contribution to the analysis of discrete event...
TRANSCRIPT
June 6th 2017 – Habilitation Defense
Contribution to the analysisof Discrete Event SystemsHerve MarchandInria Rennes - Bretagne Atlantique
Habilitation defense - June 6th 2017
Formal Analysis of Discrete Event Systems
Control command systems and software are pervasive
More and more complex to design, program and operate safety critical systems w.r.t. devices, people (transportation,
surgery), environment Increase of security/privacy aspects
⇒ Need formal methods to ensure the reliability of such systems
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 2/ 29
Formal Analysis of Discrete Event Systems
Control command systems and software are pervasive
More and more complex to design, program and operate safety critical systems w.r.t. devices, people (transportation,
surgery), environment Increase of security/privacy aspects
⇒ Need formal methods to ensure the reliability of such systems
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 2/ 29
Formal Analysis of Discrete Event Systems
Control command systems and software are pervasive
More and more complex to design, program and operate safety critical systems w.r.t. devices, people (transportation,
surgery), environment Increase of security/privacy aspects
⇒ Need formal methods to ensure the reliability of such systems
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 2/ 29
Formal Analysis of Discrete Event Systems
Model Checking: verifying that a mathematical model of the systemsatisfies its specification
Model G
Property Φ
@Model Checker G |= Φ? YesNo: counter-example
Model-Based Test generation: synthesis of a set of test cases from amodel of the system
Controller Synthesis: enforcing a property Φ on the system (onwhich Φ does not hold) by means of a controller
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 3/ 29
Formal Analysis of Discrete Event Systems
Model Checking: verifying that a mathematical model of the systemsatisfies its specification
Model-Based Test generation: synthesis of a set of test cases from amodel of the system
Model G @Test. Gen. TC
@Tester
Imp I
I ∼ G? −→ YesNo
? Observation
Controller Synthesis: enforcing a property Φ on the system (onwhich Φ does not hold) by means of a controller
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 3/ 29
Formal Analysis of Discrete Event Systems
Model Checking: verifying that a mathematical model of the systemsatisfies its specification
Model-Based Test generation: synthesis of a set of test cases from amodel of the system
Diagnosis: synthesis of a diagnoser which has the ability to detect afault in a system based on the observation
Model G
Fault Φ
Diagnoser@DS
Imp I
Observation
Yes: a fault occurred in INo: no fault occurred in I
=
Controller Synthesis: enforcing a property Φ on the system (onwhich Φ does not hold) by means of a controller
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 3/ 29
Formal Analysis of Discrete Event Systems
Model Checking: verifying that a mathematical model of the systemsatisfies its specification
Model-Based Test generation: synthesis of a set of test cases from amodel of the system
Diagnosis: synthesis of a diagnoser which has the ability to detect afault in a system based on the observation
Controller Synthesis: enforcing a property Φ on the system (onwhich Φ does not hold) by means of a controller
Model G
Property Φ
@DCS
Imp I
Controller C
C‖I |= ΦObs. Decision
=
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 3/ 29
Formal Analysis of Discrete Event Systems
Model Checking: verifying that a mathematical model of the systemsatisfies its specification
Model-Based Test generation: synthesis of a set of test cases from amodel of the system
Diagnosis: synthesis of a diagnoser which has the ability to detect afault in a system based on the observation
Controller Synthesis: enforcing a property Φ on the system (onwhich Φ does not hold) by means of a controller
Enforcement correcting possibly incorrect output sequences of asystem
Imp IDelay Suppr.
Φ
enforcementMechanism E E (σ) |= Φ
σ
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 3/ 29
Contribution to Formal Analysis of Discrete Event Systems Model-Based Test generation: synthesis of a set of test cases for a
system modelled by symbolic transition system using abstractinterpretation technique [IEEE-TSE’07]
Diagnosis:• Unification of various notions of diagnosability [Wodes06,Ifac08]• Diagnosis of transient faults [Wodes16]• Diagnosis of infinite systems [DEDS13a,DEDS15]
Controller Synthesis:• Control of concurrent & distributed systems
B. Gaudin & G. Kalyon’s PhD Thesis• Control of symbolic transition system within the synchronous
paradigm N. Berthier & G. Delaval’s Postdoc• Decentralized or hierarchical control of DES [EJC04,IFAC17]
Enforcement of real-time properties modeled by Timed AutomataS. Pinisetty’s PhD Thesis
Formal analysis of security properties: J. Dubreil’s PhD Thesis
• Integrity, availability and confidentiality• Use of various formal methods
