monitoring decentralized specifications Antoine El-Hokayem Ylis - - PowerPoint PPT Presentation

monitoring decentralized specifications

Antoine El-Hokayem Yliès Falcone

• Univ. Grenoble Alpes, Inria, CNRS

Grenoble, France

(Decentralized) Monitoring

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring (aka runtime verification) ֒

→ Overview

· Lightweight verification technique · Checks whether a run of a program conforms to a specification (As opposed to model checking which verifies all runs) · Monitors are synthesized and integrated to observe the system · Monitors determine a verdict: B3 = {⊤, ⊥, ?} · ⊤ (true): run complies with specification · ⊥ (false): run does not comply with specification · ?: verdict cannot be determined (yet)

Monitor specification run verdicts

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

1

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring ֒

→ System Abstraction

• 1. Components (C)

2. 3. 4.

Example

• 1. {c0, c1} (Temp sensor + Fan)

2. 3. is is not 4.

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

2

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring ֒

→ System Abstraction

• 1. Components (C)
• 2. Atomic propositions (AP)

3. 4.

Example

• 1. {c0, c1} (Temp sensor + Fan)
• 2. {tlow, tmed, thigh, tcrit, fan} (e.g., tcrit “temperature critical”)

3. is is not 4.

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

2

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring ֒

→ System Abstraction

• 1. Components (C)
• 2. Atomic propositions (AP)
• 3. Observations/Events (AP → B2, possibly partial )

4.

Example

• 1. {c0, c1} (Temp sensor + Fan)
• 2. {tlow, tmed, thigh, tcrit, fan} (e.g., tcrit “temperature critical”)
• 3. {tlow, ⊤, fan, ⊥} — “temperature is low and fan is not on”

4.

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

2

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring ֒

→ System Abstraction

• 1. Components (C)
• 2. Atomic propositions (AP)
• 3. Observations/Events (AP → B2, possibly partial )
• 4. Trace: a sequence of events for each component (partial function)

Example

• 1. {c0, c1} (Temp sensor + Fan)
• 2. {tlow, tmed, thigh, tcrit, fan} (e.g., tcrit “temperature critical”)
• 3. {tlow, ⊤, fan, ⊥} — “temperature is low and fan is not on”

4.    0 → c0 → {tlow, ⊤, tmed, ⊥, . . .} 0 → c1 → {fan, ⊥} 1 → c0 → {tmed, ⊤, . . .} 1 → c1 → {fan, ⊥} 2 → c0 → {thigh, ⊤, . . .} 2 → c1 → {fan, ⊤}   

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

2

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring ֒

→ System Abstraction

• 1. Components (C)
• 2. Atomic propositions (AP)
• 3. Observations/Events (AP → B2, possibly partial )
• 4. Trace: a sequence of events for each component (partial function)

Example

• 1. {c0, c1} (Temp sensor + Fan)
• 2. {tlow, tmed, thigh, tcrit, fan} (e.g., tcrit “temperature critical”)
• 3. {tlow, ⊤, fan, ⊥} — “temperature is low and fan is not on”

4.    0 → c0 → {tlow, ⊤, tmed, ⊥, . . .} 0 → c1 → {fan, ⊥} 1 → c0 → {tmed, ⊤, . . .} 1 → c1 → {fan, ⊥} 2 → c0 → {thigh, ⊤, . . .} 2 → c1 → {fan, ⊤}    {tlow, ⊤, fan, ⊥, . . .} · {tmed, ⊤, fan, ⊥, . . .} · {thigh, ⊤, fan, ⊤, . . .}

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

2

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring using automata ֒

→ Example

“Fan must always be turned on when temperature is high”

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

G(thigh = ⇒ Xfan)

• 1. At t = 1, from q0:

1.1 1.2 2. 2.1 2.2 Monitoring this property requires a central observation point!

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

3

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring using automata ֒

→ Example

“Fan must always be turned on when temperature is high”

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

G(thigh = ⇒ Xfan)

• 1. At t = 1, from q0:

1.1 Observe thigh ⊤ fan ⊥ 1.2 2. 2.1 2.2 Monitoring this property requires a central observation point!

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

3

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring using automata ֒

→ Example

“Fan must always be turned on when temperature is high”

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

G(thigh = ⇒ Xfan)

• 1. At t = 1, from q0:

1.1 Observe thigh ⊤ fan ⊥ 1.2 Eval ¬thigh ⊥ thigh ⊤ 2. 2.1 2.2 Monitoring this property requires a central observation point!

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

3

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring using automata ֒

→ Example

“Fan must always be turned on when temperature is high”

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

G(thigh = ⇒ Xfan)

• 1. At t = 1, from q0:

1.1 Observe thigh ⊤ fan ⊥ 1.2 Eval ¬thigh ⊥ thigh ⊤

• 2. At t = 2, from q1:

2.1 2.2 Monitoring this property requires a central observation point!

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

3

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring using automata ֒

→ Example

“Fan must always be turned on when temperature is high”

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

G(thigh = ⇒ Xfan)

• 1. At t = 1, from q0:

1.1 Observe thigh ⊤ fan ⊥ 1.2 Eval ¬thigh ⊥ thigh ⊤

• 2. At t = 2, from q1:

2.1 Observe thigh ⊤ fan ⊥ 2.2 Monitoring this property requires a central observation point!

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

3

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring using automata ֒

→ Example

“Fan must always be turned on when temperature is high”

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

G(thigh = ⇒ Xfan)

• 1. At t = 1, from q0:

1.1 Observe thigh ⊤ fan ⊥ 1.2 Eval ¬thigh ⊥ thigh ⊤

• 2. At t = 2, from q1:

2.1 Observe thigh ⊤ fan ⊥ 2.2 Eval fan ∧ ¬thigh ⊥ fan ∧ thigh ⊥ ¬fan ⊤ Monitoring this property requires a central observation point!

