Contribution to the analysis of Discrete Event Systemspeople.rennes.inria.fr/Herve.Marchand/hdr.pdfUniﬁcation of various notions of diagnosability[Wodes06,Ifac08] Diagnosis of transient

June 6th 2017 – Habilitation Defense

Contribution to the analysisof Discrete Event SystemsHerve MarchandInria Rennes - Bretagne Atlantique

Habilitation defense - June 6th 2017

Formal Analysis of Discrete Event Systems

Control command systems and software are pervasive

More and more complex to design, program and operate safety critical systems w.r.t. devices, people (transportation,

surgery), environment Increase of security/privacy aspects

⇒ Need formal methods to ensure the reliability of such systems

Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 2/ 29














Model Checking: verifying that a mathematical model of the systemsatisfies its specification

Model G

Property Φ

@Model Checker G |= Φ? YesNo: counter-example

Model-Based Test generation: synthesis of a set of test cases from amodel of the system

Controller Synthesis: enforcing a property Φ on the system (onwhich Φ does not hold) by means of a controller





Model G @Test. Gen. TC

@Tester

Imp I

I ∼ G? −→ YesNo

? Observation






Diagnosis: synthesis of a diagnoser which has the ability to detect afault in a system based on the observation

Model G

Fault Φ

Diagnoser@DS

Imp I

Observation

Yes: a fault occurred in INo: no fault occurred in I

=








Model G

Property Φ

@DCS

Imp I

Controller C

C‖I |= ΦObs. Decision

=







Enforcement correcting possibly incorrect output sequences of asystem

Imp IDelay Suppr.

Φ

enforcementMechanism E E (σ) |= Φ

σ


Contribution to Formal Analysis of Discrete Event Systems Model-Based Test generation: synthesis of a set of test cases for a

system modelled by symbolic transition system using abstractinterpretation technique [IEEE-TSE’07]

Diagnosis:• Unification of various notions of diagnosability [Wodes06,Ifac08]• Diagnosis of transient faults [Wodes16]• Diagnosis of infinite systems [DEDS13a,DEDS15]

Controller Synthesis:• Control of concurrent & distributed systems

B. Gaudin & G. Kalyon’s PhD Thesis• Control of symbolic transition system within the synchronous

paradigm N. Berthier & G. Delaval’s Postdoc• Decentralized or hierarchical control of DES [EJC04,IFAC17]

Enforcement of real-time properties modeled by Timed AutomataS. Pinisetty’s PhD Thesis

Formal analysis of security properties: J. Dubreil’s PhD Thesis

• Integrity, availability and confidentiality• Use of various formal methods


Contribution to Formal Analysis of Discrete Event Systems Model-Based Test generation: synthesis of a set of test cases for a

system modelled by symbolic transition system using abstractinterpretation technique [IEEE-TSE’07]

Diagnosis:• Unification of various notions of diagnosability [Wodes06,Ifac08]• Diagnosis of transient faults [Wodes16]• Diagnosis of infinite systems [DEDS13a,DEDS15]

Controller Synthesis:• Control of concurrent & distributed systems

B. Gaudin & G. Kalyon’s PhD Thesis• Control of symbolic transition system within the synchronous

paradigm N. Berthier & G. Delaval’s Postdoc• Decentralized or hierarchical control of DES [EJC04,IFAC17]

Enforcement of real-time properties modeled by Timed AutomataS. Pinisetty’s PhD Thesis

Formal analysis of security properties: J. Dubreil’s PhD Thesis

• Integrity, availability and confidentiality• Use of various formal methodsContribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 4/ 29

Contribution to Formal Analysis of Discrete Event Systems

Model-Based Test generation Diagnosis Controller Synthesis Enforcement Formal analysis of security properties

Common features in a nut-shell:• Model-based approach (system & properties)• Synthesis of components• Partial observation• Model-checking techniques







Model-Based Test generation




Outline

Model & Notations Diagnosis of Discrete Event Systems

• Diagnosis of general fault patterns• Diagnosis of transient faults

Controller Synthesis• Control of concurrent systems

- Synchronous communication

• Control of distributed systems- Asynchronous communication

Formal analysis of security properties• Focus on confidentiality properties• Use of diagnosis and control

techniques Conclusion & General Perspectives


Outline









Outline







techniques

Conclusion & General Perspectives


Outline









Model & Notations System modelled by LTS G = (Q,Σ,→, q0,QF )