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 4/ 29
Contribution to Formal Analysis of Discrete Event Systems Model-Based Test generation: synthesis of a set of test cases for a
system modelled by symbolic transition system using abstractinterpretation technique [IEEE-TSE’07]
Diagnosis:• Unification of various notions of diagnosability [Wodes06,Ifac08]• Diagnosis of transient faults [Wodes16]• Diagnosis of infinite systems [DEDS13a,DEDS15]
Controller Synthesis:• Control of concurrent & distributed systems
B. Gaudin & G. Kalyon’s PhD Thesis• Control of symbolic transition system within the synchronous
paradigm N. Berthier & G. Delaval’s Postdoc• Decentralized or hierarchical control of DES [EJC04,IFAC17]
Enforcement of real-time properties modeled by Timed AutomataS. Pinisetty’s PhD Thesis
Formal analysis of security properties: J. Dubreil’s PhD Thesis
• Integrity, availability and confidentiality• Use of various formal methodsContribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 4/ 29
Contribution to Formal Analysis of Discrete Event Systems
Model-Based Test generation Diagnosis Controller Synthesis Enforcement Formal analysis of security properties
Common features in a nut-shell:• Model-based approach (system & properties)• Synthesis of components• Partial observation• Model-checking techniques
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 5/ 29
Contribution to Formal Analysis of Discrete Event Systems
Model-Based Test generation Diagnosis Controller Synthesis Enforcement Formal analysis of security properties
Common features in a nut-shell:• Model-based approach (system & properties)• Synthesis of components• Partial observation• Model-checking techniques
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 5/ 29
Contribution to Formal Analysis of Discrete Event Systems
Model-Based Test generation
Model-Based Test generation Diagnosis Controller Synthesis Enforcement Formal analysis of security properties
Common features in a nut-shell:• Model-based approach (system & properties)• Synthesis of components• Partial observation• Model-checking techniques
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 5/ 29
Outline
Model & Notations Diagnosis of Discrete Event Systems
• Diagnosis of general fault patterns• Diagnosis of transient faults
Controller Synthesis• Control of concurrent systems
- Synchronous communication
• Control of distributed systems- Asynchronous communication
Formal analysis of security properties• Focus on confidentiality properties• Use of diagnosis and control
techniques Conclusion & General Perspectives
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 6/ 29
Outline
Model & Notations Diagnosis of Discrete Event Systems
• Diagnosis of general fault patterns• Diagnosis of transient faults
Controller Synthesis• Control of concurrent systems
- Synchronous communication
• Control of distributed systems- Asynchronous communication
Formal analysis of security properties• Focus on confidentiality properties• Use of diagnosis and control
techniques Conclusion & General Perspectives
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 6/ 29
Outline
Model & Notations Diagnosis of Discrete Event Systems
• Diagnosis of general fault patterns• Diagnosis of transient faults
Controller Synthesis• Control of concurrent systems
- Synchronous communication
• Control of distributed systems- Asynchronous communication
Formal analysis of security properties• Focus on confidentiality properties• Use of diagnosis and control
techniques
Conclusion & General Perspectives
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 6/ 29
Outline
Model & Notations Diagnosis of Discrete Event Systems
• Diagnosis of general fault patterns• Diagnosis of transient faults
Controller Synthesis• Control of concurrent systems
- Synchronous communication
• Control of distributed systems- Asynchronous communication
Formal analysis of security properties• Focus on confidentiality properties• Use of diagnosis and control
techniques Conclusion & General Perspectives
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 6/ 29
Model & Notations System modelled by LTS G = (Q,Σ,→, q0,QF )
• QF ⊆ Q: set of marked states• Σ : set of actions
Σ = Σo ∪ Σuo : observable& unobservable actions
0 1 2 3
4 5 6 7
b
af
b a
a,b
ab
ab
a,b
Behaviours• L(G) = f , fa, fab, a, ab, aba, · · · : language of the system• LQF (G) = fab, ab, fabab, · · · : marked language
Partial observation :• Πo : Σ∗ → Σo natural projection Πo(fab) = ab• Lo(G) = Πo(L(G)): observable trajectories• Π−1
o : Σ∗o → 2Σ∗ inverse projection Π−1o (ab) = fab, ab
• ε-closure: εo(G) & determinization: Deto(G)
0 1 2 3
5 6 7b
a
a
b a a,b
b
a
b a,b
0 1, 5 2, 6 7
3, 5 3, 6 3, 73b
a b
a
b b
b
a
a
a,b
a,b a,b
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 7/ 29
Model & Notations System modelled by LTS G = (Q,Σ,→, q0,QF )
• QF ⊆ Q: set of marked states• Σ : set of actions
Σ = Σo ∪ Σuo : observable& unobservable actions