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

3

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring using automata ֒

→ Example

“Fan must always be turned on when temperature is high”

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

G(thigh = ⇒ Xfan)

• 1. At t = 1, from q0:

1.1 Observe thigh ⊤ fan ⊥ 1.2 Eval ¬thigh ⊥ thigh ⊤

• 2. At t = 2, from q1:

2.1 Observe thigh ⊤ fan ⊥ 2.2 Eval fan ∧ ¬thigh ⊥ fan ∧ thigh ⊥ ¬fan ⊤ Monitoring this property requires a central observation point!

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

3

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

monitoring using automata ֒

→ Example

“Fan must always be turned on when temperature is high”

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

G(thigh = ⇒ Xfan)

• 1. At t = 1, from q0:

1.1 Observe thigh ⊤ fan ⊥ 1.2 Eval ¬thigh ⊥ thigh ⊤

• 2. At t = 2, from q1:

2.1 Observe thigh ⊤ fan ⊥ 2.2 Eval fan ∧ ¬thigh ⊥ fan ∧ thigh ⊥ ¬fan ⊤ Monitoring this property requires a central observation point!

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

3

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting unpredictability ineffjciency

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · C = {c0, . . . , cn}: components no central observation point unpredictability ineffjciency

c1 . . . ci . . . cn

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · C = {c0, . . . , cn}: components · AP = AP0 ∪ . . . ∪ APn: atomic propositions, partitioned by C no central observation point unpredictability ineffjciency

c1 . . . ci . . . cn AP1 APi APn

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · C = {c0, . . . , cn}: components · AP = AP0 ∪ . . . ∪ APn: atomic propositions, partitioned by C · no central observation point unpredictability ineffjciency

c1 . . . ci . . . cn AP1 APi APn

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · C = {c0, . . . , cn}: components · AP = AP0 ∪ . . . ∪ APn: atomic propositions, partitioned by C · no central observation point · but monitors attached to components unpredictability ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting unpredictability ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn Monitoring specifjcation over AP effjciently?

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · Issues in decentralized monitoring unpredictability ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn Monitoring specifjcation over AP effjciently?

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · Issues in decentralized monitoring · partial views of AP – unknown global state unpredictability ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn Monitoring specifjcation over AP effjciently?

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) unpredictability ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn Monitoring specifjcation over AP effjciently?

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors unpredictability ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn Monitoring specifjcation over AP effjciently?

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Existing approaches: unpredictability ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn Monitoring specifjcation over AP effjciently?

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Existing approaches: · based on LTL rewriting — unpredictability of monitor performance ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn Monitoring specifjcation over AP effjciently?

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized monitoring ֒

→ Problem statement

· General setting · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Existing approaches: · based on LTL rewriting — unpredictability of monitor performance · all monitors check the same specification — ineffjciency

c1 . . . ci . . . cn M1 . . . Mi . . . Mn AP1 APi APn Monitoring specifjcation over AP effjciently?

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

4

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring 1. predictable Automata compare

• 2. Separate

Decentralized

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

Automata compare

• 2. Separate

Decentralized

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

· Move from LTL → Automata compare

• 2. Separate

Decentralized

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

· Move from LTL → Automata · Common ground to compare existing (and future) strategies

• 2. Separate

Decentralized

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

· Move from LTL → Automata · Common ground to compare existing (and future) strategies

• 2. Separate monitor synthesis from monitoring strategies

Decentralized

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

· Move from LTL → Automata · Common ground to compare existing (and future) strategies

• 2. Separate monitor synthesis from monitoring strategies

· Centralized specification → Decentralized specification

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

· Move from LTL → Automata · Common ground to compare existing (and future) strategies

• 2. Separate monitor synthesis from monitoring strategies

· Centralized specification → Decentralized specification · Monitorability of a decentralized specification

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

· Move from LTL → Automata · Common ground to compare existing (and future) strategies

• 2. Separate monitor synthesis from monitoring strategies

· Centralized specification → Decentralized specification · Monitorability of a decentralized specification · Define a general decentralized monitoring algorithm

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

· Move from LTL → Automata · Common ground to compare existing (and future) strategies

• 2. Separate monitor synthesis from monitoring strategies

· Centralized specification → Decentralized specification · Monitorability of a decentralized specification · Define a general decentralized monitoring algorithm ⋆ Extend tooling support for the design methodology

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

goals

Define a methodology of design and evaluation of decentralized monitoring

• 1. Aim for predictable behavior

· Move from LTL → Automata · Common ground to compare existing (and future) strategies

• 2. Separate monitor synthesis from monitoring strategies

· Centralized specification → Decentralized specification · Monitorability of a decentralized specification · Define a general decentralized monitoring algorithm ⋆ Extend tooling support for the design methodology ⋆ Ensure reproducibility

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

(Decentralized) Monitoring Monitoring with EHEs

Monitoring Decentralized Specifjcations

The THEMIS Approach Conclusions

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

5

Monitoring with EHEs

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that fmexibility partial

• rder

predictable Atoms add data Memory rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information

• rder

predictable Atoms add data Memory rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information predictable Atoms add data Memory rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations Atoms add data Memory rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations · Atomic propositions → Atoms add data Memory rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations · Atomic propositions → Atoms · Allow algorithms to add data to observations (enc : AP → Atoms) Memory rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations · Atomic propositions → Atoms · Allow algorithms to add data to observations (enc : AP → Atoms) · Ordering information (timestamp, round number, vector clock etc.) Memory rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations · Atomic propositions → Atoms · Allow algorithms to add data to observations (enc : AP → Atoms) · Ordering information (timestamp, round number, vector clock etc.) · Monitors store Atoms in their Memory rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations · Atomic propositions → Atoms · Allow algorithms to add data to observations (enc : AP → Atoms) · Ordering information (timestamp, round number, vector clock etc.) · Monitors store Atoms in their Memory · Monitors need to evaluate ExprAtoms rewrite simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations · Atomic propositions → Atoms · Allow algorithms to add data to observations (enc : AP → Atoms) · Ordering information (timestamp, round number, vector clock etc.) · Monitors store Atoms in their Memory · Monitors need to evaluate ExprAtoms · rewrite using Memory simplify

