Statistical Probabilistic Model Checking Håkan L. S. Younes Carnegie Mellon University
2 Introduction Model checking for stochastic processes Stochastic discrete event systems Probabilistic time-bounded properties Model independent approach Discrete event simulation Statistical hypothesis testing
3 Example: Tandem Queuing Network q1q1 q2q2 arriveroutedepart q 1 = 0 q 2 = 0 q 1 = 1 q 2 = 0 q 1 = 1 q 2 = 1 q 1 = 2 q 2 = 0 q 1 = 1 q 2 = 0 t = 0t = 1.2t = 3.7t = 3.9t = 5.5 With both queues empty, is the probability less than 0.5 that both queues become full within 5 seconds? q 1 = 1 q 2 = 0 q 1 = 2 q 2 = 0 q 1 = 1 q 2 = 1 q 1 = 1 q 2 = 0
4 Probabilistic Model Checking Given a model M, a state s, and a property , does hold in s for M ? Model: stochastic discrete event system Property: probabilistic temporal logic formula
5 Continuous Stochastic Logic (CSL) State formulas Truth value is determined in a single state Path formulas Truth value is determined over a path Discrete-time analogue: PCTL
6 State Formulas Standard logic operators: , 1 2, … Probabilistic operator: P ≥ ( ) Holds in state s iff probability is at least that holds over paths starting in s P < ( ) P ≥1– ( )
7 Path Formulas Until: 1 U ≤T 2 Holds over path iff 2 becomes true in some state along before time T, and 1 is true in all prior states
8 CSL Example With both queues empty, is the probability less than 0.5 that both queues become full within 5 seconds? State: q 1 = 0 q 2 = 0 Property: P <0.5 (true U ≤5 q 1 = 2 q 2 = 2)
9 Model Checking Probabilistic Time-Bounded Properties Numerical Methods Provide highly accurate results Expensive for systems with many states Statistical Methods Low memory requirements Adapt to difficulty of problem (sequential) Expensive if high accuracy is required
10 Statistical Solution Method [Younes & Simmons 2002] Use discrete event simulation to generate sample paths Use acceptance sampling to verify probabilistic properties Hypothesis: P ≥ ( ) Observation: verify over a sample path Not estimation!
11 Error Bounds Probability of false negative: ≤ We say that is false when it is true Probability of false positive: ≤ We say that is true when it is false
12 Performance of Test Actual probability of holding Probability of accepting P ≥ ( ) as true 1 –
13 Ideal Performance of Test Actual probability of holding Probability of accepting P ≥ ( ) as true 1 – False negatives False positives Unrealistic!
14 Realistic Performance of Test Actual probability of holding Probability of accepting P ≥ ( ) as true 1 – p1p1 p0p0 Indifference region False negatives False positives 22
15 Sequential Acceptance Sampling [Wald 1945] True, false, or another observation?
16 Graphical Representation of Sequential Test Number of observations Number of positive observations
17 Graphical Representation of Sequential Test We can find an acceptance line and a rejection line given , , , and acceptance line rejection line reject accept continue Number of observations Number of positive observations Start here Verify over sample paths Continue until line is crossed
18 Special Case p 0 = 1 and p 1 = 1 – 2 Reject at first negative observation Accept at stage m if p 1 m ≤ Sample size at most d log / log p 1 e “Five nines”: p 1 = 1 – 10 –5 Maximum sample size 10 –2 460, –4 921, –8 1,842,059
19 Case Study: Tandem Queuing Network M/Cox 2 /1 queue sequentially composed with M/M/1 queue Each queue has capacity n State space of size O(n 2 ) 11 22 a …… 1 − a
20 Tandem Queuing Network (results) [Younes et al. 2004] Verification time (seconds) Size of state space −2 10 − P ≥0.5 (true U ≤T full) = 10 −6 = = 10 −2 = 0.5·10 −2
21 Tandem Queuing Network (results) [Younes et al. 2004] Verification time (seconds) T 10 −2 10 − = 10 −6 = = 10 −2 = 0.5·10 −2 P ≥0.5 (true U ≤T full)
22 Case Study: Symmetric Polling System Single server, n polling stations Stations are attended in cyclic order Each station can hold one message State space of size O(n·2 n ) Server … Polling stations
23 Symmetric Polling System (results) [Younes et al. 2004] Verification time (seconds) Size of state space 10 −2 10 − serv1 P ≥0.5 (true U ≤T poll1) = 10 −6 = = 10 −2 = 0.5·10 −2
24 Symmetric Polling System (results) [Younes et al. 2004] Verification time (seconds) T 10 −2 10 − = 10 −6 = = 10 −2 = 0.5·10 −2 serv1 P ≥0.5 (true U ≤T poll1)
25 Symmetric Polling System (results) [Younes et al. 2004] ( =10 −6 ) = =10 −2 = =10 −4 = =10 −6 = =10 −8 = =10 −10 Verification time (seconds) 10 − −4 10 −2 10 −3 n = 10 T = 40 serv1 P ≥0.5 (true U ≤T poll1)
26 Tandem Queuing Network: Distributed Sampling Use multiple machines to generate samples m 1 : Pentium IV 3GHz m 2 : Pentium III 733MHz m 3 : Pentium III 500MHz % samples m 1 only n m1m1 m2m2 m3m3 timem1m1 m2m
27 Summary Acceptance sampling can be used to verify probabilistic properties of systems Sequential acceptance sampling adapts to the difficulty of the problem Statistical methods are easy to parallelize
28 Other Research Failure trace analysis “failure scenario” [Younes & Simmons 2004a] Planning/Controller synthesis CSL goals [Younes & Simmons 2004a] Rewards (GSMDPs) [Younes & Simmons 2004b]
29 Tools Ymer Statistical probabilistic model checking Tempastic-DTP Decision theoretic planning with asynchronous events
30 References Wald, A Sequential tests of statistical hypotheses. Ann. Math. Statist. 16: Younes, H. L. S., M. Kwiatkowska, G. Norman, and D. Parker Numerical vs. statistical probabilistic model checking: An empirical study. In Proc. TACAS Younes, H. L. S., R. G. Simmons Probabilistic verification of discrete event systems using acceptance sampling. In Proc. CAV Younes, H. L. S., R. G. Simmons. 2004a. Policy generation for continuous-time stochastic domains with concurrency. In Proc. ICAPS Younes, H. L. S., R. G. Simmons. 2004b. Solving generalized semi- Markov decision processes using continuous phase-type distributions. In Proc. AAAI-2004.