• QF ⊆ Q: set of marked states• Σ : set of actions

Σ = Σo ∪ Σuo : observable& unobservable actions

0 1 2 3

4 5 6 7

b

af

b a

a,b

ab

ab

a,b

Behaviours• L(G) = f , fa, fab, a, ab, aba, · · · : language of the system• LQF (G) = fab, ab, fabab, · · · : marked language

Partial observation :• Πo : Σ∗ → Σo natural projection Πo(fab) = ab• Lo(G) = Πo(L(G)): observable trajectories• Π−1

o : Σ∗o → 2Σ∗ inverse projection Π−1o (ab) = fab, ab

• ε-closure: εo(G) & determinization: Deto(G)

0 1 2 3

5 6 7b

a

a

b a a,b

b

a

b a,b

0 1, 5 2, 6 7

3, 5 3, 6 3, 73b

a b

a

b b

b

a

a

a,b

a,b a,b



• QF ⊆ Q: set of marked states• Σ : set of actions

Σ = Σo ∪ Σuo : observable& unobservable actions

0 1 2 3

4 5 6 7

b

af

b a

a,b

ab

ab

a,b





0 1 2 3

5 6 7b

a

a

b a a,b

b

a

b a,b

0 1, 5 2, 6 7

3, 5 3, 6 3, 73b

a b

a

b b

b

a

a

a,b

a,b a,b



• QF ⊆ Q: set of marked states• Σ = Σo ∪ Σuo : observable

& unobservable actions 0 1 2 3

4 5 6 7

b

af

b a

a,b

ab

ab

a,b





0 1 2 3

5 6 7b

a

a

b a a,b

b

a

b a,b

0 1, 5 2, 6 7

3, 5 3, 6 3, 73b

a b

a

b b

b

a

a

a,b

a,b a,b



• QF ⊆ Q: set of marked states• Σ = Σo ∪ Σuo : observable

& unobservable actions 0 1 2 3

4 5 6 7

b

af

b a

a,b

ab

ab

a,b





0 1 2 3

5 6 7b

a

a

b a a,b

b

a

b a,b

0 1, 5 2, 6 7

3, 5 3, 6 3, 73b

a b

a

b b

b

a

a

a,b

a,b a,b


Diagnosis Overview

System G Diagnoser DΣo On-line diagnosis Problem:

• Model of the system G• Partial observation of the system through Σo

Diagnosability: Ability to detect every fault on the basis of the observed trace

Various kind of faults• faulty events, [SSL+95]• faulty states [Lin94]• n occurrences of a fault, 2 different faults occurred, etc...

⇒ Needs for an unification of the notions of diagnosis

Our approachIntroduction of general Fault Patterns [Wodes06]

FNf

ΣΣ \ f N F1 Ff

r

fΣ \ f , r Σ

Σ \ f , r

N,N

F1,N

N,F2

F1,F2f1

f2

f2

f1 Σ

Σ \ f1, f2Σ \ f1

Σ \ f2

[SSL+95] M. Sampath, R. Sengupta, S. Lafortune, K. Sinaamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEETransactions on Automatic Control, 40(9):1555-1575, 1995.[Lin94] F. Lin, Diagnosability of discrete event systems and its applications. Discrete Event Dyn Syst 4: 197, 1994


Diagnosis Overview







FNf

ΣΣ \ f N F1 Ff

r

fΣ \ f , r Σ

Σ \ f , r

N,N

F1,N

N,F2

F1,F2f1

f2

f2

f1 Σ

Σ \ f1, f2Σ \ f1

Σ \ f2



Diagnosis Overview







FNf

ΣΣ \ f N F1 Ff

r

fΣ \ f , r Σ

Σ \ f , r

N,N

F1,N

N,F2

F1,F2f1

f2

f2

f1 Σ

Σ \ f1, f2Σ \ f1

Σ \ f2



Diagnosis Overview







FNf

ΣΣ \ f N F1 Ff

r

fΣ \ f , r Σ

Σ \ f , r

N,N

F1,N

N,F2

F1,F2f1

f2

f2

f1 Σ

Σ \ f1, f2Σ \ f1

Σ \ f2



Diagnosis of permament faults System G with Σ = Σuo ∪ Σo and a fault pattern Ω (LΩ)

q0 q1 q2 q3

a

a a

a b

f FNf

ΣΣ \ f

Diagnoser: ∆ : Lo(G)→ N,F ,U where

∆(w) =

F iff a fault occured after wN iff no fault occured after wU otherwise

L(G)

Lo(G)

LΩ

w

Πo Π−1o

Π−o 1(w) Π−o 1(w)Π−o 1(w)

