1 / 29

Statistical probabilistic model checking

Statistical probabilistic model checking. H åkan L. S. Younes Carnegie Mellon University (now at Google Inc.). Introduction. Model-independent approach to probabilistic model checking Relies on simulation and statistical sampling

chaeli
Download Presentation

Statistical probabilistic model checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Statistical probabilistic model checking Håkan L. S. Younes Carnegie Mellon University (now at Google Inc.)

  2. Introduction • Model-independent approach to probabilistic model checking • Relies on simulation and statistical sampling • Wrong answer possible, but can be bounded (probabilistically) • Low memory requirements (can handle large/infinite models) • Trivially parallelizable (distributed sampling gives linear speedup) • Topics covered in this talk: • Error control • Hypothesis testing vs. estimation • Dealing with unbounded properties/infinite trajectories Statistical probabilistic model checking

  3. Probabilistic model checking • Given a model M, a state s, and a property , does  hold in s for M? • Model: stochastic discrete-event system • Property: probabilistic temporal logic formula • Example: tandem queuing network arrive route depart q1 q2 “The probability is at least 0.1 that both queuesbecome full within 5 minutes” Statistical probabilistic model checking

  4. Probabilistic temporal logic (PCTL, CSL) • Standard logic operators: ,  , … • Probabilistic operator: ≥ [] • Holds in state s iff probability is at least  for paths satisfying  and starting in s • Bounded until: ≤T  • Holds over path iff  becomes true along  within time T, and  is true until then • Unbounded until:   • Holds over path iff  becomes true eventually along , and  is true until then Statistical probabilistic model checking

  5. Property examples • “The probability is at least 0.1 that both queues become full within 5 minutes” • ≥0.1[≤5full1 full2] • “The probability is at most 0.05 that the second queue becomes full before the first queue” • ≤0.05[ full1full2] Statistical probabilistic model checking

  6. The problem (in detail) • Before we propose a solution, we need to fully define the problem • Possible outcomes of model-checking algorithm • Ideal vs. realistic error control Statistical probabilistic model checking

  7. Possible outcomes of model-checking algorithm • Given a state s and a formula , a model-checking algorithm A can: • Accept as true in s (s) • Reject as false in s (s) • Return an undecided result (sI) • An error occurs if: • A rejects  when  is true (false negative) • A accepts  when  is false (false positive) • Note: an undecided result is not an error, but still not desirable Statistical probabilistic model checking

  8. Ideal error control • Bound the probability of false negatives/positives and undecided results under all circumstances • Bound on false negatives:  Pr[s|s ]   • Bound on false positives:  Pr[s|s ]   • Bound on undecided results:  Pr[sI]   • If , , and  are all low, then model-checking algorithm A produces a correct result with high probability Statistical probabilistic model checking

  9. Unrealistic expectations • Ideal error control for verifying probabilistic formula ≥ [] in state s False negatives 1 1 –  1 –  –  s≥ [] s≥ [] Probability of acceptingP≥[] as true in s Undecided  +   p  False positives Actual probability of  holding Statistical probabilistic model checking

  10. Relaxing the problem • Indifference region of width 2 centered around probability thresholds • Probabilistic operator: ≥ [] • Holds in state s if probability is at least + for paths satisfying  and starting in s • Does not hold if probability is at most − for paths satisfying  and starting in s • “Too close to call” if probability is within distance of  (indifference) • Essentially three-valued logic, but we care only about true and false Statistical probabilistic model checking

  11. Error control for relaxed problem • Option 1: bound the probability of false positives/negatives outside of the indifference region; no undecided results • Bound on false negatives:  Pr[s|s]   • Bound on false positives:  Pr[s|s]   • No undecided results: = 0Pr[sI] = 0 • Option 2: bound the probability of undecided results outside of the indifference region; low error probability under all circumstances • Bound on false negatives:  Pr[s|s ]   • Bound on false positives:  Pr[s|s ]   • Bound on undecided results:  Pr[sI|(s)  (s)]       Statistical probabilistic model checking

  12. Realistic error control—no undecided results • Error control for verifying probabilistic formula ≥ [] in state s False negatives 1 1 –  s≥ [] s≥ []   Probability of acceptingP≥[] as true in s High error probabilityin indifference region  p  −   +  False positives Actual probability of  holding Statistical probabilistic model checking

  13. Realistic error control—with undecided results • Error control for verifying probabilistic formula ≥ [] in state s Rejection probability Acceptance probability 1 1 –  s≥ [] s≥ []   Probability of acceptingP≥[] as true in s High undecided probability in indifference region   p  −   +  Actual probability of  holding  − Statistical probabilistic model checking

