Learning Mealy Machines with Timers · 2017. 11. 6. · Introduction Mealy machines with timers...

IntroductionMealy machines with timers

Untimed semanticsLearning algorithm

Conclusions and future work

Learning Mealy Machines with Timers

Bengt Jonsson Frits Vaandrager

Uppsala University and Radboud University Nijmegen

IPA Fall Days, Nunspeet, November 2017

Jonsson and Vaandrager Learning Mealy Machines with Timers




Goal active automaton learning





Minimally adequate teacher (Angluin)

Learner Teacher

MQ

input sequences

output sequences

EQ

hypothesis

counterexample





Black box checking (Peled, Vardi & Yannakakis)

TQs

SUL

CT

MQ

EQ

Learner Teacher

Learner: Formulate hypothesesConformance Tester (CT): Test correctness hypotheses





LearnLib





Research method

This talk: THEORY (motivated by earlier applications)





Research method

This talk: THEORY

(motivated by earlier applications)





Research method

This talk: THEORY (motivated by earlier applications)





Bugs in protocol implementations

Standard violations found in implementations of major protocols, e.g.,

TCP (CAV’16, FMICS’17), TLS (Usenix Security’15), SSH (Spin’17).

These findings led to several bug fixes in implementations.





Bugs in protocol implementations

Standard violations found in implementations of major protocols, e.g.,

TCP (CAV’16, FMICS’17), TLS (Usenix Security’15), SSH (Spin’17).

These findings led to several bug fixes in implementations.Jonsson and Vaandrager Learning Mealy Machines with Timers




Learned model for SSH implementation





SSH model checking results





For background and applications see CACM review article





Motivation for work presented today

Timing behavior plays a crucial role in applications of modellearning, but existing algorithms and tools cannot handle it.There is some work on algorithms for learning timed systems:

Grinchtein, Jonsson & Leucker.Learning of event-recording automata. TCS, 2010.

Mens & Maler.Learning Regular Languages over Large Ordered Alphabets.LMCS, 2015.

Caldwel, Cardell-Oliver & French.Learning time delay Mealy machines. IEEE TASE, 2016.

but this is not so practical because of high complexity and/orlimited expressivity.





Timing Behavior in Network Protocols

Sender alternating-bit protocol, adapted from Kurose & Ross,Computer Networking:

q0start q1

q2q3

in/send0start timer(3sec)

ack0/voidstop timer

timeout/send0start timer(3sec)

in/send1start timer(3sec)

ack1/voidstop timer

timeout/send1start timer(3sec)





Idea

Develop learning algorithm for Mealy machines with timers!!!

Occurrence of timing dependent behavior fully determined byprevious behavior





MMTs

Assume an unbounded set X of timers x , x1, x2, etc. For a set I ,write I = I ∪ {to[x ] | x ∈ X}.

Definition

A Mealy machine with timers (MMT) is a tupleM = (I ,O,Q, q0,X , δ, λ, π), where

I and O are finite sets of input and output events

Q is a finite set of states with q0 ∈ Q the initial state

X : Q → Pfin(X ), with X (q0) = ∅δ : Q × I ↪→ Q is a transition function,

λ : Q × I ↪→ O is an output function,

π : Q × I ↪→ (X ↪→ N>0) is a timer update function

(satisfying some natural conditions)





Operations on timers

Write qi/o,ρ−−−→ q′ if δ(q, i) = q′, λ(q, i) = o and π(q, i) = ρ.

Basically, four things can happen:

1 If x ∈ X (q) \ X (q′) then input i stops timer x .

2 If x ∈ X (q′) \ X (q) then i starts timer x with value ρ(x).

3 If x ∈ X (q) ∩ dom(ρ) then i restarts timer x with value ρ(x).

4 Finally, if x ∈ X (q′) \ dom(ρ) then timer x is unaffected by i .





Timed Semantics (1)

A configuration of an MMT is a pair (q, κ) of a state q and avaluation κ : X (q)→ R≥0 of its timers. When time advances, alltimers decrease at the same rate; a timeout occurs when value ofsome timer becomes 0.

