MODEL DATA PREDICTION by VERIFICATION I NTRODUCTION B ACKGROUND S - - PowerPoint PPT Presentation

MACHINE LEARNING

MEETS

FORMAL VERIFICATION

Luca Bortolussi1,2

1Dipartimento di Matematica e Geoscienze

Università degli studi di Trieste, Italy

2Modelling and Simulation Group

Saarland University, Saarbücken, Germany

GANDALF, September 14, Catania, Italy

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 2 / 60

COMPLEX SYSTEMS

hex

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 3 / 60

MODELLING COMPLEX SYSTEMS

MODEL DATA

PREDICTION by VERIFICATION

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 4 / 60

MODELLING COMPLEX SYSTEMS

MODEL DATA

PREDICTION by VERIFICATION

UNCERTAINTY

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 5 / 60

MODELLING COMPLEX SYSTEMS

MODEL DATA

PREDICTION by VERIFICATION

UNCERTAINTY m a c h i n e l e a r n i n g f

• r

m a l m e t h

• d

s

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 6 / 60

THE “PHILOSOPHICAL” POINT

FORMAL METHODS

Quantitative Formal methods provide (scalable) tools to deal with both local (e.g. Stochastic Process Algebras) and global aspects (e.g. temporal logic), which are seamlessly integrated (through stochastic verification).

MACHINE LEARNING

Machine Learning provides us with sophisticated statistical tools to manage and refine uncertainty, in a computationally efficient way.

MANTRA

Integrate machine learning with quantitative formal methods to produce verification tools dealing consistently with uncertainty.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 7 / 60

THE PROBLEMS TACKLED (SO FAR)

Satisfaction under Uncertainty: Compute satisfaction (probabilities) of formal properties for uncertain models. Synthesis and Design: Find model parameters satisfying (as robustly as possible) a set of formal specifications. Parameter Estimation: Learn model parameters from qualitative observations. Model simplification: Learn simplified models and correction maps. Control: Learn optimal control policies in MDPs.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 8 / 60

BIBLIOGRAPHY

• L. Bortolussi, D. Milios, G. Sanguinetti. Smoothed model checking for uncertain Continuous-Time Markov
• Chains. Information and Computation, 2016.
• L. Bortolussi, D. Milios, G. Sanguinetti. U-Check: Model Checking and Parameter Synthesis Under
• Uncertainty. QEST 2015.
• E. Bartocci, L. Bortolussi, L. Nenzi, G. Sanguinetti. System design of stochastic models using robustness of

temporal properties. Theoretical Computer Science, 2015.

• E. Bartocci, L. Bortolussi, D. Milios, L. Nenzi, G. Sanguinetti. Studying Emergent Behaviours in

Morphogenesis Using Signal Spatio-Temporal Logic. HSB, 2015.

• L. Bortolussi, G. Sanguinetti. Learning and Designing Stochastic Processes from Logical Constraints.

Logical Methods in Computer Science, 2015.

• L. Bortolussi, D. Milios, G. Sanguinetti. Efficient Stochastic Simulation of Systems with Multiple Time Scales

via Statistical Abstraction. CMSB 2015

• L. Bortolussi, G. Caravagna, G. Sanguinetti. Matching Models Across Abstraction Levels with Gaussian
• Processes. CMSB 2016.
• E. Bartocci, L. Bortolussi, T. Bradzil, D. Milios, G. Sanguinetti. Policy Learning for Time-Bounded

Reachability in Continuous-Time Markov Decision Processes via Doubly-Stochastic Gradient Ascent. QEST 2016.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 9 / 60

OUTLINE OF THE TALK

Quick background on stochastic modelling and formal methods Gaussian Processes and Smoothed Model Checking (Robust System Design)

OUTLINE

1 INTRODUCTION 2 BACKGROUND 3 SMOOTHED MODEL CHECKING 4 ROBUST DESIGN 5 CONCLUSIONS

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 11 / 60

A SIMPLE EXAMPLE: EPIDEMIC SPREADING

S R I inf ext recover

S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss

We consider a simple model of epidemic spreading in a homogeneous network (with average degree ⟨k⟩). Each individual can be in three states: susceptible (S), infected (I), and recovered (R). The state of an agent can change due to three events:

1

(infection) I + S → I + I at rate ki⟨k⟩SI

2

(ext infection) S → I at rate keS

3

(recovery) I → R at rate krI

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 12 / 60

THE STOCHASTIC PROCESS BEHIND: CTMC

We consider population CTMC models, that describe the dynamics of a population of interacting agents.