  14. The solution • Statistical sampling (hypothesis testing vs. estimation) • Undecided results • Avoiding infinite sample trajectories in simulation for unbounded until Statistical probabilistic model checking

  15. Verifying probabilistic properties—no undecided resultsYounes & Simmons (CAV’02, Information and Computation’06) • Use acceptance sampling to verify ≥ [] in state s • Test hypothesis H0: p +  against hypothesis H1: p –  • Observation: verify  over sample trajectories generated using simulation Statistical probabilistic model checking

  16. Acceptance sampling with fixed sample size • Single sampling plan: n, c • Generate n sample trajectories • Accept H0: p +  iff more than c paths satisfy  • Pick n and c such that: • Probability of accepting H1 when H0 holds is at most  • Probability of accepting H0 when H1 holds is at most  • Sequential single sampling plan: • Accept H0 after m < n observations if more than c observations are positive • Accept H1 after m < n observations if at most k observations are positive and k + (n – m) ≤ c Statistical probabilistic model checking

  17. Graphical representation of sequential single sampling plan Continue untilline is crossed accept c continue Number of positiveobservations reject n – c n Start here Number of observations Make observations Statistical probabilistic model checking

  18. Sequential probability ratio test (SPRT)Wald (Annals of Mathematical Statistics’45) • More efficient than sequential single sampling plan • After m observations, k positive, compute ratio: • Accept H0: p +  if  ≤  ∕ (1 – ) • Accept H1: p –  if ≥ (1 – )∕  • No fixed upper bound on sample size, but much smaller on average Statistical probabilistic model checking

  19. Graphical representation of SPRT Continue untilline is crossed accept continue Number of positiveobservations reject Start here Number of observations Make observations Statistical probabilistic model checking

  20. Statistical estimationHérault et al. (VMCAI’04) • Estimate p with confidence interval of width 2 • Accept H0: p +  iff center of confidence interval is at least  • Choosing sample size: • Same as single sampling plan n, n + 1; never more efficient! Statistical probabilistic model checking

  21. Acceptance sampling with undecided resultsYounes (VMCAI’06) • Simultaneous acceptance sampling plans • H0: p against H1: p –  • H0: p +  against H1: p • Combining the results • Accept ≥ [] if H0 and H0 are accepted • Reject ≥ [] if H1 and H1 are accepted • Undecided result otherwise         Statistical probabilistic model checking

  22. Graphical representation of SPRT with undecided results Continue untilline is crossed accept undecided Number of positiveobservations reject continue Start here Number of observations Make observations Statistical probabilistic model checking

  23. Unbounded until—avoiding infinite sample trajectoriesYounes (unpublished manuscript) • Premature termination with probability pt after each state transition • Ensures finite sample trajectories • Change value of positive sample trajectory  from 1 to (1 – pt)–|| • Inspired by Monte Carlo method for matrix inversion by Forsythe & Leibler (1950) • Observations no longer 0 or 1: previous methods do not apply • Use sequential estimation by Chow & Robbins (1965) • Lower pt means fewer samples, by longer trajectories • Note: Sen et al. (CAV’05) tried to handle unbounded until with termination probability, but flawed because observations are still 0 or 1 Statistical probabilistic model checking

  24. Empirical evaluation Statistical probabilistic model checking

  25. Numerical vs. statistical (tandem queuing network)Younes et al. (TACAS’04)  P≥0.5(U ≤T full) 106 105 104  = 10−6 = = 10−2 = 0.5·10−2 103 Verification time (seconds) 102 101 100 10−1 10−2 101 102 103 104 105 106 107 108 109 1010 1011 Size of state space Statistical probabilistic model checking

  26. Numerical vs. statistical (symmetric polling system)Younes et al. (TACAS’04) serv1  P≥0.5(U≤T poll1) 106 105 104  = 10−6 = = 10−2 = 0.5·10−2 103 Verification time (seconds) 102 101 100 10−1 10−2 102 104 106 108 1010 1012 1014 Size of state space Statistical probabilistic model checking

  27. 20 = 10–2 = 0 15 Verification time (seconds) 10 5 0 14 14.1 14.2 14.3 14.4 14.5 Formula time bound (T) Undecided results (symmetric polling system)Younes (VMCAI’06) serv1  P≥0.5[U ≤Tpoll1] Statistical probabilistic model checking

  28. Undecided results (symmetric polling system)  =  =  = 10–2 Statistical probabilistic model checking

  29. Thank you! • Questions? Statistical probabilistic model checking

More Related