Statistical probabilistic model checking

1
Statistical probabilistic model checking

• Håkan L. S. Younes
• Carnegie Mellon University
• (now at Google Inc.)

2
Introduction

• Model-independent approach to probabilistic model
  checking
• Relies on simulation and statistical sampling
• Wrong answer possible, but can be bounded
  (probabilistically)
• Low memory requirements (can handle
  large/infinite models)
• Trivially parallelizable (distributed sampling
  gives linear speedup)
• Topics covered in this talk
• Error control
• Hypothesis testing vs. estimation
• Dealing with unbounded properties/infinite
  trajectories

3
Probabilistic model checking

• Given a model M, a state s, and a property ?,
  does ? hold in s for M ?
• Model stochastic discrete-event system
• Property probabilistic temporal logic formula
• Example tandem queuing network

arrive
route
depart
q1
q2
The probability is at least 0.1 that both
queuesbecome full within 5 minutes
4
Probabilistic temporal logic (PCTL, CSL)

• Standard logic operators ? ?, ? ? ?,
• Probabilistic operator ?? ?
• Holds in state s iff probability is at least ?
  for paths satisfying ? and starting in s
• Bounded until ? ? T ?
• Holds over path ? iff ? becomes true along ?
  within time T, and ? is true until then
• Unbounded until ? ? ?
• Holds over path ? iff ? becomes true eventually
  along ?, and ? is true until then

5
Property examples

• The probability is at least 0.1 that both queues
  become full within 5 minutes
• ?0.1? ? 5 full1 ? full2
• The probability is at most 0.05 that the second
  queue becomes full before the first queue
• ?0.05? full1 ? full2

6
The problem (in detail)

• Before we propose a solution, we need to fully
  define the problem
• Possible outcomes of model-checking algorithm
• Ideal vs. realistic error control

7
Possible outcomes of model-checking algorithm

• Given a state s and a formula ?, a model-checking
  algorithm A can
• Accept ? as true in s (s ?? ?)
• Reject ? as false in s (s ?? ?)
• Return an undecided result (s ?I ?)
• An error occurs if
• A rejects ? when ? is true (false negative)
• A accepts ? when ? is false (false positive)
• Note an undecided result is not an error, but
  still not desirable

8
Ideal error control

• Bound the probability of false negatives/positives
  and undecided results under all circumstances
• Bound on false negatives ? Prs ?? ? s ? ? ?
  ?
• Bound on false positives ? Prs ?? ? s ? ? ?
  ?
• Bound on undecided results ? Prs ?I ? ? ?
• If ?, ?, and ? are all low, then model-checking
  algorithm A produces a correct result with high
  probability

9
Unrealistic expectations

• Ideal error control for verifying probabilistic
  formula ?? ? in state s

False negatives
1
1 ?
1 ? ?
s ? ?? ?
s ? ?? ?
Probability of acceptingP? ? as true in s
Undecided
? ?
?
p
?
False positives
Actual probability of ? holding
10
Relaxing the problem

• Indifference region of width 2? centered around
  probability thresholds
• Probabilistic operator ?? ?
• Holds in state s if probability is at least ? ?
  for paths satisfying ? and starting in s
• Does not hold if probability is at most ? - ? for
  paths satisfying ? and starting in s
• Too close to call if probability is within ?
  distance of ? (indifference)
• Essentially three-valued logic, but we care only
  about true and false

11
Error control for relaxed problem

• Option 1 bound the probability of false
  positives/negatives outside of the indifference
  region no undecided results
• Bound on false negatives ? Prs ?? ? s ?? ? ?
  ?
• Bound on false positives ? Prs ?? ? s ?? ? ?
  ?
• No undecided results ? 0 Prs ?I ? 0
• Option 2 bound the probability of undecided
  results outside of the indifference region low
  error probability under all circumstances
• Bound on false negatives ? Prs ?? ? s ? ? ?
  ?
• Bound on false positives ? Prs ?? ? s ? ? ?
  ?
• Bound on undecided results ? Prs ?I ? (s ??
  ?) ? (s ?? ?) ? ?