A timed run of an MMT is a sequence

(q0, κ0)d1−→ (q0, κ

′0)

i1/o1−−−→ (q1, κ1)d2−→ · · · ik/ok−−−→ (qk , κk )

of configurations, nonzero delays, and discrete transitions.





Timed Semantics (2)

A timed word describes an observation we can make on an MMT:

w = d1 i1 o1 d2 i2 o2 · · · dk ik ok ,

where dj ∈ R>0, ij ∈ I ∪ {to}, and oj ∈ O.

To each timed run α we associate a timed word tw(α) byforgetting the configurations and names of timers in timeouts.

Definition

MMTs M and N are timed equivalent, denoted M≈timed N , iffthey have the same timed words.





“Uncontrollable” Nondeterminism

q0start

q1 q3q2

i/o, x := 1, y := 1

to[x]/o′

to[y ]/o′′

Accepts timed words 1 i o 1 to o ′ and 1 i o 1 to o ′′.

⇒ We assume at most one timer can be updated per transition.





“Controllable” Nondeterminism

q0start q1 q2i/o, x := 2 i/o, y := 1

to[x]/o, x := 2 to[x]/o′, x := 1

to[y ]/o′′, y := 1

Accepts timed words 7 i o 1 i o 1 to o ′ and 7 i o 1 i o 1 to o ′′.

⇒ During learning we will simply avoid these race conditions.





A timed MAT framework

A timed input word is a sequence u = d1 i1 · · · dk ik dk+1, with dj ∈ R>0

and ij ∈ I , for j ≤ k , and dk+1 ∈ R≥0. A timed (input) word is

transparent if inputs occur at different fractional times.

LearnerTeacher

(knows M)

MQ

transparent timed input word u

maximal timed word w of M consistent with u

EQ

hypothesis H

yes or no+transparent counterexample w

Main contribution: algorithm allowing learner to construct MMTN that is timed equivalent to M (under mild restrictions).





Plan of attack

Untimed MMT learner

LearnLib Adapter

MQ

EQ

1. Define untimed semantics

2. Prove equivalence with timed semantics

3. Define untimed MAT framework

4. Build untimed learner with LearnLib

5. Build untimed teacher with timed teacher

Untimed MMT teacher

AdapterTimed

Teacher

MQ

EQ

MQ

EQ

Oracle

Lookahead





Timed and Untimed Runs and Behaviors

(q0, κ0)d1−→ (q0, κ

′0)

i1/o1−−−→ (q1, κ1) · · · (qk−1, κ′k−1)

ik/ok−−−→ (qk , κk)

q0i1/o1,ρ1−−−−−→ q1 · · · qk−1

ik/ok ,ρk−−−−−→ qk κ0d1−→ κ′0

i1/o1,ρ1−−−−−→ κ1 · · ·κ′k−1

ik/ok ,ρk−−−−−→ κk

X0i1/o1,ρ1−−−−−→ X1 · · ·Xk−1

ik/ok ,ρk−−−−−→ Xk

untime beh

untimebeh





Timed and Untimed Runs and Behaviors

Diagram commutes and has a pullback:

timedruns ofM

untimedruns ofM

timedbehaviors

untimedbehaviors

timedwords

untime

beh

tw

beh

untime

tw

CAN WE DEFINESEMANTICS MMTsIN TERMS OFUNTIMEDBEHAVIORS??





Feasibility

Definition

An untimed behavior

β = X0i1/o1,ρ1−−−−→ X1

i2/o2,ρ2−−−−→ X2 · · ·ik/ok ,ρk−−−−−→ Xk

is feasible if there is a timed behavior σ such that untime(σ) = β.