STATE SPACE

The state space is described by a set of n variables X = X1,...,Xn ∈ N, each counting the number of agents (jobs, molecules, ...) of a given kind.

TRANSITIONS

The dynamics is given by a set of rules of the form s1X1 + ... + snXn → r1X1 + ... + rnXn, with rate given by a function f(X,θ), depending on the system variables and on a set of parameters θ.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 13 / 60

THE STOCHASTIC PROCESS BEHIND: CTMC

RULES

s1X1 + ... + snXn → r1X1 + ... + rnXn Update vector: v = (r1 − s1,...,rn − sn) Rate: f(X,θ).

MASTER EQUATION

dP(X,t) = ∑

j

P(X − vj,t)f(X − vj,θ)dt − ∑

j

P(X,t)f(X,θ)dt

SIMULATION

We can simulate such model with standard algorithms, the most known is Gillespie’s one.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 14 / 60

A SIMPLE EXAMPLE: EPIDEMIC SPREADING

S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss

We are often interested in qualitative features of the system, such as

1

The epidemics stopped between days 60 and 90.

2

The final fraction of infected people is between 80% and 90%.

3

The fraction of infected people remained below 45%.

We will formalise them with metric interval temporal logic.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 15 / 60

METRIC INTERVAL TEMPORAL LOGIC

We express qualitative properties by Metric (interval) Temporal Logic. Linear continuous time: in experiments we observe single realisations. Metric bounds: we can observe a system only for a finite amount of time.

SYNTAX

ϕ ∶∶= tt ∣ µ ∣ ¬ϕ ∣ ϕ1 ∧ ϕ2 ∣ ϕ1U[T1,T2]ϕ2, As customary: F[T1,T2]ϕ ≡ ttU[T1,T2]ϕ, G[T1,T2]ϕ ≡ ¬F[T1,T2]¬ϕ. F[T1,T2]ϕ: ϕ is eventually true between time T1 and T2. G[T1,T2]ϕ: ϕ is always true between time T1 and T2. ϕ1U[T1,T2]ϕ2: ϕ1 is true until ϕ2 becomes true between time T1 and T2.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 16 / 60

MITL FOR EPIDEMIC SPREADING

S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss

G[0,200](XI < 45) the fraction of infected never exceeds 45% in the first 200 time units. This upper bounds the number of active infecting indivuals. F[22,40](XI > 35) between time 22 and 40, the fraction of infected exceeds 35%. This locates the infection peak between time 22 and 40. (XI > 0)U[100,120](XI = 0) the epidemic stops between time 100 and 120. G[90,200](82 < XR < 88) the final fraction of recovered is between 82% and 88%. This corresponds to the fraction of population which was infected.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 17 / 60

THE MODEL CHECKING PROBLEM

Given a MiTL formula ϕ, and a trajectory σ, we can algorithmically check if ϕ holds in the world described by σ (starting at time zero). In this case, we say that σ is a model of ϕ, and we write σ ⊧ ϕ. A stochastic model defines a probability distribution on the space of trajectories. In this case, given a MiTL formula ϕ, we are interested in the probability of the subset of trajectories that satisfies ϕ: p(ϕ) = p{X = σ ∣ σ ⊧ ϕ} The stochastic model checking problem is thus the problem of computing p(ϕ), for a given stochastic process X(t).