?
?
?
?
12
Realistic error controlno undecided results

• Error control for verifying probabilistic formula
  ?? ? in state s

False negatives
1
1 ?
s ?? ?? ?
s ?? ?? ?
?
?
Probability of acceptingP? ? as true in s
High error probabilityin indifference region
?
p
?
? ?
? - ?
False positives
Actual probability of ? holding
13
Realistic error controlwith undecided results

• Error control for verifying probabilistic formula
  ?? ? in state s

Acceptance probability
Rejection probability
1
1 ?
s ?? ?? ?
s ?? ?? ?
?
?
Probability of acceptingP? ? as true in s
High undecided probability in indifference region
?
?
p
?
? ?
? - ?
Actual probability of ? holding
? - ?
14
The solution

• Statistical sampling (hypothesis testing vs.
  estimation)
• Undecided results
• Avoiding infinite sample trajectories in
  simulation for unbounded until

15
Verifying probabilistic propertiesno undecided
resultsYounes Simmons (CAV02, Information and
Computation06)

• Use acceptance sampling to verify ?? ? in
  state s
• Test hypothesis H0 p ? ? ? against hypothesis
  H1 p ? ? ?
• Observation verify ? over sample trajectories
  generated using simulation

16
Acceptance sampling with fixed sample size

• Single sampling plan ?n, c?
• Generate n sample trajectories
• Accept H0 p ? ? ? iff more than c paths
  satisfy ?
• Pick n and c such that
• Probability of accepting H1 when H0 holds is at
  most ?
• Probability of accepting H0 when H1 holds is at
  most ?
• Sequential single sampling plan
• Accept H0 after m lt n observations if more than c
  observations are positive
• Accept H1 after m lt n observations if at most k
  observations are positive and k (n m) c

17
Graphical representation of sequential single
sampling plan
Continue untilline is crossed
accept
c
continue
Number of positiveobservations
reject
n c
n
Start here
Number of observations
Make observations
18
Sequential probability ratio test (SPRT)Wald
(Annals of Mathematical Statistics45)

• More efficient than sequential single sampling
  plan
• After m observations, k positive, compute ratio
• Accept H0 p ? ? ? if ? ? / (1 ?)
• Accept H1 p ? ? ? if ? (1 ?) / ?
• No fixed upper bound on sample size, but much
  smaller on average

19
Graphical representation of SPRT
Continue untilline is crossed
accept
continue
Number of positiveobservations
reject
Start here
Number of observations
Make observations
20
Statistical estimationHérault et al. (VMCAI04)

• Estimate p with confidence interval of width 2?
• Accept H0 p ? ? ? iff center of confidence
  interval is at least ?
• Choosing sample size
• Same as single sampling plan ?n, ?n? 1?? never
  more efficient!

21
Acceptance sampling with undecided resultsYounes
(VMCAI06)

• Simultaneous acceptance sampling plans
• H0 p ? ? against H1 p ? ? ?
• H0 p ? ? ? against H1 p ? ?
• Combining the results
• Accept ?? ? if H0 and H0 are accepted
• Reject ?? ? if H1 and H1 are accepted
• Undecided result otherwise

?
?
?
?
?
?
?
?
22
Graphical representation of SPRT with undecided
results
Continue untilline is crossed
accept
undecided
Number of positiveobservations
reject
continue
Start here
Number of observations
Make observations
23
Unbounded untilavoiding infinite sample
trajectoriesYounes (unpublished manuscript)

• Premature termination with probability pt after
  each state transition
• Ensures finite sample trajectories
• Change value of positive sample trajectory ? from
  1 to (1 pt)?
• Inspired by Monte Carlo method for matrix
  inversion by Forsythe Leibler (1950)
• Observations no longer 0 or 1 previous methods
  do not apply
• Use sequential estimation by Chow Robbins
  (1965)
• Lower pt means fewer samples, by longer
  trajectories
• Note Sen et al. (CAV05) tried to handle
  unbounded until with termination probability, but
  flawed because observations are still 0 or 1

24
Empirical evaluation
25
Numerical vs. statistical (tandem queuing
network)Younes et al. (TACAS04)
? P0.5(? U T full)
106
105
104
? 10-6 ? ? 10-2 ? 0.510-2
103
Verification time (seconds)
102
101
100
10-1
10-2
101
102
103
104
105
106
107
108
109
1010
1011
Size of state space
26
Numerical vs. statistical (symmetric polling
system)Younes et al. (TACAS04)
serv1 ? P0.5(? UT poll1)
106
105
104
? 10-6 ? ? 10-2 ? 0.510-2
103
Verification time (seconds)
102
101
100
10-1
10-2
102
104
106
108
1010
1012
1014
Size of state space
27
Undecided results (symmetric polling
system)Younes (VMCAI06)
serv1 ? P0.5? U T poll1
28
Undecided results (symmetric polling system)
? ? ? 102
29
Thank you!

• Questions?