0 1 2 3
4 5 6 7
b
af
b a
a,b
ab
ab
a,b
Behaviours• L(G) = f , fa, fab, a, ab, aba, · · · : language of the system• LQF (G) = fab, ab, fabab, · · · : marked language
Partial observation :• Πo : Σ∗ → Σo natural projection Πo(fab) = ab• Lo(G) = Πo(L(G)): observable trajectories• Π−1
o : Σ∗o → 2Σ∗ inverse projection Π−1o (ab) = fab, ab
• ε-closure: εo(G) & determinization: Deto(G)
0 1 2 3
5 6 7b
a
a
b a a,b
b
a
b a,b
0 1, 5 2, 6 7
3, 5 3, 6 3, 73b
a b
a
b b
b
a
a
a,b
a,b a,b
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 7/ 29
Model & Notations System modelled by LTS G = (Q,Σ,→, q0,QF )
• QF ⊆ Q: set of marked states• Σ = Σo ∪ Σuo : observable
& unobservable actions 0 1 2 3
4 5 6 7
b
af
b a
a,b
ab
ab
a,b
Behaviours• L(G) = f , fa, fab, a, ab, aba, · · · : language of the system• LQF (G) = fab, ab, fabab, · · · : marked language
Partial observation :• Πo : Σ∗ → Σo natural projection Πo(fab) = ab• Lo(G) = Πo(L(G)): observable trajectories• Π−1
o : Σ∗o → 2Σ∗ inverse projection Π−1o (ab) = fab, ab
• ε-closure: εo(G) & determinization: Deto(G)
0 1 2 3
5 6 7b
a
a
b a a,b
b
a
b a,b
0 1, 5 2, 6 7
3, 5 3, 6 3, 73b
a b
a
b b
b
a
a
a,b
a,b a,b
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 7/ 29
Model & Notations System modelled by LTS G = (Q,Σ,→, q0,QF )
• QF ⊆ Q: set of marked states• Σ = Σo ∪ Σuo : observable
& unobservable actions 0 1 2 3
4 5 6 7
b
af
b a
a,b
ab
ab
a,b
Behaviours• L(G) = f , fa, fab, a, ab, aba, · · · : language of the system• LQF (G) = fab, ab, fabab, · · · : marked language
Partial observation :• Πo : Σ∗ → Σo natural projection Πo(fab) = ab• Lo(G) = Πo(L(G)): observable trajectories• Π−1
o : Σ∗o → 2Σ∗ inverse projection Π−1o (ab) = fab, ab
• ε-closure: εo(G) & determinization: Deto(G)
0 1 2 3
5 6 7b
a
a
b a a,b
b
a
b a,b
0 1, 5 2, 6 7
3, 5 3, 6 3, 73b
a b
a
b b
b
a
a
a,b
a,b a,b
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 7/ 29
Diagnosis Overview
System G Diagnoser DΣo On-line diagnosis Problem:
• Model of the system G• Partial observation of the system through Σo
Diagnosability: Ability to detect every fault on the basis of the observed trace
Various kind of faults• faulty events, [SSL+95]• faulty states [Lin94]• n occurrences of a fault, 2 different faults occurred, etc...
⇒ Needs for an unification of the notions of diagnosis
Our approachIntroduction of general Fault Patterns [Wodes06]
FNf
ΣΣ \ f N F1 Ff
r
fΣ \ f , r Σ
Σ \ f , r
N,N
F1,N
N,F2
F1,F2f1
f2
f2
f1 Σ
Σ \ f1, f2Σ \ f1
Σ \ f2
[SSL+95] M. Sampath, R. Sengupta, S. Lafortune, K. Sinaamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEETransactions on Automatic Control, 40(9):1555-1575, 1995.[Lin94] F. Lin, Diagnosability of discrete event systems and its applications. Discrete Event Dyn Syst 4: 197, 1994
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 8/ 29
Diagnosis Overview
System G Diagnoser DΣo On-line diagnosis Problem:
• Model of the system G• Partial observation of the system through Σo
Diagnosability: Ability to detect every fault on the basis of the observed trace
Various kind of faults• faulty events, [SSL+95]• faulty states [Lin94]• n occurrences of a fault, 2 different faults occurred, etc...
⇒ Needs for an unification of the notions of diagnosis
Our approachIntroduction of general Fault Patterns [Wodes06]
FNf
ΣΣ \ f N F1 Ff
r
fΣ \ f , r Σ
Σ \ f , r
N,N
F1,N
N,F2
F1,F2f1
f2
f2
f1 Σ
Σ \ f1, f2Σ \ f1
Σ \ f2
[SSL+95] M. Sampath, R. Sengupta, S. Lafortune, K. Sinaamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEETransactions on Automatic Control, 40(9):1555-1575, 1995.[Lin94] F. Lin, Diagnosability of discrete event systems and its applications. Discrete Event Dyn Syst 4: 197, 1994
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 8/ 29
Diagnosis Overview
System G Diagnoser DΣo On-line diagnosis Problem:
• Model of the system G• Partial observation of the system through Σo
Diagnosability: Ability to detect every fault on the basis of the observed trace
Various kind of faults• faulty events, [SSL+95]• faulty states [Lin94]• n occurrences of a fault, 2 different faults occurred, etc...
⇒ Needs for an unification of the notions of diagnosis
Our approachIntroduction of general Fault Patterns [Wodes06]
FNf
ΣΣ \ f N F1 Ff
r
fΣ \ f , r Σ
Σ \ f , r
N,N
F1,N
N,F2
F1,F2f1
f2
f2
f1 Σ
Σ \ f1, f2Σ \ f1
Σ \ f2
[SSL+95] M. Sampath, R. Sengupta, S. Lafortune, K. Sinaamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEETransactions on Automatic Control, 40(9):1555-1575, 1995.[Lin94] F. Lin, Diagnosability of discrete event systems and its applications. Discrete Event Dyn Syst 4: 197, 1994
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 8/ 29
Diagnosis Overview
System G Diagnoser DΣo On-line diagnosis Problem:
• Model of the system G• Partial observation of the system through Σo
Diagnosability: Ability to detect every fault on the basis of the observed trace
Various kind of faults• faulty events, [SSL+95]• faulty states [Lin94]• n occurrences of a fault, 2 different faults occurred, etc...