⇒ derived from Deto(G‖Ω)

G‖Ω q0 q1 q2 q3f

a

a a

ba

q0 q0, q2 q0, q2, q3 q3a a b

a b

⇒ Boundedness of the detection delay?



q0 q1 q2 q3

a

a a

a b

f FNf

ΣΣ \ f


∆(w) =


L(G)

Lo(G)

LΩ

w

Πo Π−1o

Π−o 1(w) Π−o 1(w)Π−o 1(w)


G‖Ω q0 q1 q2 q3f

a

a a

ba

q0 q0, q2 q0, q2, q3 q3a a b

a b




q0 q1 q2 q3

a

a a

a b

f FNf

ΣΣ \ f


∆(w) =

F iff a fault occured after w

N iff no fault occured after wU otherwise

L(G)

Lo(G)

LΩ

w

Πo Π−1o

Π−o 1(w)

Π−o 1(w)Π−o 1(w)


G‖Ω q0 q1 q2 q3f

a

a a

ba

q0 q0, q2 q0, q2, q3 q3a a b

a b




q0 q1 q2 q3

a

a a

a b

f FNf

ΣΣ \ f


∆(w) =

F iff a fault occured after wN iff no fault occured after w

U otherwise

L(G)

Lo(G)

LΩ

w

Πo Π−1o

Π−o 1(w)

Π−o 1(w)

Π−o 1(w)


G‖Ω q0 q1 q2 q3f

a

a a

ba

q0 q0, q2 q0, q2, q3 q3a a b

a b




q0 q1 q2 q3

a

a a

a b

f FNf

ΣΣ \ f


∆(w) =


L(G)

Lo(G)

LΩ

w

Πo Π−1o

Π−o 1(w) Π−o 1(w)

Π−o 1(w)


G‖Ω q0 q1 q2 q3f

a

a a

ba

q0 q0, q2 q0, q2, q3 q3a a b

a b




q0 q1 q2 q3

a

a a

a b

f FNf

ΣΣ \ f


∆(w) =


L(G)

Lo(G)

LΩ

w

Πo Π−1o

Π−o 1(w) Π−o 1(w)

Π−o 1(w)


G‖Ω q0 q1 q2 q3f

a

a a

ba

q0 q0, q2 q0, q2, q3 q3a a b

a b




q0 q1 q2 q3

a

a a

a b

f FNf

ΣΣ \ f


∆(w) =


L(G)

Lo(G)

LΩ

w

Πo Π−1o

Π−o 1(w) Π−o 1(w)

Π−o 1(w)


G‖Ω q0 q1 q2 q3f

a

a a

ba

q0 q0, q2 q0, q2, q3 q3a a b

a b

⇒ Boundedness of the detection delay?Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 9/ 29

Diagnosis of permament faults

DiagnosabilityAbility to detect every fault pattern at most n observations after itsoccurrence

• Non-diagnosability: existence of two arbitrary long andobservationally equivalent sequences one faulty, the other non-faulty

• Test of diagnosability on the twin machine ε(GΩ)‖ε(GΩ)

q0

G‖Ω

q1 q2 q3f

a

a a

ba

q0, q0

q0, q2

q0, q3

q2, q3

q2, q2 q3, q3

q2, q0 q3, q0

q3, q2

aa

a

a

a

a

b

a

a a

a

aa

a

⇒ Non diagnosable if there exists a reachable ambiguous cycle Extension to the predictability of fault patterns [Ifac08]


Diagnosis of non-permanent faultsFaults might be repaired

Various notions of Diagnosability O-Diagnosability : a fault occurred in the system [CLT04] P-Diagnosability : the system has been faulty and is now faulty

[CLT04] [1..K]-Diagnosability : at least K faults occurred in the system.

[JKG03]

Our approachAbility to detect every occurrence of a fault before it is repaired and tocount the number of faults

DiagnoserSimilar to the one for permanent faults

[CLT04] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamic Systems: Theory andApplications, 14(2):171-202, 2004.[JKG03] S. Jiang, R. Kumar, and H.E. Garcia. Diagnosis of repeated/intermittent failures in discrete event systems. IEEE Transactions onRobotics and Automation, 19(2):310-323, Avril 2003.





[JKG03]


DiagnoserSimilar to the one for permanent faults

[CLT04] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamic Systems: Theory andApplications, 14(2):171-202, 2004.[JKG03] S. Jiang, R. Kumar, and H.E. Garcia. Diagnosis of repeated/intermittent failures in discrete event systems. IEEE Transactions onRobotics and Automation, 19(2):310-323, Avril 2003.





