Ritam Raha,Rajarshi Roy,Nathanael Fijalkow,Daniel Neider,Guillermo A. Perez

DOI: https://doi.org/10.48550/arXiv.2310.17410

IF: 14.4

2023-10-26

Artificial Intelligence

Abstract:In runtime verification, manually formalizing a specification for monitoring system executions is a tedious and error-prone process. To address this issue, we consider the problem of automatically synthesizing formal specifications from system executions. To demonstrate our approach, we consider the popular specification language Metric Temporal Logic (MTL), which is particularly tailored towards specifying temporal properties for cyber-physical systems (CPS). Most of the classical approaches for synthesizing temporal logic formulas aim at minimizing the size of the formula. However, for efficiency in monitoring, along with the size, the amount of "lookahead" required for the specification becomes relevant, especially for safety-critical applications. We formalize this notion and devise a learning algorithm that synthesizes concise formulas having bounded lookahead. To do so, our algorithm reduces the synthesis task to a series of satisfiability problems in Linear Real Arithmetic (LRA) and generates MTL formulas from their satisfying assignments. The reduction uses a novel encoding of a popular MTL monitoring procedure using LRA. Finally, we implement our algorithm in a tool called TEAL and demonstrate its ability to synthesize efficiently monitorable MTL formulas in a CPS application.

Léo Henry,Thierry Jéron,Nicolas Markey,Victor Roussanaly

2024-10-01

Abstract:In formal verification, runtime monitoring consists of observing the execution of a system in order to decide as quickly as possible whether or not it satisfies a given property. We consider monitoring in a distributed setting, for properties given as reachability timed automata. In such a setting, the system is made of several components, each equipped with its own local clock and monitor. The monitors observe events occurring on their associated component, and receive timestamped events from other monitors through FIFO channels. Since clocks are local, they cannot be perfectly synchronized, resulting in imprecise timestamps. Consequently, they must be seen as intervals, leading monitors to consider possible reorderings of events. In this context, each monitor aims to provide, as early as possible, a verdict on the property it is monitoring, based on its potentially incomplete and imprecise knowledge of the current execution. In this paper, we propose an on-line monitoring algorithm for timed properties, robust to time imprecision and partial information from distant components. We first identify the date at which a monitor can safely compute a verdict based on received events. We then propose a monitoring algorithm that updates this date when new information arrives, maintains the current set of states in which the property can reside, and updates its verdict accordingly.

Software Engineering

Hendra Gunadi,Alwen Tiu

DOI: https://doi.org/10.48550/arXiv.1311.2362

2013-11-11

Abstract:We present a design and an implementation of a security policy specification language based on metric linear-time temporal logic (MTL). MTL features temporal operators that are indexed by time intervals, allowing one to specify timing-dependent security policies. The design of the language is driven by the problem of runtime monitoring of applications in mobile devices. A main case the study is the privilege escalation attack in the Android operating system, where an app gains access to certain resource or functionalities that are not explicitly granted to it by the user, through indirect control flow. To capture these attacks, we extend MTL with recursive definitions, that are used to express call chains betwen apps. We then show how the metric operators of MTL, in combination with recursive definitions, can be used to specify policies to detect privilege escalation, under various fine grained constraints. We present a new algorithm, extending that of linear time temporal logic, for monitoring safety policies written in our specification language. The monitor does not need to store the entire history of events generated by the apps, something that is crucial for practical implementations. We modified the Android OS kernel to allow us to insert our generated monitors modularly. We have tested the modified OS on an actual device, and show that it is effective in detecting policy violations.

Logic in Computer Science,Cryptography and Security,Operating Systems

Giuseppe De Giacomo,Riccardo De Masellis,Marco Grasso,Fabrizio Maggi,Marco Montali

DOI: https://doi.org/10.48550/arXiv.1405.0054

2014-05-01

Abstract:Runtime monitoring is one of the central tasks to provide operational decision support to running business processes, and check on-the-fly whether they comply with constraints and rules. We study runtime monitoring of properties expressed in LTL on finite traces (LTLf) and in its extension LDLf. LDLf is a powerful logic that captures all monadic second order logic on finite traces, which is obtained by combining regular expressions and LTLf, adopting the syntax of propositional dynamic logic (PDL). Interestingly, in spite of its greater expressivity, LDLf has exactly the same computational complexity of LTLf. We show that LDLf is able to capture, in the logic itself, not only the constraints to be monitored, but also the de-facto standard RV-LTL monitors. This makes it possible to declaratively capture monitoring metaconstraints, and check them by relying on usual logical services instead of ad-hoc algorithms. This, in turn, enables to flexibly monitor constraints depending on the monitoring state of other constraints, e.g., "compensation" constraints that are only checked when others are detected to be violated. In addition, we devise a direct translation of LDLf formulas into nondeterministic automata, avoiding to detour to Buechi automata or alternating automata, and we use it to implement a monitoring plug-in for the PROM suite.