⇒ Needs for an unification of the notions of diagnosis
Our approachIntroduction of general Fault Patterns [Wodes06]
FNf
ΣΣ \ f N F1 Ff
r
fΣ \ f , r Σ
Σ \ f , r
N,N
F1,N
N,F2
F1,F2f1
f2
f2
f1 Σ
Σ \ f1, f2Σ \ f1
Σ \ f2
[SSL+95] M. Sampath, R. Sengupta, S. Lafortune, K. Sinaamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEETransactions on Automatic Control, 40(9):1555-1575, 1995.[Lin94] F. Lin, Diagnosability of discrete event systems and its applications. Discrete Event Dyn Syst 4: 197, 1994
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 8/ 29
Diagnosis of permament faults System G with Σ = Σuo ∪ Σo and a fault pattern Ω (LΩ)
q0 q1 q2 q3
a
a a
a b
f FNf
ΣΣ \ f
Diagnoser: ∆ : Lo(G)→ N,F ,U where
∆(w) =
F iff a fault occured after wN iff no fault occured after wU otherwise
L(G)
Lo(G)
LΩ
w
Πo Π−1o
Π−o 1(w) Π−o 1(w)Π−o 1(w)
⇒ derived from Deto(G‖Ω)
G‖Ω q0 q1 q2 q3f
a
a a
ba
q0 q0, q2 q0, q2, q3 q3a a b
a b
⇒ Boundedness of the detection delay?
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 9/ 29
Diagnosis of permament faults System G with Σ = Σuo ∪ Σo and a fault pattern Ω (LΩ)
q0 q1 q2 q3
a
a a
a b
f FNf
ΣΣ \ f
Diagnoser: ∆ : Lo(G)→ N,F ,U where
∆(w) =
F iff a fault occured after wN iff no fault occured after wU otherwise
L(G)
Lo(G)
LΩ
w
Πo Π−1o
Π−o 1(w) Π−o 1(w)Π−o 1(w)
⇒ derived from Deto(G‖Ω)
G‖Ω q0 q1 q2 q3f
a
a a
ba
q0 q0, q2 q0, q2, q3 q3a a b
a b
⇒ Boundedness of the detection delay?
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 9/ 29
Diagnosis of permament faults System G with Σ = Σuo ∪ Σo and a fault pattern Ω (LΩ)
q0 q1 q2 q3
a
a a
a b
f FNf
ΣΣ \ f
Diagnoser: ∆ : Lo(G)→ N,F ,U where
∆(w) =
F iff a fault occured after w
N iff no fault occured after wU otherwise
L(G)
Lo(G)
LΩ
w
Πo Π−1o
Π−o 1(w)
Π−o 1(w)Π−o 1(w)
⇒ derived from Deto(G‖Ω)
G‖Ω q0 q1 q2 q3f
a
a a
ba
q0 q0, q2 q0, q2, q3 q3a a b
a b
⇒ Boundedness of the detection delay?
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 9/ 29
Diagnosis of permament faults System G with Σ = Σuo ∪ Σo and a fault pattern Ω (LΩ)
q0 q1 q2 q3
a
a a
a b
f FNf
ΣΣ \ f
Diagnoser: ∆ : Lo(G)→ N,F ,U where
∆(w) =
F iff a fault occured after wN iff no fault occured after w
U otherwise
L(G)
Lo(G)
LΩ
w
Πo Π−1o
Π−o 1(w)
Π−o 1(w)
Π−o 1(w)
⇒ derived from Deto(G‖Ω)
G‖Ω q0 q1 q2 q3f
a
a a
ba
q0 q0, q2 q0, q2, q3 q3a a b
a b
⇒ Boundedness of the detection delay?
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 9/ 29
Diagnosis of permament faults System G with Σ = Σuo ∪ Σo and a fault pattern Ω (LΩ)
q0 q1 q2 q3
a
a a
a b
f FNf
ΣΣ \ f
Diagnoser: ∆ : Lo(G)→ N,F ,U where
∆(w) =
F iff a fault occured after wN iff no fault occured after wU otherwise
L(G)
Lo(G)
LΩ
w
Πo Π−1o
Π−o 1(w) Π−o 1(w)
Π−o 1(w)
⇒ derived from Deto(G‖Ω)
G‖Ω q0 q1 q2 q3f
a
a a
ba
q0 q0, q2 q0, q2, q3 q3a a b
a b
⇒ Boundedness of the detection delay?
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 9/ 29
Diagnosis of permament faults System G with Σ = Σuo ∪ Σo and a fault pattern Ω (LΩ)
q0 q1 q2 q3
a
a a
a b
f FNf
ΣΣ \ f
Diagnoser: ∆ : Lo(G)→ N,F ,U where
∆(w) =
F iff a fault occured after wN iff no fault occured after wU otherwise
L(G)
Lo(G)
LΩ
w
Πo Π−1o
Π−o 1(w) Π−o 1(w)
Π−o 1(w)
⇒ derived from Deto(G‖Ω)
G‖Ω q0 q1 q2 q3f
a
a a
ba
q0 q0, q2 q0, q2, q3 q3a a b
a b
⇒ Boundedness of the detection delay?