[JKG03]


DiagnoserSimilar to the one for permanent faults[CLT04] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamic Systems: Theory andApplications, 14(2):171-202, 2004.[JKG03] S. Jiang, R. Kumar, and H.E. Garcia. Diagnosis of repeated/intermittent failures in discrete event systems. IEEE Transactions onRobotics and Automation, 19(2):310-323, Avril 2003.


T-diagnosability [Wodes16]

T-diagnosability w.r.t. FAbility to surely detect every fault before its repair in a bounded numberof observations on the basis of the observed trace

q0 q4 q5

q1 q2

q6 q7

q8

b

c

a

a

a

aa

d a

a

s1 s2 s3a a

a

s4 s5 s6a a

a

s7 s8 s9a a

a

s0

b

c

d Verification

• Twin-machine no more sufficient• Need to check G × Det(G)

TheoremDeciding whether G is T-diagnosable w.r.t. F is PSPACE-complete.




q0 q4 q5

q1 q2

q6 q7

q8

b

c

a

a

a

aa

d a

a

s1 s2 s3a a

a

s4 s5 s6a a

a

s7 s8 s9a a

a

s0

b

c

d Verification






q0 q4 q5

q1 q2

q6 q7

q8

b

c

a

a

a

aa

d a

a s1 s2 s3a a

a

s4 s5 s6a a

a

s7 s8 s9a a

a

s0

b

c

d Verification

• Twin-machine no more sufficient

• Need to check G × Det(G)





q0 q4 q5

q1 q2

q6 q7

q8

b

c

a

a

a

aa

d a

a s1 s2 s3a a

a

s4 s5 s6a a

a

s7 s8 s9a a

a

s0

b

c

d Verification




T-diagnosability & Counting

u1

u2

u3

⇒ Also need to detect all the repairs

PropositionIf G is T-Diagnosable w.r.t. F and T-Diagnosable w.r.t. N, then one canexactly count the number of faults that occurred in the system



u1

u2

u3





u1

u2

u3




Conclusion & Perspectives Summary

• General fault patterns for diagnosability and predictability• New framework for non-permanent faults

- Introduction of the notion of T-Diagnosability- Ability to count the number of faults- P-Diagnosability ([CLT04]) is also PSPACE-Complete

Perspectives• Active Diagnosis (on-going work with L. Helouet)⇒ Ability to perform tests allowing to partially disambiguate the set of

configurations with energy constraints• Modular systems G1‖G2

- Few results [CLT06], [YD10] (fault events local to a singlecomponent)

- General Fault Pattern?- Know-how of the modular control synthesis- Add communication between diagnosers

• Diagnosis of LTS handling data[CLT06] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosability of discrete event systems with modular structure. Discrete EventDynamic Systems, 16(1):9-37, 2006.[YD10] L. Ye and P, Dague. An optimized algorithm for diagnosability of component-based systems. In 10th IFAC WODES, pages143-148, Berlin, Germany, 2010.


Outline

Model & Notations

Diagnosis of Discrete Event Systems• Diagnosis of general fault patterns• Diagnosis of transient faults

Model G

Fault Pattern Φ

Diagnoser

Imp I

Π

YesNo?

Assuming G ∼ I







Overview & Problematic

C G

C(s)

s ∈ Σ∗

Controller Synthesis Problem [RW89]• model of the system G• a safety property K ⊆ Σ∗

• Σ = Σc ∪ Σuc (controllable & uncontrollable events)

Compute a maximal controller such that L(C/G) ⊆ K

Controllability [RW89]: K is controllable fora controller C is no uncontrollable action hasto be forbidden in L(G) to respect K. L(G)K

sσuc

σc

⇒ if K not controllable, existence of a maximal language :SupCK = L(C/G) = K \ [(L(G) \ K)/Σ∗uc ]Σ∗

Problematic:• Large systems are often composed of several subsystems

G = G1‖ · · · ‖Gn ⇒ State space explosion !

• Given a property K ⊆ Σ∗, how to compute a (set of) controller(s)ensuring K without building G.