Artificial Intelligence,Software Engineering

Dogan Ulus

2024-08-11

Abstract:Metric Temporal Logic (MTL) is a popular formalism to specify temporal patterns with timing constraints over the behavior of cyber-physical systems with application areas ranging in property-based testing, robotics, optimization, and learning. This paper focuses on the unified construction of sequential networks from MTL specifications over discrete and dense time behaviors to provide an efficient and scalable online monitoring framework. Our core technique, future temporal marking, utilizes interval-based symbolic representations of future discrete and dense timelines. Building upon this, we develop efficient update and output functions for sequential network nodes for timed temporal operations. Finally, we extensively test and compare our proposed technique with existing approaches and runtime verification tools. Results highlight the performance and scalability advantages of our monitoring approach and sequential networks.

Logic in Computer Science,Formal Languages and Automata Theory

Angelo Ferrando,Rafael C. Cardoso

DOI: https://doi.org/10.4204/EPTCS.348.3

2021-10-25

Abstract:Runtime Verification is a lightweight formal verification technique. It is used to verify at runtime whether the system under analysis behaves as expected. The expected behaviour is usually formally specified by means of properties, which are used to automatically synthesise monitors. A monitor is a device that, given a sequence of events representing a system execution, returns a verdict symbolising the satisfaction or violation of the formal property. Properties that can (resp. cannot) be verified at runtime by a monitor are called monitorable and non-monitorable, respectively. In this paper, we revise the notion of monitorability from a practical perspective, where we show how non-monitorable properties can still be used to generate partial monitors, which can partially check the properties. Finally, we present the implications both from a theoretical and practical perspectives.

Logic in Computer Science,Artificial Intelligence,Formal Languages and Automata Theory

Xinyi Yu,Weijie Dong,Xiang Yin,Shaoyuan Li

DOI: https://doi.org/10.48550/arXiv.2203.16267

2022-03-30

Abstract:Online monitoring aims to evaluate or to predict, at runtime, whether or not the behaviors of a system satisfy some desired specification. It plays a key role in safety-critical cyber-physical systems. In this work, we propose a new model-based approach for online monitoring for specifications described by Signal Temporal Logic (STL) formulae. Specifically, we assume that the observed state traces are generated by an underlying dynamic system whose model is known. The main idea is to consider the dynamic of the system when evaluating the satisfaction of the STL formulae. To this end, effective approaches for the computation of feasible sets for STL formulae are provided. We show that, by explicitly utilizing the model information of the dynamic system, the proposed online monitoring algorithm can falsify or certify of the specification in advance compared with existing algorithms, where no model information is used. We also demonstrate the proposed monitoring algorithm by case studies.

Systems and Control

Xinyi Yu,Weijie Dong,Xiang Yin,Shaoyuan Li

2023-11-09

Abstract:Online monitoring aims to evaluate or to predict, at runtime, whether or not the behaviors of a system satisfy some desired specification. It plays a key role in safety-critical cyber-physical systems. In this work, we propose a new monitoring approach, called model predictive monitoring, for specifications described by Signal Temporal Logic (STL) formulae. Specifically, we assume that the observed state traces are generated by an underlying dynamical system whose model is known but the control law is unknown. The main idea is to use the dynamic of the system to predict future states when evaluating the satisfaction of the STL formulae. To this end, effective approaches for the computation of feasible sets of STL formulae are provided. We show that, by explicitly utilizing the model information of the dynamical system, the proposed online monitoring algorithm can falsify or certify of the specification in advance compared with existing algorithms, where no model information is used. We also demonstrate the proposed monitoring algorithm by several real world case studies.

Systems and Control,Formal Languages and Automata Theory

Andreas Bauer,Jan-Christoph Küster,Gil Vegliach

DOI: https://doi.org/10.48550/arXiv.1303.3645

2013-03-15

Abstract:The main purpose of this paper is to introduce a first-order temporal logic, LTLFO, and a corresponding monitor construction based on a new type of automaton, called spawning automaton. Specifically, we show that monitoring a specification in LTLFO boils down to an undecidable decision problem. The proof of this result revolves around specific ideas on what we consider a "proper" monitor. As these ideas are general, we outline them first in the setting of standard LTL, before lifting them to the setting of first-order logic and LTLFO. Although due to the above result one cannot hope to obtain a complete monitor for LTLFO, we prove the soundness of our automata-based construction and give experimental results from an implementation. These seem to substantiate our hypothesis that the automata-based construction leads to efficient runtime monitors whose size does not grow with increasing trace lengths (as is often observed in similar approaches). However, we also discuss formulae for which growth is unavoidable, irrespective of the chosen monitoring approach.