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 9/ 29
Diagnosis of permament faults System G with Σ = Σuo ∪ Σo and a fault pattern Ω (LΩ)
q0 q1 q2 q3
a
a a
a b
f FNf
ΣΣ \ f
Diagnoser: ∆ : Lo(G)→ N,F ,U where
∆(w) =
F iff a fault occured after wN iff no fault occured after wU otherwise
L(G)
Lo(G)
LΩ
w
Πo Π−1o
Π−o 1(w) Π−o 1(w)
Π−o 1(w)
⇒ derived from Deto(G‖Ω)
G‖Ω q0 q1 q2 q3f
a
a a
ba
q0 q0, q2 q0, q2, q3 q3a a b
a b
⇒ Boundedness of the detection delay?Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 9/ 29
Diagnosis of permament faults
DiagnosabilityAbility to detect every fault pattern at most n observations after itsoccurrence
• Non-diagnosability: existence of two arbitrary long andobservationally equivalent sequences one faulty, the other non-faulty
• Test of diagnosability on the twin machine ε(GΩ)‖ε(GΩ)
q0
G‖Ω
q1 q2 q3f
a
a a
ba
q0, q0
q0, q2
q0, q3
q2, q3
q2, q2 q3, q3
q2, q0 q3, q0
q3, q2
aa
a
a
a
a
b
a
a a
a
aa
a
⇒ Non diagnosable if there exists a reachable ambiguous cycle Extension to the predictability of fault patterns [Ifac08]
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 10/ 29
Diagnosis of non-permanent faultsFaults might be repaired
Various notions of Diagnosability O-Diagnosability : a fault occurred in the system [CLT04] P-Diagnosability : the system has been faulty and is now faulty
[CLT04] [1..K]-Diagnosability : at least K faults occurred in the system.
[JKG03]
Our approachAbility to detect every occurrence of a fault before it is repaired and tocount the number of faults
DiagnoserSimilar to the one for permanent faults
[CLT04] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamic Systems: Theory andApplications, 14(2):171-202, 2004.[JKG03] S. Jiang, R. Kumar, and H.E. Garcia. Diagnosis of repeated/intermittent failures in discrete event systems. IEEE Transactions onRobotics and Automation, 19(2):310-323, Avril 2003.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 11/ 29
Diagnosis of non-permanent faultsFaults might be repaired
Various notions of Diagnosability O-Diagnosability : a fault occurred in the system [CLT04] P-Diagnosability : the system has been faulty and is now faulty
[CLT04] [1..K]-Diagnosability : at least K faults occurred in the system.
[JKG03]
Our approachAbility to detect every occurrence of a fault before it is repaired and tocount the number of faults
DiagnoserSimilar to the one for permanent faults
[CLT04] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamic Systems: Theory andApplications, 14(2):171-202, 2004.[JKG03] S. Jiang, R. Kumar, and H.E. Garcia. Diagnosis of repeated/intermittent failures in discrete event systems. IEEE Transactions onRobotics and Automation, 19(2):310-323, Avril 2003.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 11/ 29
Diagnosis of non-permanent faultsFaults might be repaired
Various notions of Diagnosability O-Diagnosability : a fault occurred in the system [CLT04] P-Diagnosability : the system has been faulty and is now faulty
[CLT04] [1..K]-Diagnosability : at least K faults occurred in the system.
[JKG03]
Our approachAbility to detect every occurrence of a fault before it is repaired and tocount the number of faults
DiagnoserSimilar to the one for permanent faults[CLT04] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamic Systems: Theory andApplications, 14(2):171-202, 2004.[JKG03] S. Jiang, R. Kumar, and H.E. Garcia. Diagnosis of repeated/intermittent failures in discrete event systems. IEEE Transactions onRobotics and Automation, 19(2):310-323, Avril 2003.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 11/ 29
T-diagnosability [Wodes16]
T-diagnosability w.r.t. FAbility to surely detect every fault before its repair in a bounded numberof observations on the basis of the observed trace
q0 q4 q5
q1 q2
q6 q7
q8
b
c
a
a
a
aa
d a
a
s1 s2 s3a a
a
s4 s5 s6a a
a
s7 s8 s9a a
a
s0
b
c
d Verification
• Twin-machine no more sufficient• Need to check G × Det(G)
TheoremDeciding whether G is T-diagnosable w.r.t. F is PSPACE-complete.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 12/ 29
T-diagnosability [Wodes16]
T-diagnosability w.r.t. FAbility to surely detect every fault before its repair in a bounded numberof observations on the basis of the observed trace
q0 q4 q5
q1 q2
q6 q7
q8
b
c
a
a
a
aa
d a
a
s1 s2 s3a a
a
s4 s5 s6a a
a
s7 s8 s9a a
a
s0
b
c
d Verification
• Twin-machine no more sufficient• Need to check G × Det(G)
TheoremDeciding whether G is T-diagnosable w.r.t. F is PSPACE-complete.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 12/ 29
T-diagnosability [Wodes16]
T-diagnosability w.r.t. FAbility to surely detect every fault before its repair in a bounded numberof observations on the basis of the observed trace
q0 q4 q5
q1 q2
q6 q7
q8
b
c
a
a
a
aa
d a
a s1 s2 s3a a
a
s4 s5 s6a a
a
s7 s8 s9a a
a
s0
b
c
d Verification
• Twin-machine no more sufficient
• Need to check G × Det(G)
TheoremDeciding whether G is T-diagnosable w.r.t. F is PSPACE-complete.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 12/ 29
T-diagnosability [Wodes16]
T-diagnosability w.r.t. FAbility to surely detect every fault before its repair in a bounded numberof observations on the basis of the observed trace
