in real applications
  5. Implement our algorithm and apply to practical case studies
  6. Many theoretical questions left!