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations · Atomic propositions → Atoms · Allow algorithms to add data to observations (enc : AP → Atoms) · Ordering information (timestamp, round number, vector clock etc.) · Monitors store Atoms in their Memory · Monitors need to evaluate ExprAtoms · rewrite using Memory · simplify using Boolean logics (much easier than simplification for LTL)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Information as Atoms

⋆ Encode the execution as a datastructure that · supports fmexibility when receiving partial information · is insensitive to the reception order of information · has predictable size and operations · Atomic propositions → Atoms · Allow algorithms to add data to observations (enc : AP → Atoms) · Ordering information (timestamp, round number, vector clock etc.) · Monitors store Atoms in their Memory · Monitors need to evaluate ExprAtoms · rewrite using Memory · simplify using Boolean logics (much easier than simplification for LTL) ExprAtoms × Mem → B3 eval(expr, M) = simplify(rw(expr, M)) eval(1, thigh ∧ 2, fan, [1, thigh → ⊥]) = ⊥ ∧ 2, fan = ⊥

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

6

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Automata Execution

· EHE is a partial function: I : I( timestamp state EHE recursively lazily

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

7

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Automata Execution

· EHE is a partial function: I : N I(t · For a given timestamp t state EHE recursively lazily

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

7

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Automata Execution

· EHE is a partial function: I : N × QA I(t, q) · For a given timestamp t · The automaton is in state q iff EHE recursively lazily

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

7

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Automata Execution

· EHE is a partial function: I : N × QA → ExprAtoms I(t, q) = expr · For a given timestamp t · The automaton is in state q iff · eval(expr, M) = ⊤ EHE recursively lazily

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

7

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Automata Execution

· EHE is a partial function: I : N × QA → ExprAtoms I(t, q) = expr · For a given timestamp t · The automaton is in state q iff · eval(expr, M) = ⊤ I(2, q0) = [¬1, thigh ∧ ¬2, thigh] ∨ [1, thigh ∧ (2, fan ∧ ¬2, thigh)]

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

EHE recursively lazily

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

7

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Automata Execution

· EHE is a partial function: I : N × QA → ExprAtoms I(t, q) = expr · For a given timestamp t · The automaton is in state q iff · eval(expr, M) = ⊤ I(2, q0) = [¬1, thigh ∧ ¬2, thigh] ∨ [1, thigh ∧ (2, fan ∧ ¬2, thigh)] eval(I(2, q0), [1, thigh → ⊥]) = eval(¬2, thigh, . . .) = ?

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

EHE recursively lazily

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

7

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Automata Execution

· EHE is a partial function: I : N × QA → ExprAtoms I(t, q) = expr · For a given timestamp t · The automaton is in state q iff · eval(expr, M) = ⊤ I(2, q0) = [¬1, thigh ∧ ¬2, thigh] ∨ [1, thigh ∧ (2, fan ∧ ¬2, thigh)] eval(I(2, q0), [1, thigh → ⊥]) = eval(¬2, thigh, . . .) = ?

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

· EHE is constructed recursively and lazily (as needed and on-the-fly) using A

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

7

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 1 2 2

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 1 2 2

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 q0 1 q1 2 2

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 q0 ⊤ ∧ ¬1, a ∧ ¬1, b 1 q1 2 2

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 q0 ¬1, a ∧ ¬1, b 1 q1 1, a ∨ 1, b 2 2

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 q0 ¬1, a ∧ ¬1, b 1 q1 1, a ∨ 1, b 2 q0 2 q1

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 q0 ¬1, a ∧ ¬1, b 1 q1 1, a ∨ 1, b 2 q0 (¬1, a ∧ ¬1, b) 2 q1 . . .

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 q0 ¬1, a ∧ ¬1, b 1 q1 1, a ∨ 1, b 2 q0 (¬1, a ∧ ¬1, b) ∧ (¬2, a ∧ ¬2, b) 2 q1 . . .

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 q0 ¬1, a ∧ ¬1, b 1 q1 1, a ∨ 1, b 2 q0 (¬1, a ∧ ¬1, b) ∧ (¬2, a ∧ ¬2, b) 2 q1 [(¬1, a ∧ ¬1, b) ] ∨ [(1, a ∨ 1, b) ] . . .

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Construction

I2 = mov([0 → q0 → ⊤], 0, 2) q0 q1 a ∨ b ⊤ ¬a ∧ ¬b t q expr q0 ⊤ 1 q0 ¬1, a ∧ ¬1, b 1 q1 1, a ∨ 1, b 2 q0 (¬1, a ∧ ¬1, b) ∧ (¬2, a ∧ ¬2, b) 2 q1 [(¬1, a ∧ ¬1, b) ∧ (2, a ∨ 2, b)] ∨ [(1, a ∨ 1, b) ∧ ⊤] . . .

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

8

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

EHE

• 2. Strong Eventual Consistency

EHE EHE EHE same centralized multiple 3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

• 2. Strong Eventual Consistency

EHE EHE EHE same centralized multiple 3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency

EHE EHE EHE same centralized multiple 3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

EHE EHE EHE same centralized multiple 3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q EHE EHE same centralized multiple 3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q · ∨ is commutative, associative and idempotent EHE EHE same centralized multiple 3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q · ∨ is commutative, associative and idempotent

→ EHE is a state-based replicated data-type (CvRDT)

EHE same centralized multiple 3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q · ∨ is commutative, associative and idempotent

→ EHE is a state-based replicated data-type (CvRDT) → Monitors that exchange their EHE find the same verdict

centralized multiple 3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q · ∨ is commutative, associative and idempotent

→ EHE is a state-based replicated data-type (CvRDT) → Monitors that exchange their EHE find the same verdict → Can monitor centralized specification shared with multiple monitors

3. potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q · ∨ is commutative, associative and idempotent

→ EHE is a state-based replicated data-type (CvRDT) → Monitors that exchange their EHE find the same verdict → Can monitor centralized specification shared with multiple monitors