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 18 / 60

STATISTICAL MODEL CHECKING

We start with a CTMC with fixed parameters θ and a MiTL formula ϕ. We generate samples of the Bernoulli random variable Zϕ, equal to 1 if and only if ϕ is true as follows:

generate a sample trajectory of the CTMC, e.g. by SSA algorithm run a monitoring algorithm on the trajectory to establish the truth of ϕ.

Use statistical tools (Wald sequential testing, Bayesian approach) to establish if p(ϕ∣θ) > q is true (with confidence level α) or to estimate p(ϕ∣θ).

OUTLINE

1 INTRODUCTION 2 BACKGROUND 3 SMOOTHED MODEL CHECKING 4 ROBUST DESIGN 5 CONCLUSIONS

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 20 / 60

UNCERTAINTY AND CTMC

UNCERTAIN CTMC

Consider a Population CTMC model M depending on a set of d parameters θ. We only know θ ∈ D, but not their precise

• value. We call M an Uncertain CTMC (notation: Mθ for fixed θ).

SATISFACTION FUNCTION

Suppose we have a UCTMC M, θ ∈ D, and a Metric Temporal Logic formula ϕ. The the satisfaction probability of ϕ w.r.t. M is a function of θ: p(ϕ ∣ θ) = Prob{Mθ,x,0 ⊧ ϕ}. We call p(ϕ ∣ θ) the satisfaction function. Goal: can we estimate statistically pϕ(θ) = p(ϕ ∣ θ)?.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 21 / 60

KEY PROPERTY OF SATISFACTION FUNCTION

THEOREM (L.B. AND G.S. 2014)

Consider a Population CTMC model M whose transition rates depend polynomially on a set of d parameters θ ∈ D. Let ϕ be a MITL formula. The satisfaction function p(ϕ ∣ θ)∶D → [0,1] is a smooth function of the parameters θ. This means that we can transfer information across neighbouring points. Can we define a statistical model checking technique which simultaneously computes the whole satisfaction function?

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 22 / 60

SMOOTHED MODEL CHECKING: AN INTUITIVE VIEW

parameter probability 1

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 23 / 60

SMOOTHED MODEL CHECKING: AN INTUITIVE VIEW

parameter probability 1

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 24 / 60

SMOOTHED MODEL CHECKING: AN INTUITIVE VIEW

parameter probability 1

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 25 / 60

SMOOTHED MODEL CHECKING: AN INTUITION

OBSERVATIONS

We observe boolean values at different points of the parameter space. They are generated by a Bernoulli (or Binomial) process: at each θ, we sample the boolean true with probability pϕ(θ).

REGRESSION

We can learn a statistical model of the function pϕ(θ) given the

• bservations, in a Bayesian way. For this, we need a prior

distribution over [0,1]-valued functions with domain D. But... how does a random function looks like?

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 26 / 60

RANDOM FUNCTIONS

The object we are interested in is a smooth function. How do we construct probability distributions over random functions? Simplest idea: fix a set of functions ξi(θ) i = 1,...,N (basis functions) Take a linear combination f of the basis function with random coefficients wi, f = ∑i wiξi(θ) If the coefficients are (multivariate) Gaussian distributed, the value of f at a point ˆ θ is Gaussian distributed By choosing suitable infinite sets of basis functions, we

• btain Gaussian Processes.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 27 / 60

GAUSSIAN PROCESSES

A GP is a probability measure over the space of continuous functions (over a suitable input space) such that the random vector obtained by evaluating a sample function at a finite set of points follows a multivariate normal distribution. A GP is uniquely defined by its mean and covariance functions, denoted by µ(x) and k(x,x′): f ∼ GP(µ,k) ↔ f = (f(x1),...,f(xN)) ∼ N (µ,K), µ = (µ(x1),....µ(xN)), K = (k(xi,xj))i,j A kernel defines a space of functions, known as reproducing kernel Hilbert space.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 28 / 60

THE RADIAL BASIS FUNCTION KERNEL

The kernel function is the most important ingredient of GP (the prior mean function can be taken as the constant zero).

