Learning stochastic timed automata from sample executions
André de Matos Pedro¹, Paul Andrew Crocker² and Simão Melo de Sousa³*

¹ University of Minho, Braga, Portugal, pg15753@alunos.uminho.pt
² IT - Instituto de Telecomunicações, University of Beira Interior, Covilhã, Portugal, crocker@ubi.pt
³ LIACC - Laboratório de Inteligência Artificial e Ciência de Computadores, University of Beira Interior, Covilhã, Portugal, desousa@ubi.pt

Abstract. Generalized semi-Markov processes are an important class of stochastic systems which are generated by stochastic timed automata. In this paper we present a novel methodology to learn this type of stochastic timed automata from sample executions of a stochastic discrete event system. Apart from its theoretical interest for the machine learning area, our algorithm can be used for quantitative analysis and verification in the context of model checking. We demonstrate that the proposed learning algorithm, in the limit, correctly identifies the generalized semi-Markov process given a structurally complete sample. This paper also presents a Matlab toolbox for our algorithm and a case study of the analysis for a multi-processor system scheduler with uncertainty in task duration.

1 Introduction

Stochastic processes are commonly used as an approach to describe and make a quantitative evaluation of more abstract models which may be described by a high-level specification. When a model is evaluated we can use it for the design phase and subsequently make an implementation. However, even if a model is validated this does not imply that the implementation is in conformity with the model. This is normally due to bugs in the implementation, wrong interpretation of the model, or possibly, wrong approximations in the construction of the stochastic model. Unfortunately, techniques for discovering these errors, such as testing, are unlikely to be sufficient due to the difficulty of achieving complete or total coverage.
This paper is concerned with how these models can be derived from sample executions provided by an implementation in order to verify them. There are several learning algorithms for learning probabilistic and stochastic languages [3,13,20], including a learning algorithm for continuous-time Markov processes (CTMP) [19], but there is no algorithm in the case of processes that do not hold the Markov property such as generalized semi-Markov processes (GSMP) [10]. Thus, the learning of stochastic timed automata covered in this paper falls in the category of language identification [2,17,1]. For most of the methods in this category, the identified stochastic languages are inferred from a set of sample executions, i.e., these samples are a particular multi-set of the original language to identify, and the inference has as target the identification of the language in the limit, i.e., if the number of samples tends towards infinity then the learned language will converge to the original language that generated the sample [11].

Learning of stochastic languages essentially follows a common method: firstly establishing an equivalence relation between the states, then constructing a prefix tree from samples provided by the original stochastic language, and lastly describing an algorithm for the merge of equivalent states, which is called state merge.

In this paper, we address the problem of learning generalized semi-Markov processes, which are the most extensive known stochastic processes when lifetimes can be governed by any continuous probability distribution [7]. Unlike in classical Markov processes, exponential probability distributions are not sufficient to model the lifetime of a product such as an electronic component [16] or even to model a computer process [12].

* This work was supported in part by the FCT CANTE project (Refª PTPC/EIA-CCO/101904/2008).
The use of generalized semi-Markov processes may cover a wider set of problems; however, they are more complex and analytically intractable.

1.1 Contribution of the paper

The learning algorithm we shall present infers a GSMP model from a given set of trajectories and therefore must be capable of inferring the model by running the deployed system in a test phase and of learning trajectories according to the observed distributions. The learned stochastic timed automaton that is generated by a GSMP is a model that can be used by existing statistical model-checkers [15,23,22,5] and by the existing performance evaluation tools for further analysis, thereby ultimately helping to find bugs in the post-implementation phase. A learning algorithm for GSMP may also potentially be used to perform automatic verification for stochastic discrete event systems. In addition, we also establish the correctness of our algorithm. We ensure that, in the limit, when the samples grow infinitely the learned model converges to the original model. Thus, a set of conditions like the definition of inclusion of a prefix tree in a GSMP have to be ensured, as well as the definition of the probability measure of paths.

1.2 Structure of the paper

In section 2 some preliminary definitions are given in order to establish the learning algorithm detailed in section 3. In section 4 we demonstrate the correctness of our algorithm. In section 5, the tool and a practical application are presented. In the final section 6 we give our conclusions and discuss directions for further work.

2 Preliminaries

In order to formulate the next notations we describe the concept of finite path that is established by a prefix, $\sigma_{\le\tau} = \{s_0, \langle e_1, t_1\rangle, s_1, \langle e_2, t_2\rangle, \dots, s_k, \langle e_{k+1}, t_{k+1}\rangle\}$, based on the infinite sequence $\sigma = \{s_0, \langle e_1, t_1\rangle, s_1, \langle e_2, t_2\rangle, \cdots\}$ of a GSMP, where $s_k$ is a state, $e_k$ is an event, $t_k$ is the holding time of the event $e_k$, and $\tau = \sum_{i=1}^{k+1} t_i$ is the path duration upon $k$.
A set of paths with prefix $p$ is denoted by $Path(p)$, where $p$ shall be $\sigma_{\le\tau}$. Some notation will now be introduced to describe the structure of the algorithm. The definitions are based on the symbol ('$\|$'), which denotes a path with respect to an element of a particular set (of states $\mathcal{X}$, of events $\mathcal{E}$ or of holding times $\mathcal{G}$), and on brackets ('[', ']'), which denote a sequential identification, as follows:

– $\sigma\|_{\mathcal{X}}[s, i]$ is the $i$th state of the state sequence that begins in state $s$,
– $\sigma\|_{\mathcal{E}}[s, i]$ is the $i$th event of the event sequence that begins in state $s$,
– $\sigma\|_{\mathcal{G}}[s, i]$ is the $i$th holding time of the event sequence ($\sigma\|_{\mathcal{E}}[s, i]$) that begins in state $s$,
– $\eta(\sigma\|_{\mathcal{E}}[s, i]) = \sigma\|_{\mathcal{X}}[s, i-1]$ is a function that returns the state associated to an event $e_i$,
– $\varepsilon(\sigma\|_{\mathcal{X}}[s, i]) = \sigma\|_{\mathcal{E}}[s, i+1]$ is a function that given a state of a path returns its associated event, and
– $\delta(\sigma\|_{\mathcal{E}}[s, i]) = \sigma\|_{\mathcal{G}}[s, i]$ is a function that given an event $\sigma\|_{\mathcal{E}}[s, i]$ returns its holding time $\sigma\|_{\mathcal{G}}[s, i]$.

A sequence of events $\langle e_1, e_2, e_3, \dots, e_k\rangle$ produced by the prefix tree that accepts the prefix $\sigma_{\le\tau}$ is denoted by $\sigma_{\le\tau}\|_{\mathcal{E}}$. A prefix tree (denoted $Pt$) that has an acceptor $Path(\sigma_{\le\tau})$ (a set of paths with prefix $\sigma_{\le\tau}$) is a tree $Pt(Path(\sigma_{\le\tau})) = (F, Q, \rho, \varrho, \delta)$ where

– $F$ is a set of leaf nodes of the prefix tree (i.e., $F = Path(\sigma_{\le\tau}\|_{\mathcal{E}})$),
– $Q$ is the set of nodes of the prefix tree composed by the sequence of events from $Path(\sigma_{\le\tau}\|_{\mathcal{E}})$ (i.e., $Q$ represents all accepted sequences in the prefix tree),
– $\rho : Q \to [0, 1]$ is the function that associates the expectation value to each node $n \in Q$,
– $\varrho : Q \to \mathbb{R}_{\ge 1} \times \dots \times \mathbb{R}_{\ge 1}$ is the function that associates each node with an n-tuple of clock values, and
– $\delta : Q \to Q \cup \bot$ is the transition function, which has the following definition: $\delta(s, \lambda) = s$, where $\lambda$ is the empty string and $s$ is the reference point (where all samples are measured); $\delta(s, e) = \bot$ if $\delta(s, e)$ is not defined; and $\delta(s, xe) = \delta(\delta(s, x), e)$, where $x \in Q$ and $e \in \mathcal{E}$, with $\delta(s, xe) = \bot$ if $\delta(s, x) = \bot$ or $\delta(\delta(s, x), e)$ is undefined.
A generalized semi-Markov process is a stochastic process $\{X(t)\}$ with state space $\mathcal{X}$, generated by a stochastic timed automaton (sta, for short), $sta = (\mathcal{X}, \mathcal{E}, \Gamma, p, p_0, G)$ where

– $\mathcal{X}$ is a finite state space,
– $\mathcal{E}$ is a finite event set,
– $\Gamma(x)$ is a set of feasible or enabled events, defined for every $x \in \mathcal{X}$, with $\Gamma(x) \subseteq \mathcal{E}$,
– $p(x'; x, e')$ is a state transition probability ($x'$ to $x$ given event $e'$) defined for every $x, x' \in \mathcal{X}$ and $e' \in \mathcal{E}$ such that $\forall e' \notin \Gamma(x),\ p(x'; x, e') = 0$,
– $p_0(x)$ is the probability mass function (pmf) $Pr[X_0 = x]$, $x \in \mathcal{X}$, of the initial state $X_0$, and finally
– $G = \{G_i : i \in \mathcal{E}\}$ is a stochastic clock structure where $G_i$ is a cumulative distribution function (cdf) for each event $i \in \mathcal{E}$.

The probability measure $\mu$ for a cylinder set composed by a prefix $\sigma_{\le\tau}$, $C(\sigma_{\le\tau}, \langle E_k, Y_k^*\rangle, X_k, \dots, X_{n-1}, \langle E_n, Y_n^*\rangle, X_n)$, according to [23], can be defined recursively as

$$\mu(C(\sigma_{\le\tau}, \langle E_k, Y_k^*\rangle, X_k, \dots, \langle E_n, Y_n^*\rangle, X_n)) = P_e(s'; \sigma_{\le\tau}) \cdot H_e(t; \cdot, \sigma_{\le\tau}) \cdot \mu(C(\sigma_{\le\tau} \oplus (\langle e, t\rangle, s'), \langle E_{k+1}, Y_{k+1}^*\rangle, X_{k+1}, \dots, X_{n-1}, \langle E_n, Y_n^*\rangle, X_n))$$

where the recursive base case is $\mu(C(s_0, \langle E_1, Y_1^*\rangle, X_1, \dots, \langle E_n, Y_n^*\rangle, X_n)) = 1$, $P_e(s'; \sigma_{\le\tau})$ is the next-state probability transition matrix given an event $e$, and $H_e(t; \cdot, \sigma_{\le\tau})$ is the density function of triggering the event $e$ upon $t$ time units. The enabled events in a state race to trigger first; the event that triggers first causes a transition to a state $s' \in \mathcal{X}$ according to the next-state probability matrix for the triggering event. The GSMP is considered analytically intractable and the probability measure formulation is not at all intuitive.

3 Learning stochastic timed automata

We shall now present a novel algorithm for learning GSMP from sample executions (fully detailed in [6,7]), where the GSMP are processes generated by stochastic timed automata. In order to ensure the correctness of our algorithm, we define first an inclusion relation between the prefix tree and the sta.
Next, we define the similarity relation between the states, and lastly we describe the algorithm for the merge of compatible states, which is commonly called state merge.

3.1 The inclusion relation and the state relation

Before introducing the definitions (1) and (2), we need to define two auxiliary functions to simplify the notation of the relation between paths and the prefix tree, as follows:

– $\tau(s, x)$ gives the set of feasible events of a given event sequence $x$ from a prefix tree $Pt(Path(\sigma_{\le\tau}))$, $\{y \in \mathcal{E} \mid \delta(\delta(s, x), y) \ne \bot\}$; for instance, from a set of sequences $\{x\,a, x\,b, \dots\}$ we get $\{a, b, \dots\}$, and
– $\nu(\sigma\|_{\mathcal{X}}[s, i])$ maps a state $\sigma\|_{\mathcal{X}}[s, i]$ to $u$, where $u \in Q$ is a sequence of events accepted by the prefix tree $Pt(Path(\sigma_{\le\tau}))$.

One says that a prefix tree $Pt(Path(\sigma_{\le\tau}))$ is a particular case of a GSMP, or in other words a sta. However, only the relation between the data structures is ensured with this definition; we shall need to establish the correctness of the state merge algorithm as well (as we will see later).

Definition 1. The prefix tree $Pt(Path(\sigma_{\le\tau})) = (F, Q, \rho, \varrho, \delta)$, denoted $Ptsta$, for a set of multiple paths $Path(\sigma_{\le\tau})$ is a particular sta, $Ptsta(Path(\sigma_{\le\tau})) = (\mathcal{X}, \mathcal{E}, \Gamma, p, p_0, G)$ where $\mathcal{X} = Q$; $\mathcal{E}$ is the set of single and unique events in the $F$ set; $\Gamma(s_i) = \tau(s, \nu(s_i))$; $p(s'; s, e^*) = 1$ if $\delta(\nu(s), e^*) \ne \bot$ and $\nu(s') \ne \bot$, otherwise $p(s'; s, e^*) = 0$; $p_0(s) = 1$; and $G$ is a set of distributions estimated by sample clocks associated on each event, given by the function $\varrho$.

The $Ptsta(Path(\sigma_{\le\tau}))$ is a GSMP consistent with the sample in $Path(\sigma_{\le\tau})$. For all paths with prefix $\sigma_{\le\tau}$ there exists a corresponding execution in the GSMP that produces the same path.

Now, we introduce the notion of a stable equivalence relation that establishes the similarity between states. This relation, which is applied statistically, allows the creation of a more abstract model from a set of paths $Path(\sigma_{\le\tau})$.
The size of the model is reduced at each equivalence between states.

Definition 2. Let $M = (\mathcal{X}, \mathcal{E}, \Gamma, p, p_0, G)$ be a sta. A relation $R \subseteq \mathcal{X} \times \mathcal{X}$ is said to be a stable relation if and only if any $s, s'$ have the following three properties:

$$|\Gamma(s)| = |\Gamma(s')| \qquad (1)$$

there is a one to one correspondence $f$ between $\Gamma(s)$ and $\Gamma(s')$; if $\exists e \in \mathcal{E}$ and $\exists n \in \mathcal{X}$ such that $p(n; s, e) > 0$, then $\exists n' \in \mathcal{X}$ such that

$$p(n'; s', f(e)) > 0,\quad G(s, e) \sim G(s', f(e)),\quad \text{and } (n, n') \in R \qquad (2)$$

and if $\exists e \in \mathcal{E}$ and $\exists n, n' \in \mathcal{X}$ such that $n \ne n'$, $p(n; s, e) > 0$ and $p(n'; s, e) > 0$ then

$$p(n; s, e) \approx p(n; s', e) \text{ and } p(n'; s, e) \approx p(n'; s', e) \qquad (3)$$

where $|\Gamma(s)|$ is the number of active events in the state $s$, $p$ is a probabilistic transition function, $G$ is a probability distribution function, and the tilde ($\sim$) and double tilde ($\approx$) notations denote "with same distribution" and "with same probability" respectively. Two states $s$ and $s'$ of $M$ are said to be equivalent, $s \equiv s'$, if and only if there is a stable relation $R$ such that $(s, s') \in R$.

A concrete example is now described for the application of the definition (2). For instance, suppose that we have $|\Gamma(s)| = |\Gamma(s')| = 2$, $\Gamma(s) = \{a, b\}$, and $\Gamma(s') = \{c, d\}$. The equation (1) is trivially satisfied, i.e., the feasible event sets have the same size. However, the equations (2) and (3) are not trivially satisfied.
To be satisfied we need to conclude that $G(s, a) \sim G(s', c)$ and $G(s, b) \sim G(s', d)$, or $G(s, a) \sim G(s', d)$ and $G(s, b) \sim G(s', c)$ is true; if $G(s, a) \sim G(s, b)$, $G(s, a) \sim G(s', c)$ or $G(s, a) \sim G(s', d)$ then $p(n; s, a) \approx p(n'; s', b)$, $p(n; s, a) \approx p(n'; s', c)$, $p(n'''; s, a) \approx p(n'''; s', d)$ respectively, otherwise a test for two Bernoulli distributions $p$ is not necessary [3]; and all states reachable by $s$ and all states reachable by $s'$ must also form a stable relation, i.e., the next states of $(s, s')$ also have to satisfy these three properties.⁴

⁴ In the definition (2) the real event identifiers are not necessary but we need to know that the sets of feasible events have associated for each event the same distribution.

3.2 Testing statistically the similarity of states

The similarity test follows the same scheme as the algorithms RPNI [17] and ALERGIA [3], except that: the compatible function incorporates a different statistical test structure, there is an estimator for unknown new clocks, and there is an event distribution estimator.

    Algorithm 1: Testing statistically the similarity of states (T3S)
    input : A set of paths with prefix σ≤τ, Path(σ≤τ), and a type I error α between [0; 1].
    output: A sta M.
    M = Ptsta(scheduler_estimator(Path(σ≤τ), Pt(Path(σ≤τ))));
    attempt ← 1;
    while attempt > 0 do
        attempt ← 0;
        C ← clusterize(M);
        for n ← 1 to |C| do
            for k ← 1 to |C^n| do
                x ← k + 1;
                while C^{n,x} ≠ C^{n,|C^n|} do
                    if is_active(C^{n,x}) then
                        if similar(C^{n,k}, C^{n,x}, α) then
                            dmerge(M, C^{n,k}, C^{n,x}, ·, ·);
                            inactivate(C^{n,x});
                            attempt ← attempt + 1;    // See definition (1)
                    x ← x + 1;
    M = infer_distributions(M);

The algorithm 1 together with the auxiliary functions scheduler_estimator, similar, and infer_distributions establishes a new methodology to learn GSMP, which are processes that hold a semi-Markov property. We call the presented solution model identification in the limit.
The algorithm 1 has notations associated to the ordered set of clusters and also between these cluster elements, as follows:

– the set of $n$ ordered clusters $C$, classified by events, are denoted by $C^n$, and
– $C^{n,k}$ is the $k$th element of cluster $C^n$, for each $1 \le n \le |C|$ and $1 \le k \le |C^n|$.

The clustering function clusterize produces groups of elements $C$ with a selection based on the feasible event set $\tau(s_{.})$ for each state $s_{.}$ of $M$, where $M$ at the first attempt is equal to $Ptsta(Pt(Path(\sigma_{\le\tau})))$. The is_active and inactivate functions ensure that only the prefix tree nodes that were not merged are used, and the function similar tests the similarity between two feasible event sets $\tau(C^{n,k})$ and $\tau(C^{n,x})$.

The testing statistically the similarity of states (T3S) algorithm is subdivided in three blocks. The first block is composed by a clusterize function that clusters the states with an equal active event set (the function $\tau$). The clusterize function establishes a plain static equivalence between states; nevertheless, we need to establish a while cycle with attempt > 0 to cover the other cases, such as when dmerge changes the clock samples of the similar states. With this clusterize function we guarantee equation 1, which says that only states with event sets of the same size can be merged. In the second block we use the similar function to test when two states are similar. This function is defined as similar and it uses the Kolmogorov-Smirnov test [8, p. 552] to decide if two empirical probability distributions are equal. It verifies whether there exists a one to one correspondence of events between two active event sets through a statistical equivalence. If there is a correspondence for all events of an active event set, the equation 2 is satisfied. Lastly, the algorithm 1 merges the equal states by the function composed by equation 7.
It initializes the construction of the sta. This function, defined according to the equation 7, solves the problem of non-deterministic merge of states when two states have the same set of events.

    Function scheduler_estimator(Path(σ≤τ), Pt(Path(σ≤τ)))
    input : A Path(σ≤τ) with initial state s, and a Pt(Path(σ≤τ)).
    output: The Pt(Path(σ≤τ)) with replaced old clocks by original values of clocks.
    for n ← 1 to |Path(σ≤τ)| do
        for l ← 2 to |σ^n| do
            for x ← 0 to l − 1 do
                // Decrement p
                p ← l − x;
                if σ^n‖E[s, l] ∉ τ(ν(σ^n‖X[s, p])) and |τ(ν(σ^n‖X[s, p]))| ≤ 1 and σ^n‖E[s, p] = σ^n‖E[s, l] then
                    break;
            if p > 1 then
                p ← p + 1;
            if σ^n‖X[s, p] ≠ σ^n‖X[s, l] then
                Val ← 0;
                for t ← p to l do
                    // Estimating
                    Val ← Val + σ^n‖G[s, t];
                    if σ^n‖X[s, t] = σ^n‖X[s, l] then
                        break;
                replace(Pt(Path(σ≤τ)), ν(σ^n‖X[s, l]), Val);

Inferring the state age structure. The considered stochastic process, the GSMP, requires a state age memory [4,10]. This state age structure, normally identified as a scheduler, allows the use of different continuous distributions for each inter-event time, i.e., the inter-event times between events of a GSMP are not equal. This is not true in CTMP, where all inter-event times follow an exponential distribution. The scheduling of events is a data structure that allows the calculation of the next event to be triggered.

We introduce the notion of scheduler estimation in order to calculate the history of clock values for each event. Thus, we reconstruct values sampled from new clocks to estimate the event distributions of the model that produces those executions. For instance, suppose that we have two events $a$ and $b$ that can be triggered in a state $s_0$, where $s_0$ is the initial state of the model, and there are two random variables $X_a \sim E(0.2)$ and $X_b \sim W(1, 0.1)$ associated to each event. The events $a$ and $b$ begin labeled as new clock and therefore two samples are given by the random variables, respectively, $X_a$ and $X_b$.
Given the samples $x_a = 1.2$ and $x_b = 0.5$ from their respective distributions, the event $b$ wins. Next, the clock value of event $b$ is subtracted from that of event $a$, which is stored with value $1.2 - 0.5 = 0.7$, and a new clock is sampled for $b$. Then, the event $a$ wins with value 0.7 versus the event $b$ with new clock 1.4. Therefore we can calculate the original value of the event $a$ from the produced sample execution $\{s_0, (b, 0.5), s_1, (a, 0.7), \cdot\}$ by adding the inter-event times between $a$ and $b$, $0.5 + 0.7 = 1.2$. So, we can say that the value sampled in state $s_0$ for the event $a$ has the value 1.2, which is true. Although this scheme can be extended recursively to any finite sample execution, we need to clearly identify the new and old clocks for any path. In order to check the definition (2), only the new clock samples are suitable to predict the distributions associated to each event $i$. The estimation process happens essentially due to the existence of the map function $\nu$ (defined in 3.1).

The function scheduler_estimator has a particular notation of order in a set of paths $Path(\sigma_{\le\tau})$ with prefix $\sigma_{\le\tau}$ that is described as follows: $\sigma^n$ is the $n$th path of $Path(\sigma_{\le\tau})$, where $0 < n \le |Path(\sigma_{\le\tau})|$, and $\sigma^{n,l}$ is the $l$th piecewise of path $n$, where $0 < l \le |\sigma^n|$, where the symbols ('|') denote the size of the variable that is between these symbols.

We explain in the following how the function scheduler_estimator estimates original sample clock values. First, the algorithm begins by traversing each path of the sample executions set in a bottom-up order to know if the current event can be triggered by a clock with a label "new clock" or an "old clock". In this step, we know that an old clock is valid when the successor nodes have this event activated; otherwise it is an "inactive clock". The algorithm goes to the predecessor node of the current node recursively, always in one sample execution, until we have found a possible inactive clock. When an inactive clock is found for the current event, in state $s_{.}$, this implies that this event $e$ cannot be in $\tau(s_{.})$, which is an active event set for a state $s_{.}$. Therefore, even in the worst case, the first state ($s_0$) of the sample execution can always be found. Given this element we can reconstruct the original clock value by the sum of the values between the found state ($s_{.}$ or $s_0$) and the current state. Lastly, we replace the old clock value by the estimated original clock value.

Establish the similarity test of states. The similarity between two active event sets $\Gamma_1$ and $\Gamma_2$ within the type I error $\alpha$ is solved by the function similar. Thus, the Kolmogorov-Smirnov test (K-S test) [8, p. 552] is applied to test if two distributions are or are not the same (i.e., to compare two empirical cumulative distribution functions). Let $\{X_n\}_{n\ge1}$ and $\{Y_n\}_{n\ge1}$ be two independent sequences of independent real random variables with common distribution functions, respectively $F_1$ and $F_2$. The K-S test allows testing two hypotheses,

$$H_0 : F_1(x) = F_2(x), \text{ for all } x \in \mathbb{R} \quad\text{against}\quad H_1 : F_1(x) \ne F_2(x), \text{ for some } x \in \mathbb{R} \qquad (4)$$

using the test statistic,

$$T_{n_1,n_2} = \sqrt{\frac{n_1 n_2}{n_1 + n_2}}\ \sup_{x\in\mathbb{R}} |F_{n_1}(x) - F_{n_2}(x)| \qquad (5)$$

where $F_{n_1}$ and $F_{n_2}$ denote respectively the empirical distribution functions associated to the samples $(X_1, \dots, X_{n_1})$ and $(Y_1, \dots, Y_{n_2})$. The random variable $T_{n_1,n_2}$ converges to the Kolmogorov distribution, whose values are tabled in [8, p. 555]. For a significance level $\alpha$ we reject $H_0$ when the observed value $\hat{T}_{n_1,n_2}$ of the test statistic for the particular samples $(x_1, \dots, x_{n_1})$ and $(y_1, \dots, y_{n_2})$ exceeds the value $K_\alpha$, with $G(k_\alpha) = 1 - \alpha$. The two empirical cumulative distributions $F_{n_1}$ and $F_{n_2}$ are estimated using the function $T$. This function estimates the distribution from a set of sample clocks and is defined as follows:

$$T_n(x) = \frac{\#\,\text{clock values of } z_1, z_2, \dots, z_n \text{ that are} \le x}{N} \qquad (6)$$

where $x$ is the threshold of the cumulative function, and $z_i$ for all events $i \in D$ and $D \subseteq \mathcal{E}$ are the sample clock values.
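The clock reconstruction of the worked example and the two-sample comparison of equation (5) can be run end to end. The following is an added example, not the paper's or the toolbox's code: the one-state model with events a and b, its distribution parameters, and the closed-form approximation of $K_\alpha$ (first term of the Kolmogorov series, used instead of the tables in [8]) are assumptions made here.

```python
import math
import random

# Constructed model (assumption): a single state in which events a and b are
# always enabled; each firing event immediately samples a new clock.
CLOCKS = {
    "a": lambda rng: rng.expovariate(1.0),
    "b": lambda rng: rng.weibullvariate(2.0, 3.0),  # scale 2, shape 3
}

def simulate(rng, steps):
    """Return a path as a list of (enabled set, fired event, holding time)."""
    clocks = {e: draw(rng) for e, draw in CLOCKS.items()}
    path = []
    for _ in range(steps):
        event = min(clocks, key=clocks.get)       # the enabled events race
        t = clocks[event]
        path.append((frozenset(CLOCKS), event, t))
        for e in clocks:                          # the other clocks become old
            clocks[e] -= t
        clocks[event] = CLOCKS[event](rng)        # new clock for the winner
    return path

def original_clocks(path):
    """Rebuild, for each step, the clock value originally sampled for the
    event that fired: sum holding times back to the point where that clock
    was new (event not enabled before, or it fired in the previous step)."""
    out = []
    for l, (_, event, _) in enumerate(path):
        value, p = 0.0, l
        while True:
            value += path[p][2]
            if p == 0:
                break
            prev_enabled, prev_event, _ = path[p - 1]
            if event not in prev_enabled or prev_event == event:
                break
            p -= 1
        out.append((l, event, value))
    return out

def ks_statistic(xs, ys):
    """Equation (5): sqrt(n1*n2/(n1+n2)) * sup_x |F_n1(x) - F_n2(x)|."""
    xs, ys = sorted(xs), sorted(ys)
    n1, n2 = len(xs), len(ys)
    i = j = 0
    d = 0.0
    while i < n1 and j < n2:
        x = min(xs[i], ys[j])
        while i < n1 and xs[i] <= x:
            i += 1
        while j < n2 and ys[j] <= x:
            j += 1
        d = max(d, abs(i / n1 - j / n2))
    return math.sqrt(n1 * n2 / (n1 + n2)) * d

def k_alpha(alpha):
    """Approximate critical value: solve 2*exp(-2*k^2) = alpha for k."""
    return math.sqrt(-0.5 * math.log(alpha / 2.0))

def same_distribution(xs, ys, alpha=0.05):
    """True when H0 of equation (4) is not rejected at level alpha."""
    return ks_statistic(xs, ys) <= k_alpha(alpha)

def demo(seed=7, steps=6000, event="b"):
    """K-S statistic of reconstructed and of raw holding times of `event`
    against fresh samples drawn from its true clock distribution."""
    path = simulate(random.Random(seed), steps)
    recon = [v for _, e, v in original_clocks(path) if e == event]
    raw = [t for _, e, t in path if e == event]
    ref_rng = random.Random(seed + 1)
    ref = [CLOCKS[event](ref_rng) for _ in recon]
    return {"reconstructed": ks_statistic(recon, ref),
            "raw": ks_statistic(raw, ref)}

if __name__ == "__main__":
    # The paper's sample execution {s0, (b, 0.5), s1, (a, 0.7)}.
    worked = [(frozenset("ab"), "b", 0.5), (frozenset("ab"), "a", 0.7)]
    print(original_clocks(worked))
    print(demo(), "K_0.05 =", round(k_alpha(0.05), 3))
```

The raw holding times of b are old-clock remainders and are rejected against the true distribution, which is why only reconstructed new-clock samples are fed to the similarity test.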
    Function similar(s′, s″, α)
    input : Two states s1 and s2, and a type I error α.
    output: Boolean, true if it is similar, or otherwise false.
    Γ1 ← τ(s1); Γ2 ← τ(s2);
    if |Γ1| ≠ |Γ2| then return false;
    for each e1 in Γ1 do
        while |Γ2| > 0 do
            e2 ← get(Γ2);
            F_{n1} = T(ϱ(s1 e1)); F_{n2} = T(ϱ(s2 e2));
            if sqrt(n1 n2 / (n1 + n2)) · sup_x |F_{n1}(x) − F_{n2}(x)| > K_α then
                if similar(δ(s1 e1), δ(s2 e2), α) ≠ true then return false;
                continue;
            put(Γ2, e2);
    for each e1, e2 in Γ1 such that s1 e1 ∼ s1 e2 do
        if |ϱ(s1 e1) − ϱ(s1 e2)| > sqrt(½ log(2/α)) · (1/√n1 + 1/√n2) then
            return false;
    if |Γ2| < 1 then return true;
    else return false;

The function similar begins by comparing two feasible event sets $\Gamma_1$ and $\Gamma_2$. The comparison is made by establishing a one to one relation between events in the feasible sets. If the relationship between events is complete then the states are similar, and so it allows equation 2 to be checked. Another particularity in this algorithm is when two events have the same 'id' in the feasible event set, for two states respectively. This indicates that the event is triggered as $e$ but there are different probabilities in the transition probability matrix. To solve this, we construct a hypothesis test for two Bernoulli distributions using Hoeffding bounds [3] in order to know if the occurrence probabilities are the same (i.e., satisfy equation 3). This method is similar to the one described in [13]. The method checks if the means $\varrho(s_1 e_1)$ and $\varrho(s_1 e_2)$ of two Bernoulli distributions are statistically different or not.

The deterministic merge function. The existence of equal feasible event sets ($\Gamma(s) = \Gamma(s')$) creates a non-deterministic choice when merged. This problem can be solved by applying a deterministic merge function, as follows:

$$\text{While } \exists s, x \in Q \text{ and } \exists e \in \mathcal{E} \text{ such that } s', s'' \in \sigma(s, x\,e),\ merge(s', s'') \qquad (7)$$

The merge shall be made recursively until no more non-deterministic event transitions occur. In the T3S algorithm this is named the dmerge function.
We describe with a brief example the application of the equation 7. Let there be two non-deterministic transitions from $s_1$ and $s_2$ labeled with the same event $e$, $\tau(s, x\,\nu(s')) = \{e\}$ and $\tau(s, x\,\nu(s'')) = \{e\}$ respectively. Supposing that we merge $s'$ in $s''$, we get a new non-deterministic choice between $s_1$ and $s'_1$ until the end of the paths. Therefore, we need to apply the merge recursively until there are only deterministic choices.

Inferring event distributions using maximum likelihood. And now, to conclude the learning method, we need to introduce the concept of distribution discriminant and its selection criteria. Given a prefix tree with all the similar states merged, we need to estimate the parameters of each empirical distribution of each event that best fits the sample data.

    Function infer_distributions(M)
    input : A deterministic sta M.
    output: A deterministic sta M with associated random variables and those distributions.
    for each n in Q such that removed[n] = 0 do
        for each e in τ(s, n) do
            G_e ← ∫_0^∞ arg max_{f_d ∈ D} {ln [L_d(ϱ[n e])]};

For this, the maximum likelihood estimator (MLE) and selection criteria, such as maximum log likelihood, are needed [9]. In order to test the validity of the selection model, a goodness of fit test could be applied (e.g., $\chi^2$). We present the function infer_distributions, which estimates the distribution parameters using the maximum likelihood estimator (MLE) for continuous distributions such as Exponential, Weibull and Log-Normal. However, there are other continuous distributions, such as Rayleigh and Normal (with non negative part), that we have not described in detail in this paper, but that can be applied in this estimator.

The log likelihood $L_d$ of a distribution $f_d$ is defined by

$$\ln [L_d(\theta \mid x_1, \dots, x_n)] = \sum_{i=0}^{n} \ln [f_d(x_i \mid \theta)] \qquad (8)$$

where $\theta$ is the set of parameters for a distribution $f_d$, and $x_1, \dots, x_n$ are samples to be measured.
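The estimation step can be sketched for the three named families as follows. This is an added example, not the toolbox's implementation: the function names, the bisection solver for the Weibull shape, and the constructed samples are assumptions made here.

```python
import math
import random

def fit_exponential(xs):
    """Closed-form MLE of the rate; returns (parameters, log likelihood)."""
    n, total = len(xs), sum(xs)
    rate = n / total
    return {"rate": rate}, n * math.log(rate) - rate * total

def fit_lognormal(xs):
    """Closed-form MLE: mean and (1/n) variance of the log samples."""
    n = len(xs)
    logs = [math.log(x) for x in xs]
    mu = sum(logs) / n
    var = sum((v - mu) ** 2 for v in logs) / n
    loglik = -sum(logs) - 0.5 * n * math.log(2 * math.pi * var) - 0.5 * n
    return {"mu": mu, "sigma": math.sqrt(var)}, loglik

def fit_weibull(xs):
    """MLE of shape k by bisection on the score equation
    sum(x^k ln x)/sum(x^k) - 1/k - mean(ln x) = 0, then the scale in closed
    form. Samples are divided by their maximum so x^k cannot overflow."""
    n, top = len(xs), max(xs)
    ys = [x / top for x in xs]
    logs = [math.log(y) for y in ys]
    mean_log = sum(logs) / n

    def score(k):
        w = [y ** k for y in ys]
        return sum(a * b for a, b in zip(w, logs)) / sum(w) - 1.0 / k - mean_log

    lo, hi = 0.01, 100.0               # score is increasing in k on this range
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if score(mid) < 0:
            lo = mid
        else:
            hi = mid
    k = 0.5 * (lo + hi)
    scale = top * (sum(y ** k for y in ys) / n) ** (1.0 / k)
    sum_log_x = sum(logs) + n * math.log(top)
    # At the MLE, sum((x/scale)^k) equals n, hence the trailing "- n".
    loglik = n * math.log(k) - n * k * math.log(scale) + (k - 1) * sum_log_x - n
    return {"shape": k, "scale": scale}, loglik

FITTERS = {"exponential": fit_exponential, "weibull": fit_weibull,
           "lognormal": fit_lognormal}

def select_distribution(xs):
    """Fit every family in D and keep the one with the largest log likelihood."""
    if len(xs) < 2 or min(xs) <= 0:
        raise ValueError("need at least two strictly positive clock samples")
    fits = {name: fit(xs) for name, fit in FITTERS.items()}
    best = max(fits, key=lambda name: fits[name][1])
    return best, fits

def constructed_sample(kind, n, seed):
    """Constructed clock samples for the demonstration (not measured data)."""
    rng = random.Random(seed)
    draw = {"exponential": lambda: rng.expovariate(1.0),
            "weibull": lambda: rng.weibullvariate(2.0, 3.0),
            "lognormal": lambda: rng.lognormvariate(0.0, 0.5)}[kind]
    return [draw() for _ in range(n)]

if __name__ == "__main__":
    for kind in ("exponential", "weibull", "lognormal"):
        best, fits = select_distribution(constructed_sample(kind, 5000, 1))
        print(kind, "->", best, fits[best][0])
```

Because the exponential is the Weibull with shape 1, the fitted Weibull log likelihood is never below the exponential one, so on exponential samples a plain maximum log likelihood comparison returns a Weibull with shape close to 1.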
The MLE of $f_d$ is composed by the maximization of the likelihood function $L_d$ with respect to the set of parameters $\theta$, which are the parameters used in the following criterion. The maximum log likelihood criterion selects the model that best fits the data from the different estimations of distributions with maximum likelihood [9]. This selection criterion is defined by the maximum value of the calculated log likelihood, i.e.,

$$\ln [L_{d_m}] > \max \{\forall d \in D \text{ s.t. } d \ne d_m \text{ then } \ln [L_d]\} \qquad (9)$$

where $D$ is a set of distributions in analysis, and $\ln [L_d]$ is the log likelihood of distribution $d$. The distribution with maximum likelihood is denoted by $d_m \in D$. So, we need two or more distributions to make a decision. Note that the distributions of set $D$ are distributions with a parameter or a set of parameters estimated by using the MLE method. By this means we estimate the distribution that, in the limit, is most similar to the distribution that produced the samples to learn.

4 Model identification in the limit

The correctness argument for the proposed learning algorithm can be defined in terms of correct model identification. For such, we need to show that the produced GSMP is similar to the model that was used to generate the samples. There are therefore three conditions or clauses for correct model identification:

1. the prefix tree constructed by sample executions provided by a GSMP, $Pt(Path(\sigma_{\le\tau}))$, is also a GSMP.
2. the sample executions to learn have the minimal information necessary to form the model.
3. the $Pt(Path(\sigma_{\le\tau}))$ with state merge, in the limit, converges to one similar model that identifies $Path(\sigma_{\le\tau})$.

Since the definition 1 is correct by construction and assuming a structurally complete sample, the correctness of the learning algorithm depends essentially on the correctness of the state merge procedure. From definition 1 the first clause is ensured and therefore only the other two clauses need to be guaranteed.
For the second clause, we need to ensure that the sample executions to learn form a structurally complete sample (SCS). This is known as the problem of insufficient training data, and when this occurs it is obviously impossible to learn the model that produces an incomplete set of sample executions. For the third clause, we need to ensure that, in the limit, the error of merging two non equivalent states tends to zero. Note that the error of merging two non equivalent states is guaranteed by the K-S test. With these three clauses satisfied, we can prove that the model that is learned by the algorithm, in the limit, behaves as the original.

Ensuring a structurally complete sample. Commonly used methods to achieve a structurally complete sample, like reachability analysis, are not enough when the model is not known. In this case acquiring a SCS is a big challenge. The selection of a termination probability for a sample execution can be used as a method to achieve a SCS in known and unknown models. However, the probability measure of a path from an unknown model is not trivially assured.

A SCS is a sample composed by a set of paths that explores every possible transition and every reachable state. This structure solves a common problem known as insufficient training data to learn a model, i.e., only with paths of infinite size can one guarantee that for any model, the learned model eventually converges to an equivalent one. With a SCS, we ensure that the minimum information needed to learn a model from sample executions is achieved. In order to ensure that a set of paths relies on a SCS, we introduce a termination probability $p_t$ as a solution. The simulation technique is described as follows: 1) simulate the SDES $M$, 2) terminate when the probability measure of a path $\sigma_{\le\tau}$ of execution is less than $p_t$, i.e., $\mu(C(\sigma_{\le\tau}, \langle E_k, Y_k^*\rangle, X_k, \dots, \langle E_n, Y_n^*\rangle, X_n)) < p_t$, and 3) apply recursively the steps 1 and 2 to generate more sample executions.
We simply note that the solution method based on termination probability has weaker correctness guarantees than reachability analysis. It also places a greater responsibility on the user, who has to choose a good value for $p_t$. The automatic achievement of $p_t$ is not trivial.

The state merge error, in the limit, converges to zero. Assuming that the first two correctness clauses are satisfied, the learning algorithm can only make errors when testing the similarity between two states. In addition, the errors α and β between two event distributions of the K-S test are defined as follows:
- α is the type I error of H0 being rejected, where in fact H0 should not be rejected, and
- β is the type II error of H1 being accepted, where in fact H1 should be rejected.

Hence this means that the state merge errors $\alpha_s$ and $\beta_s$ are defined by the multiplication of the errors made in the comparison of each event distribution, $\alpha_s = \prod_{i=1}^{k} \alpha_i$ and $\beta_s = \prod_{i=1}^{k} \beta_i$, where k is the number of similar events. Moreover, the model errors $\alpha^*$ and $\beta^*$ are equal to the multiplication of the errors $\alpha_s$ and $\beta_s$ used for each state merged, $\alpha^* = \prod_{i=1}^{n} \alpha_s[i]$ and $\beta^* = \prod_{i=1}^{n} \beta_s[i]$, where n is the number of merged states. We present, in the following, two propositions about the bounds of the type II error.

Proposition 1. Suppose the Kolmogorov-Smirnov test for two samples with size $n_1$ and $n_2$ respectively, and a significance level α. For sufficiently large samples, i.e., when $n_1 \to \infty$ and $n_2 \to \infty$, β tends to zero.

In the following we present a sketch of the proof. The proof of this proposition is based on the following facts: by the theorem of Glivenko-Cantelli, when H0 is true and $n_1$ and $n_2$ tend to infinity, $\sup_{x \in \mathbb{R}} |F_{n_1}(x) - F_{n_2}(x)|$ converges certainly to zero. So, from the uniqueness of the limit, when H0 is true and $n_1 \to \infty$, $n_2 \to \infty$, we have that $\sqrt{\frac{n_1 n_2}{n_1 + n_2}} \, \sup_{x \in \mathbb{R}} |F_{n_1}(x) - F_{n_2}(x)|$ tends certainly to $+\infty$. Therefore, in the validity of H1, the probability of rejecting H0 tends to 1, which was to be demonstrated.

It is known that the convergence of the K-S test is exponential [24]. Moreover, the reader can find a detailed account of β error boundaries and correctness arguments as presented here in [14].

Proposition 2. If the type II error β, in the limit, for the K-S test converges to zero, a multiplication of the type II error $\prod_{i=1}^{k} \beta_i$, in the limit, also tends to zero.

This proposition is trivially satisfied. Given the limit law of multiplication, we know that $\lim_{x \to a} f(x) \cdot g(x) = \lim_{x \to a} f(x) \cdot \lim_{x \to a} g(x)$. Then, because $f(x) = g(x)$, the limit is maintained.

5 Tool and proof of concept

The implementation of the learning algorithm is the basis of the SDES toolbox, which allows the learning and analysis of a set of case studies, such as: task schedulers, land mobile satellite communication systems, and network traffic model estimation. In order to illustrate the learning process, we use as an example a scheduler for a multi-processor system and show how the proposed method can learn a model that can be used for further analysis.

SDES Toolbox. We have developed a SDES toolbox (available from http://desframework.sourceforge.net/) in C and C++ language that implements the presented learning approach. The toolbox was developed to analyze and learn generalized semi-Markov processes. It also supports the model description by an event-driven language that can be directly used as the input model language to a GSMP model checker [21].

[Figure: state diagram of the scheduler model, with three init transitions of probability 1/3 leaving the start state; plots "Convergence analysis" (number of states against number of samples) and "Performance analysis" (time (s) against number of samples).]
Fig. 1.
Learning GSMP of a multi-processor system scheduler with uncertainty

Stochastic analysis of a scheduler for a multi-processor system. An optimal scheduler design for a multi-processor system with uncertainty in task duration is difficult to achieve and a significant challenge [18]. In figure 1, we present the model from which it is possible to derive, statistically, answers about the worst case sequence and the optimal case sequence of a two-processor scheduler system. In this system there are two processors that can run two tasks at the same time. Supposing that there are three tasks {a, b, c}, only two tasks can be run at the same time and the other one only when one of the tasks is finished. The model of this system has eleven states which describe the state of the two processors and tasks at any given time. The scheduler can initially make three choices, (a, b), (a, c), or (b, c). The event init of the model, representing these choices, is: p([, ab, c]; [, , abc], init) = 1/3, p([, ac, b]; [, , abc], init) = 1/3, and p([, bc, a]; [, , abc], init) = 1/3 respectively. These choices bind the time (i.e., worst and optimal) of the execution for these three tasks.

If we have a scheduler that is completely random (i.e., the events {ab, ac, bc} are equiprobable) then we select the path with maximum probability, which means that it is the better sequence. Thus, if we have a scheduler that begins with the optimal tasks then we will have an optimal scheduler for these tasks. However, we need to distinguish two situations, as follows: if only exponential distributions are used then the choice is easy, the rate of the distribution identifies the order (the lower expected value is the more probable), but if on the other hand we have different continuous distributions then the ordering selection is not so trivial. This will be the case for this example that our method will solve.
Namely using the distributions init: $T_{init} \sim \text{Exponential}(1)$, a: $T_a \sim \text{Weibull}(0.1, 1)$, b: $T_b \sim \text{Exponential}(0.4)$, and c: $T_c \sim \text{Log-Normal}(0, 0.25)$, respectively. Given the sample executions that form a SCS, we have compared the performance and convergence of our algorithm given an increasing number of sample executions, see figure 1. We can see in the convergence graph that for one thousand sample executions, the model converges into a model with the same number of states. According to the correctness of our learning algorithm, we have guaranteed that if the number of samples grows infinitely then the model converges to the original model. Notice that in fact in this example we verify that the model learnt by our algorithm with approximately nine hundred sample executions has the same event language as the original model. This experiment was made on a machine with an Intel Core 2 Duo CPU T7500 @ 2.2GHz processor with 4Gb of memory.

An interesting point in this model is that the path with the greatest probability to occur is the optimal case execution and the path with the lowest probability is the worst case execution, when we have a random scheduler.

6 Conclusion and Future Work

To the best of our knowledge, this is the first learning algorithm that is able to cope with GSMP learning of deployed stochastic discrete event systems for which we do not know the model beforehand. The learning algorithm can be used to verify the deployed systems using existing probabilistic model-checking tools. We also have developed a toolbox for Matlab that applies the techniques described in this paper. We have shown with our experiment that this type of model is really capable and scalable. We can use it not only for the analysis of a computer system but also to verify or test it. However, one of the limitations of our work is that it may not scale up for systems having large stochastic timed automata.
Development of techniques that allow the approximate verification while the model is learned may be the solution.

Acknowledgments

We would like to thank Ana Paula Martins for the very constructive discussions about the statistical properties of the proposed T3S algorithm.

References

1. Benedikt Bollig, Peter Habermehl, Carsten Kern, and Martin Leucker. Angluin-style learning of nfa. In Proceedings of the 21st international joint conference on Artificial intelligence, IJCAI'09, pages 1004–1009, San Francisco, CA, USA, 2009. Morgan Kaufmann Publishers Inc.
2. Benedikt Bollig, Joost-Pieter Katoen, Carsten Kern, Martin Leucker, Daniel Neider, and David R. Piegdon. libalf: The automata learning framework. In CAV, pages 360–364, 2010.
3. Rafael C. Carrasco and Jose Oncina. Learning deterministic regular grammars from stochastic samples in polynomial time. RAIRO (Theoretical Informatics and Applications), 33:1–20, 1999.
4. Christos G. Cassandras and Stephane Lafortune. Introduction to Discrete Event Systems. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006.
5. Alexandre David, Kim G. Larsen, Axel Legay, Marius Mikucionis, and Zheng Wang. Time for statistical model checking of real-time systems. In CAV, pages 349–355, 2011.
6. André de Matos Pedro. Learning and testing stochastic discrete event systems. Master's thesis, Universidade do Minho, Portugal, December 2011.
7. André de Matos Pedro and Simão Melo de Sousa. Learning generalized semi-markov processes: From stochastic discrete event systems to testing and verification. Technical Report DCC-2012-01, Department of Computer Science, University of Porto.
8. Morris H. DeGroot. Probability and Statistics. Addison Wesley, 2nd edition, 1989.
9. Arabin Kumar Dey and Debasis Kundu. Discriminating among the log-normal, weibull, and generalized exponential distributions. IEEE Transactions on Reliability, 58(3):416–424, 2009.
10. P. W. Glynn. A gsmp formalism for discrete event systems. Proceedings of The IEEE, 77:14–23, 1989.
11. E. Mark Gold. Language identification in the limit. Information and Control, 10(5):447–474, 1967.
12. Mor Harchol-Balter and Allen B. Downey. Exploiting process lifetime distributions for dynamic load balancing. ACM Trans. Comput. Syst., 15:253–285, August 1997.
13. Christopher Kermorvant and Pierre Dupont. Stochastic grammatical inference with multinomial tests. In Proceedings of the 6th International Colloquium on Grammatical Inference: Algorithms and Applications, ICGI '02, pages 149–160, London, UK, 2002. Springer-Verlag.
14. Jerome Klotz. Asymptotic efficiency of the two sample Kolmogorov-Smirnov test. Journal of the American Statistical Association, 62(319):932–938, 1967.
15. Axel Legay, Benoît Delahaye, and Saddek Bensalem. Statistical model checking: An overview. In RV, pages 122–135, 2010.
16. Ming-Wei Lu and Cheng Julius Wang. Weibull data analysis with few or no failures. In Hoang Pham, editor, Recent Advances in Reliability and Quality in Design, pages 201–210. Springer London, 2008.
17. Rajesh Parekh and Vasant Honavar. Learning dfa from simple examples. Machine Learning, 44(1/2):9–35, 2001.
18. Michael L. Pinedo. Scheduling: Theory, Algorithms, and Systems. Springer Publishing Company, Incorporated, 3rd edition, 2008.
19. Koushik Sen, Mahesh Viswanathan, and Gul Agha. Learning continuous time markov chains from sample executions. In Proceedings of the Quantitative Evaluation of Systems, First International Conference, pages 146–155, Washington, DC, USA, 2004. IEEE Computer Society.
20. Wei Wei, Bing Wang, and Don Towsley. Continuous-time hidden Markov models for network performance evaluation. Perform. Eval., 49:129–146, September 2002.
21. Håkan L. S. Younes. Ymer: A statistical model checker. In CAV, pages 429–433, 2005.
22. Håkan L. S. Younes, Edmund M. Clarke, and Paolo Zuliani. Statistical verification of probabilistic properties with unbounded until. In SBMF, pages 144–160, 2010.
23. Hakan Lorens Samir Younes. Verification and planning for stochastic processes with asynchronous events. PhD thesis, Pittsburgh, PA, USA, 2004.
24. C. S. Yu. Pitman efficiencies of Kolmogorov-Smirnov test. The Annals of Mathematical Statistics, 42(5):1595–1605, 1971.
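
Added example (not part of the paper or of the SDES toolbox): a standard-library sketch of the two-sample K-S decision behind the state merge test, used to measure empirically how the type II error of Proposition 1 shrinks as the sample sizes grow, with the case study's events b and c as the two truly different distributions. The function names, the seeded trial counts, and the reading of 0.4 as a rate and 0.25 as the log-scale sigma are assumptions made for this illustration.

```python
import math
import random

def ks_statistic(xs, ys):
    """Two-sample K-S statistic D = sup_x |F_n1(x) - F_n2(x)|."""
    xs, ys = sorted(xs), sorted(ys)
    i = j = 0
    d = 0.0
    while i < len(xs) and j < len(ys):
        v = min(xs[i], ys[j])
        while i < len(xs) and xs[i] == v:   # step both ECDFs past v
            i += 1
        while j < len(ys) and ys[j] == v:
            j += 1
        d = max(d, abs(i / len(xs) - j / len(ys)))
    return d

def ks_reject(xs, ys, alpha=0.05):
    """Reject H0 when sqrt(n1*n2/(n1+n2)) * D exceeds the asymptotic c(alpha)."""
    n1, n2 = len(xs), len(ys)
    c_alpha = math.sqrt(-0.5 * math.log(alpha / 2))
    return math.sqrt(n1 * n2 / (n1 + n2)) * ks_statistic(xs, ys) > c_alpha

# Samplers for events b and c of the case study. Assumption: 0.4 is a rate and
# 0.25 is the log-scale sigma; the paper does not state its parameterization.
def draw_b(rng, n):
    return [rng.expovariate(0.4) for _ in range(n)]

def draw_c(rng, n):
    return [rng.lognormvariate(0.0, 0.25) for _ in range(n)]

def error_rate(draw_x, draw_y, n, want_reject, trials=200, seed=1):
    """Fraction of seeded trials in which the test returns the wrong verdict."""
    rng = random.Random(seed)
    wrong = sum(ks_reject(draw_x(rng, n), draw_y(rng, n)) != want_reject
                for _ in range(trials))
    return wrong / trials

def type2_curve(sizes=(10, 50, 200)):
    """Empirical beta when comparing b against c (truly different)."""
    return [error_rate(draw_b, draw_c, n, True) for n in sizes]

if __name__ == "__main__":
    print("beta by sample size:", type2_curve())
    print("alpha, b vs. b, n=200:", error_rate(draw_b, draw_b, 200, False))
```

The same `error_rate` call with identical samplers on both sides estimates the type I error, which stays near the chosen significance level instead of shrinking with the sample size.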