• 3. Predictable size

potential past potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q · ∨ is commutative, associative and idempotent

→ EHE is a state-based replicated data-type (CvRDT) → Monitors that exchange their EHE find the same verdict → Can monitor centralized specification shared with multiple monitors

• 3. Predictable size

· The EHE encodes all potential and past states, as needed potential assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q · ∨ is commutative, associative and idempotent

→ EHE is a state-based replicated data-type (CvRDT) → Monitors that exchange their EHE find the same verdict → Can monitor centralized specification shared with multiple monitors

• 3. Predictable size

· The EHE encodes all potential and past states, as needed · The more we keep track of potential states, the bigger the size assess EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Properties

• 1. Soundness (provided that observations can be totally ordered)

· For the same trace, EHE and A report the same state

→ They find the same verdict

• 2. Strong Eventual Consistency (SEC)

· We can merge EHEs by disjoining (∨) each entry t, q · ∨ is commutative, associative and idempotent

→ EHE is a state-based replicated data-type (CvRDT) → Monitors that exchange their EHE find the same verdict → Can monitor centralized specification shared with multiple monitors

• 3. Predictable size

· The EHE encodes all potential and past states, as needed · The more we keep track of potential states, the bigger the size

→ We can assess algorithms by how they manipulate the EHE

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

9

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Analysis

determining Potential grows EHE t → q → ⊤                                                    t + 1 → q0 → e10 q1 → e11 . . . q|Q|−1 → e1(|Q|−1)            t + 2 → q0 → e20 . . . q|Q|−1 → e2(|Q|−1)      . . . t + δ → q0 → eδ0 q1 → eδ1 . . . q|Q|−1 → eδ(|Q|−1)         

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

10

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Analysis

determining Potential grows EHE t → q → ⊤                                                    t + 1 → q0 → e10 q1 → e11 . . . q|Q|−1 → e1(|Q|−1)            |Q| t + 2 → q0 → e20 . . . q|Q|−1 → e2(|Q|−1)      |Q| . . . t + δ → q0 → eδ0 q1 → eδ1 . . . q|Q|−1 → eδ(|Q|−1)          |Q|

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

10

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Analysis

· Information Delay (δ) Timestamps needed to expand before determining a state Potential states to keep track of grows EHE t → q → ⊤ δ                                                    t + 1 → q0 → e10 q1 → e11 . . . q|Q|−1 → e1(|Q|−1)            |Q| t + 2 → q0 → e20 . . . q|Q|−1 → e2(|Q|−1)      |Q| . . . t + δ → q0 → eδ0 q1 → eδ1 . . . q|Q|−1 → eδ(|Q|−1)          |Q|

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

10

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Analysis

· Information Delay (δ) Timestamps needed to expand before determining a state Potential states to keep track of · Size of expression grows with each move beyond t EHE t → q → ⊤ δ                                                    t + 1 → q0 → e10 q1 → e11 . . . q|Q|−1 → e1(|Q|−1)            |Q| t + 2 → q0 → e20 . . . q|Q|−1 → e2(|Q|−1)      |Q| . . . t + δ → q0 → eδ0 q1 → eδ1 . . . q|Q|−1 → eδ(|Q|−1)          |Q|

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

10

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

execution history encoding ֒

→ Analysis

· Information Delay (δ) Timestamps needed to expand before determining a state Potential states to keep track of · Size of expression grows with each move beyond t · Size of EHE: |Iδ| = O(δ|Q|

δ

• 1

LP) = O(δ2|Q|LP) t → q → ⊤ δ                                                    t + 1 → q0 → e10 q1 → e11 . . . q|Q|−1 → e1(|Q|−1)            |Q| t + 2 → q0 → e20 . . . q|Q|−1 → e2(|Q|−1)      |Q| . . . t + δ → q0 → eδ0 q1 → eδ1 . . . q|Q|−1 → eδ(|Q|−1)          |Q|

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

10

Monitoring Decentralized Specifications

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification

· Each monitor is associated with a tuple A, c specifjcation component local monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

11

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification

· Each monitor is associated with a tuple A, c · A is its specifjcation automaton component local monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

11

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification

· Each monitor is associated with a tuple A, c · A is its specifjcation automaton · c is the component the monitor is attached to local monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

11

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification

· Each monitor is associated with a tuple A, c · A is its specifjcation automaton · c is the component the monitor is attached to · The transition labels of an automaton A are restricted to: local monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

11

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification

· Each monitor is associated with a tuple A, c · A is its specifjcation automaton · c is the component the monitor is attached to · The transition labels of an automaton A are restricted to: · Atomic propositions local to the attached component monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

11

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification

· Each monitor is associated with a tuple A, c · A is its specifjcation automaton · c is the component the monitor is attached to · The transition labels of an automaton A are restricted to: · Atomic propositions local to the attached component · References to other monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

11

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification

· Each monitor is associated with a tuple A, c · A is its specifjcation automaton · c is the component the monitor is attached to · The transition labels of an automaton A are restricted to: · Atomic propositions local to the attached component · References to other monitors

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

11

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification

· Each monitor is associated with a tuple A, c · A is its specifjcation automaton · c is the component the monitor is attached to · The transition labels of an automaton A are restricted to: · Atomic propositions local to the attached component · References to other monitors

q0 q1 q2 thigh fan ∧ thigh ¬thigh ¬fan fan ∧ ¬thigh ⊤ q00 A0 (Temp) q01 q02 thigh m1 ∧ thigh ¬thigh ¬m1 m1 ∧ ¬thigh ⊤ q10 q11 q12 A1 (Fan) fan ¬fan ⊤ ⊤

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

11

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr starting verdict

(!)

not

(?)

fjnal 1. taken 2. verdict 3. dependencies paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 verdict

(!)

not

(?)

fjnal 1. taken 2. verdict 3. dependencies paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!)

not

(?)

fjnal 1. taken 2. verdict 3. dependencies paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!) If Aj never reaches a final verdict we will not be able to monitor Ak (?)

fjnal 1. taken 2. verdict 3. dependencies paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!) If Aj never reaches a final verdict we will not be able to monitor Ak (?) Monitorability: “From any state in Ak, we can reach a fjnal verdict”

1. taken 2. verdict 3. dependencies paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!) If Aj never reaches a final verdict we will not be able to monitor Ak (?) Monitorability: “From any state in Ak, we can reach a fjnal verdict”

· monitorable(Ak) iff ∀q ∈ QAk, ∃qf ∈ QAk, ∃ef ∈ paths(q, qf ), s.t. 1. taken 2. verdict 3. dependencies paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!) If Aj never reaches a final verdict we will not be able to monitor Ak (?) Monitorability: “From any state in Ak, we can reach a fjnal verdict”

· monitorable(Ak) iff ∀q ∈ QAk, ∃qf ∈ QAk, ∃ef ∈ paths(q, qf ), s.t.