Example of untimed behavior that is not feasible:

∅ i1/o1,x :=1−−−−−−→ {x} i2/o2,y :=100−−−−−−−→ {x , y} to[y ]/o3−−−−−→ ∅





Isomorphism

An isomorphism between untimed behaviors β and β′ is aconsistent renaming of timers:

∅ i1/o1,x :=2−−−−−−→ {x} i2/o2,y :=1−−−−−−→ {x , y} to[y ]/o3,y :=100−−−−−−−−−→ {x , y}

∅ i1/o1,x1:=2−−−−−−→ {x1}i2/o2,x2:=1−−−−−−→ {x1, x2}

to[x2]/o3,x3:=100−−−−−−−−−−→ {x1, x3}

An untimed behavior is in canonical form if, for each j , the timerthat is updated in the j-th event (if any) is equal to xj .Each untimed behavior is isomorphic to a unique untimed behaviorin canonical form.





Untimed semantics

Definition

MMTs M and N are untimed equivalent, M≈untimed N , iff theirsets of feasible untimed behaviors are isomorphic.

Theorem

M≈untimed N implies M≈timed N .

Converse implication does not hold in general.





Ghost timers

q0start q1 q2 q3

q4

i/o, x := 1 i/o, y := 60 to[x]/o′′

to[x]/o′





Equivalence of Timed and Untimed Semantics

Theorem

Suppose that M and N are MMTs without ghost timers in whichat most one timer is started on each transition.Then M≈timed N implies M≈untimed N .

Main proof technique: wiggling of timed behaviors to ensure thatfractional starting times of different inputs are different.





An untimed MAT framework

An untimed input word is a sequence u = i1 · · · ik over I such thatij = to[xl ] implies l < j , and each timer expires at most once.

Learner Teacher

MQs

untimed input word u

canonical feasible behavior β consistent with u, or ⊥

EQ

hypothesis H

yes or no+canonical counterexample β





Nerode congruence

Definition

Let S be a set of feasible untimed behaviors. Behaviors β, β′ ∈ Sare equivalent, notation β ≡S β

′, iff for any untimed behavior γ,β · γ ∈ S ⇔ β′ · γ ∈ S .





Myhill-Nerode theorem

Theorem

Let S be a set of feasible untimed behaviors over finite sets ofinputs I and outputs O. Then S is the set of feasible untimedbehaviors of an MMT M iff

1 S is nonempty,

2 all behaviors in S start with the empty set of timers,

3 the set of timers that occur in S is finite,

4 S is prefix closed,

5 S is behavior deterministic,

6 S is input complete,

7 S is timeout complete, and

8 ≡S has only finitely many equivalence classes (finite index).





Building untimed MMT learner with Mealy machine learner

Untimed MMT learner

LearnLib Adapter

MQ

EQ

We assume learner knows bound n on the number of timers thatcan be active in a state. Adapter uses function uncan to translatecanonical behaviors to behaviors involving at most n clocks.





Building an untimed MMT teacher with a timed teacher

Untimed MMT teacher

AdapterTimed

Teacher

MQ

EQ

Oracle

Lookahead

no or yes+timeout value untimed input word u + index j





Query complexity

Number of queries polynomial in size canonical MMT N producedby Myhill-Nerode construction.

This MMT may be exponentially bigger (in the number of clocks)than original MMT M of the teacher (cf register automata).

For MMTs with single timer, learning is easy: all untimedbehaviors are feasible, lookahead oracle is trivial if we assumelearner knows bound on maximal timer value (just wait), andcomplexity is the same as for Mealy machine with the same size.





Conclusions

Our work consitutes a major step towards a practical approach foractive learning of timed systems.

Just like timed automata paved the way to extend model checkingto a timed setting, we expect that MMTs will make it possible tolift model learning to a timed setting.





Future Work

1 Implement equivalence oracle

2 Implement lookahead oracle (inspired by Tomte tool)

3 Handle non transparent counterexamples

4 Deal with timing uncertainty in real applications

5 Implement our algorithm and apply to practical case studies

6 Many theoretical questions left!


Learning Mealy Machines with Timers · 2017. 11. 6. · Introduction Mealy machines with timers...

Documents

Transcript of Learning Mealy Machines with Timers · 2017. 11. 6. · Introduction Mealy machines with timers...