RADIAL BASIS FUNCTION KERNEL

k(x,x′) = γ exp[−∥x − x′∥2 λ2 ] It depends on two hyper-parameters, the amplitude γ and the lengthscale λ. Sample functions from a GP with RBF covariance are with probability 1 smooth functions.

UNIVERSALITY PROPERTY OF THE RBF KERNEL

Any smooth function can be approximated to arbitrary precision by a sample from a GP with RBF covariance

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 29 / 60

BAYESIAN PREDICTION WITH GPS

If we have noisy observations y = y1,...,yN of the function at inputs x = x1,...,xN, what can we say of the function value at a new point x∗? By Bayes’ theorem, we have p(y∗∣y) ∝ ∫ df(x)p(y∗,f(x))p(y∣f(x)) (1) where f(x) is the vector of function values at the input points If p(y∣f(x)) is Gaussian (say with zero mean and variance σ2), then we have a regression task and the integral in (1) can be computed analytically

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 30 / 60

GP REGRESSION - EXAMPLE

X

0.5 1 1.5 2 2.5 3 3.5 4

Y

• 1

1 2 3 4 5

True function GP prediction cb 95% cb 95%

• bservation

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 31 / 60

SMOOTHED MODEL CHECKING

We call the following statistical model checking algorithm Smoothed model checking

1

Input a set of parameter values and a number of

• bservations per parameter value

2

Perform (approximate) GP prediction to obtain estimates of satisfaction function and uncertainties (i.e. confidence bounds)

3

If uncertainty is too high, increase the resolution of the parameter grid/ number of observations and repeat.

4

Return estimated satisfaction function and uncertainties

We use GP regression on the inverse probit transform of the probability distribution, approximating the integral (1) by Expectation-Propagation. In fact, p(y∣f(x)) is Binomial and the integral cannot be computed analytically.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 32 / 60

NETWORK EPIDEMICS

S R I inf ext recover loss

S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss S R I inf ext patch loss

SIR epidemic spreading model, with 100 nodes in one of three states: susceptible (XS), infected (XI), and recovered (XR). EXTERNAL INFECTION: S

ke

• → I, with rate function keXS;

INTERNAL INFECTION: S + I

ki

• → I + I, with rate function kiXSXI;

PATCHING: I

kr

• → R, with rate function krXI;

IMMUNITY LOSS: R

ks

• → S, with rate function ksXR;

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 33 / 60

EXAMPLE: EPIDEMICS

SIR MODEL

We investigate the dependence of truth probability of the property ϕ = (XI > 0)U[100,120](XI = 0)

• n the infection rate: kI and recovery rate: kR. We use 10 simulations

at each of 200 parameter values = 2000 runs.

0.05 0.1 0.15 0.2 0.25 0.3 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45

infection rate Probability Smoothed MC 95% Confidence SMC (5000 runs)

0.02 0.04 0.06 0.08 0.1 0.12 0.14 0.16 0.18 0.2 0.05 0.1 0.15 0.2 0.25

recovery rate Probability Smoothed MC 95% Confidence SMC (5000 runs)

(left: function of kI, right: function of kR. Blue dots, SMC for 5000 runs per parameter value)

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 34 / 60

EXAMPLE: EPIDEMICS

SIR MODEL

We estimate p(ϕ ∣ kI,kR) from 2560 traces for the same property. ϕ = (XI > 0)U[100,120](XI = 0)

0.1 0.2 0.3 0.4 0.5 0.05 0.1 0.15 0.2 0.1 0.2 0.3 0.4 0.5 ki kr prob 0.1 0.2 0.3 0.4 0.5 0.05 0.1 0.15 0.2 0.1 0.2 0.3 0.4 ki kr prob

(left: smoothed MC, right SMC on 16x16 points at 5000 runs per

• point. Time SMC= 580× smoothed MC)