• 1. Path can be taken: ef is satisfiable;

2. verdict 3. dependencies paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!) If Aj never reaches a final verdict we will not be able to monitor Ak (?) Monitorability: “From any state in Ak, we can reach a fjnal verdict”

· monitorable(Ak) iff ∀q ∈ QAk, ∃qf ∈ QAk, ∃ef ∈ paths(q, qf ), s.t.

• 1. Path can be taken: ef is satisfiable;
• 2. Path leads to a verdict: verk(qf ) ∈ {⊥, ⊤};

3. dependencies paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!) If Aj never reaches a final verdict we will not be able to monitor Ak (?) Monitorability: “From any state in Ak, we can reach a fjnal verdict”

· monitorable(Ak) iff ∀q ∈ QAk, ∃qf ∈ QAk, ∃ef ∈ paths(q, qf ), s.t.

• 1. Path can be taken: ef is satisfiable;
• 2. Path leads to a verdict: verk(qf ) ∈ {⊥, ⊤};
• 3. All its dependencies are monitorable:

∀mj ∈ dep(ef ): monitorable(Aj). paths expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!) If Aj never reaches a final verdict we will not be able to monitor Ak (?) Monitorability: “From any state in Ak, we can reach a fjnal verdict”

· monitorable(Ak) iff ∀q ∈ QAk, ∃qf ∈ QAk, ∃ef ∈ paths(q, qf ), s.t.

• 1. Path can be taken: ef is satisfiable;
• 2. Path leads to a verdict: verk(qf ) ∈ {⊥, ⊤};
• 3. All its dependencies are monitorable:

∀mj ∈ dep(ef ): monitorable(Aj). · Expressions that determine paths between states (n = path length) expr expr

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

decentralized specification ֒

→ Semantics & Monitorability

· For an automaton Ak, to evaluate a label mj at t with a trace tr · Run tr starting with t on Aj starting from qj0 · Consider the verdict of the run to be the observation mj at t

(!) If Aj never reaches a final verdict we will not be able to monitor Ak (?) Monitorability: “From any state in Ak, we can reach a fjnal verdict”

· monitorable(Ak) iff ∀q ∈ QAk, ∃qf ∈ QAk, ∃ef ∈ paths(q, qf ), s.t.

• 1. Path can be taken: ef is satisfiable;
• 2. Path leads to a verdict: verk(qf ) ∈ {⊥, ⊤};
• 3. All its dependencies are monitorable:

∀mj ∈ dep(ef ): monitorable(Aj). · Expressions that determine paths between states (n = path length) · paths(qs, qe) =

• expr
• ∃n ∈ N : In(n, qe) = expr

∧ In = mov([0 → qs → ⊤], 0, n)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

12

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

generalized monitoring algorithm ֒

→ Overview

• 1. Setup (Deploy)

1.1 Analyze and convert the specifjcation as necessary 1.2 Create monitors, and assign them a specification

(!) The monitor handles encoding of AP and Memory

1.3 Attach monitors to components 2. 2.1

• bservations

2.2 Receive 2.3 Process 2.4 Communicate

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

13

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

generalized monitoring algorithm ֒

→ Overview

• 1. Setup (Deploy)

1.1 Analyze and convert the specifjcation as necessary 1.2 Create monitors, and assign them a specification

(!) The monitor handles encoding of AP and Memory

1.3 Attach monitors to components

• 2. Monitoring

2.1 Wait to receive observations from attached component 2.2 Receive messages (EHE) from monitors 2.3 Process observations and messages (update the local EHE) 2.4 Communicate with other monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

13

The THEMIS Approach

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

themis ֒

→ Overview

Design Instru- ment Execute Analyze Design Design a monitoring algorithm Instru- ment Create or re-use metrics. Metrics are automatically instrumented using AspectJ Execute Use THEMIS tools to execute

• ne or more monitoring run(s)

Analyze Measures are stored in a database for postmortem analysis

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

14

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

Setup

1 Map<Integer, ? extends Monitor> setup() { ֒ → 2 config.getSpec().put(”root”, 3 Convert.makeAutomataSpec( 4 config.getSpec().get(”root”))); 5 Map<Integer, Monitor> mons = new HashMap<Integer, Monitor>(); ֒ → 6 Integer i = 0; 7 for(Component comp : config.getComponents()) { ֒ → 8 MonMigrate mon = new MonMigrate(i); ֒ → 9 attachMonitor(comp, mon); 10 mons.put(i, mon); 11 i++; 12 } 13 return mons; 14 }

Monitor

1 void monitor(int t, Memory<Atom> observations) 2 throws ReportVerdict, ExceptionStopMonitoring { 3 m.merge(observations); 4 if(receive()) isMonitoring = true; 5 if(isMonitoring) { 6 if(!observations.isEmpty()) 7 ehe.tick(); 8 boolean b = ehe.update(m, -1); 9 if(b) { 10 VerdictTimed v = ehe.scanVerdict(); 11 if(v.isFinal()) 12 throw new ReportVerdict(v.getVerdict(), t); ֒ → 13 ehe.dropResolved(); 14 } 15 int next = getNext(); 16 if(next != getID()) { 17 Representation toSend = ehe.sliceLive(); 18 send(next, new RepresentationPacket(toSend)); ֒ → 19 isMonitoring = false; 20 } 21 } 22 }