Logic in Computer Science,Formal Languages and Automata Theory

Felix Klaedtke

2024-04-24

Abstract:This paper presents the monitoring tool POLIMON for checking system behavior at runtime against specifications expressed as formulas in the real-time logic MTL or its extension with the freeze quantifier. The tool's distinguishing feature is that POLIMON can receive messages describing the system events out of order. Furthermore, since POLIMON processes received messages immediately, it outputs verdicts promptly when a message's described system event leads to a violation of the specification. This makes the tool well suited, e.g., for verifying the behavior of distributed systems with unreliable channels at runtime.

Logic in Computer Science

Giorgio Audrito,Volker Stolz,Gianluca Torta

DOI: https://doi.org/10.48550/arXiv.2209.00538

2022-09-01

Software Engineering

Abstract:The distributed monitoring of swarms of devices cooperating to common global goals is becoming increasingly important, as such systems are employed for critical applications, e.g., in search and rescue missions during emergencies. In this paper, we target the distributed run-time verification of global properties of a swarm expressed as logical formulas in a temporal logic. In particular, for the implementation of decentralized monitors, we adopt the Field Calculus (FC) language, and exploit the results of previous works which have shown the possibility of automatically translating temporal logic formulas into FC programs. The main limitation of such works lies in the fact that the formulas are expressed in the past-CTL logic, which only features past modalities, and is therefore ineffective in predicting properties about the future evolution of a system. In this paper, we inject some limited prediction capability into the past-CTL logic by providing an extended semantics on a multi-valued logic, then assessing how this affects the automated translation into field calculus monitors.

Raven Beutner,Bernd Finkbeiner,Hadar Frenkel,Niklas Metzger

2024-04-15

Abstract:Hyperproperties express the relationship between multiple executions of a system. This is needed in many AI-related fields, such as knowledge representation and planning, to capture system properties related to knowledge, information flow, and privacy. In this paper, we study the monitoring of complex hyperproperties at runtime. Previous work in this area has either focused on the simpler problem of monitoring trace properties (which are sets of traces, while hyperproperties are sets of sets of traces) or on monitoring first-order hyperproperties, which are expressible in temporal logics with first-order quantification over traces, such as HyperLTL. We present the first monitoring algorithm for the much more expressive class of second-order hyperproperties. Second-order hyperproperties include system properties like common knowledge, which cannot be expressed in first-order logics like HyperLTL.

Logic in Computer Science,Artificial Intelligence,Multiagent Systems

Thomas A. Henzinger,N. Ege Saraç,N. Ege Sarac

DOI: https://doi.org/10.1109/lics52264.2021.9470547

2021-06-29

Abstract:In runtime verification, a monitor watches a trace of a system and, if possible, decides after observing each finite prefix whether or not the unknown infinite trace satisfies a given specification. We generalize the theory of runtime verification to monitors that attempt to estimate numerical values of quantitative trace properties (instead of attempting to conclude boolean values of trace specifications), such as maximal or average response time along a trace. Quantitative monitors are approximate: with every finite prefix, they can improve their estimate of the infinite trace's unknown property value. Consequently, quantitative monitors can be compared with regard to a precision-cost trade-off: better approximations of the property value require more monitor resources, such as states (in the case of finite-state monitors) or registers, and additional resources yield better approximations. We introduce a formal framework for quantitative and approximate monitoring, show how it conservatively generalizes the classical boolean setting for monitoring, and give several precision-cost trade-offs for monitors. For example, we prove that there are quantitative properties for which every additional register improves monitoring precision.

Martin Fränzle,Thomas M. Grosen,Kim G. Larsen,Martin Zimmermann

2024-09-10

Abstract:Timed Büchi automata provide a very expressive formalism for expressing requirements of real-time systems. Online monitoring of embedded real-time systems can then be achieved by symbolic execution of such automata on the trace observed from the system. This direct construction however only is faithful if observation of the trace is immediate in the sense that the monitor can assign exact time stamps to the actions it observes, which is rarely true in practice due to the substantial and fluctuating parametric delays introduced by the circuitry connecting the observed system to its monitoring device. We present a purely zone-based online monitoring algorithm, which handles such parametric delays exactly without recurrence to costly verification procedures for parametric timed automata. We have implemented our monitoring algorithm on top of the real-time model checking tool UPPAAL, and report on encouraging initial results.

Formal Languages and Automata Theory

Daniela Lepri,Peter Csaba Ölveczky,Erika Ábrahám

DOI: https://doi.org/10.4204/EPTCS.36.7

2010-09-22

Abstract:This paper presents a transformational approach for model checking two important classes of metric temporal logic (MTL) properties, namely, bounded response and minimum separation, for nonhierarchical object-oriented Real-Time Maude specifications. We prove the correctness of our model checking algorithms, which terminate under reasonable non-Zeno-ness assumptions when the reachable state space is finite. These new model checking features have been integrated into Real-Time Maude, and are used to analyze a network of medical devices and a 4-way traffic intersection system.

