Luca Aceto,Antonis Achilleos,Adrian Francalanza,Anna Ingólfsdóttir,Karoliina Lehtinen

DOI: https://doi.org/10.48550/arXiv.1902.00435

2019-02-01

Logic in Computer Science

Abstract:This paper establishes a comprehensive theory of runtime monitorability for Hennessy-Milner logic with recursion, a very expressive variant of the modal $\mu$-calculus. It investigates the monitorability of that logic with a linear-time semantics and then compares the obtained results with ones that were previously presented in the literature for a branching-time setting. Our work establishes an expressiveness hierarchy of monitorable fragments of Hennessy-Milner logic with recursion in a linear-time setting and exactly identifies what kinds of guarantees can be given using runtime monitors for each fragment in the hierarchy. Each fragment is shown to be complete, in the sense that it can express all properties that can be monitored under the corresponding guarantees. The study is carried out using a principled approach to monitoring that connects the semantics of the logic and the operational semantics of monitors. The proposed framework supports the automatic, compositional synthesis of correct monitors from monitorable properties.

Angelo Ferrando,Rafael C. Cardoso

DOI: https://doi.org/10.4204/EPTCS.348.3

2021-10-25

Abstract:Runtime Verification is a lightweight formal verification technique. It is used to verify at runtime whether the system under analysis behaves as expected. The expected behaviour is usually formally specified by means of properties, which are used to automatically synthesise monitors. A monitor is a device that, given a sequence of events representing a system execution, returns a verdict symbolising the satisfaction or violation of the formal property. Properties that can (resp. cannot) be verified at runtime by a monitor are called monitorable and non-monitorable, respectively. In this paper, we revise the notion of monitorability from a practical perspective, where we show how non-monitorable properties can still be used to generate partial monitors, which can partially check the properties. Finally, we present the implications both from a theoretical and practical perspectives.

Logic in Computer Science,Artificial Intelligence,Formal Languages and Automata Theory

Christian Batrolo Burlò,Adrian Francalanza,Alceste Scalas

DOI: https://doi.org/10.48550/arXiv.2105.06291

2021-05-13

Programming Languages

Abstract:In concurrent and distributed systems, software components are expected to communicate according to predetermined protocols and APIs - and if a component does not observe them, the system's reliability is compromised. Furthermore, isolating and fixing protocol/API errors can be very difficult. Many methods have been proposed to check the correctness of communicating systems, ranging from compile-time to run-time verification; among such methods, session types have been applied for both static type-checking, and run-time monitoring. This work takes a fresh look at the run-time verification of communicating systems using session types, in theory and in practice. On the theoretical side, we develop a novel formal model of session-monitored processes; with it, we formulate and prove new results on the monitorability of session types, connecting their run-time and static verification - in terms of soundness (i.e., whether monitors only flag ill-typed processes) and completeness (i.e., whether all ill-typed processes can be flagged by a monitor). On the practical side, we show that our monitoring theory is indeed realisable: building upon our formal model, we develop a Scala toolkit for the automatic generation of session monitors. Our executable monitors can be used to instrument black-box processes written in any programming language; we assess the viability of our approach with a series of benchmarks.

Volker Diekert,Anca Muscholl,Igor Walukiewicz

DOI: https://doi.org/10.48550/arXiv.1507.01020

2015-07-04

Abstract:When a property needs to be checked against an unknown or very complex system, classical exploration techniques like model-checking are not applicable anymore. Sometimes a~monitor can be used, that checks a given property on the underlying system at runtime. A monitor for a property $L$ is a deterministic finite automaton $M_L$ that after each finite execution tells whether (1) every possible extension of the execution is in $L$, or (2) every possible extension is in the complement of $L$, or neither (1) nor (2) holds. Moreover, $L$ being monitorable means that it is always possible that in some future the monitor reaches (1) or (2). Classical examples for monitorable properties are safety and cosafety properties. On the other hand, deterministic liveness properties like "infinitely many $a$'s" are not monitorable. We discuss various monitor constructions with a focus on deterministic omega-regular languages. We locate a proper subclass of of deterministic omega-regular languages but also strictly large than the subclass of languages which are deterministic and codeterministic, and for this subclass there exists a canonical monitor which also accepts the language itself. We also address the problem to decide monitorability in comparison with deciding liveness. The state of the art is as follows. Given a Büchi automaton, it is PSPACE-complete to decide liveness or monitorability. Given an LTL formula, deciding liveness becomes EXPSPACE-complete, but the complexity to decide monitorability remains open.