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

15

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

examples ֒

→ Metrics

1 void setupRun(MonitoringAlgorithm alg) { 2

addMeasure(new Measure(”msg_num”,”Msgs”,0L,Measures.addLong));

3 } 4 after(Integer to, Message m) : Commons.sendMessage(to, m) { 5

update(”msg_num” , 1L);

6 }

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

16

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

existing algorithms

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

17

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

studying existing algorithms ֒

→ Expected Behavior

m0 m1 m2 m3 m4 1 1 1 1

• bs

m0 m1 m2 m3 m4 1 2 3 4 5 EHE m0 m1 m2 m3 m4 2 1 1 1 Verdict(B2)

Orchestration · δ is constant linear components constant Migration · δ is linear in components constant EHE quadratic components Choreography · δ is linear in network depth (algorithm) linear edges constant

#Msgs and |Msg| are predicted on a per round basis

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

18

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

studying existing algorithms ֒

→ Expected Behavior

m0 m1 m2 m3 m4 1 1 1 1

• bs

m0 m1 m2 m3 m4 1 2 3 4 5 EHE m0 m1 m2 m3 m4 2 1 1 1 Verdict(B2)

Orchestration · δ is constant · #Msgs is linear in components constant Migration · δ is linear in components · #Msgs is constant EHE quadratic components Choreography · δ is linear in network depth (algorithm) · #Msgs is linear in network edges constant

#Msgs and |Msg| are predicted on a per round basis

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

18

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

studying existing algorithms ֒

→ Expected Behavior

m0 m1 m2 m3 m4 1 1 1 1

• bs

m0 m1 m2 m3 m4 1 2 3 4 5 EHE m0 m1 m2 m3 m4 2 1 1 1 Verdict(B2)

Orchestration · δ is constant · #Msgs is linear in components · |Msg| constant:

• bservations per

component Migration · δ is linear in components · #Msgs is constant · |Msg| is size of EHE: O(δ2), quadratic in components Choreography · δ is linear in network depth (algorithm) · #Msgs is linear in network edges · |Msg| is constant

#Msgs and |Msg| are predicted on a per round basis

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

18

Conclusions

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure

2. decentralized specifjcations

• 3. Methodology

4. existing algorithms ⋆ Future Work 1. equivalent

topology

2. THEMIS

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology

4. existing algorithms ⋆ Future Work 1. equivalent

topology

2. THEMIS

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms 4. existing algorithms ⋆ Future Work 1. equivalent

topology

2. THEMIS

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work 1. equivalent

topology

2. THEMIS

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work

• 1. Centralised specification → equivalent decentralized specifications

topology

2. THEMIS

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work

• 1. Centralised specification → equivalent decentralized specifications

· Optimize existing methods topology

2. THEMIS

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work

• 1. Centralised specification → equivalent decentralized specifications

· Optimize existing methods · Take into account topology of the monitored system

2. THEMIS

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work

• 1. Centralised specification → equivalent decentralized specifications

· Optimize existing methods · Take into account topology of the monitored system

• 2. Extend THEMIS
• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work

• 1. Centralised specification → equivalent decentralized specifications

· Optimize existing methods · Take into account topology of the monitored system

• 2. Extend THEMIS

· New metrics

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work

• 1. Centralised specification → equivalent decentralized specifications

· Optimize existing methods · Take into account topology of the monitored system

• 2. Extend THEMIS

· New metrics · Support a fully-asynchronous monitoring approach

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work

• 1. Centralised specification → equivalent decentralized specifications

· Optimize existing methods · Take into account topology of the monitored system

• 2. Extend THEMIS

· New metrics · Support a fully-asynchronous monitoring approach · Better visualization of (the behavior of) algorithms

• 3. Runtime enforcement
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

(Decent.) Monitoring EHE Decentralized Specifjcations THEMIS Conclusions

summary and future work

⋆ Decentralized Monitoring of (De)Centralized Specifications

• 1. Aim for predictable behavior → Automata + EHE data structure
• 2. Separate synthesis from monitoring: decentralized specifjcations
• 3. Methodology + tool support for designing, measuring, comparing and

extending decentralized RV algorithms

• 4. Adapted and compared existing algorithms

⋆ Future Work

• 1. Centralised specification → equivalent decentralized specifications

· Optimize existing methods · Take into account topology of the monitored system

• 2. Extend THEMIS

· New metrics · Support a fully-asynchronous monitoring approach · Better visualization of (the behavior of) algorithms

• 3. Runtime enforcement of centralized and decentralized specifications
• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

19

Related Work and Goals

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting set of components Rewriting

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components Rewriting

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C Rewriting

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring Rewriting

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state Rewriting

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) Rewriting

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors Rewriting

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques · (safety) LTL [Rosu et al 05], (full) LTL [BauerFalcone12,ColomboFalcone16]

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques · (safety) LTL [Rosu et al 05], (full) LTL [BauerFalcone12,ColomboFalcone16] · (safety) MTTL (real-time systems) [ThatiRosu05,Basin et al 15]

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques · (safety) LTL [Rosu et al 05], (full) LTL [BauerFalcone12,ColomboFalcone16] · (safety) MTTL (real-time systems) [ThatiRosu05,Basin et al 15] · Common assumptions

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques · (safety) LTL [Rosu et al 05], (full) LTL [BauerFalcone12,ColomboFalcone16] · (safety) MTTL (real-time systems) [ThatiRosu05,Basin et al 15] · Common assumptions

· Reliable network with fully-connected components

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques · (safety) LTL [Rosu et al 05], (full) LTL [BauerFalcone12,ColomboFalcone16] · (safety) MTTL (real-time systems) [ThatiRosu05,Basin et al 15] · Common assumptions

· Reliable network with fully-connected components · Global clock

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques · (safety) LTL [Rosu et al 05], (full) LTL [BauerFalcone12,ColomboFalcone16] · (safety) MTTL (real-time systems) [ThatiRosu05,Basin et al 15] · Common assumptions

