Model-based evaluation: From dependability to security
IEEE Transactions on Dependable and Secure Computing, 2004
Cited by 56 (2 self)
The development of techniques for quantitative, model-based evaluation of computer system dependability has a long and rich history. A wide array of model-based evaluation techniques are now available, ranging from combinatorial methods, which are useful for quick, rough-cut analyses, to state-based methods, such as Markov reward models, and detailed, discrete-event simulation. The use of quantitative techniques for security evaluation is much less common, and has typically taken the form of formal analysis of small parts of an overall design, or experimental red-team-based approaches. Alone, neither of these approaches is fully satisfactory, and we argue that there is much to be gained through the development of a sound model-based methodology for quantifying the security one can expect from a particular design. In this work, we survey existing model-based techniques for evaluating system dependability, and summarize how they are now being extended to evaluate system security. We find that many techniques from dependability evaluation can be applied in the security domain, but that significant challenges remain, largely due to fundamental differences between the accidental nature of the faults commonly assumed in dependability evaluation, and the intentional, human nature of cyber attacks.
Logical and stochastic modeling with SMART
2003
Cited by 23 (13 self)
We describe the main features of SmArT, a software package providing a seamless environment for the logic and probabilistic analysis of complex systems. SmArT can combine different formalisms in the same modeling study. For the analysis of logical behavior, both explicit and symbolic state-space generation techniques, as well as symbolic CTL model-checking algorithms, are available. For the study of stochastic and timing behavior, both sparse-storage and Kronecker numerical solution approaches are available when the underlying process is a Markov chain. In addition,
Structural symbolic CTL model checking of asynchronous systems
Computer Aided Verification (CAV’03), LNCS 2725, 2003
Cited by 16 (10 self)
In previous work, we showed how structural information can be used to efficiently generate the state space of asynchronous systems. Here, we apply these ideas to symbolic CTL model checking. Thanks to a Kronecker encoding of the transition relation, we detect and exploit event locality and apply better fixed-point iteration strategies, resulting in orders-of-magnitude reductions for both execution times and memory consumption in comparison to well-established tools such as NuSMV.
Symbolic State-space Exploration and Numerical Analysis of State-sharing Composed Models
Proceedings of NSMC ’03: The Fourth International Conference on the Numerical Solution of Markov Chains, 2004
Cited by 14 (5 self)
The complexity of stochastic models of real-world systems is usually managed by abstracting details and structuring models in a hierarchical manner. Systems are often built by replicating and joining subsystems, making possible the creation of a model structure that yields lumpable state spaces. This fact has been exploited to facilitate model-based numerical analysis. Likewise, recent results on model construction suggest that decision diagrams can be used to compactly represent large Continuous Time Markov Chains (CTMCs). In this paper, we present an approach that combines and extends these two approaches. In particular, we propose methods that apply to hierarchically structured models with hierarchies based on sharing state variables. The hierarchy is constructed in a way that exposes structural symmetries in the constructed model, thus facilitating lumping. In addition, the methods allow one to derive a symbolic representation of the associated CTMC directly from the given model without the need to compute and store the overall state space or CTMC explicitly. The resulting representation of a generator matrix allows the analysis of large CTMCs in lumped form. The efficiency of the approach is demonstrated with the help of two example models.
Saturation-based symbolic reachability analysis using conjunctive and disjunctive partitioning
Proc. CHARME, LNCS 3725, 2005
Cited by 14 (12 self)
We propose a new saturation-based symbolic state-space generation algorithm for finite discrete-state systems. Based on the structure of the high-level model specification, we first disjunctively partition the transition relation of the system, then conjunctively partition each disjunct. Our new encoding recognizes identity transformations of state variables and exploits event locality, enabling us to apply a recursive fixed-point image computation strategy completely different from the standard breadth-first approach employing a global fixpoint image computation. Compared to breadth-first symbolic methods, saturation has already been empirically shown to be several orders more efficient in terms of runtime and peak memory requirements for asynchronous concurrent systems. With the new partitioning, the saturation algorithm can now be applied to completely general asynchronous systems, while requiring similar or better runtimes and peak memory than previous saturation algorithms.
Saturation for a General Class of Models
2004
Cited by 9 (3 self)
Implicit techniques for construction and representation of the reachability set of a high-level model have become quite efficient for certain types of models. In particular, previous work developed a “saturation” algorithm that exploits asynchronous behavior to efficiently construct the reachability set using multi-way decision diagrams, but requires each model event to be expressible as a Kronecker product. In this paper, we develop a new version of the saturation algorithm that works for a general class of models: models whose events are not necessarily expressible as Kronecker products, models containing events with complex priority structures, and models whose state variables have unknown bounds. We apply our algorithm to several examples and give detailed experimental results.
Exploiting interleaving semantics in symbolic state-space generation
Formal Methods in System Design
Cited by 8 (3 self)
Symbolic techniques based on Binary Decision Diagrams (BDDs) are widely employed for reasoning about temporal properties of hardware circuits and synchronous controllers. However, they often perform poorly when dealing with the huge state spaces underlying systems based on interleaving semantics, such as communications protocols and distributed software, which are composed of independently acting subsystems that communicate via shared events. This article shows that the efficiency of state-space exploration techniques using decision diagrams can be drastically improved by exploiting the interleaving semantics underlying many event-based and component-based system models. A new algorithm for symbolically generating state spaces is presented that (i) encodes a model’s state vectors with Multi-valued Decision Diagrams (MDDs) rather than flattening them into BDDs and (ii) partitions the model’s Kronecker-consistent next-state function by event and subsystem, thus enabling multiple lightweight next-state transformations rather than a single heavyweight one. Together, this paves the way for a novel iteration order, called saturation, which replaces the breadth-first search order of traditional algorithms. The resulting saturation algorithm is implemented in the tool SMART, and experimental studies show that it is often several orders of magnitude better in terms of time efficiency, final memory consumption, and peak memory consumption than existing symbolic algorithms.
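The three saturation abstracts above (CHARME 2005, "Saturation for a General Class of Models", and this one) all rest on the same two ideas: a next-state function partitioned by event, with each event Kronecker-consistent (a product of per-variable local functions, identity on the variables it does not touch), and an iteration order that fires low-level events to a fixed point before higher-level ones instead of applying one global image per breadth-first round. The following added example is not code from SMART or from any of these papers; it is a constructed n-process mutual-exclusion model (one shared lock, variable 0; process i is variable i) where plain Python sets of state tuples stand in for the MDDs, so it demonstrates the event partitioning and the saturation iteration order, not the memory behaviour of the symbolic encoding. Both reachability routines return the same set together with a count of set-level event firings for comparison.

```python
"""Saturation-order reachability for an asynchronous model (constructed example).

State vector: (lock, p_1, ..., p_n); lock in {0 free, 1 taken};
p_i in {IDLE, WAITING, CRITICAL}. Each event is a dict
{variable_index: local_function}; a local function maps the variable's
current value to the set of its possible next values (empty set = the event
is disabled in that local state). Variables absent from the dict keep their
value, which is exactly the Kronecker-product (identity factor) structure.
"""
from itertools import product

IDLE, WAITING, CRITICAL = 0, 1, 2


def mutex_model(n):
    """Return (initial_state, events) for n processes and one lock (assumed model)."""
    events = []
    for i in range(1, n + 1):
        # request_i: touches only process i
        events.append({i: lambda v: {WAITING} if v == IDLE else set()})
        # enter_i: process i goes critical and takes the lock (variable 0)
        events.append({0: lambda v: {1} if v == 0 else set(),
                       i: lambda v: {CRITICAL} if v == WAITING else set()})
        # exit_i: process i goes idle and frees the lock
        events.append({0: lambda v: {0} if v == 1 else set(),
                       i: lambda v: {IDLE} if v == CRITICAL else set()})
    return (0,) + (IDLE,) * n, events


def image(states, event):
    """Successors of `states` under one event: per state, the Cartesian product
    of the local successor sets (no successor if any factor is empty)."""
    out = set()
    for s in states:
        factors = [event[k](s[k]) if k in event else {s[k]} for k in range(len(s))]
        if all(factors):
            out.update(product(*factors))
    return out


def reach_bfs(init, events):
    """Breadth-first fixed point: fire every event on the whole frontier each round.
    Returns (reachable set, number of set-level image computations)."""
    reached, frontier, fired = {init}, {init}, 0
    while frontier:
        new = set()
        for e in events:
            new |= image(frontier, e)
            fired += 1
        frontier = new - reached
        reached |= frontier
    return reached, fired


def reach_saturation(init, events):
    """Saturation order: a set is saturated at level k when it is closed under
    every event whose topmost variable is <= k. Events are grouped by their
    top variable; states produced by a level-k event are re-saturated at the
    levels below k before level k is retried, and higher levels wait."""
    n_vars = len(init)
    by_top = {k: [e for e in events if max(e) == k] for k in range(n_vars)}
    fired = 0

    def saturate(states, k):
        nonlocal fired
        if k < 0:
            return states
        states = saturate(states, k - 1)          # close under lower levels first
        while True:
            new = set()
            for e in by_top[k]:
                new |= image(states, e)
                fired += 1
            new -= states
            if not new:
                return states                     # closed under levels <= k
            states = states | saturate(new, k - 1)  # union of saturated sets is saturated

    return saturate({init}, n_vars - 1), fired


if __name__ == "__main__":
    init, events = mutex_model(3)
    bfs, nb = reach_bfs(init, events)
    sat, ns = reach_saturation(init, events)
    print(len(bfs), "states via BFS in", nb, "firings;",
          len(sat), "states via saturation in", ns, "firings")
```

For n processes the reachable set has 2^n + n·2^(n-1) states (any mix of idle/waiting with the lock free, or exactly one critical process with the lock taken), which is also the mutual-exclusion property a model checker would verify on this set. The firing counts are comparable only as an illustration of the two iteration orders: with explicit sets, every firing costs time proportional to the set, whereas on MDDs a low-level firing touches only a small sub-diagram, which is where the orders-of-magnitude gains reported above come from.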
A pattern recognition approach for speculative firing prediction in distributed saturation state-space generation
Proc. PDMC, pp. 65–79, 2005
Cited by 5 (1 self)
The saturation strategy for symbolic state-space generation is particularly effective for globally-asynchronous locally-synchronous systems. A distributed version of saturation, SaturationNOW, uses the overall memory available on a network of workstations to effectively spread the memory load, but its execution is essentially sequential. To achieve true parallelism, we explore a speculative firing prediction, where idle workstations work on predicted future event firing requests. A naïve approach where all possible firings may be explored a priori, given enough idle time, can result in excessive memory requirements. Thus, we introduce a history-based approach for firing prediction that recognizes firing patterns and explores only firings conforming to these patterns. Experiments show that our heuristic improves the runtime and has a small memory overhead.
Implicit GSPN reachability set generation using decision diagrams
Performance Evaluation, 2004
Cited by 5 (2 self)
Implicit techniques for representing and generating the reachability set of a high-level model have become quite efficient. However, such techniques are usually restricted to models whose events have equal priority. Models containing events with differing classes of priority or complex priority structure, in particular models with immediate events, have thus been required to use less efficient explicit reachability set generation techniques. In this paper, we present an efficient implicit technique, based on multi-valued decision diagram representations for sets of states and matrix diagram representations for next-state functions, that can handle models with complex priority structure. We adapt an efficient Kronecker-based reachability set generation algorithm to work with matrix diagrams. If the model contains immediate events, the vanishing states can be eliminated either during generation, by manipulating the matrix diagram, or after generation, by manipulating the multi-valued decision diagram. We apply both techniques to several models and give detailed experimental results.
Lumping matrix diagram representations of Markov models
Proc. of the 2005 Int. Conf. on Dependable Systems and Networks, 2005
Cited by 4 (2 self)
Continuous-time Markov chains (CTMCs) have been used successfully to model the dependability and performability of many systems. Matrix diagrams (MDs) are known to be a space-efficient, symbolic representation of large CTMCs. In this paper, we identify local conditions for exact and ordinary lumpings that allow us to lump MD representations of Markov models in a compositional manner. We propose a lumping algorithm for CTMCs that are represented as MDs that is based on partition refinement, is applied to each level of an MD directly, and results in an MD representation of the lumped CTMC. Our compositional lumping approach is complementary to other known model-level lumping approaches for matrix diagrams. The approach has been implemented, and we demonstrate its efficiency and benefits by evaluating an example model of a tandem multiprocessor system with load balancing and failure and repair operations.
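The lumping abstract above, and the NSMC ’03 abstract on lumpable state spaces arising from replicated subsystems, both depend on ordinary lumpability and on partition refinement as the way to reach a lumpable partition. The following added example is not the paper's matrix-diagram algorithm and not code from its authors; it is the underlying refinement on an explicit generator, written for a constructed two-processor failure/repair model (assumed rates, assumed state encoding), so the condition being checked and the lumped generator being produced are visible. The second call, with unequal failure rates, shows the refinement refusing to lump states that a symmetry argument alone might have merged.

```python
"""Ordinary lumping of a CTMC by partition refinement (constructed example).

Generator Q is a dict-of-dicts: Q[i][j] is the rate from state i to state j
(i != j; diagonal entries are implicit). A partition is ordinarily lumpable
when, for every block B and every other block C, all states of B have the
same total rate into C. The refinement starts from a partition chosen by the
analyst (here: states grouped by the number of working processors, the
quantity a reward measure would depend on) and splits any block that violates
the condition until it holds; the lumped generator is then read off directly.
"""


def two_processor_ctmc(fail1, fail2, repair):
    """States (u1, u2) with u=1 working, u=0 failed. Each processor fails at its
    own rate and is repaired at rate `repair`, independently of the other."""
    Q = {}
    for u1 in (1, 0):
        for u2 in (1, 0):
            out = {}
            out[(1 - u1, u2)] = fail1 if u1 else repair
            out[(u1, 1 - u2)] = fail2 if u2 else repair
            Q[(u1, u2)] = out
    return Q


def rate_into(Q, i, block):
    """Total rate from state i into the set of states `block` (rounded so that
    equal rates compare equal after floating-point summation)."""
    return round(sum(r for j, r in Q[i].items() if j in block), 12)


def ordinary_lumping(Q, initial_partition):
    """Refine `initial_partition` until it is ordinarily lumpable.
    Returns (blocks, lumped) with blocks as frozensets of states and
    lumped[B][C] = rate from any state of B into block C (C != B)."""
    blocks = [frozenset(b) for b in initial_partition]
    while True:
        refined = []
        for B in blocks:
            # signature of a state: its rates into every *other* current block;
            # rates between states inside B do not matter for ordinary lumping
            groups = {}
            for i in sorted(B):
                sig = tuple(rate_into(Q, i, C) for C in blocks if C != B)
                groups.setdefault(sig, set()).add(i)
            refined.extend(frozenset(g) for g in groups.values())
        if len(refined) == len(blocks):
            break                      # no block was split: condition holds
        blocks = refined
    lumped = {}
    for B in blocks:
        rep = next(iter(B))            # any state of B has the same block rates
        lumped[B] = {C: rate_into(Q, rep, C) for C in blocks if C != B}
    return blocks, lumped


if __name__ == "__main__":
    by_working = [[(1, 1)], [(1, 0), (0, 1)], [(0, 0)]]
    for rates in ((0.1, 0.1, 2.0), (0.1, 0.3, 2.0)):
        blocks, lumped = ordinary_lumping(two_processor_ctmc(*rates), by_working)
        print(rates, "->", len(blocks), "lumped states")
        for B, row in lumped.items():
            print("  ", sorted(B), {tuple(sorted(C)): r for C, r in row.items()})
```

With equal failure rates the middle block {(1,0), (0,1)} survives and the lumped chain is the familiar birth-death process with rates 2λ, λ downward and μ, 2μ upward; with unequal rates the two one-failure states have different rates into {(0,0)} and are split, leaving the original four states. The refinement terminates because every pass that changes anything strictly increases the block count, which is bounded by the number of states.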