[RW89] P.J. Ramadge andW.M.Wonham. The control of discrete event systems. Proceedings of the IEEE; Special issue on Dynamics ofDiscrete Event Systems, 77(1):81-98, 1989



C G

C(s)

s ∈ Σ∗





sσuc

σc








C G

C(s)

s ∈ Σ∗





sσuc

σc








C G

C(s)

s ∈ Σ∗





sσuc

σc







Control of concurrent systemsBenoit Gaudin’s PhD Thesis

G = G1‖ · · · ‖Gn with L(Gi ) ⊆ Σ∗i and a safety property K ⊆ Σ∗.• Σi = Σi,c ∪ Σi,uc• Σs : Shared events

Related work• WH91 : Separable specification• DC00 : Σs = ∅• RL03 : Identical components

C1 G1 G2 C2

C1(s)

s1 ∈ Σ∗1

C2(s)

s2 ∈ Σ∗2

G

Σs

Our approach [JDEDS07], [Automatica08]• Abstract systems Π−1

i (Gi ) = G−1i

• Ki = K ∩ L(G−1i )

Ci P−1i (Gi )

Ci (s)

s ∈ Σ∗

G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

L(C1/G−11 ) ∩ L(C2/G−1

2 ) = L(C/G)





C1 G1 G2 C2

C1(s)

s1 ∈ Σ∗1

C2(s)

s2 ∈ Σ∗2

G

Σs

WH91 Y.Willner and M. Heymann. Supervisory control of concurrent DES. Int. Journal of Control, 54(5):1143-1169, 1991.DC00 M. H. De Queiroz and J. Cury. Modular control of composed systems. ACC , pages 4051- 4055 2000.RL03 K. Rohloff and S. Lafortune. The control and verification of similar agents operating in a broadcast network environment. In 42ndIEEE CDC, 2003.


i (Gi ) = G−1i

• Ki = K ∩ L(G−1i )

Ci P−1i (Gi )

Ci (s)

s ∈ Σ∗

G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

L(C1/G−11 ) ∩ L(C2/G

−12 ) = L(C/G)





C1 G1 G2 C2

C1(s)

s1 ∈ Σ∗1

C2(s)

s2 ∈ Σ∗2

G

Σs


i (Gi ) = G−1i

• Ki = K ∩ L(G−1i )

Ci P−1i (Gi )

Ci (s)

s ∈ Σ∗

G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

L(C1/G−11 ) ∩ L(C2/G−1

2 ) = L(C/G)Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 17/ 29

Control of concurrent systems (cont’d)

K′ ⊆ Ki is partially controllable w.r.t. Σi,uc ,Σuc , L(G−1i ) if

(i) K′ is controllable w.r.t Σi,uc and L(G−1i ).

(ii) K′ is controllable w.r.t Σuc and Ki . L(G−1i )Ki

K′ Σuc

Σi,uc

There exists a unique supremal sub-language of Kithat is partially controllable : SupPCi

Theorem⋂i≤n SupPCi is controllable w.r.t. Σuc and L(G)

L(Ci/G−1i ) = SupPCi

G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

Maximality?

: Σs ⊆ Σc and (K ⊆ L(G) or K locally consistent)






K′ Σuc

Σi,uc




G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

Maximality?







K′ Σuc

Σi,uc




G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

Maximality?







K′ Σuc

Σi,uc




G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

Maximality?







K′ Σuc

Σi,uc




G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

Maximality?







K′ Σuc

Σi,uc




G1 G2

C2C1

∧

s ∈ Σ∗

C(s)

GC1(s) C2(s)

Maximality? : Σs ⊆ Σc and (K ⊆ L(G) or K locally consistent)


Outline

Model & Notations

Diagnosis of Discrete Event Systems• Diagnosis of general fault patterns• Diagnosis of transient faults

Model G

Fault Pattern Φ

Diagnoser

Imp I

Π

YesNo?

Assuming G ∼ I







Control of distributed systemsGabriel Kalyon’s PhD Thesis

[Forte11], [CDC’11], [IEEE-TAC’14]

Distributed control of distributed systems (Ti)i

Embedded systems, protocols Asynchronous communication CFSM = LTSs + FIFO channels

Q2,1

A0

2?a

A1

Aerror

A2

CFSM T1

1!c

2?b

2?a

4?d2?a

2?b

1!d

2?b

CFSM T2

B0

B1

B2

B3

1?c

2!a 3!d

CFSM T3

D0 D1

4!d

3?d

2!b

1?d

3!d

Q1,2

Q3,1

Q1,3

Q2,3

Q3,2

Q2,1

A0

2?a

A1

Aerror

A2

T1

1!c

2?b

2?a

4?d2?a

2?b

1!d

2?b T2

B0

B1

B2

B3

1?c

2!a 3!d

T3

D0 D1

4!d

3?d

2!b

1?d

3!d

Q1,2

Q3,1

Q1,3

Q2,3

Q3,2

C1 C2

C3

Problem : computing (Ci )i s.t. (Ti‖Ci )i |= Φ (safety)