Logic in Computer Science

Feng Chen,Grigore Roşu

DOI: https://doi.org/10.1016/s1571-0661(04)81045-4

2003-01-01

Electronic Notes in Theoretical Computer Science

Abstract:With the explosion of software size, checking conformance of implementation to specification becomes an increasingly important but also hard problem. Current practice based on ad-hoc testing does not provide correctness guarantees, while highly confident traditional formal methods like model checking and theorem proving are still too expensive to become common practice. In this paper we present a paradigm for combining formal specification with implementation, called monitoring-oriented programming (MoP), providing a light-weighted formal method to check conformance of implementation to specification at runtime. System requirements are expressed using formal specifications given as annotations inserted at various user selected places in programs. Efficient monitoring code using the same target language as the implementation is then automatically generated during a pre-compilation stage. The generated code has the same effect as a logical checking of requirements and can be used in any context, in particular to trigger user defined actions, when requirements are violated. Our proposal is language- and logic- independent, and we argue that it smoothly integrates other interesting system development paradigms, such as design by contract and aspect oriented programming. A prototype has been implemented for Java, which currently supports requirements expressed using past time and future time linear temporal logics, as well as extended regular expressions.

Zhenya Zhang,Jie An,Paolo Arcaini,Ichiro Hasuo

2023-05-28

Abstract:Online monitoring is an effective validation approach for hybrid systems, that, at runtime, checks whether the (partial) signals of a system satisfy a specification in, e.g., Signal Temporal Logic (STL). The classic STL monitoring is performed by computing a robustness interval that specifies, at each instant, how far the monitored signals are from violating and satisfying the specification. However, since a robustness interval monotonically shrinks during monitoring, classic online monitors may fail in reporting new violations or in precisely describing the system evolution at the current instant. In this paper, we tackle these issues by considering the causation of violation or satisfaction, instead of directly using the robustness. We first introduce a Boolean causation monitor that decides whether each instant is relevant to the violation or satisfaction of the specification. We then extend this monitor to a quantitative causation monitor that tells how far an instant is from being relevant to the violation or satisfaction. We further show that classic monitors can be derived from our proposed ones. Experimental results show that the two proposed monitors are able to provide more detailed information about system evolution, without requiring a significantly higher monitoring cost.

Systems and Control,Formal Languages and Automata Theory,Logic in Computer Science

Hao Shi,Wei Dong,Ge Zhou,Liangze Yin

DOI: https://doi.org/10.1109/QRS-C.2017.66

2017-01-01

Abstract:With the increasingly application of discrete control software in automatic control field, the security and reliability of its behavior becomes even more essential. However, the traditional verification methods are of high complexity and poor flexibility, so the lightweight Runtime Verification becomes an alternative. In this paper, aiming at real-time properties in discrete control software, an improved runtime verification framework is pro-posed. According to characteristics of real-time properties, we introduce DT-MTL in specifications to describe these properties, and two algorithms of monitor's generation are proposed. Based on the idea of parametric runtime verification, the framework can be used to automate the monitoring of parameterized real-time properties, which are described by DT-MTL. We carried out experiments on the high speed train control system to prove the validity of the framework.

Giles Reger,Helena Cuenca Cruz,David Rydeheard

DOI: https://doi.org/10.1007/978-3-662-46681-0_55

2015-01-01

Abstract:Runtime monitoring is the process of checking whether an execution trace of a running system satisfies a given specification. For this to be effective, monitors which run trace-checking algorithms must be efficient so that they introduce minimal computational overhead. We present the MarQ tool for monitoring properties expressed as Quantified Event Automata. This formalism generalises previous automata-based specification methods. MarQ extends the established parametric trace slicing technique and incorporates existing techniques for indexing and garbage collection as well as a new technique for optimising runtime monitoring: structural specialisations where monitors are generated based on structural characteristics of the monitored property. MarQ recently came top in two tracks in the 1st international Runtime Verification competition, showing that MarQ is one of the most efficient existing monitoring tools for both offline monitoring of trace logs and online monitoring of running systems.

Ramakrishna V. Vishnuvajjala,Satish Subramanian,Wei-Tek Tsai,Lynn Elliott,Ramin Mojdehbakhsh

DOI: https://doi.org/10.1016/s1474-6670(17)44825-7

1995-01-01

IFAC Proceedings Volumes

Abstract:In this paper, techniques for designing run-time monitorS for a class of real-time constraints have been presented. The constraints express relationships between different event occurrence rates over intervals of time and are useful in many safety-aitical applications. Monitor algorithms that focus on reporting any changes with minimum delay, while keeping the monitor overhead also low have been presented The algorithms aim at reporting not only constraint violations, but also check if the corrective actions are working by detecting changes from a violated to a not-violated state.