Formal Languages and Automata Theory

Zhe Chen,Yunyun Chen,Robert M. Hierons,Yifan Wu

DOI: https://doi.org/10.48550/arXiv.2002.06737

2020-02-17

Formal Languages and Automata Theory

Abstract:Runtime Verification (RV) is a lightweight formal technique in which program or system execution is monitored and analyzed, to check whether certain properties are satisfied or violated after a finite number of steps. The use of RV has led to interest in deciding whether a property is monitorable: whether it is always possible for the satisfaction or violation of the property to be determined after a finite future continuation. However, classical two-valued monitorability suffers from two inherent limitations. First, a property can only be evaluated as monitorable or non-monitorable; no information is available regarding whether only one verdict (satisfaction or violation) can be detected. Second, monitorability is defined at the language-level and does not tell us whether satisfaction or violation can be detected starting from the current monitor state during system execution. To address these limitations, this paper proposes a new notion of four-valued monitorability for $\omega$-languages and applies it at the state-level. Four-valued monitorability is more informative than two-valued monitorability as a property can be evaluated as a four-valued result, denoting that only satisfaction, only violation, or both are active for a monitorable property. We can also compute state-level weak monitorability, i.e., whether satisfaction or violation can be detected starting from a given state in a monitor, which enables state-level optimizations of monitoring algorithms. Based on a new six-valued semantics, we propose procedures for computing four-valued monitorability of $\omega$-regular languages, both at the language-level and at the state-level. We have developed a new tool that implements the proposed procedure for computing monitorability of LTL formulas.

Thomas A. Henzinger,N. Ege Saraç,N. Ege Sarac

DOI: https://doi.org/10.1109/lics52264.2021.9470547

2021-06-29

Abstract:In runtime verification, a monitor watches a trace of a system and, if possible, decides after observing each finite prefix whether or not the unknown infinite trace satisfies a given specification. We generalize the theory of runtime verification to monitors that attempt to estimate numerical values of quantitative trace properties (instead of attempting to conclude boolean values of trace specifications), such as maximal or average response time along a trace. Quantitative monitors are approximate: with every finite prefix, they can improve their estimate of the infinite trace's unknown property value. Consequently, quantitative monitors can be compared with regard to a precision-cost trade-off: better approximations of the property value require more monitor resources, such as states (in the case of finite-state monitors) or registers, and additional resources yield better approximations. We introduce a formal framework for quantitative and approximate monitoring, show how it conservatively generalizes the classical boolean setting for monitoring, and give several precision-cost trade-offs for monitors. For example, we prove that there are quantitative properties for which every additional register improves monitoring precision.

张鹏程,李宣东,李雯睿

DOI: https://doi.org/10.1360/112012-562

2014-01-01

Scientia Sinica Informationis

Abstract:In open environments, unsafe run-time changes of systems and environments may compromise the correct execution of the entire systems and make the software systems do not meet the original specifications, which may eventually lead to the occurrence of software failures. Runtime monitor which is a lightweight formal dynamic verification technology has become the basic means of detecting software failures in open environments. For scenario-based specification property sequence charts, this paper defines the multi-valued monitoring semantics from the perspective of game theory: satisfied, infinitely controllable, the system is finitely controllable, the system is emergency controllable, the environment is finitely controllable, the environment is emergency controllable, violated. Through the multi-valued semantics definition, the monitor can detect failures as early as possible and also provide sufficient information to help the system to take measures for failure prevention and recovery. Finally, the property sequence chart used in RailCab case study shows its extensive application prospect.