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 35 / 60

EXAMPLE: EPIDEMICS

Obs. per value RMSE Bayesian SMC Smoothed MC 64 points 100 points 256 points 5 0.1251 ± 0.013 0.0755 ± 0.036 0.0591 ± 0.020 0.0362 ± 0.014 10 0.0887 ± 0.010 0.0513 ± 0.022 0.0444 ± 0.023 0.0283 ± 0.007 20 0.0619 ± 0.006 0.0321 ± 0.016 0.0302 ± 0.011 0.0202 ± 0.005 50 0.0393 ± 0.006 0.0225 ± 0.008 0.0194 ± 0.004 0.0154 ± 0.001 100 0.0269 ± 0.003 0.0190 ± 0.004 0.0162 ± 0.002 0.0140 ± 0.002 200 0.0198 ± 0.002 0.0174 ± 0.006 0.0146 ± 0.003 0.0100 ± 0.003

SmoothedMC produces consistently better estimates in the sampled grid points that Bayesian SMC, for the same number of samples. It also provides estimates with roughly the same standard deviation in all other points of the parameter space.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 36 / 60

RUNNING TIMES

We report running times for another example (LacZ operon), for which simulation is more expensive, on a 2-dimensional parameter space. Method 100 points 256 points Smoothed MC SMC (10 runs) 31 sec 110 sec

• Hyperparam. Opt.

8 sec 30 sec GP Prediction 1 sec 2 sec Total 40 sec 142 sec Bayesian SMC (100 runs) 1100 sec

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 37 / 60

U-CHECK: A TOOL FOR STATISTICAL MODEL CHECKING

OF UNCERTAIN CTMC

GP Framework GP Optimisation Model Checking Framework Smoothed Model Checking Learning From Formulae U-check CLI

Java-based tool Command line interface Experiment configuration file

INPUT: Model specified in PRISM,

Bio-PEPA, . . .

INPUT: Properties specified in MITL. INPUT: Analysis mode and options

It supports smoothed Model Checking, robust parameter synthesis and parameter estimation. https://github.com/dmilios/U-check http://homepages.inf.ed.ac.uk/dmilios/ucheck/

OUTLINE

1 INTRODUCTION 2 BACKGROUND 3 SMOOTHED MODEL CHECKING 4 ROBUST DESIGN 5 CONCLUSIONS

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 39 / 60

ROBUST DESIGN WITH TEMPORAL LOGIC

QUALITATIVE DATA

We consider a set of system requirements specified as (linear) temporal logic formulae.

PROBLEM: ROBUST SYNTHESIS/ DESIGN

Find the set of model parameters that such that the model satisfies the requirements as robustly as possible.

NOTION OF ROBUSTNESS

This requires a proper notion of robustness of satisfaction for a temporal logic formula.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 40 / 60

SIGNAL TEMPORAL LOGIC

STL is metric linear time logic for real-valued signals.

STL SYNTAX

Given a (primary) real-valued signal x[t] = (x1[t],...,xn[t]), t ∈ R⩾0, xi ∈ R, the STL syntax is given by ϕ ∶= µ ∣ ¬ϕ ∣ ϕ1 ∧ ϕ2 ∣ ϕ1 U[a,b] ϕ2 µ ∶ Rn → B is an atomic predicate s.t. µ(x) ∶= (y(x) ⩾ 0), y ∶ Rn → R a real-valued function, the secondary signal. As usual, F[a,b]ϕ ∶=⊤ U[a,b]ϕ and G[a,b]ϕ ∶= ¬F[a,b]¬ϕ.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 41 / 60

SIGNAL TEMPORAL LOGIC

STL QUANTITATIVE SEMANTICS

The quantitative satisfaction function ρ is defined by

ρ(µ,x,t) = y(x[t]) where µ ≡ (y(x[t]) ⩾ 0) ρ(¬ϕ,x,t) = − ρ(ϕ,x,t) ρ(ϕ1 ∧ ϕ2,x,t) = min(ρ(ϕ1,x,t),ρ(ϕ2,x,t)) ρ(ϕ1 U[a,b]ϕ2,x,t) = max

t′∈t+[a,b](min(ρ(ϕ2,x,t′)), min t′′∈[t,t′](ρ(ϕ1,x,t′′))).

