Approximate LTL model checking
Weijun ZHU*, Jianwei WANG and Yongwen FAN
School of Information Engineering, Zhengzhou University, Zhengzhou, 450001, China
* E-mail: [email protected]
February 19, 2019
Abstract
Linear Temporal Logic (LTL) Model Checking (MC) has been applied in many fields. However, the state explosion problem and the exponential computational complexity restrict its further application. Many approaches have been proposed to address these problems, and they work well. However, the essential issue remains unsolved because of the inherent complexity of the problem. As a result, the running time of the existing LTL model checking algorithms becomes unacceptable if an LTL formula is too long. To this end, this study seeks an acceptable approximate solution for LTL model checking by introducing the Machine Learning (ML) technique: a method for predicting the results of LTL model checking via the Boosted Tree (BT) algorithm is proposed in this paper. First, for a number of Kripke structures and LTL formulas, a data set A containing their model checking results is obtained using an existing LTL model checking algorithm. Second, the LTL model checking problem is reduced to a binary classification problem of machine learning. In other words, some records in A form a training set for the BT algorithm, from which a ML model M is obtained to predict the results of LTL model checking. As a result, an approximate LTL model checking technique is obtained. The experiments show that the new method has a predictive accuracy of 98.0%, and its average efficiency is 9.4 million times higher than that of a representative model checking method, when the length of each LTL formula is 500. These results indicate that the new method can quickly and accurately determine the result of LTL model checking for a given Kripke structure and a given long LTL formula, since it avoids the well-known state explosion problem.
Model checking was presented by Turing Award winner Prof. Clarke et al [1]. It is a key technique which can automatically verify whether a computing system satisfies a given property. Up to now, model checking has been applied to many fields, such as CPU design [2], security protocols [3] and malware detection [4], and this technique has been used by some leading IT companies, including Intel and IBM [5].

The basic principle of model checking can be depicted as follows: (1) a finite automaton or a Kripke structure is employed to construct a model of the system, while a formula of a temporal logic is employed to describe a property which should be satisfied by this system; (2) a model checking algorithm decides whether the automaton or the Kripke structure satisfies the formula or not; (3) the result of model checking is “true” if the automaton or the Kripke structure satisfies the formula; (4) otherwise, the result of model checking is “false”. In model checking, linear temporal logic (LTL) [6], which was introduced to computer science by Turing Award winner Prof. Pnueli, and computational tree logic (CTL) [7][8], which was proposed by Turing Award winner Prof. Clarke, are the two popular temporal logics. These two logics have been used widely in the international IT industry.

The state explosion problem has always been one of the major bottlenecks of LTL model checking. To address this problem, many methods, including symbolic representation, partial order reduction, equivalence, compositional reasoning, abstraction and symmetry [1], have been proposed to reduce the huge state space which is caused by the model checking algorithms. These methods work well; in a notable case, a huge number of states were verified automatically by a symbolic model checker [9]. However, the huge state space still restricts the further application of model checking. The game of Go is a famous example.
If the model checking technique were employed for Go, the huge state space would prevent any method from exhaustively searching all strategies of the two players.

Unfortunately, the state explosion problem inherently originates from the very nature of model checking, LTL model checking in particular. Thus, no solution within the framework of hard computing exists. It is well known that soft computing has the following properties: uncertainty, inaccuracy, incomplete truth values, low cost and robustness. Is there a better solution in soft computing? This is an open issue, and it motivates the study conducted in this paper.

The basic principle of LTL model checking can be depicted as follows [1]: (1) the negation of an LTL formula is converted to a Kripke structure; (2) this Kripke structure is intersected with another Kripke structure expressing the model of the system; (3) the algorithm decides that the system's Kripke structure satisfies the LTL formula if the intersection is empty; (4) otherwise, the system's Kripke structure does not satisfy the LTL formula.

NuSMV is developed by Carnegie Mellon University, the University of Genova, the University of Trento and FBK-IRST [10]. It is a free tool for symbolic CTL model checking and symbolic LTL model checking. See Ref. [10] for more details on NuSMV. In addition, NuXMV extends NuSMV, and it features a strong verification engine based on state-of-the-art SAT-based algorithms.
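The intersection-and-emptiness recipe above can be sketched in code. The following is only a simplified illustration, not the algorithm used by NuSMV: it uses finite-word acceptance (reaching an accepting product state) instead of the Büchi accepting-cycle test that full LTL model checking requires, and all names in it are our own.

```python
from collections import deque

def intersection_empty(sys_succ, sys_label, sys_init,
                       prop_trans, prop_init, prop_accept):
    """Decide emptiness of the product of a system Kripke structure and a
    property automaton built from the *negated* formula.

    sys_succ:   state -> iterable of successor states
    sys_label:  state -> set of atomic propositions true in that state
    prop_trans: q -> list of (guard, q') pairs, where guard(labels) -> bool
    Simplification: finite-word acceptance (reach an accepting product
    state) instead of the Buechi accepting-cycle test of real LTL checkers.
    """
    start = {(s, q) for s in sys_init for q in prop_init}
    seen, queue = set(start), deque(start)
    while queue:
        s, q = queue.popleft()
        if q in prop_accept:
            return False          # a joint behaviour exists: f is violated
        for s2 in sys_succ[s]:
            for guard, q2 in prop_trans[q]:
                if guard(sys_label[s2]) and (s2, q2) not in seen:
                    seen.add((s2, q2))
                    queue.append((s2, q2))
    return True                   # empty intersection: the system satisfies f
```

For instance, with a property automaton accepting “eventually p” (the negation of “never p”), a system in which p never holds yields an empty product, i.e., that system satisfies “never p”.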
A core goal of Machine Learning (ML) is to classify data. Many methods are applied to classification, such as support vector machines, random forests, decision trees, BT and deep learning. As a class of popular ML algorithms, BT has the following advantages: good effectiveness, insensitivity to input and low computational complexity. Thus, BT has been applied to many fields, such as text segmentation [11], face detection [12], hand pose recognition [13], multi-view multi-pose object detection [14] and emotion recognition [15]. In this paper, we use a kind of BT algorithm called Gradient Boosted Regression Trees (GBRT) [16] to conduct our study.

As one of the most effective ML algorithms, GBRT has a strong generalization ability. GBRT generates multiple decision trees, and the results of all the trees are accumulated to form the final answer. The core of this algorithm is that each tree learns from the residuals of all previous trees. GBRT can be employed to deal with not only regression problems but also binary classification problems. For the latter, a threshold is set: a logical 1 is output if the value of the regression computation is greater than the threshold, and a logical 0 otherwise.

The advantages of GBRT are [17]: (1) a strong ability to handle mixed types of data; (2) strong predictive power; (3) strong robustness against outliers. The disadvantage of GBRT is that parallel processing cannot be performed [17].

Graph Lab is an open-source ML package [18], which was developed by Carnegie Mellon University. This tool integrates a variety of ML algorithms including GBRT, which greatly simplifies the training process of a model and facilitates users' operation and implementation of specific ML algorithms.
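The thresholding trick for turning GBRT regression into binary classification can be illustrated with scikit-learn's GradientBoostingRegressor. Our experiments use Graph Lab; this snippet is only a minimal sketch of the same idea on synthetic data.

```python
import numpy as np
from sklearn.ensemble import GradientBoostingRegressor

# Synthetic data: 0/1 labels determined by a simple linear boundary.
rng = np.random.default_rng(0)
X = rng.random((200, 5))
y = (X[:, 0] + X[:, 1] > 1.0).astype(int)

# Fit the boosted trees on the 0/1 targets as a regression problem ...
reg = GradientBoostingRegressor(n_estimators=100, random_state=0).fit(X, y)

# ... then threshold the continuous scores to recover a binary decision.
scores = reg.predict(X)
labels = (scores > 0.5).astype(int)
```

Each tree in the ensemble fits the residuals of the trees before it, so the summed scores concentrate near 0 and 1, and the 0.5 threshold separates the two classes.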
We consider the following specific problem introduced in Section 1: given a pair of a systematic model K and an LTL formula f, how can one determine whether K satisfies f using a ML approach?

The principle of our method is shown in Figure 1. The core is to train, with the BT algorithm, on a number of records containing information on systematic models, LTL formulas and their model checking results. Thus, a ML model called M which has predictive ability is obtained. Then, a given pair of K and f is input into the model M, and the output of M is the predicted result indicating whether K satisfies f or not.

Figure 1: given one pair of model and formula, the new method can determine/predict whether this model satisfies this formula or not. (a) For a given pair of a Kripke structure K and an LTL formula f, determine whether K satisfies f or not. (b) The model M can predict the model checking results for further pairs of K and f, since M is obtained by training on m groups of K, f and their model checking result r.

The steps of the process can be described as follows. (1) As shown in Figure 1(a), one can run an LTL model checking algorithm and obtain a result of model checking for a given pair of K and f. On this basis, he or she can perform a binary classification: the result of the classification is 1 if the result of model checking is true, and 0 otherwise. (2) Step (1) is repeated m times, and a training set containing m records is obtained. See the left part of Figure 1(b). (3) Train using the BT algorithm with the training set obtained in step (2), and the ML model M is obtained. See the middle part of Figure 1(b). (4) Another pair of K and f, whose model checking result is to be predicted, is input to the trained model M. Whether K satisfies f or not can then be predicted by M.
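The steps above can be sketched end to end. The feature encoding shown here (fixed-width character codes over the K string and the formula string) and the helper names are hypothetical stand-ins of our own, and the records are synthetic; the sketch only illustrates the train-then-predict loop.

```python
import numpy as np
from sklearn.ensemble import GradientBoostingRegressor

def featurize(k_string, formula, width=64):
    """Hypothetical encoding: concatenate the K string and the formula,
    pad/truncate to a fixed width, and use character codes as features."""
    text = (k_string + "|" + formula)[:width].ljust(width)
    return [ord(c) for c in text]

# Records (K, f, r) as produced by steps (1)-(2); synthetic toy data here.
records = [("00010", "G p", 1), ("00010", "F q", 0)] * 50
X = np.array([featurize(k, f) for k, f, _ in records])
y = np.array([r for _, _, r in records])

# Step (3): train the boosted-tree model M on the records.
model = GradientBoostingRegressor(n_estimators=50, random_state=0).fit(X, y)

def predict(k_string, formula):
    """Step (4): threshold the regression score at 0.5 to get a 0/1 verdict."""
    score = model.predict(np.array([featurize(k_string, formula)]))[0]
    return int(score >= 0.5)
```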
We will explore the ability and the efficiency of the new method based on ML. Specifically, can the new method improve the efficiency significantly under the premise that it approaches the popular LTL model checking approach in terms of power?

Figure 2: an example of a Kripke structure K.

Figure 3: an example of MC; K satisfies the LTL formula f, where the length of f is 25.

The experimental environment is as follows. (1) CPU: Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz. (2) RAM: 8.0 GB. (3) OS: Windows 10. (4) NuSMV and NuXMV: for performing LTL model checking. (5) Graph Lab: for implementing the BT algorithm.

The experimental steps are as follows.

(1) 25 LTL formulas f are generated randomly, where the length of each formula equals 25. In addition, 25 Kripke structures K are generated randomly. Thus, 25 * 25 = 625 groups of sub-experiments on NuSMV are conducted one by one to determine whether or not the 25 Kripke structures satisfy the 25 LTL formulas, respectively. In fact, for simplicity, we only select 400 of the 625 groups when the length of each formula is 500, as well as 405 of the 625 groups when the length of each formula is 25.

(2) We program on NuSMV for each pair of K and f one by one, and run our program so that the result of model checking is obtained.

(3) The 405 groups of sub-experiments for model checking produce 405 records, where K and f are filled in the first and second fields of a record, respectively, while the model checking result r is filled in the third field. The value of the third field, i.e., r, is 1 if the result of model checking between K and f is true; otherwise, r is 0. As a result, a data set containing 405 records is obtained, and this is the original data set for our Graph Lab experiments.

Figure 4: another example of MC; K does not satisfy the LTL formula f, where the length of f is 25.

(4) A part of the 405 records takes part in our training process on Graph Lab with the BT algorithm. These records form a training set, and the other records form a test set. How many records are there in the training set? It depends on the values of some parameters. In fact, we only need to adjust the two parameters presented in Table 1.

(5) We can obtain a ML model M according to step (4), and we get the predictive result in terms of model checking if we input the values of the first and second fields of a record of the test set to M.

(6) We can compare the predictive result from step (5) with the value of the third field, i.e., r. On this basis, we can determine whether the prediction is accurate or not. Furthermore, the average accuracy of prediction can be computed.
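The random generation in step (1) can be sketched as follows. The paper does not give its formula grammar, so the operator set, probabilities and recursive scheme below are one plausible guess of our own.

```python
import random

OPS1 = ["!", "X", "F", "G"]   # unary LTL operators
OPS2 = ["&", "|", "U"]        # binary LTL operators
PROPS = ["p", "q", "r"]       # atomic propositions used in the experiments

def random_ltl(length, rng=None):
    """Grow a random LTL formula with roughly `length` symbols.
    Hypothetical generator: the paper's actual grammar is unspecified."""
    rng = rng or random.Random(42)
    if length <= 1:
        return rng.choice(PROPS)
    if length == 2 or rng.random() < 0.4:
        return f"{rng.choice(OPS1)} ({random_ltl(length - 1, rng)})"
    left = rng.randint(1, length - 2)
    return (f"({random_ltl(left, rng)}) {rng.choice(OPS2)} "
            f"({random_ltl(length - 1 - left, rng)})")
```

Calling `random_ltl(25)` or `random_ltl(500)` yields well-parenthesized formulas of roughly the two lengths used in the experiments.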
In this way, we can analyze the power of the new approach.

(7) We can obtain and compute the average running time for model checking one pair of K and f on NuSMV, as well as for predicting one pair of K and f on Graph Lab, using the timing functions of these two experimental tools. On this basis, we can compare the efficiency of the two methods. From step (1) to step (7), 405 groups of sub-experiments on NuSMV and Graph Lab are conducted to study model checking of short LTL formulas.

(8) Some LTL formulas f are generated randomly, where the length of each formula equals 500. In a similar way to the above procedure, i.e., from step (1) to step (7), we can perform another 400 groups of sub-experiments on NuSMV and Graph Lab to study model checking of long LTL formulas.

Table 1: Graph Lab experiments where the length of each formula is 25: the parameter values that produce the results of Figure 5(a).

  Name of parameter | Meaning of parameter | Value of parameter
  seed      | Seed for the random number generator used to split the data set | 1988
  fraction  | The proportion of the records of the training set in the total records of the data set | 0.83

(9) In a similar way, NuXMV can replace NuSMV to conduct further experiments.

Example 1. Figure 2 illustrates an example of a Kripke structure K. K has five states and eight transitions. None of the three atomic propositions p, q, r is satisfied in state S0, while only the atomic proposition q is satisfied in state S1, and so on. State S0 can transition to state S1, and state S1 can transition to state S0 or state S2, and so on. K can be represented by the string 0000100100101110110122124303243. In this string, the first 15 bits describe whether the three atomic propositions are satisfied in each of the five states, while the remaining digits represent the serial numbers of the source state and the target state of each of the eight transitions.

As for K = “0000100100101110110122124303243” and f = “! X ((! F ((! p & q | r ) U ( p | !
q | r ))) U ( F ( p & q &! r )))”, the result of NuSMV model checking, i.e., “true (yes)”, is illustrated in Figure 3, which indicates that K satisfies f. Therefore, the three fields K, f, r of this record are “0000100100101110110122124303243”, “! X ((! F ((! p & q | r ) U ( p | ! q | r ))) U ( F ( p & q &! r )))” and “1”, respectively. Moreover, NuSMV model checking takes 0.018 seconds this time, as shown in Figure 3.

As for K = “0000100100101110110122124303243” and f = “X !(( F ( G !(! p | ! q & r ))) U (( p & q | r ) U (! p | q & r )))”, the result of NuSMV model checking, i.e., “false (no)”, is illustrated in Figure 4, which indicates that K does not satisfy f. Therefore, the three fields K, f, r of this record are “0000100100101110110122124303243”, “X !(( F ( G !(! p | ! q & r ))) U (( p & q | r ) U (! p | q & r )))” and “0”, respectively. Moreover, NuSMV model checking takes 0.017 seconds this time, as shown in Figure 4. Example 1 is over.

Example 1 gives a sample of the two groups of NuSMV model checking experiments, and the two records in the target database are obtained. It should be noted that the database mentioned above is a target database which is the outcome of our model checking experiments, and this database provides the raw data for our ML experiments. A data set A containing 405 records is obtained by repeating the procedure of Example 1, where the length of each formula is 25 in this data set.

Table 2: Graph Lab experiments where the length of each formula is 500: the parameter values that produce the results of Figure 5(b).

  Name of parameter | Meaning of parameter | Value of parameter
  seed      | Seed for the random number generator used to split the data set | 926
  fraction  | The proportion of the records of the training set in the total records of the data set | 0.87
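The flat string encoding of K in Example 1 can be unpacked mechanically. A small sketch, with the field layout inferred from the description above (15 label bits for p, q, r over five states, then source/target digits for the eight transitions); the function name is our own.

```python
def decode_kripke(s, n_states=5, n_props=3, n_trans=8):
    """Decode the paper's flat Kripke-structure string: the first
    n_states*n_props bits give the truth values of the atomic propositions
    (p, q, r) in each state; the remaining 2*n_trans digits give the
    source and target state indices of each transition."""
    bits = s[:n_states * n_props]
    rest = s[n_states * n_props:]
    labels = [
        {p for p, b in zip("pqr", bits[i * n_props:(i + 1) * n_props]) if b == "1"}
        for i in range(n_states)
    ]
    transitions = [(int(rest[2 * i]), int(rest[2 * i + 1])) for i in range(n_trans)]
    return labels, transitions

labels, trans = decode_kripke("0000100100101110110122124303243")
```

Decoding the example string recovers exactly the structure described in Example 1: no proposition holds in S0, only q holds in S1, and the transitions include S0 to S1 and S1 to S0 or S2.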
Furthermore, the average running time required for one group of experiments, i.e., model checking for one pair of formula and Kripke structure, is 0.015 seconds if the length of each formula is 25.

Similarly, a data set containing 400 records is obtained in the same way, where the length of each formula is 500 in this data set. Furthermore, the average running time required for one group of experiments is 227.28 seconds if the length of each formula is 500.

The 405-record data set of Section 4.4.1 provides the initial data for the Graph Lab experiments of Section 4.4.2, where the length of each formula is 25. The training set consists of a part of the records in this data set, and the number of records in the training set can be modified by adjusting some parameters. A ML model M1 can be obtained by employing this training set with the BT algorithm. The remaining records form a test set. For each record, we put f and K into M1. Comparing the result classified by M1 with r in this record, we can determine whether the predictive result is accurate or not.

Figure 5(a) depicts the optimum result, which can be obtained by adjusting the parameters; the values of the parameters are shown in Table 1. In this experiment, the accuracy of the BT algorithm for predicting the results of LTL model checking is 98.4% and the average time for one prediction is 0.000038 seconds, as shown in Figure 5(a). In comparison, the average time consumed by one of the 405 groups of NuSMV experiments is 0.015 seconds. Thus, the efficiency of the BT algorithm is 0.015/0.000038 ≈ 395 times higher than that of the LTL model checking algorithm, if the length of each formula is 25.

The 400-record data set of Section 4.4.1 provides the initial data for the Graph Lab experiments of Section 4.4.2, where the length of each formula is 500. The training set consists of a part of the records in this data set, and the number of records in the training set can be modified by adjusting some parameters.
A ML model M2 can be obtained by employing this training set with the BT algorithm. The remaining records form a test set. For each record, we put f and K into M2. Comparing the result classified by M2 with r in this record, we can determine whether the predictive result is accurate or not.

Figure 5: the different predictive results under the different lengths of formulas. (a) Experiments on prediction, where the length of each formula is 25. (b) Experiments on prediction, where the length of each formula is 500.

Figure 5(b) depicts the optimum result, which can be obtained by adjusting the parameters; the values of the parameters are shown in Table 2. In this experiment, the accuracy of the BT algorithm for predicting the results of LTL model checking is 98.0% and the average time for one prediction is 0.0000275 seconds, as shown in Figure 5(b). In comparison, the average time consumed by one of the 400 groups of NuSMV experiments is 227.28 seconds. Thus, the efficiency of the BT algorithm is 227.28/0.0000275 ≈ 8264727 times higher than that of the LTL model checking algorithm, if the length of each formula is 500.

Figure 6: power and efficiency of the new method under the different lengths of formulas. (a) Predictive accuracy. (b) Average predictive time for one record.

Table 3: compared with NuSMV, the new method enhances the efficiency.

  Length of formulas, i.e., L | Average running time (t1) of LTL model checking for one pair of Kripke structure and formula | Average predictive time (t2) of the new method based on BT for one record | t2/t1 | t1/t2
  L=25   | 0.015s  | 0.000038s  | 0.25%     | 395
  L=500  | 227.28s | 0.0000275s | 0.000012% | 8264727

According to the above results, we can generate a histogram, as shown in Figure 6.

Now, NuXMV instead of NuSMV is employed in our experiments. Figure 7 gives an example of the result of model checking between the Kripke structure K and an LTL formula f using NuXMV. As shown in the figure, the model checking result is false, and the running time is 180.933 seconds.

In our experiments, the average running time via NuXMV for the 625 groups of model checking is 0.017 seconds if the length of each LTL formula is 25, and the average running time via NuXMV for the 500 groups of model checking is 258.7 seconds if the length of each LTL formula is 500.

Figure 5 gives the running time via the new method.
In other words, the average running time of the NuXMV-based LTL model checking algorithm is 0.017/0.000038 ≈ 447 times as much as that of the new method if the length of each LTL formula is 25, whereas it is 258.7/0.0000275 ≈ 9407273 times as much as that of the new method if the length of each LTL formula is 500.

Table 4: compared with NuXMV, the new method enhances the efficiency.

  Length of formulas, i.e., L | Average running time (t1) of LTL model checking for one pair of Kripke structure and formula | Average predictive time (t2) of the new method based on BT for one record | t2/t1 | t1/t2
  L=25   | 0.017s | 0.000038s  | 0.22%       | 447
  L=500  | 258.7s | 0.0000275s | 0.00001063% | 9407273

Figure 7: an example of model checking; K does not satisfy the LTL formula f, where the length of f is 500.

First, 130 groups of results are “yes” and the other 275 groups of results are “no” for the 405 groups of model checking experiments in which the length of each LTL formula is 25. And 141 groups of results are “yes” and the other 259 groups of results are “no” for the 400 groups of model checking experiments in which the length of each LTL formula is 500. These results provide abundant positive and negative examples, which guarantees the generalization ability of the ML model.

Second, as shown in Figure 6(a), the predictive accuracy of the BT algorithm is 98.4% if the length of each formula is 25, and the predictive accuracy is still 98.0% if the length of each formula is 500. This indicates that the predictions of the new method based on BT, which simulates LTL model checking, are accurate regardless of the length of the LTL formula. LTL model checking is a strongly learnable problem; therefore, the new method based on BT achieves a good learning result.

As shown in Figure 6(b), the average running time of the BT algorithm for predicting one record is less than 0.00005 seconds no matter whether the length of each formula is 25 or 500.
This indicates that the predictions of the new method based on BT, which simulates LTL model checking, are fast regardless of the length of the LTL formula. LTL model checking is a strongly learnable problem, so it can be simulated in polynomial time. By contrast, the average running time of the LTL model checking algorithm is 258.7 seconds, which is more than 9.4 million times as much as that of the new method. The reason is that the LTL model checking algorithm has an exponential complexity, while the new method based on the BT algorithm has a polynomial complexity.

Third, as shown in Table 4, compared with the LTL model checking algorithm, the new method enhances the efficiency 447 times if the length of all formulas is 25, whereas it enhances the efficiency 9.4 million times if the length of all formulas is 500. This phenomenon shows that the longer the formula, the higher the efficiency of the new method, due to the advantage of a polynomial algorithm over an exponential one.

Finally, as shown in Figure 6(a), the accuracy of the new method for predicting the results of LTL model checking is at least 98.0%. This suggests that the cost of using the new method is acceptable compared to its significant benefits: the maximum analysis efficiency is improved by more than 9.4 million times, whereas the analysis accuracy goes down by only 2 percent, if the length of each formula is 500.
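The exponential-versus-polynomial argument can be made concrete with schematic cost models. The exponents and constants below are illustrative only, not measured values.

```python
# Schematic cost models: LTL model checking is exponential in the formula
# length L in the worst case, while evaluating a trained tree ensemble is
# polynomial in the size of its input.
def checker_cost(L):
    return 2 ** L          # illustrative exponential checker cost

def predictor_cost(L):
    return L ** 2          # illustrative polynomial predictor cost

# The speed-up ratio grows rapidly with L, which mirrors the observed
# trend that longer formulas favour the prediction-based method more.
ratios = {L: checker_cost(L) // predictor_cost(L) for L in (10, 25, 50)}
```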
In this paper, the machine learning technique is introduced to predict the results of model checking. On this basis, an approximate model checking method is formed. To the best of our knowledge, this is the first ML-based approximate model checking approach. The core of the existing model checking methods is to explore all the states exhaustively. By contrast, our new method based on the BT algorithm does not search the state space. As a result, the state explosion problem and the exponential complexity are avoided. Furthermore, the new method based on BT complements the existing ones. The new method has an acceptable accuracy of approximate model checking, which declines slightly from that of actual model checking in exchange for a substantial increase in the efficiency of model checking. As a result, the longer the LTL formula, the more obvious the comparative advantage of the new method. This is the benefit of using the new method.

Acknowledgements
This work has been supported by the National Natural Science Foundation ofChina (No.U1204608).
References

[1] Clarke E, et al. Model Checking. Massachusetts: MIT Press, 1999.
[2] Barnat J, Bauch P, Brim L, et al. Designing fast LTL model checking algorithms for many-core GPUs. Journal of Parallel and Distributed Computing, 2012, (9): 1083-1097.
[3] Carbone R. LTL model-checking for security protocols. AI Communications, 2011, (4): 281-283.
[4] Song F, Touili T. Model-Checking for Android Malware Detection. Programming Languages and Systems.
[6] Pnueli A. The temporal logic of programs. Proceedings of the 18th Annual Symposium on Foundations of Computer Science. Washington, USA, 1977: 46-57.
[7] Ben-Ari M, Pnueli A, Manna Z. The temporal logic of branching time. Acta Informatica, 1983, (3): 207-226.
[8] Emerson E, Clarke E. Using branching time temporal logic to synthesize synchronization skeletons. Science of Computer Programming, 1982, (3): 241-266.
[9] Burch J R, Clarke E M, Long D E, et al. Symbolic Model Checking for Sequential Circuit Verification. IEEE Trans. Comput.-Aided Des. Integrated Circuits & Syst., 1994.
[11] Pattern Recognition Letters, 2012, 33(7): 943-950.
[12] Demirkir C, Sankur B. Face detection using boosted tree classifier stages. Proceedings of the IEEE 12th Signal Processing and Communications Applications Conference (SIU 2004), 2004: 575-578.
[13] Parag T, Elgammal A. Unsupervised learning of boosted tree classifier using graph cuts for hand pose recognition. Proceedings of the British Machine Vision Conference (BMVC 2006), 2006: 1259-1268.
[14] Wu B, Nevatia R. Cluster boosted tree classifier for multi-view multi-pose object detection. Proceedings of the IEEE International Conference on Computer Vision, 2007.
[15] Day M. Emotion recognition with boosted tree classifiers. Proceedings of the 2013 ACM International Conference on Multimodal Interaction, 2013: 531-534.
[16] Friedman J H. Greedy function approximation: a gradient boosting machine. Annals of Statistics, 2001, 29: 1189-1232.
[17] http://scikit-learn.org/stable/modules/ensemble.html