· Reliable network with fully-connected components · Global clock · Oblivious to order of messages

(!)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques · (safety) LTL [Rosu et al 05], (full) LTL [BauerFalcone12,ColomboFalcone16] · (safety) MTTL (real-time systems) [ThatiRosu05,Basin et al 15] · Common assumptions

· Reliable network with fully-connected components · Global clock · Oblivious to order of messages

(!) Unpredictable runtime behavior of rewriting

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV

· General setting · C: a set of components · AP: a set of atomic propositions, partitioned by C · Issues in decentralized monitoring · partial views of AP – unknown global state · partial execution of the automaton (evaluation) · communication between monitors · Rewriting-based techniques · (safety) LTL [Rosu et al 05], (full) LTL [BauerFalcone12,ColomboFalcone16] · (safety) MTTL (real-time systems) [ThatiRosu05,Basin et al 15] · Common assumptions

· Reliable network with fully-connected components · Global clock · Oblivious to order of messages

(!) Unpredictable runtime behavior of rewriting → Hard to compare various strategies

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

20

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] expressive Predictable Tightly Consensus

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting expressive Predictable Tightly Consensus

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL

Predictable Tightly Consensus

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior

Tightly Consensus

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis)

Consensus

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

Consensus

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16]

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16] · monitors deciding the same verdict

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16] · monitors deciding the same verdict · Assumptions

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16] · monitors deciding the same verdict · Assumptions

· Fully-connected components

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16] · monitors deciding the same verdict · Assumptions

· Fully-connected components · Asynchronous Systems (Alternating Numbers)

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16] · monitors deciding the same verdict · Assumptions

· Fully-connected components · Asynchronous Systems (Alternating Numbers)

+ Unreliable links (Monitors + System)

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16] · monitors deciding the same verdict · Assumptions

· Fully-connected components · Asynchronous Systems (Alternating Numbers)

+ Unreliable links (Monitors + System) − 2k + 2 verdicts when resilience up to k failures

(!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16] · monitors deciding the same verdict · Assumptions

· Fully-connected components · Asynchronous Systems (Alternating Numbers)

+ Unreliable links (Monitors + System) − 2k + 2 verdicts when resilience up to k failures

→ Determine consensus on a verdict in case of failures (!)

same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

RW + Goals Experiments More Formal Details

related work ֒

→ Decentralized RV (Cont’d)

· Automata-based techniques for regular languages [Falcone et al 14] · Same assumptions as rewriting

+ More expressive than LTL + Predictable behavior − Tightly linked to specification (synthesis) − No monitor topology nor communication strategy

· Monitor Consensus [MostafaBonakdarpour16] · monitors deciding the same verdict · Assumptions

· Fully-connected components · Asynchronous Systems (Alternating Numbers)

+ Unreliable links (Monitors + System) − 2k + 2 verdicts when resilience up to k failures

→ Determine consensus on a verdict in case of failures (!) All monitors check the same specifjcation

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

21

Experiments

RW + Goals Experiments More Formal Details

studying existing algorithms ֒

→ Verifying Behavior

· Experiment Setup (5,868,800 runs) synthetic random random rounds

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

22

RW + Goals Experiments More Formal Details

studying existing algorithms ֒

→ Verifying Behavior

· Experiment Setup (5,868,800 runs) · 200 synthetic random traces of 100 events (2 observations/component) random rounds

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

22

RW + Goals Experiments More Formal Details

studying existing algorithms ֒

→ Verifying Behavior

· Experiment Setup (5,868,800 runs) · 200 synthetic random traces of 100 events (2 observations/component) · Vary |C| from 3 to 5 random rounds

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

22

RW + Goals Experiments More Formal Details

studying existing algorithms ֒

→ Verifying Behavior

· Experiment Setup (5,868,800 runs) · 200 synthetic random traces of 100 events (2 observations/component) · Vary |C| from 3 to 5 · At least 1,000 random specifications per scenario rounds

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

22

RW + Goals Experiments More Formal Details

studying existing algorithms ֒

→ Verifying Behavior

· Experiment Setup (5,868,800 runs) · 200 synthetic random traces of 100 events (2 observations/component) · Vary |C| from 3 to 5 · At least 1,000 random specifications per scenario · Monitoring is done by rounds

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

22

RW + Goals Experiments More Formal Details

results ֒

→ Delay

• 1.0

1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

# Components Average Maximum Delay Algorithm

• Choreography

Migration MigrationRR Orchestration

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

23

RW + Goals Experiments More Formal Details

results ֒

→ Number of Messages

• 1

2 3 3.0 3.5 4.0 4.5 5.0

# Components Average Number of Messages/Round Algorithm

• Choreography

Migration MigrationRR Orchestration

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

24

RW + Goals Experiments More Formal Details

results ֒

→ Data Transfered

• 100

200 300 400 500 3.0 3.5 4.0 4.5 5.0

# Components Average Data Transfered/Round Algorithm

• Choreography

Migration MigrationRR Orchestration

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

25

RW + Goals Experiments More Formal Details

results

Alg. |C| δ #Msgs Data #S #S/Mon Conv Chor 3 2.37 2.02 18.05 15.27 6.63 0.18 4 2.49 2.54 22.62 18.22 6.79 0.20 5 2.37 3.08 27.18 21.29 6.95 0.22 Migr 3 1.02 0.36 49.46 4.80 4.80 1.00 4 1.38 0.41 128.26 5.67 5.67 1.00 5 2.28 0.57 646.86 9.40 9.40 1.00 Migrr 3 1.09 0.86 58.02 5.00 5.00 1.00 4 1.49 0.85 144.62 5.91 5.91 1.00 5 2.32 0.83 684.81 9.60 9.60 1.00 Orch 3 0.63 1.68 21.01 4.13 4.13 1.00 4 0.65 2.43 30.42 4.11 4.11 1.00 5 0.81 3.04 38.51 5.55 5.55 1.00