This satisfaction score can be computed efficiently for piecewise linear signals, see e.g. the Breach Matlab Toolbox

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 42 / 60

ROBUSTNESS OF STOCHASTIC MODELS

The quantitative satisfaction function ρ(ϕ,x) ∶ D → R induces a real-valued random variable Rϕ(X) with probability distribution P(Rϕ(X) ∈ [a,b]) = P(X ∈ {x ∈ D ∣ ρ(ϕ,x,0) ∈ [a,b]}) Indicators: E(Rϕ) (The average robustness degree) E(Rϕ ∣ Rϕ > 0) and E(Rϕ ∣ Rϕ < 0) (The conditional average)

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 43 / 60

SCHLÖGL SYSTEM

CTMC model of a Schlögl system. Biochemical reactions of the Schlögl model:

Reaction rate constant init pop A + 2X → 3X k1 = 3 ⋅ 10−7 X(0) = 247 3X → A + 2X k2 = 1 ⋅ 10−4 A(0) = 105 B → X k3 = 1 ⋅ 10−3 B(0) = 2 ⋅ 105 X → B k4 = 3.5

Simulation of the Schlogl model (100 runs): starting close to the boundary of the basin of attraction, the bistable behaviour is evident

X 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 time 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 values

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 44 / 60

SCHLÖGL SYSTEM

STL formula : ϕ ∶ F[0,T1]G[0,T2](X ≥ kt) kt = 300

−300 −200 −100 100 200 300 500 1000 1500 2000 2500 3000 3500 robustness degree frequency

Statistical estimation of ϕ: p = 0.4583 (10000 runs, error ±0.02 at 95% confidence level).

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 45 / 60

SCHLÖGL SYSTEM

Satisfaction probability versus average robustness degree

0.2 0.4 0.6 0.8 1 −400 −300 −200 −100 100 200 300 satisfaction probability robustness degree

Varying threshold kt Correlation around 0.8386, dependency seems to follow a sigmoid shaped curve.

0.2 0.4 0.6 0.8 1 −300 −200 −100 100 200 300 satisfaction probability robustness degree

Varying k3 Correlation around 0.9718 with an evident linear trend.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 46 / 60

THE SYSTEM DESIGN PROBLEM

“Given a stochastic model, depending on a set of parameters θ ∈ K, and a specification ϕ (STL formula), find the parameter combination θ∗ s.t. the system satisfies ϕ as robustly as possible”.

Solution strategy: rephrase it as an unconstrained optimisation problem: we maximise the expected robustness degree. evaluate the function to optimise using statistical model checking with a fixed number of runs solve the optimisation problem using the Gaussian Process-Upper Confidence Bound optimisation (GP-UCB)

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 47 / 60

THE OPTIMISATION PROBLEM

We need to maximise the expected robustness. Each evaluation of these function is costly (we obtain it by SMC, need to run SSA many times). Each evaluation of these functions is noisy (we estimate the value by SMC - noise is approximatively gaussian). We need to maximise an unknown function, which we can

• bserve with noise, with the minimal number of evaluations.

We use the GP-UCB algorithm (Srinivas et al 2012)

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 48 / 60

THE GP-UCB ALGORITHM

BASIC IDEA

Use GP regression to emulate the unknown function, and to explore the region near the maximum of the posterior mean. Doing this naively ⇒ trapped in local optima.

BALANCE EXPLORATION AND EXPLOITATION

Maximise an upper quantile of the distribution, obtained as mean value plus a constant times the standard deviation: xt+1 = argmaxx [µt(x) + βt √ vart(x)] Then xt is added to the observation points. The algorithm has a convergence guarantee in terms of regret bounds (for slowly increasing βt).