q0 q4 q5
q1 q2
q6 q7
q8
b
c
a
a
a
aa
d a
a s1 s2 s3a a
a
s4 s5 s6a a
a
s7 s8 s9a a
a
s0
b
c
d Verification
• Twin-machine no more sufficient• Need to check G × Det(G)
TheoremDeciding whether G is T-diagnosable w.r.t. F is PSPACE-complete.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 12/ 29
T-diagnosability & Counting
u1
u2
u3
⇒ Also need to detect all the repairs
PropositionIf G is T-Diagnosable w.r.t. F and T-Diagnosable w.r.t. N, then one canexactly count the number of faults that occurred in the system
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 13/ 29
T-diagnosability & Counting
u1
u2
u3
⇒ Also need to detect all the repairs
PropositionIf G is T-Diagnosable w.r.t. F and T-Diagnosable w.r.t. N, then one canexactly count the number of faults that occurred in the system
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 13/ 29
T-diagnosability & Counting
u1
u2
u3
⇒ Also need to detect all the repairs
PropositionIf G is T-Diagnosable w.r.t. F and T-Diagnosable w.r.t. N, then one canexactly count the number of faults that occurred in the system
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 13/ 29
Conclusion & Perspectives Summary
• General fault patterns for diagnosability and predictability• New framework for non-permanent faults
- Introduction of the notion of T-Diagnosability- Ability to count the number of faults- P-Diagnosability ([CLT04]) is also PSPACE-Complete
Perspectives• Active Diagnosis (on-going work with L. Helouet)⇒ Ability to perform tests allowing to partially disambiguate the set of
configurations with energy constraints• Modular systems G1‖G2
- Few results [CLT06], [YD10] (fault events local to a singlecomponent)
- General Fault Pattern?- Know-how of the modular control synthesis- Add communication between diagnosers
• Diagnosis of LTS handling data[CLT06] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosability of discrete event systems with modular structure. Discrete EventDynamic Systems, 16(1):9-37, 2006.[YD10] L. Ye and P, Dague. An optimized algorithm for diagnosability of component-based systems. In 10th IFAC WODES, pages143-148, Berlin, Germany, 2010.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 14/ 29
Outline
Model & Notations
Diagnosis of Discrete Event Systems• Diagnosis of general fault patterns• Diagnosis of transient faults
Model G
Fault Pattern Φ
Diagnoser
Imp I
Π
YesNo?
Assuming G ∼ I
Controller Synthesis• Control of concurrent systems
- Synchronous communication
• Control of distributed systems- Asynchronous communication
Formal analysis of security properties• Focus on confidentiality properties• Use of diagnosis and control
techniques Conclusion & General Perspectives
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 15/ 29
Overview & Problematic
C G
C(s)
s ∈ Σ∗
Controller Synthesis Problem [RW89]• model of the system G• a safety property K ⊆ Σ∗
• Σ = Σc ∪ Σuc (controllable & uncontrollable events)
Compute a maximal controller such that L(C/G) ⊆ K
Controllability [RW89]: K is controllable fora controller C is no uncontrollable action hasto be forbidden in L(G) to respect K. L(G)K
sσuc
σc
⇒ if K not controllable, existence of a maximal language :SupCK = L(C/G) = K \ [(L(G) \ K)/Σ∗uc ]Σ∗
Problematic:• Large systems are often composed of several subsystems
G = G1‖ · · · ‖Gn ⇒ State space explosion !
• Given a property K ⊆ Σ∗, how to compute a (set of) controller(s)ensuring K without building G.
[RW89] P.J. Ramadge andW.M.Wonham. The control of discrete event systems. Proceedings of the IEEE; Special issue on Dynamics ofDiscrete Event Systems, 77(1):81-98, 1989
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 16/ 29
Overview & Problematic
C G
C(s)
s ∈ Σ∗
Controller Synthesis Problem [RW89]• model of the system G• a safety property K ⊆ Σ∗
• Σ = Σc ∪ Σuc (controllable & uncontrollable events)
Compute a maximal controller such that L(C/G) ⊆ K
Controllability [RW89]: K is controllable fora controller C is no uncontrollable action hasto be forbidden in L(G) to respect K. L(G)K
sσuc
σc
⇒ if K not controllable, existence of a maximal language :SupCK = L(C/G) = K \ [(L(G) \ K)/Σ∗uc ]Σ∗
Problematic:• Large systems are often composed of several subsystems
G = G1‖ · · · ‖Gn ⇒ State space explosion !
• Given a property K ⊆ Σ∗, how to compute a (set of) controller(s)ensuring K without building G.
[RW89] P.J. Ramadge andW.M.Wonham. The control of discrete event systems. Proceedings of the IEEE; Special issue on Dynamics ofDiscrete Event Systems, 77(1):81-98, 1989
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 16/ 29
Overview & Problematic
C G
C(s)
s ∈ Σ∗
Controller Synthesis Problem [RW89]• model of the system G• a safety property K ⊆ Σ∗
• Σ = Σc ∪ Σuc (controllable & uncontrollable events)
Compute a maximal controller such that L(C/G) ⊆ K
Controllability [RW89]: K is controllable fora controller C is no uncontrollable action hasto be forbidden in L(G) to respect K. L(G)K
sσuc
σc
⇒ if K not controllable, existence of a maximal language :SupCK = L(C/G) = K \ [(L(G) \ K)/Σ∗uc ]Σ∗
Problematic:• Large systems are often composed of several subsystems
G = G1‖ · · · ‖Gn ⇒ State space explosion !