Luca Aceto,Antonis Achilleos,Elli Anastasiadi,Anna Ingolfsdottir

DOI: https://doi.org/10.1016/j.jlamp.2022.100778

IF: 1.088

2022-04-01

Journal of Logical and Algebraic Methods in Programming

Abstract:Monitors are a key tool in the field of runtime verification, where they are used to verify system properties by analyzing execution traces generated by processes. Work on runtime monitoring carried out in a series of papers by Aceto et al. has specified monitors using a variation on the regular fragment of Milner's CCS and studied two trace-based notions of equivalence over monitors, namely verdict and ω-verdict equivalence. This article is devoted to the study of the equational logic of monitors modulo those two notions of equivalence. It presents complete equational axiomatizations of verdict and ω-verdict equivalence for closed and open terms over recursion-free monitors. It is also shown that verdict equivalence has no finite equational axiomatization over open monitors when the set of actions is finite and contains at least two actions.

computer science, theory & methods,logic

Luca Aceto,Antonis Achilleos,Adrian Francalanza,Anna Ingólfsdóttir,Karoliina Lehtinen

DOI: https://doi.org/10.48550/arXiv.1902.05152

2019-02-13

Logic in Computer Science

Abstract:We compare the succinctness of two monitoring systems for properties of infinite traces, namely parallel and regular monitors. Although a parallel monitor can be turned into an equivalent regular monitor, the cost of this transformation is a double-exponential blowup in the syntactic size of the monitors, and a triple-exponential blowup when the goal is a deterministic monitor. We show that these bounds are tight and that they also hold for translations between corresponding fragments of Hennessy-Milner logic with recursion over infinite traces.

David Basin,Felix Klaedtke,Samuel Müller,Eugen Zălinescu

DOI: https://doi.org/10.1145/2699444

IF: 2.269

2015-05-06

Journal of the ACM

Abstract:Runtime monitoring is a general approach to verifying system properties at runtime by comparing system events against a specification formalizing which event sequences are allowed. We present a runtime monitoring algorithm for a safety fragment of metric first-order temporal logic that overcomes the limitations of prior monitoring algorithms with respect to the expressiveness of their property specification languages. Our approach, based on automatic structures, allows the unrestricted use of negation, universal and existential quantification over infinite domains, and the arbitrary nesting of both past and bounded future operators. Furthermore, we show how to use and optimize our approach for the common case where structures consist of only finite relations, over possibly infinite domains. We also report on case studies from the domain of security and compliance in which we empirically evaluate the presented algorithms. Taken together, our results show that metric first-order temporal logic can serve as an effective specification language for expressing and monitoring a wide variety of practically relevant system properties.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Adrian Francalanza,Andrew Gauci,Gordon J. Pace

DOI: https://doi.org/10.1016/j.jlap.2013.04.001

2013-07-01

The Journal of Logic and Algebraic Programming

Abstract:Runtime verification of distributed systems poses various challenges. A pivotal challenge is the choice of howto distribute the monitors themselves across the system.On one hand, centralised monitoringmay result in increased communication overhead and information exposure across locations, while, on the other hand, systems with dynamic topologies and properties are difficult to address using static monitor choreographies. In this paper we present mDPi, a location-aware π-calculus extension for reasoning about the distributed monitoring scenario.We also define numerousmonitoring strategies for a regular expression-based logic, including a novel approach in which monitors migrate to ensure local monitoring. Finally, we present a number of results which emerge from this formalism, justifying our approach.

English Else

Giuseppe De Giacomo,Riccardo De Masellis,Marco Grasso,Fabrizio Maggi,Marco Montali

DOI: https://doi.org/10.48550/arXiv.1405.0054

2014-05-01

Abstract:Runtime monitoring is one of the central tasks to provide operational decision support to running business processes, and check on-the-fly whether they comply with constraints and rules. We study runtime monitoring of properties expressed in LTL on finite traces (LTLf) and in its extension LDLf. LDLf is a powerful logic that captures all monadic second order logic on finite traces, which is obtained by combining regular expressions and LTLf, adopting the syntax of propositional dynamic logic (PDL). Interestingly, in spite of its greater expressivity, LDLf has exactly the same computational complexity of LTLf. We show that LDLf is able to capture, in the logic itself, not only the constraints to be monitored, but also the de-facto standard RV-LTL monitors. This makes it possible to declaratively capture monitoring metaconstraints, and check them by relying on usual logical services instead of ad-hoc algorithms. This, in turn, enables to flexibly monitor constraints depending on the monitoring state of other constraints, e.g., "compensation" constraints that are only checked when others are detected to be violated. In addition, we devise a direct translation of LDLf formulas into nondeterministic automata, avoiding to detour to Buechi automata or alternating automata, and we use it to implement a monitoring plug-in for the PROM suite.

