Selective monitoring☆
Introduction
Consider an MC (Markov chain) whose transitions are labelled with letters, and a finite automaton that accepts languages of infinite words. Computing the probability that the random word emitted by the MC is accepted by the automaton is a classical problem at the heart of probabilistic verification. A finite prefix may already determine whether the random infinite word is accepted, and computing the probability that such a deciding finite prefix is produced is a nontrivial diagnosability problem. The theoretical problem we study in this paper is how to catch deciding prefixes without observing the whole prefix; i.e., we want to minimize the expected number of observations and still catch all deciding prefixes.
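For the special case of a co-safety property ("the letter b eventually occurs"), the acceptance probability can be computed by solving a linear system over the MC; the general problem instead requires analyzing the bottom strongly connected components of a product of the MC with the automaton. The following sketch, with a made-up three-state chain and exact rational arithmetic, illustrates the special case:

```python
from fractions import Fraction as F

# Toy labelled MC: state -> list of (probability, letter, successor).
# States, letters, and probabilities are made up for illustration.
mc = {
    0: [(F(1, 2), 'a', 0), (F(1, 4), 'b', 1), (F(1, 4), 'c', 2)],
    1: [(F(1, 1), 'b', 1)],
    2: [(F(1, 1), 'c', 2)],
}

# Property: the infinite word is accepted iff 'b' ever occurs.  Then
# p[s] = P(eventually emit 'b' | start in s) satisfies
# p[s] = sum over transitions of prob * (1 if letter == 'b' else p[succ]).

def states_that_cannot_emit_b(mc):
    # Backward fixpoint: states from which no 'b'-transition is reachable.
    can = {s for s, ts in mc.items() if any(l == 'b' for _, l, _ in ts)}
    changed = True
    while changed:
        changed = False
        for s, ts in mc.items():
            if s not in can and any(t in can for _, _, t in ts):
                can.add(s); changed = True
    return set(mc) - can

def acceptance_probabilities(mc):
    zero = states_that_cannot_emit_b(mc)   # these states get probability 0
    unknowns = [s for s in mc if s not in zero]
    idx = {s: i for i, s in enumerate(unknowns)}
    n = len(unknowns)
    # Build the augmented linear system (I - A) x = c, column n is c.
    A = [[F(0)] * (n + 1) for _ in range(n)]
    for s in unknowns:
        i = idx[s]
        A[i][i] += F(1)
        for p, l, t in mc[s]:
            if l == 'b':
                A[i][n] += p          # deciding prefix: accepted from here on
            elif t not in zero:
                A[i][idx[t]] -= p
    # Exact Gaussian elimination with Fractions.
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [v / A[col][col] for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [rv - f * cv for rv, cv in zip(A[r], A[col])]
    probs = {s: F(0) for s in zero}
    probs.update({s: A[idx[s]][n] for s in unknowns})
    return probs

probs = acceptance_probabilities(mc)   # probs[0] == Fraction(1, 2)
```

In this example a finite prefix is already deciding as soon as it contains 'b' (the word is accepted) or reaches state 2 (it never will be).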
Motivation. In runtime verification a program sends messages to a monitor, which decides if the program run is faulty. Usually, runtime verification is turned off in production code because monitoring overhead is prohibitive. QVM (quality virtual machine) and ARV (adaptive runtime verification) are existing pragmatic solutions to the overhead problem, which perform best-effort monitoring within a specified overhead budget [1], [2]. ARV relies on RVSE (runtime verification with state estimation) to also compute a probability that the program run is faulty [3], [4]. We take the opposite approach: we ask for the smallest overhead achievable without compromising precision at all.
Previous work. Before worrying about the performance of a monitor, one might want to check if faults in a given system can be diagnosed at all. This problem has been studied under the term diagnosability, first for non-stochastic finite discrete event systems [5], which are labelled transition systems. It was shown in [6] that diagnosability can be checked in polynomial time, although the associated monitors may have exponential size. Later the notion of diagnosability was extended to stochastic discrete-event systems, which are labelled Markov chains [7]. Several notions of diagnosability in stochastic systems exist, and some of them have several names, see, e.g., [8], [9] and the references therein. Bertrand et al. [9] also compare the notions. For instance, they show that for one variant of the problem (referred to as A-diagnosability or SS-diagnosability or IF-diagnosability) a previously proposed polynomial-time algorithm is incorrect, and prove that this notion of diagnosability is PSPACE-complete. Indeed, most variants of diagnosability for stochastic systems are PSPACE-complete [9], with the notable exception of AA-diagnosability (where the monitor is allowed to diagnose wrongly with arbitrarily small probability), which can be solved in polynomial time [10].
Selective monitoring. In this paper, we seem to make the problem harder: since observations by a monitor come with a performance overhead, we allow the monitor to skip observations. In order to decide how many observations to skip, the monitor employs an observation policy. Skipping observations might decrease the probability of deciding (whether the current run of the system is faulty or correct). We do not study this tradeoff: we require policies to be feasible, i.e., the probability of deciding must be as high as under the policy that observes everything. We do not require the system to be diagnosable; i.e., the probability of deciding may be less than 1. Checking whether the system is diagnosable is PSPACE-complete ([9], Theorem 8).
The cost of decision in general Markov chains. The cost (of decision) is the number of observations that the policy makes during a run of the system. We are interested in minimizing the expected cost among all feasible policies. We show that if the system is diagnosable then there exists a policy with finite expected cost, i.e., the policy may stop observing after finite expected time. (The converse is not true.) Whether the infimum cost (among feasible policies) is finite is also PSPACE-complete (Theorem 14). Whether there is a feasible policy whose expected cost is smaller than a given threshold is undecidable (Theorem 15), even for diagnosable systems.
Non-hidden Markov chains. We identify a class of MCs, namely non-hidden MCs, where the picture is much brighter. An MC is called non-hidden when each label identifies the state. Non-hidden MCs are always diagnosable. Moreover, we show that maximally procrastinating policies are (almost) optimal (Theorem 27). A policy is called maximally procrastinating when it skips observations up to the point where one further skip would put a decision on the current run in question. We also show that one can construct an (almost) optimal maximally procrastinating policy in polynomial time. This policy does not depend on the exact probabilities in the MC, although the expected cost under that policy does. That is, we efficiently construct a policy that is (almost) optimal regardless of the transition probabilities on the MC transitions. We also show that the infimum cost (among all feasible policies) can be computed in polynomial time (Theorem 28). Underlying these results is a theory based on automata, in particular, checking language equivalence of DFAs.
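As a much-simplified illustration of procrastination (this is not the paper's construction: we model a belief as a set of MC-state/automaton-state pairs, treat automaton states as equivalent only when identical, and use a toy chain in which the label of a transition is simply the name of its target state), one can check when one further skipped observation would confuse the monitor:

```python
# Toy non-hidden MC: the label of each transition equals its target state,
# so a single observation pins down the current MC state exactly.
trans = {'s': ['a', 'b'], 'a': ['c'], 'b': ['c'], 'c': ['c']}  # successors
label = lambda state: state

# Hypothetical DFA tracking whether the letter 'b' has occurred.
def dfa_step(q, letter):
    return 'seen_b' if (q == 'seen_b' or letter == 'b') else 'init'

def advance(belief):
    """One unobserved step: every possible successor, DFA updated blindly."""
    return {(t, dfa_step(q, label(t))) for (s, q) in belief for t in trans[s]}

def confused(belief):
    """Would some single observation still leave >= 2 distinct DFA states?"""
    for letter in {label(s) for (s, _) in belief}:
        if len({q for (s, q) in belief if label(s) == letter}) > 1:
            return True
    return False

b0 = {('s', 'init')}
b1 = advance(b0)   # {('a','init'), ('b','seen_b')}: an observation recovers q
b2 = advance(b1)   # {('c','init'), ('c','seen_b')}: observing 'c' can no
                   # longer tell the two DFA states apart
print(confused(b1), confused(b2))  # False True
```

Here a maximally procrastinating policy skips the first step and must observe at belief b1, since one further skip yields the confused belief b2.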
Experiments. We evaluated the algorithms presented in this paper by implementing them in Facebook Infer and trying them on 11 of the most forked Java projects on GitHub. We found that, on average, selective monitoring can reduce the number of observations to about half.
Section snippets
Preliminaries
Let S be a finite set. We view elements of ℝ^S as vectors, more specifically as row vectors. We write 1 for the all-ones vector, i.e., the element of {1}^S. For a vector μ ∈ ℝ^S, we denote by μ^T its transpose, a column vector. A vector μ ∈ [0,1]^S is a distribution over S if μ·1^T = 1. For s ∈ S we write δ_s for the (Dirac) distribution over S with δ_s(s) = 1 and δ_s(t) = 0 for t ≠ s. We view elements of ℝ^{S×S} as matrices. A matrix M ∈ [0,1]^{S×S} is called stochastic if each row sums up to one, i.e., M·1^T = 1^T.
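These definitions are straightforward to mirror in code; a small sketch with a made-up two-state chain, using exact rationals:

```python
from fractions import Fraction as F

S = ['s0', 's1']                       # finite state set

def dirac(s):
    """Dirac distribution over S: all mass on s, as a row vector."""
    return [F(int(t == s)) for t in S]

def is_stochastic(M):
    """A matrix is stochastic if each row sums up to one."""
    return all(sum(row) == 1 for row in M)

M = [[F(1, 2), F(1, 2)],               # an example stochastic matrix
     [F(0),    F(1)]]

def step(mu, M):
    """One step of the chain: the row-vector/matrix product mu * M."""
    return [sum(mu[i] * M[i][j] for i in range(len(M)))
            for j in range(len(M[0]))]

mu = step(dirac('s0'), M)              # distribution after one step: [1/2, 1/2]
```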
For a finite
Qualitative analysis of observation policies
In this section we study properties of observation policies that are qualitative, i.e., not directly related to the cost of decision. We focus on properties of observation prefixes that a policy may produce.
Observation prefixes. We have already defined deciding observation prefixes. We now define several other types of prefixes: enabled, confused, very confused, and finitary. A prefix υ is enabled if it occurs with positive probability. Intuitively, the other types of prefixes υ
Analyzing the cost of decision
In this section we study the computational complexity of finding feasible policies that minimize the expected cost of decision. We focus on the decision version of the problem: Is there a feasible policy whose expected cost is smaller than a given threshold? Since the see-all policy • never stops observing, its expected cost is infinite. However, once an observation prefix υ is deciding or very confused, there is no point in continuing observation. Hence, we
The non-hidden case
Now we turn to positive results. In the rest of the paper we assume that the MC is non-hidden, i.e., there exists a function f from labels to states such that every transition labelled a leads to the state f(a). We extend f to finite nonempty words so that f(υa) = f(a). We write s ⟶υ t to indicate that there is a path from s to t labelled υ.
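With the convention (an assumption of this sketch, not the paper's encoding) that an MC is given as a map from states to lists of (label, successor) pairs, non-hiddenness is the requirement that each label always identifies the same state:

```python
def is_non_hidden(trans):
    """Check that every label identifies a unique state it leads into."""
    ident = {}                         # label -> the state it identifies
    for s, succs in trans.items():
        for lab, t in succs:
            if ident.setdefault(lab, t) != t:
                return False           # label `lab` can enter two states
    return True

# Made-up examples: in the first, 'a' always enters v and 'b' always
# enters w; in the second, 'a' can enter either v or w.
non_hidden = {'u': [('a', 'v'), ('b', 'w')], 'v': [('a', 'v')], 'w': [('b', 'w')]}
hidden     = {'u': [('a', 'v'), ('b', 'w')], 'v': [('a', 'w')], 'w': [('b', 'w')]}
print(is_non_hidden(non_hidden), is_non_hidden(hidden))  # True False
```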
Example 16. Consider the following non-hidden MC and DFA (figures omitted): starting from the initial belief, the beliefs reached along the example run are not confused.
Empirical evaluation of the expected optimal cost
We have shown that maximal procrastination is optimal in the non-hidden case (Theorem 27). However, we have not shown how much better the optimal policy is than the see-all baseline. It appears difficult to answer this question analytically, so we address it empirically. We implemented our algorithms in a fork of the Facebook Infer static analyzer [13], and applied them to 10 open-source projects, totaling 120 thousand Java methods. We found that in of cases the maximally procrastinating
Future work
In this paper we required policies to be feasible, which means that our selective monitors are as precise as non-selective monitors. One may relax this and study the tradeoff between efficiency (skipping even more observations) and precision (the probability of making a decision). Further, one could replace the diagnosability notion of this paper by other notions from the literature; one could investigate how to compute the infimum cost for other classes of MCs, such as acyclic MCs; and one could study the
CRediT authorship contribution statement
Radu Grigore: Conceptualization, Data curation, Investigation, Methodology, Software, Writing – original draft, Writing – review & editing. Stefan Kiefer: Conceptualization, Investigation, Methodology, Writing – original draft, Writing – review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (23)
- et al., On NFAs where all states are final, initial, or both, Theor. Comput. Sci. (2009)
- Maximum-likelihood estimation for hidden Markov models, Stoch. Process. Appl. (1992)
- et al., Monitoring networks through multiparty session types, Theor. Comput. Sci. (2017)
- et al., QVM: an efficient runtime for detecting defects in deployed systems, ACM Trans. Softw. Eng. Methodol. (2011)
- et al., Adaptive runtime verification
- et al., Runtime verification with state estimation
- et al., Runtime verification with particle filtering
- et al., Diagnosability of discrete-event systems, IEEE Trans. Autom. Control (1995)
- et al., A polynomial algorithm for testing diagnosability of discrete-event systems, IEEE Trans. Autom. Control (2001)
- et al., Diagnosability of stochastic discrete-event systems, IEEE Trans. Autom. Control (2005)
- Monitorability of stochastic dynamical systems
- ☆ A preliminary version of this paper appeared under the same title at Concur 2018.
- 1 Supported by EPSRC grant EP/R012261/1.
- 2 Supported by a Royal Society University Research Fellowship.