• Given a property K ⊆ Σ∗, how to compute a (set of) controller(s)ensuring K without building G.
[RW89] P.J. Ramadge andW.M.Wonham. The control of discrete event systems. Proceedings of the IEEE; Special issue on Dynamics ofDiscrete Event Systems, 77(1):81-98, 1989
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 16/ 29
Overview & Problematic
C G
C(s)
s ∈ Σ∗
Controller Synthesis Problem [RW89]• model of the system G• a safety property K ⊆ Σ∗
• Σ = Σc ∪ Σuc (controllable & uncontrollable events)
Compute a maximal controller such that L(C/G) ⊆ K
Controllability [RW89]: K is controllable fora controller C is no uncontrollable action hasto be forbidden in L(G) to respect K. L(G)K
sσuc
σc
⇒ if K not controllable, existence of a maximal language :SupCK = L(C/G) = K \ [(L(G) \ K)/Σ∗uc ]Σ∗
Problematic:• Large systems are often composed of several subsystems
G = G1‖ · · · ‖Gn ⇒ State space explosion !
• Given a property K ⊆ Σ∗, how to compute a (set of) controller(s)ensuring K without building G.
[RW89] P.J. Ramadge andW.M.Wonham. The control of discrete event systems. Proceedings of the IEEE; Special issue on Dynamics ofDiscrete Event Systems, 77(1):81-98, 1989
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 16/ 29
Control of concurrent systemsBenoit Gaudin’s PhD Thesis
G = G1‖ · · · ‖Gn with L(Gi ) ⊆ Σ∗i and a safety property K ⊆ Σ∗.• Σi = Σi,c ∪ Σi,uc• Σs : Shared events
Related work• WH91 : Separable specification• DC00 : Σs = ∅• RL03 : Identical components
C1 G1 G2 C2
C1(s)
s1 ∈ Σ∗1
C2(s)
s2 ∈ Σ∗2
G
Σs
Our approach [JDEDS07], [Automatica08]• Abstract systems Π−1
i (Gi ) = G−1i
• Ki = K ∩ L(G−1i )
Ci P−1i (Gi )
Ci (s)
s ∈ Σ∗
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
L(C1/G−11 ) ∩ L(C2/G−1
2 ) = L(C/G)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 17/ 29
Control of concurrent systemsBenoit Gaudin’s PhD Thesis
G = G1‖ · · · ‖Gn with L(Gi ) ⊆ Σ∗i and a safety property K ⊆ Σ∗.• Σi = Σi,c ∪ Σi,uc• Σs : Shared events
Related work• WH91 : Separable specification• DC00 : Σs = ∅• RL03 : Identical components
C1 G1 G2 C2
C1(s)
s1 ∈ Σ∗1
C2(s)
s2 ∈ Σ∗2
G
Σs
WH91 Y.Willner and M. Heymann. Supervisory control of concurrent DES. Int. Journal of Control, 54(5):1143-1169, 1991.DC00 M. H. De Queiroz and J. Cury. Modular control of composed systems. ACC , pages 4051- 4055 2000.RL03 K. Rohloff and S. Lafortune. The control and verification of similar agents operating in a broadcast network environment. In 42ndIEEE CDC, 2003.
Our approach [JDEDS07], [Automatica08]• Abstract systems Π−1
i (Gi ) = G−1i
• Ki = K ∩ L(G−1i )
Ci P−1i (Gi )
Ci (s)
s ∈ Σ∗
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
L(C1/G−11 ) ∩ L(C2/G
−12 ) = L(C/G)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 17/ 29
Control of concurrent systemsBenoit Gaudin’s PhD Thesis
G = G1‖ · · · ‖Gn with L(Gi ) ⊆ Σ∗i and a safety property K ⊆ Σ∗.• Σi = Σi,c ∪ Σi,uc• Σs : Shared events
Related work• WH91 : Separable specification• DC00 : Σs = ∅• RL03 : Identical components
C1 G1 G2 C2
C1(s)
s1 ∈ Σ∗1
C2(s)
s2 ∈ Σ∗2
G
Σs
Our approach [JDEDS07], [Automatica08]• Abstract systems Π−1
i (Gi ) = G−1i
• Ki = K ∩ L(G−1i )
Ci P−1i (Gi )
Ci (s)
s ∈ Σ∗
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
L(C1/G−11 ) ∩ L(C2/G−1
2 ) = L(C/G)Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 17/ 29
Control of concurrent systems (cont’d)
K′ ⊆ Ki is partially controllable w.r.t. Σi,uc ,Σuc , L(G−1i ) if
(i) K′ is controllable w.r.t Σi,uc and L(G−1i ).
(ii) K′ is controllable w.r.t Σuc and Ki . L(G−1i )Ki
K′ Σuc
Σi,uc
There exists a unique supremal sub-language of Kithat is partially controllable : SupPCi
Theorem⋂i≤n SupPCi is controllable w.r.t. Σuc and L(G)
L(Ci/G−1i ) = SupPCi
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
Maximality?