Bad ⊆ Q1 × · · · × Qn × Contents of the channels Control mechanism for Ci

• Σi,c = set of local outputs• Local control decisions based on a state estimate Ei⇒ Refinement of Ei by piggybacking information to the sent messages

(logical clock + peer state estimate)






Q2,1

A0

2?a

A1

Aerror

A2

T1

1!c

2?b

2?a

4?d2?a

2?b

1!d

2?b T2

B0

B1

B2

B3

1?c

2!a 3!d

T3

D0 D1

4!d

3?d

2!b

1?d

3!d

Q1,2

Q3,1

Q1,3

Q2,3

Q3,2

C1 C2

C3










Q2,1

A0

2?a

A1

Aerror

A2

T1

1!c

2?b

2?a

4?d2?a

2?b

1!d

2?b T2

B0

B1

B2

B3

1?c

2!a 3!d

T3

D0 D1

4!d

3?d

2!b

1?d

3!d

Q1,2

Q3,1

Q1,3

Q2,3

Q3,2

C1 C2

C3


Bad ⊆ Q1 × · · · × Qn × Contents of the channels

Control mechanism for Ci








Q2,1

A0

2?a

A1

Aerror

A2

T1

1!c

2?b

2?a

4?d2?a

2?b

1!d

2?b T2

B0

B1

B2

B3

1?c

2!a 3!d

T3

D0 D1

4!d

3?d

2!b

1?d

3!d

Q1,2

Q3,1

Q1,3

Q2,3

Q3,2

C1 C2

C3



• Σi,c = set of local outputs• Local control decisions based on a state estimate Ei

⇒ Refinement of Ei by piggybacking information to the sent messages(logical clock + peer state estimate)






Q2,1

A0

2?a

A1

Aerror

A2

T1

1!c

2?b

2?a

4?d2?a

2?b

1!d

2?b T2

B0

B1

B2

B3

1?c

2!a 3!d

T3

D0 D1

4!d

3?d

2!b

1?d

3!d

Q1,2

Q3,1

Q1,3

Q2,3

Q3,2

C1 C2

C3




(logical clock + peer state estimate)Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 20/ 29

Control of distributed systems (Cont’d)

Off-Line computation• Approximation of the set of states

reaching Bad by uncontrollable events.• Adaptation of approximate verification

for CFSMs [LGJJ06]⇒ Over-approximation of the contents of

the queues by regular languages

DV

Bad

α

γ

Λ

On-Line computation for Ci• Reception of a message from site j : E ′i = Posta(Ei ) ∩ f (Vj ,Ej )• Transmission of a message (a,V ′i ,E ′i ) : E ′i = Reach∆\∆i (Posta(Ei ))

⇒ Computation of the new set of forbidden events w.r.t. E ′i

With the above computations, the controlled system avoids bad and issound

[LGJJ06]: T. Le Gall, B. Jeannet, and T. Jeron. Verification of communication protocols using abstract interpretation of FIFO queues.AMAST’06, July 2006.







DV

Bad

α

γ

Λ

Bad!











DV

Bad

α

γ

Λ

Bad!

I!(Bad!)

I(Bad)

I ′(Bad)











DV

Bad

α

γ

Λ

Bad!

I!(Bad!)

I(Bad)

I ′(Bad)



With the above computations, the controlled system avoids bad and issound[LGJJ06]: T. Le Gall, B. Jeannet, and T. Jeron. Verification of communication protocols using abstract interpretation of FIFO queues.AMAST’06, July 2006.


Conclusion & Perspectives

Summary• Control of concurrent systems

- Computation of local controllers w.r.t. abstract sub-systems- Specialisation to a state-based approach ECC03-05

• Control of distributed systems- Use of abstract interpretation to techniques.

Perspectives• Concurrent & distributed systems :

- Non-blocking properties (liveness, etc)- Minimizing the exchanged information

• Quantitative propertiesWork with N. Berthier, G. Delaval & E. Rutten


Outline

Model & Notations

Diagnosis of Discrete Event Systems• Diagnosis of general fault Patterns• Diagnosis of transient faults

Model G

Fault Pattern Φ

Diagnoser

Imp I

Π

YesNo?

Assuming G ∼ I





techniques

Conclusion & General Perspectives


Confidential informationJeremy Dubreil PhD ThesisSystem G Attacker A

Σo

Confidential information: secret properties• State configurations (values of secret variables)• Occurrence of an event (e.g. password file is unlocked), Trajectories

Information flow: an attacker is able to infer confidential informationbased on his observation and its knowledge of the system.