Lower conv = more evenly distributed computation across monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

26

RW + Goals Experiments More Formal Details

results

Alg. |C| δ #Msgs Data #S #S/Mon Conv Chor 3 2.37 2.02 18.05 15.27 6.63 0.18 4 2.49 2.54 22.62 18.22 6.79 0.20 5 2.37 3.08 27.18 21.29 6.95 0.22 Migr 3 1.02 0.36 49.46 4.80 4.80 1.00 4 1.38 0.41 128.26 5.67 5.67 1.00 5 2.28 0.57 646.86 9.40 9.40 1.00 Migrr 3 1.09 0.86 58.02 5.00 5.00 1.00 4 1.49 0.85 144.62 5.91 5.91 1.00 5 2.32 0.83 684.81 9.60 9.60 1.00 Orch 3 0.63 1.68 21.01 4.13 4.13 1.00 4 0.65 2.43 30.42 4.11 4.11 1.00 5 0.81 3.04 38.51 5.55 5.55 1.00

Lower conv = more evenly distributed computation across monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

26

RW + Goals Experiments More Formal Details

results

Alg. |C| δ #Msgs Data #S #S/Mon Conv Chor 3 2.37 2.02 18.05 15.27 6.63 0.18 4 2.49 2.54 22.62 18.22 6.79 0.20 5 2.37 3.08 27.18 21.29 6.95 0.22 Migr 3 1.02 0.36 49.46 4.80 4.80 1.00 4 1.38 0.41 128.26 5.67 5.67 1.00 5 2.28 0.57 646.86 9.40 9.40 1.00 Migrr 3 1.09 0.86 58.02 5.00 5.00 1.00 4 1.49 0.85 144.62 5.91 5.91 1.00 5 2.32 0.83 684.81 9.60 9.60 1.00 Orch 3 0.63 1.68 21.01 4.13 4.13 1.00 4 0.65 2.43 30.42 4.11 4.11 1.00 5 0.81 3.04 38.51 5.55 5.55 1.00

Lower conv = more evenly distributed computation across monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

26

RW + Goals Experiments More Formal Details

results

Alg. |C| δ #Msgs Data #S #S/Mon Conv Chor 3 2.37 2.02 18.05 15.27 6.63 0.18 4 2.49 2.54 22.62 18.22 6.79 0.20 5 2.37 3.08 27.18 21.29 6.95 0.22 Migr 3 1.02 0.36 49.46 4.80 4.80 1.00 4 1.38 0.41 128.26 5.67 5.67 1.00 5 2.28 0.57 646.86 9.40 9.40 1.00 Migrr 3 1.09 0.86 58.02 5.00 5.00 1.00 4 1.49 0.85 144.62 5.91 5.91 1.00 5 2.32 0.83 684.81 9.60 9.60 1.00 Orch 3 0.63 1.68 21.01 4.13 4.13 1.00 4 0.65 2.43 30.42 4.11 4.11 1.00 5 0.81 3.04 38.51 5.55 5.55 1.00

Lower conv = more evenly distributed computation across monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

26

RW + Goals Experiments More Formal Details

results

Alg. |C| δ #Msgs Data #S #S/Mon Conv Chor 3 2.37 2.02 18.05 15.27 6.63 0.18 4 2.49 2.54 22.62 18.22 6.79 0.20 5 2.37 3.08 27.18 21.29 6.95 0.22 Migr 3 1.02 0.36 49.46 4.80 4.80 1.00 4 1.38 0.41 128.26 5.67 5.67 1.00 5 2.28 0.57 646.86 9.40 9.40 1.00 Migrr 3 1.09 0.86 58.02 5.00 5.00 1.00 4 1.49 0.85 144.62 5.91 5.91 1.00 5 2.32 0.83 684.81 9.60 9.60 1.00 Orch 3 0.63 1.68 21.01 4.13 4.13 1.00 4 0.65 2.43 30.42 4.11 4.11 1.00 5 0.81 3.04 38.51 5.55 5.55 1.00

Lower conv = more evenly distributed computation across monitors

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

26

RW + Goals Experiments More Formal Details

Soundness

Given a decentralized trace tr of length n, we reconstruct the global trace e = ρ(tr) = e0 · . . . · en, we have: ∆∗(q0, e) = sel(In, Mn, n), with: In = mov([0 → q0 → ⊤], 0, n), and Mn = 2

t∈[1,n]{memc(et, tst)}.

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

26

RW + Goals Experiments More Formal Details

Convergence

convergence = 1 n

n

• t=1
• c∈C

st

c

st − 1 |C| 2 , with st =

• c∈C

st

c

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

26

RW + Goals Experiments More Formal Details

studying existing algorithms

· Example Algorithms Algorithm # Msg Orchestration Migration Choreography

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

27

RW + Goals Experiments More Formal Details

studying existing algorithms

· Example Algorithms · Orchestration: Central monitor + forwarding monitors Algorithm # Msg Orchestration Migration Choreography

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

27

RW + Goals Experiments More Formal Details

studying existing algorithms

· Example Algorithms · Orchestration: Central monitor + forwarding monitors · Migration: Specification hops from one component to another Algorithm # Msg Orchestration Migration Choreography

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

27

RW + Goals Experiments More Formal Details

studying existing algorithms

· Example Algorithms · Orchestration: Central monitor + forwarding monitors · Migration: Specification hops from one component to another · Choreography: Monitors are organized in a tree Algorithm # Msg Orchestration Migration Choreography

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

27

RW + Goals Experiments More Formal Details

studying existing algorithms

· Example Algorithms · Orchestration: Central monitor + forwarding monitors · Migration: Specification hops from one component to another · Choreography: Monitors are organized in a tree · Expected behavior of algorithms Algorithm δ # Msg |Msg| Orchestration Θ(1) Θ(|C|) O(|APc|) Migration O(|C|) O(m) O(m|C|2) Choreography O(depth(mroot)) Θ(|E|) Θ(1)

• A. El-Hokayem, Y. Falcone, Monitoring Decentralized Specifjcations

27