Verifying social expectations by model checking truncated paths - - PowerPoint PPT Presentation



SLIDE 1

Verifying social expectations by model checking truncated paths

Stephen Cranefield

Department of Information Science University of Otago, Dunedin, New Zealand

and Michael Winikoff

School of CS & IT, RMIT University, Melbourne, Australia

SLIDE 2

Relationship to other papers in the session

  • Spoletini and Verdicchio

– Monitoring commitments (vs. “social expectations”)
– Language is a propositional temporal logic
– Application of model checking (automata vs. labelling approaches)
– Different viewpoint when representing commitments
– Applicable to online monitoring only? (may not avoid premature fulfilment in offline mode)
– Basic architecture proposed (word composer and word analyser)
– Separation of past and present operators

SLIDE 3

  • Lacroix et al.

– Generating behaviour for simulations vs. analysing observed behaviour
– Spatial rather than temporal focus
– Parameter-based rather than logical model of institutions and norms

SLIDES 4-8

Motivation

  • ANIREM@AAMAS’05
  • Language for expressing conditional expectations with a rich temporal structure, e.g.:

“If you pay me the fee for this service, starting the week after payment is made, each week for a year I will send a current market analysis report to you, unless you cancel the subscription first.”

  • hyMITL±: combined Metric Interval Temporal Logic with first-order CTL± (with bounded quantification) and hybrid logic
  • Evolution of expectations using formula progression
  • Process defined algorithmically, not logically

SLIDE 9

Goals of this work

  • Provide a logical account of the fulfilment and violation of temporally rich social expectations over observed histories
  • Introduce expectations by rules. Informally: l → Exp r
  • Express expectations in terms of the current time point (i.e. use formula progression to carry them forward)
  • Show that the theory can be implemented in a model checker

– Currently need restriction to propositional temporal logic

[Figure: “Model checking a path”: a linear history of states labelled r, …, p, p, q; the formula φ is checked against each state in the model, giving a Yes/No answer for each state]

SLIDE 10

Points of difference

  • The concept of social expectations as a generalisation of learned regularities, promises, formal commitments, etc.

– Abstracts away from social context (e.g. debtor and creditor for a commitment) and the implications of violation and fulfilment
– Focuses on conditional activation (dependent on history and current state), and monitoring to determine fulfilment and violation

  • Online vs. offline monitoring

– Online: events arrive sequentially and the new last state in the history is checked for fulfilments and violations
– Offline: traces may be kept for later analysis. All states in the provided history need to be checked

SLIDE 11

Our logic

  • A hybrid propositional temporal logic, with past and future operators (an extension of the Hybrid Logics Model Checker’s language):
  • Plus derived temporal operators Exp, Fulf, Viol and Progress (more detail later)

SLIDES 12-13

Premature fulfilment in offline monitoring (informal notation)

[Figure: an example history in informal notation; the status of the expectation at s1 is first marked “?” and then “Unknown at s1”]

SLIDE 14

Semantics on complete paths

[Figure: a model ℳ drawn as a sequence of states, with V: Props → ℘(States) the valuation, g: StateVars → States the variable bindings, and i the point in the model]

ℳ, g, i ⊨ Op(φ1, …, φn) iff … (some constraint on the model structure)

SLIDES 15-16

Semantics on truncated paths

  • Based on work of Eisner et al. (2003).
  • Introduce TruncS operator (truncate and use “strong” semantics)

[Figure: two models drawn as sequences of states, each annotated with V: Props → ℘(States), g: StateVars → States, the model ℳ, the point in the model and the variable bindings; the second is the truncated model]

ℳ, g, i ⊨ TruncS φ iff … ⊨+ φ (informally: the path is truncated after the current point and φ is evaluated there under the strong semantics)

SLIDE 17

Strong (⊨+) vs. weak (⊨-) semantics

ℳ, g, i ⊨+ φ: φ strongly holds at index i of model ℳ. ℳ “supplies all the evidence needed” to conclude that φ holds

ℳ, g, i ⊨- φ: φ weakly holds at index i of model ℳ. ℳ “carries no evidence” against φ

SLIDE 18

Strong semantics

If i > |ℳ|: ℳ, g, i ⊭+ φ (Skeptical)
else:
  ℳ, g, i ⊨+ p (for proposition p) iff s_i ∈ V(p)
  ℳ, g, i ⊨+ ¬φ iff ℳ, g, i ⊭- φ
  ℳ, g, i ⊨+ φ ∧ ϕ iff ℳ, g, i ⊨+ φ and ℳ, g, i ⊨+ ϕ
  ℳ, g, i ⊨+ 〇φ iff ℳ, g, i+1 ⊨+ φ
  ℳ, g, i ⊨+ φ U ϕ iff ∃k ≥ i: ℳ, g, k ⊨+ ϕ and ∀j s.t. i ≤ j < k, ℳ, g, j ⊨+ φ
  …

SLIDE 19

Weak semantics

If i > |ℳ|: ℳ, g, i ⊨- φ (Generous)
else:
  ℳ, g, i ⊨- p (for proposition p) iff s_i ∈ V(p)
  ℳ, g, i ⊨- ¬φ iff ℳ, g, i ⊭+ φ
  ℳ, g, i ⊨- φ ∧ ϕ iff ℳ, g, i ⊨- φ and ℳ, g, i ⊨- ϕ
  ℳ, g, i ⊨- 〇φ iff ℳ, g, i+1 ⊨- φ
  ℳ, g, i ⊨- φ U ϕ iff ∃k ≥ i: ℳ, g, k ⊨- ϕ and ∀j s.t. i ≤ j < k, ℳ, g, j ⊨- φ
  …

SLIDE 20

Defining Fulf and Viol

  • Fulf φ ≡ Exp φ ∧ TruncS φ
  • Viol φ ≡ Exp φ ∧ TruncS ¬φ
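The strong and weak semantics of slides 18-19, the TruncS operator of slides 15-16 and the Fulf/Viol definitions above, as an added Python example written from the slides; it is not part of the talk and not HLMC's code. Formulas are nested tuples, a history is a list of sets of atomic propositions, and the sample histories are constructed for the example. One simplification is assumed: the expectation is evaluated from the state at which it was activated (`start`) over the prefix observed so far, rather than being progressed to the current state as the talk does; "Exp" is therefore implicit in the caller supplying an active expectation.

```python
# Added example: strong/weak semantics on a truncated path (after Eisner et al. 2003)
# and the talk's TruncS / Fulf / Viol, written here from the slides; not HLMC or the
# authors' code.
#
# Formula encoding (nested tuples; constructed for this example):
#   'p'                   atomic proposition
#   ('not', f)            ¬f
#   ('and', f, g)         f ∧ g
#   ('next', f)           〇f
#   ('until', f, g)       f U g
#   True / False          constants
# A history is a list of sets; history[i] is the set of propositions true in s_i
# (0-indexed, so "i > |ℳ|" on the slides becomes i >= len(history) here).


def holds(history, i, f, strong):
    """ℳ, g, i ⊨+ f when strong is True, ℳ, g, i ⊨- f when strong is False."""
    if i >= len(history):
        # Beyond the end of the (truncated) path: strong is sceptical, weak is generous.
        return not strong
    if f is True or f is False:
        return f
    if isinstance(f, str):
        return f in history[i]
    op = f[0]
    if op == 'not':
        # Strong ¬f iff f does not weakly hold; weak ¬f iff f does not strongly hold.
        return not holds(history, i, f[1], not strong)
    if op == 'and':
        return holds(history, i, f[1], strong) and holds(history, i, f[2], strong)
    if op == 'next':
        return holds(history, i + 1, f[1], strong)
    if op == 'until':
        left, right = f[1], f[2]
        for k in range(i, len(history)):
            if holds(history, k, right, strong):
                return True
            if not holds(history, k, left, strong):
                return False
        # Ran off the end with the until still open: under the weak semantics the
        # witness may lie beyond the truncation point, under the strong one it may not.
        return not strong
    raise ValueError(f"unknown operator {op!r}")


def trunc_s(history, i, f, start=0):
    """TruncS f: cut the history after s_i and evaluate f strongly at s_start."""
    return holds(history[:i + 1], start, f, strong=True)


def fulf(history, i, f, start=0):
    """Fulf f ≡ Exp f ∧ TruncS f, for an expectation f known to be active from s_start."""
    return trunc_s(history, i, f, start)


def viol(history, i, f, start=0):
    """Viol f ≡ Exp f ∧ TruncS ¬f, for an expectation f known to be active from s_start."""
    return trunc_s(history, i, ('not', f), start)


def monitor_expectation(history, start, f):
    """Offline monitoring: classify the expectation f (activated at s_start) at every
    later state using only the prefix observed up to that state, stopping at the
    first state where it is resolved."""
    verdicts = []
    for i in range(start, len(history)):
        if fulf(history, i, f, start):
            verdicts.append((i, 'fulfilled'))
            break
        if viol(history, i, f, start):
            verdicts.append((i, 'violated'))
            break
        verdicts.append((i, 'pending'))
    return verdicts


# Constructed sample histories and expectations.
EVENTUALLY_PAY = ('until', True, 'pay')                    # F pay
NO_REORDER = ('until', ('not', 'order'), 'pay')            # ¬order U pay
PAID_LATER = [{'order'}, set(), {'pay'}]
REORDERED = [{'order'}, set(), {'order'}, {'pay'}]

if __name__ == '__main__':
    # Checking F pay at s_0 over the complete trace says "yes" already at s_0, although
    # the evidence only arrives at s_2: premature fulfilment in offline monitoring.
    print(holds(PAID_LATER, 0, EVENTUALLY_PAY, strong=True))
    # Truncating after each state instead defers the verdict until the evidence exists.
    print(monitor_expectation(PAID_LATER, 0, EVENTUALLY_PAY))
    print(monitor_expectation(REORDERED, 1, NO_REORDER))
```

The asymmetry between the two semantics is what keeps the monitor honest at the end of a prefix: on a one-state history neither 〇p nor ¬〇p strongly holds, so an expectation that depends on the next state is reported as pending rather than fulfilled or violated.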
SLIDE 21

Carrying forward unresolved expectations

  • Expectations should always be expressed in terms of the current state:

– Exp 〇φ in one state becomes Exp φ in the next

  • Expectations should be simplified if partially satisfied in the previous state:

– Exp (p ∧ 〇φ) becomes Exp φ in the next state, if p held in the earlier state

  • This is the notion of formula progression (Bacchus and Kabanza, 2000), so we have (informally, again):

– Exp φ ∧ ¬Fulf φ ∧ ¬Viol φ ∧ Progress(φ, ϕ) → 〇 Exp ϕ

SLIDE 22

Comparison with the Verdicchio and Colombetti semantics

[Figure: two timelines over the same states. V&C: Done(e, mc(a, b, 〇〇p)) in the first state; Comm(e, a, b, 〇〇p) carried unchanged through the following states; p; Fulf(e, a, b, 〇〇p). Our approach: Exp(l, r, n, 〇〇p); Exp(l, r, n, 〇p); Exp(l, r, n, p); p; Fulf p, with Progress(〇〇p, 〇p) and Progress(〇p, p) linking consecutive states]

SLIDE 23

Formula progression

SLIDE 24

Semantics of progression

SLIDE 25

Monitoring expectations using HLMC

  • The Hybrid Logics Model Checker (HLMC) [Dragone, 2005]

– Inputs: an XML representation of a model and a textual encoding of the formula to be checked. The model can have multiple modalities with no restrictions on their structure.
– Output: list of states in which the formula is true
– Two algorithms: MCLITE (binders excluded from the language; runs in polynomial time) and MCFULL (runs in polynomial space and time exponential in the nesting degree of binders in the formula) [Franceschet and de Rijke, 2006]
– MCFULL: a recursive algorithm that labels each subformula with true or false, for each state, then uses those labels to label the formula itself
– “MCFULL can be viewed as a general model checker for the hybridization of any temporal logic” (by adding appropriate labelling subprocedures for each modal operator)

  • Extensions made:

– Based on a restriction to a single “next state” modality
– Generalised notion of a label: for each subformula and each state index i, store values under the weak and strong semantics for each possible future truncation point
– Implement ExistsExp, ExistsFulf, ExistsViol and Progress modalities

SLIDE 26

The need for generalised labels

SLIDE 27

The MCFULL labelling procedure

[Figure: labelling tables for the subformulas of ¬p U 〇q over the states of the path, combined bottom-up]

L_i(¬p U 〇q) = ⋁_{i ≤ k ≤ n} ( L_k(〇q) ∧ ⋀_{i ≤ j < k} L_j(¬p) )

  • Labelling ↓xφ(x) is a little more complicated (not discussed today)
SLIDE 28

HLMC extensions

[Figure: a generalised label for one state, laid out as “if truncated after state …” against the labels under the weak and strong semantics]

  • Swap and negate copy (negation on a generalised label)
  • The formula for U is modified to act on generalised labels. Also, weak semantics allows U to act like W (weak until) up to the truncation point
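The labelling procedure of slides 25-28 with the generalised label, as an added Python sketch written from the slides; it is not HLMC's code and does not reproduce its XML model format or binder handling. Instead of evaluating a formula at one point, every subformula is labelled bottom-up at every state, and each label holds, for every possible truncation point t, the pair (value under the strong semantics, value under the weak semantics). Negation is the "swap and negate copy" of slide 28, and U is computed so that under the weak semantics it behaves like W up to the cut. The formula encoding and sample history are constructed for the example.

```python
# Added example: MCFULL-style bottom-up labelling with the talk's generalised labels,
# written from slides 25-28; a plain-Python sketch, not HLMC's code.
#
# Formula encoding (nested tuples; constructed for this example):
#   'p' atomic, ('not', f), ('and', f, g), ('next', f), ('until', f, g), True/False.
# A history is a list of sets of propositions; history[i] is state s_i.
#
# A generalised label for subformula g at state i is a row indexed by the possible
# truncation point t (the last state kept, t >= i); each entry holds the pair
# (value under the strong semantics, value under the weak semantics).


def subformulas(f):
    """Subformulas in post-order (children before parents), each listed once."""
    out, seen = [], set()

    def walk(g):
        if g in seen:
            return
        if isinstance(g, tuple):
            for child in g[1:]:
                walk(child)
        seen.add(g)
        out.append(g)

    walk(f)
    return out


def label(history, f):
    """Return lab[g][(i, t)] == (strong, weak) for every subformula g of f, every state
    index i and every truncation point t with i <= t < len(history)."""
    n = len(history)
    lab = {}

    def at(g, i, t):
        # Reading a label beyond the truncation point: strong is sceptical, weak generous.
        if i > t:
            return (False, True)
        return lab[g][(i, t)]

    for g in subformulas(f):
        table = {}
        for t in range(n):
            for i in range(t + 1):
                if g is True or g is False:
                    table[(i, t)] = (g, g)
                elif isinstance(g, str):
                    v = g in history[i]
                    table[(i, t)] = (v, v)
                elif g[0] == 'not':
                    s, w = at(g[1], i, t)
                    table[(i, t)] = (not w, not s)      # swap the two copies and negate
                elif g[0] == 'and':
                    s1, w1 = at(g[1], i, t)
                    s2, w2 = at(g[2], i, t)
                    table[(i, t)] = (s1 and s2, w1 and w2)
                elif g[0] == 'next':
                    table[(i, t)] = at(g[1], i + 1, t)
                elif g[0] == 'until':
                    left, right = g[1], g[2]

                    def until(which):
                        # L_i(l U r) = OR over k >= i of (L_k(r) AND L_j(l) for i <= j < k);
                        # k == t+1 lies past the cut, so under the weak semantics (which == 1)
                        # the until is satisfied there, i.e. U behaves like W.
                        for k in range(i, t + 2):
                            if at(right, k, t)[which]:
                                return True
                            if not at(left, k, t)[which]:
                                return False
                        return False

                    table[(i, t)] = (until(0), until(1))
                else:
                    raise ValueError(f"unknown operator {g[0]!r}")
        lab[g] = table
    return lab


def generalised_label(history, f, i):
    """The generalised label of f at state i: {t: (strong, weak)} for each cut t >= i."""
    lab = label(history, f)
    return {t: lab[f][(i, t)] for t in range(i, len(history))}


def trunc_s_all(history, f):
    """TruncS f at every state i, read straight off the diagonal (t == i) of the label."""
    lab = label(history, f)
    return [lab[f][(i, i)][0] for i in range(len(history))]


# Constructed sample: the slide-27 formula ¬p U 〇q over a three-state history.
NOT_P_UNTIL_NEXT_Q = ('until', ('not', 'p'), ('next', 'q'))
HISTORY = [set(), set(), {'q'}]

if __name__ == '__main__':
    print(generalised_label(HISTORY, NOT_P_UNTIL_NEXT_Q, 0))
    print(trunc_s_all(HISTORY, NOT_P_UNTIL_NEXT_Q))
```

One labelling pass answers every truncation point at once: at s_0 the formula is (False, True) when the history is cut after s_0 or s_1 (〇q's fate is still unknown, so only the weak semantics accepts it) and (True, True) once s_2 is kept. That is exactly the information an offline monitor needs to check all states of a stored trace without re-running the checker per prefix.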

SLIDE 29

Hypothetical Exp, Fulf and Viol modalities

  • We use these versions of Exp, Fulf and Viol:

– Exp(λ, ρ, n, φ), Fulf(λ, ρ, n, φ), Viol(λ, ρ, n, φ): if we had a rule with condition λ and expectation ρ, the rule would have fired at the state named by nominal n, giving rise to the [fulfilled or violated] expectation φ in the current state (note: ρ may have become φ by multiple progression steps)

  • We actually implement ExistsExp(λ, ρ), etc.

– “There exists some pair (n, φ) making Exp(λ, ρ, n, φ) true”

  • For each state, the extended model checker reports all such pairs making the input formula Exists…(λ, ρ) true
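Formula progression as used on slides 21 and 22, together with the rule-based activation λ → Exp ρ and the (n, φ) witnesses that ExistsExp/ExistsFulf/ExistsViol report on this slide, as an added Python example written from the slides; it is not HLMC or the authors' implementation. The rule condition λ is simplified to a single atomic proposition tested in the current state, the rule name is dropped, and a state index stands in for the nominal n. Progression to True plays the role of Fulf (the formula holds strongly on the history truncated after the current state) and progression to False the role of Viol; with the purely syntactic simplifier used here a formula that is logically resolved but not syntactically reducible (e.g. a tautology built from two U subformulas) stays pending. The formula encoding and histories are constructed for the example.

```python
# Added example: formula progression (Bacchus and Kabanza, 2000) used to carry an
# expectation forward, with expectations introduced by rules λ → Exp ρ and the (n, φ)
# witnesses that ExistsExp / ExistsFulf / ExistsViol report.  Written from slides
# 21, 22 and 29; not HLMC or the authors' code.
#
# Formula encoding (nested tuples; constructed for this example):
#   'p' atomic, ('not', f), ('and', f, g), ('or', f, g), ('next', f), ('until', f, g),
#   True / False constants.  A history is a list of sets of propositions.


def simplify(f):
    """Propositional simplification so that a resolved formula collapses to True/False."""
    if not isinstance(f, tuple):
        return f
    op = f[0]
    if op == 'not':
        a = simplify(f[1])
        if a is True:
            return False
        if a is False:
            return True
        if isinstance(a, tuple) and a[0] == 'not':
            return a[1]
        return ('not', a)
    if op in ('and', 'or'):
        a, b = simplify(f[1]), simplify(f[2])
        absorb, neutral = (False, True) if op == 'and' else (True, False)
        if a is absorb or b is absorb:
            return absorb
        if a is neutral:
            return b
        if b is neutral:
            return a
        return (op, a, b)
    return f   # 〇 and U are left as they are


def progress(f, state):
    """Progress f through one observed state.  The result is what the rest of the
    history must satisfy from the next state on: True means f has just been
    fulfilled, False that it has just been violated, anything else is still pending."""
    if f is True or f is False:
        return f
    if isinstance(f, str):
        return f in state
    op = f[0]
    if op == 'not':
        return simplify(('not', progress(f[1], state)))
    if op in ('and', 'or'):
        return simplify((op, progress(f[1], state), progress(f[2], state)))
    if op == 'next':
        return f[1]                    # Exp 〇φ in this state becomes Exp φ in the next
    if op == 'until':                  # l U r  ≡  r ∨ (l ∧ 〇(l U r))
        left, right = f[1], f[2]
        return simplify(('or', progress(right, state),
                         ('and', progress(left, state), f)))
    raise ValueError(f"unknown operator {op!r}")


def monitor_rules(history, rules):
    """Offline monitoring of rules (λ, ρ): λ is an atomic condition tested in the
    current state, and when it holds at s_n the expectation ρ is activated there.
    For each state i the report lists the (n, φ) witnesses of ExistsExp (every rule
    firing n whose expectation, progressed to s_i, is φ) and the (n, ρ) pairs that
    are fulfilled or violated at s_i."""
    active = []      # (n, ρ, φ): fired at s_n, original expectation ρ, current form φ
    report = []
    for i, state in enumerate(history):
        for lam, rho in rules:
            if lam in state:
                active.append((i, rho, rho))
        exp = [(n, phi) for n, _, phi in active]
        fulf, viol, pending = [], [], []
        for n, rho, phi in active:
            nxt = progress(phi, state)
            if nxt is True:
                fulf.append((n, rho))
            elif nxt is False:
                viol.append((n, rho))
            else:
                pending.append((n, rho, nxt))
        active = pending
        report.append({'state': i, 'exp': exp, 'fulf': fulf, 'viol': viol})
    return report


# Constructed sample: "after ordering an item, you can't order again until you've paid",
# as the rule  order → Exp 〇(¬order U pay).
NO_REORDER_EXP = ('next', ('until', ('not', 'order'), 'pay'))
RULES = [('order', NO_REORDER_EXP)]
PAID_FIRST = [{'order'}, set(), {'pay'}]
ORDERED_TWICE = [{'order'}, {'order'}, {'pay'}]

if __name__ == '__main__':
    for row in monitor_rules(PAID_FIRST, RULES):
        print(row)
    for row in monitor_rules(ORDERED_TWICE, RULES):
        print(row)
```

On ORDERED_TWICE the first firing is violated at s_1 (the second order arrives before payment) and, in the same state, the rule fires again, so a fresh expectation is active and is fulfilled at s_2. The witness pairs carry the progressed form φ, which is what makes the V&C comparison on slide 22 visible: a rule with expectation 〇〇p reports (n, 〇〇p), then (n, 〇p), then (n, p).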

SLIDE 30

Semantics of Exp(λ, ρ, n, φ), Fulf(λ, ρ, n, φ) and Viol(λ, ρ, n, φ)

SLIDE 31

Semantics of ExistsExp(λ, ρ, n, φ) Computing witnesses

SLIDE 32

Example

  • Rule: “After ordering an item, you can’t order again until you’ve paid”
  • Scenario 1:
  • Scenario 2:
SLIDE 33
SLIDE 34

Conclusions

  • Logical account given of expectations and their fulfilment and violation
  • Semantics applicable to both offline and online monitoring (but implementation is only for the offline mode so far)
  • Implemented by extending the HLMC model checker
  • Further work:

– Extend to real-time temporal logic, and allow predicates and restricted quantification
– Adapt implementation for online monitoring
– Real-world applications