The secret S is opaque w.r.t. G and Σo if [BKMR08]

∀t ∈ LS(G),∃s ∈ L(G) \ LS(G) : Π−1o (s) = Π−1

o (t)

0

1

2

3

4

5

p

h

a

a

b

Σ = h, p, a, b, Σo = a, b

S = 2, 4, 5, LS = Σ∗.h.Σ∗

[BKMR08]J. Bryans, M. Koutny, L. Mazare, and P. Ryan. Opacity generalised to transition systems. International Journal of InformationSecurity, 7(6):421-435, 2008



Σo




∀t ∈ LS(G),∃s ∈ L(G) \ LS(G) : Π−1o (s) = Π−1

o (t)

0

1

2

3

4

5

p

h

a

a

b

Σ = h, p, a, b, Σo = a, b

S = 2, 4, 5, LS = Σ∗.h.Σ∗




Σo




∀t ∈ LS(G),∃s ∈ L(G) \ LS(G) : Π−1o (s) = Π−1

o (t)

0

1

2

3

4

5

p

h

a

a

b

Σ = h, p, a, b, Σo = a, b

S = 2, 4, 5, LS = Σ∗.h.Σ∗




Σo




∀t ∈ LS(G),∃s ∈ L(G) \ LS(G) : Π−1o (s) = Π−1

o (t)

0

1

2

3

4

5

p

h

a

a

b

Σ = h, p, a, b, Σo = a, b

S = 2, 4, 5, LS = Σ∗.h.Σ∗



Verification of Opacity

Algorithm1 Determinization of G2 check whether a macro-state F ⊆ S is reachable

0 1 2 3

4 5 6b

a

a

b a a,b

b

a

b a,b

0 1, 4 2, 5 6

3, 4 3, 5 3, 63b

a b

a

b b

b

a

a

a,b

a,b a,b

TheoremChecking opacity is PSPACE complete [Amast08]

⇒ Reduction from universality problem


Monitoring an information flow[ECC2009]

G AMΣo

Σm

F = L2S (DetΣo (G)): observations leading to an information flow

1 2 3 4 Σo = a, bf

a, c

a a

b, c

1 1,3 1,3,4 4

DetΣo (G)

a a b

a b

M should diagnose/predict the occurrence of the trajectories

I = L(G) ∩ P−1Σo

(F).Σ∗

by observing Σm.

1 1,3 1,3,4 1,4

!

No

Σm = a, c

M

s = aabc ⇒

PΣo (s) = aabPΣm (s) = aac

a a c

c

c a c

⇒ Every information flow is detectable iff I is diagnosable w.r.t. Σm.



G AMΣo

Σm


1 2 3 4 Σo = a, bf

a, c

a a

b, c

1 1,3 1,3,4 4

DetΣo (G)

a a b

a b


I = L(G) ∩ P−1Σo

(F).Σ∗

by observing Σm.

1 1,3 1,3,4 1,4

!

No

Σm = a, c

M

s = aabc ⇒


a a c

c

c a c




G AMΣo

Σm


1 2 3 4 Σo = a, bf

a, c

a a

b, c

1 1,3 1,3,4 4

DetΣo (G)

a a b

a b


I = L(G) ∩ P−1Σo

(F).Σ∗

by observing Σm.

1 1,3 1,3,4 1,4

!

No

Σm = a, c

M

s = aabc ⇒


a a c

c

c a c




G AMΣo

Σm


1 2 3 4 Σo = a, bf

a, c

a a

b, c

1 1,3 1,3,4 4

DetΣo (G)

a a b

a b


I = L(G) ∩ P−1Σo

(F).Σ∗

by observing Σm.

1 1,3 1,3,4 1,4

!

No

Σm = a, c

M

s = aabc ⇒


a a c

c

c a c

⇒ Every information flow is detectable iff I is diagnosable w.r.t. Σm.Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 26/ 29

Supervisory Control for opacity[Wodes08], [IEEE-TAC10]

G ACΣo

Σm

Control problem (Language-Based)

Compute a maximally permissive controller C observing Σm andcontrolling Σc ⊆ Σm s.t. Lϕ is opaque w.r.t. G × C and Σo .