Artificial Intelligence,Software Engineering

Maximilian A. Köhl,Clemens Dubslaff,Holger Hermanns

2024-08-30

Abstract:The observable behavior of a system usually carries useful information about its internal state, properties, and potential future behaviors. In this paper, we introduce configuration monitoring to determine an unknown configuration of a running system based on observations of its behavior. We develop a modular and generic pipeline to synthesize automata-theoretic configuration monitors from a featured transition system model of the configurable system to be monitored. The pipeline further allows synthesis under partial observability and network-induced losses as well as predictive configuration monitors taking the potential future behavior of a system into account. Beyond the novel application of configuration monitoring, we show that our approach also generalizes and unifies existing work on runtime monitoring and fault diagnosis, which aim at detecting the satisfaction or violation of properties and the occurrence of faults, respectively. We empirically demonstrate the efficacy of our approach with a case study on configuration monitors synthesized from configurable systems community benchmarks.

Formal Languages and Automata Theory,Software Engineering

Serena S. Serbinowska,Nicholas Potteiger,Anne M. Tumlin,Taylor T. Johnson

DOI: https://doi.org/10.4204/EPTCS.411.4

2024-11-21

Abstract:Behavior Trees (BTs) are high level controllers that have found use in a wide range of robotics tasks. As they grow in popularity and usage, it is crucial to ensure that the appropriate tools and methods are available for ensuring they work as intended. To that end, we created a new methodology by which to create Runtime Monitors for BTs. These monitors can be used by the BT to correct when undesirable behavior is detected and are capable of handling LTL specifications. We demonstrate that in terms of runtime, the generated monitors are on par with monitors generated by existing tools and highlight certain features that make our method more desirable in various situations. We note that our method allows for our monitors to be swapped out with alternate monitors with fairly minimal user effort. Finally, our method ties in with our existing tool, BehaVerify, allowing for the verification of BTs with monitors.

Robotics

Luca Aceto,Antonis Achilleos,Elli Anastasiadi,Adrian Francalanza,Daniele Gorla,Jana Wagemaker

2024-05-21

Abstract:This paper focuses on the runtime verification of hyperproperties expressed in HypermuHML, an expressive yet simple logic for describing properties of sets of traces. To this end, we first consider a simple language of monitors that can observe sets of system executions and report verdicts w.r.t. a given HypermuHML formula. In this setting, a unique omniscient monitor observes all system traces, and, in this sense, it is 'centralized'. However, in a possibly distributed system, having a centralized entity is undesirable; hence, we also provide a language for 'decentralized' monitors, where each trace has its own monitor, and monitors for different traces can yield a unique verdict by communicating their observations. For both the centralized and the decentralized settings, we provide a synthesis procedure that, given a formula, yields a monitor that is correct (i.e., sound and violation complete). A key step in proving the correctness of the synthesis for decentralized monitors is a result showing that, for each formula, the synthesized centralized monitor and its corresponding decentralized one are weakly bisimilar for a suitable notion of weak bisimulation.

Logic in Computer Science

Volker Diekert,Anca Muscholl

DOI: https://doi.org/10.48550/arXiv.1208.2125

2012-08-10

Abstract:Distributed systems are notoriously difficult to understand and analyze in order to assert their correction w.r.t. given properties. They often exhibit a huge number of different behaviors, as soon as the active entities (peers, agents, processes, etc) behave in an asynchronous manner. Already the modelization of such systems is a non-trivial task, let alone their formal verification. The purpose of this paper is to discuss the problem of distributed monitoring on a simple model of finite-state distributed automata based on shared actions, called asynchronous automata. Monitoring is a question related to runtime verification: assume that we have to check a property $L$ against an unknown or very complex system $A$, so that classical static analysis is not possible. Therefore instead of model-checking a monitor is used, that checks the property on the underlying system at runtime. We are interested here in monitoring distributed systems modeled as asynchronous automata. It is natural to require that monitors should be of the same kind as the underlying system, so we consider here distributed monitoring. A distributed monitor does not have a global view of the system, therefore we propose the notion of locally monitorable trace language. Our main result shows that if the distributed alphabet of actions is connected and if $L$ is a set of infinite traces such that both $L$ and its complement $L^c$ are countable unions of locally safety languages, then $L$ is locally monitorable. We also show that over infinite traces, recognizable countable unions of locally safety languages are precisely the complements of deterministic languages.