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 49 / 60

THE GP-UCB ALGORITHM - EXAMPLE

1 1.2 1.4 1.6 1.8 2 2.2 2.4 2.6 2.8 3 10 12 14 16 18 20 22 24 26 28 30

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 50 / 60

THE GP-UCB ALGORITHM - EXAMPLE

1 1.2 1.4 1.6 1.8 2 2.2 2.4 2.6 2.8 3 10 12 14 16 18 20 22 24 26 28 30

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 51 / 60

THE GP-UCB ALGORITHM - EXAMPLE

1 1.2 1.4 1.6 1.8 2 2.2 2.4 2.6 2.8 3 10 12 14 16 18 20 22 24 26 28 30

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 52 / 60

THE GP-UCB ALGORITHM - EXAMPLE

1 1.2 1.4 1.6 1.8 2 2.2 2.4 2.6 2.8 3 10 12 14 16 18 20 22 24 26 28 30

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 53 / 60

EXPERIMENTAL RESULTS (SCHLÖGL SYSTEM)

Statistics of the results of ten experiments to optimize the parameter k3 , for ϕ ∶ F[0,T1]G[0,T2](X ≥ kt), in the range [50,1000]:

Parameter mean Parameter range Mean probability k3 = 997.78 [979.31 999.99] 1 Average Robustness Number of function evaluations Number of simulation runs 348.97 34.4 3440

The emulated robustness function in the optimisation of k3

100 200 300 400 500 600 700 800 900 1000 −3000 −2500 −2000 −1500 −1000 −500 500 k3 robustness degree

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 54 / 60

EXPERIMENTAL RESULTS (SCHLÖGL SYSTEM)

The distribution of the robustness score for ϕ ∶ F[0,T1]G[0,T2](X ≥ kt) with k3 = 999.99, T1 = 10, T2 = 15 and kt = 300

250 300 350 400 100 200 300 400 500 600 700 800 900 robustness degree

OUTLINE

1 INTRODUCTION 2 BACKGROUND 3 SMOOTHED MODEL CHECKING 4 ROBUST DESIGN 5 CONCLUSIONS

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 56 / 60

CONCLUSIONS

Uncertainty has implications also for formal analysis techniques. When there is uncertainty, machine learning is likely to be

• f use.

We proposed efficiently methods relying on Gaussian Processes for the satisfaction under uncertainty, system design, parameter estimation from qualitative

• bservations, . . .

We have a working tool: U-check. Challenges: uncertain model structure, model abstraction, modularisation, spatio-temporal models.

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 57 / 60

ACKNOWLEDGEMENTS

SPONSORS

FP7 QUANTICOL EU project and UniTS local funding.

COLLABORATORS

Guido Sanguinetti Dimitios Milios Laura Nenzi Ezio Bartocci Tomas Bradzil Giulio Caravagna

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 58 / 60

QEST 2017 (ADV)

14th Int. Conference on Quantitative Evaluation of SysTems Berlin, 5-7 September 2017 Deadline: 31 march 2017

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 59 / 60

THE END

INTRODUCTION BACKGROUND SMOOTHMC ROBUST DESIGN CONCLUSIONS 60 / 60

SMOOTHED MODEL CHECKING, MORE FORMALLY

At each θ, the distribution of observations is Binomial(m,pϕ(θ)). We collect observations at input points θi in a matrix D. The inverse probit transform of the satisfaction function gϕ(θ) = ψ(pϕ(θ)) (a smooth function of the parameters) is assigned a GP prior. Here ψ(p) = g ⇔ p = ∫

g ∞ N(0,1)

∀p ∈ [0,1],g ∈ R g∗ = gϕ(θ∗) at a new point θ∗, given observations D, is then distributed as p (gϕ(θ∗)∣D) ∝ ∫ dgN ((g∗,g)∣0,Σ)

N

∏

i=1

(pϕ(θi))∑ di (1 − pϕ(θi))m−∑ di An analytical approximation of this integral can be computed by a variant of the Expectation-Propagation algorithm.