0 1

6 7

11

a

e

aτe

he

2 3

4 5

c1h

d a

b a

8 9 10h b a

c2

Σo = a, b, d , eΣm = a, c1, c2, b, d , eΣc = b, c1, c2, e

Secret: Lϕ = Σ∗.h.Σ∗

TheoremIf Σc ⊆ Σm and Σm ⊆ Σo , or Σo ⊆ Σm, there exists a maximal controllerC s.t. Lϕ is opaque w.r.t. G × C and Σo



G ACΣo

Σm



0 1

6 7

11

a

e

aτe

he

2 3

4 5

c1h

d a

b a

8 9 10h b a

c2






G ACΣo

Σm



0 1

6 7

11

a

e

aτe

he

2 3

4 5

c1h

d a

b a

8 9 10h b a

c2






G ACΣo

Σm



0 1

6 7

11

a

e

aτe

he

2 3

4 5

c1h

d a

b a

8 9 10h b a

c2





Conclusion & Perspectives Summary

• Monitoring information flows• Ensuring Opacity by control• Ensuring Opacity Dynamic Filtering [Amast08][FMSD12]

Perspectives• Opacity control problem

- Remove the assumption Σm ⊆ Σo , or Σo ⊆ Σm [TML+16]- Distributed control of Concurrent secrets

preliminary work in [BBB+07]• Active Attacker

- Ability to change the observable status of events (c.f. [KWKL16])• Opacity of systems handling data

[TML+16] Y. Tong, Z. Ma, Z. Li, C. Seatzu, and A. Giua. Supervisory enforcement of current-state opacity with uncomparableobservations. In Proc of 13th Workshop on Discrete Event Systems, WODES’16, 2016.[BBB+07] E. Badouel, M. Bednarczyk, A. Borzyszkowski, B. Caillaud, and P. Darondeau. Concurrent secrets. Discrete Event DynamicSystems, 17(4):425-446, December 2007.[KWKL16] C. Kawakami, Y.Wu, R. Kwong, and S. Lafortune. Detection and prevention of actuator enablement attacks in supervisorycontrol systems. In Proc of 13th Workshop on Discrete Event Systems, WODES’16, 2016.


General perspectivesTowards more flexible systems and requirements

off-the shelf components Adaptive controllers valid for a

set of ”similar” devices⇒ Modal transition systems ?

Control under failures switch between controllers

reacting to diagnosed failures⇒ Needs for a coordinator

Reconfigurable systems: IoT, Cloud Center, Automotive, etc Components can leave or join the system (highly distributed)⇒ Detect and learn the specification of this component Adaptation of the requirements (safety, privacy, etc)⇒ on-line computation and deployment of new controllers

Revisit the Control and Diagnosis theory























Reconfigurable systems: IoT, Cloud Center, Automotive, etc

Components can leave or join the system (highly distributed)⇒ Detect and learn the specification of this component Adaptation of the requirements (safety, privacy, etc)⇒ on-line computation and deployment of new controllers











Ensuring opacity by Dynamic filtering[Amast08][FMSD12]

System G Filter D Attacker Au ∈ Σ∗o D(u)

q0 q1 q2 q3

q4 q5 q6

b

a

a

b a a,b

b

a

b a,b

1 2 3

b/b b/ε a, b/a, b

a/a a/a

Static Filter: Σo = a or Σo = b ⇒ S is opaqueDynamic Filter: Hide“b” after the observation of an ”a” and keepeverything observable after the observation of an ”a”

ProblemComputing a Dynamic filter so that S is opaque w.r.t. G × D and Σo

[TC08] F. Cassez and S. Tripakis. Fault diagnosis with static and dynamic diagnosers. Fundamenta Informaticae, 88(4):497-540,November 2008.


Ensuring opacity by Dynamic filtering Reduction to a safety 2-player game

1

1.a1.b 12

12.a

12.b

12.ab

2.a 2.b

1.ab 22.ab

(b): The game LTS

21

(a): the LTS G

a

a, ba

b

a, b

aba

a, b

a b

a, b

a

b

b

a, b

a, b

b

b

a, b

a, bb

a

b

a

b

⇒ Solving the Dynamic filter problem is EXPTIME


Ensuring opacity by Dynamic filtering Reduction to a safety 2-player game

1

1.a1.b 12

12.a

12.b

12.ab

2.a 2.b

1.ab 22.ab

(b): The game LTS

21

(a): the LTS G

a

a, ba

b

a, b

aba

a, b

a b

a, b

a

b

b

a, b

a, bb

a

b

a

b

⇒ Solving the Dynamic filter problem is EXPTIME


Documents

Contribution to the analysis of Discrete Event Systemspeople.rennes.inria.fr/Herve.Marchand/hdr.pdfUniﬁcation of various notions of diagnosability[Wodes06,Ifac08] Diagnosis of transient