Formal Languages and Automata Theory,Logic in Computer Science

Stefan Mitsch,André Platzer

DOI: https://doi.org/10.48550/arXiv.1811.06502

2019-02-25

Abstract:Formal verification provides strong safety guarantees but only for models of cyber-physical systems. Hybrid system models describe the required interplay of computation and physical dynamics, which is crucial to guarantee what computations lead to safe physical behavior (e.g., cars should not collide). Control computations that affect physical dynamics must act in advance to avoid possibly unsafe future circumstances. Formal verification then ensures that the controllers correctly identify and provably avoid unsafe future situations under a certain model of physics. But any model of physics necessarily deviates from reality and, moreover, any observation with real sensors and manipulation with real actuators is subject to uncertainty. This makes runtime validation a crucial step to monitor whether the model assumptions hold for the real system implementation. The key question is what property needs to be runtime-monitored and what a satisfied runtime monitor entails about the safety of the system: the observations of a runtime monitor only relate back to the safety of the system if they are themselves accompanied by a proof of correctness! For an unbroken chain of correctness guarantees, we, thus, synthesize runtime monitors in a provably correct way from provably safe hybrid system models. This paper addresses the inevitable challenge of making the synthesized monitoring conditions robust to partial observability of sensor uncertainty and partial controllability due to actuator disturbance. We show that the monitoring conditions result in provable safety guarantees with fallback controllers that react to monitor violation at runtime.

Logic in Computer Science

Léo Henry,Thierry Jéron,Nicolas Markey,Victor Roussanaly

2024-10-01

Abstract:In formal verification, runtime monitoring consists of observing the execution of a system in order to decide as quickly as possible whether or not it satisfies a given property. We consider monitoring in a distributed setting, for properties given as reachability timed automata. In such a setting, the system is made of several components, each equipped with its own local clock and monitor. The monitors observe events occurring on their associated component, and receive timestamped events from other monitors through FIFO channels. Since clocks are local, they cannot be perfectly synchronized, resulting in imprecise timestamps. Consequently, they must be seen as intervals, leading monitors to consider possible reorderings of events. In this context, each monitor aims to provide, as early as possible, a verdict on the property it is monitoring, based on its potentially incomplete and imprecise knowledge of the current execution. In this paper, we propose an on-line monitoring algorithm for timed properties, robust to time imprecision and partial information from distant components. We first identify the date at which a monitor can safely compute a verdict based on received events. We then propose a monitoring algorithm that updates this date when new information arrives, maintains the current set of states in which the property can reside, and updates its verdict accordingly.

Software Engineering

Ian Cassar,Adrian Francalanza

DOI: https://doi.org/10.4204/EPTCS.175.4

2015-02-12

Abstract:We study the impact of synchronous and asynchronous monitoring instrumentation on runtime overheads in the context of a runtime verification framework for actor-based systems. We show that, in such a context, asynchronous monitoring incurs substantially lower overhead costs. We also show how, for certain properties that require synchronous monitoring, a hybrid approach can be used that ensures timely violation detections for the important events while, at the same time, incurring lower overhead costs that are closer to those of an asynchronous instrumentation.

Logic in Computer Science,Software Engineering

Matteo Rucco,Luca Tesei,Emanuela Merelli

DOI: https://doi.org/10.48550/arXiv.1908.03489

2019-08-06

Abstract:In this paper we introduce a new data-driven run-time monitoring system for analysing the behaviour of time evolving complex systems. The monitor controls the evolution of the whole system but it is mined from the data produced by its single interacting components. Relevant behavioural changes happening at the component level and that are responsible for global system evolution are captured by the monitor. Topological Data Analysis is used for shaping and analysing the data for mining an automaton mimicking the global system dynamics, the so-called Persistent Entropy Automaton (PEA). A slight augmented PEA, the monitor, can be used to run current or past executions of the system to mine temporal invariants, for instance through statistical reasoning. Such invariants can be formulated as properties of a temporal logic, e.g. bounded LTL, that can be run-time model-checked. We have performed a feasibility assessment of the PEA and the associated monitoring system by analysing a simulated biological complex system, namely the human immune system. The application of the monitor to simulated traces reveals temporal properties that should be satisfied in order to reach immunization memory.

Logic in Computer Science,Formal Languages and Automata Theory,Tissues and Organs