: Σs ⊆ Σc and (K ⊆ L(G) or K locally consistent)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 18/ 29
Control of concurrent systems (cont’d)
K′ ⊆ Ki is partially controllable w.r.t. Σi,uc ,Σuc , L(G−1i ) if
(i) K′ is controllable w.r.t Σi,uc and L(G−1i ).
(ii) K′ is controllable w.r.t Σuc and Ki . L(G−1i )Ki
K′ Σuc
Σi,uc
There exists a unique supremal sub-language of Kithat is partially controllable : SupPCi
Theorem⋂i≤n SupPCi is controllable w.r.t. Σuc and L(G)
L(Ci/G−1i ) = SupPCi
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
Maximality?
: Σs ⊆ Σc and (K ⊆ L(G) or K locally consistent)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 18/ 29
Control of concurrent systems (cont’d)
K′ ⊆ Ki is partially controllable w.r.t. Σi,uc ,Σuc , L(G−1i ) if
(i) K′ is controllable w.r.t Σi,uc and L(G−1i ).
(ii) K′ is controllable w.r.t Σuc and Ki . L(G−1i )Ki
K′ Σuc
Σi,uc
There exists a unique supremal sub-language of Kithat is partially controllable : SupPCi
Theorem⋂i≤n SupPCi is controllable w.r.t. Σuc and L(G)
L(Ci/G−1i ) = SupPCi
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
Maximality?
: Σs ⊆ Σc and (K ⊆ L(G) or K locally consistent)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 18/ 29
Control of concurrent systems (cont’d)
K′ ⊆ Ki is partially controllable w.r.t. Σi,uc ,Σuc , L(G−1i ) if
(i) K′ is controllable w.r.t Σi,uc and L(G−1i ).
(ii) K′ is controllable w.r.t Σuc and Ki . L(G−1i )Ki
K′ Σuc
Σi,uc
There exists a unique supremal sub-language of Kithat is partially controllable : SupPCi
Theorem⋂i≤n SupPCi is controllable w.r.t. Σuc and L(G)
L(Ci/G−1i ) = SupPCi
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
Maximality?
: Σs ⊆ Σc and (K ⊆ L(G) or K locally consistent)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 18/ 29
Control of concurrent systems (cont’d)
K′ ⊆ Ki is partially controllable w.r.t. Σi,uc ,Σuc , L(G−1i ) if
(i) K′ is controllable w.r.t Σi,uc and L(G−1i ).
(ii) K′ is controllable w.r.t Σuc and Ki . L(G−1i )Ki
K′ Σuc
Σi,uc
There exists a unique supremal sub-language of Kithat is partially controllable : SupPCi
Theorem⋂i≤n SupPCi is controllable w.r.t. Σuc and L(G)
L(Ci/G−1i ) = SupPCi
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
Maximality?
: Σs ⊆ Σc and (K ⊆ L(G) or K locally consistent)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 18/ 29
Control of concurrent systems (cont’d)
K′ ⊆ Ki is partially controllable w.r.t. Σi,uc ,Σuc , L(G−1i ) if
(i) K′ is controllable w.r.t Σi,uc and L(G−1i ).
(ii) K′ is controllable w.r.t Σuc and Ki . L(G−1i )Ki
K′ Σuc
Σi,uc
There exists a unique supremal sub-language of Kithat is partially controllable : SupPCi
Theorem⋂i≤n SupPCi is controllable w.r.t. Σuc and L(G)
L(Ci/G−1i ) = SupPCi
G1 G2
C2C1
∧
s ∈ Σ∗
C(s)
GC1(s) C2(s)
Maximality? : Σs ⊆ Σc and (K ⊆ L(G) or K locally consistent)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 18/ 29
Outline
Model & Notations
Diagnosis of Discrete Event Systems• Diagnosis of general fault patterns• Diagnosis of transient faults
Model G
Fault Pattern Φ
Diagnoser
Imp I
Π
YesNo?
Assuming G ∼ I
Controller Synthesis• Control of concurrent systems
- Synchronous communication
• Control of distributed systems- Asynchronous communication
Formal analysis of security properties• Focus on confidentiality properties• Use of diagnosis and control
techniques Conclusion & General Perspectives
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 19/ 29
Control of distributed systemsGabriel Kalyon’s PhD Thesis
[Forte11], [CDC’11], [IEEE-TAC’14]
Distributed control of distributed systems (Ti)i
Embedded systems, protocols Asynchronous communication CFSM = LTSs + FIFO channels
Q2,1
A0
2?a
A1
Aerror
A2
CFSM T1
1!c
2?b
2?a
4?d2?a
2?b
1!d
2?b
CFSM T2
B0
B1
B2
B3
1?c
2!a 3!d
CFSM T3
D0 D1
4!d
3?d
2!b
1?d
3!d
Q1,2
Q3,1
Q1,3
Q2,3
Q3,2
Q2,1
A0
2?a
A1
Aerror
A2
T1
1!c
2?b
2?a
4?d2?a
2?b
1!d
2?b T2
B0
B1
B2
B3
1?c
2!a 3!d
T3
D0 D1
4!d
3?d
2!b
1?d
3!d
Q1,2
Q3,1
Q1,3
Q2,3
Q3,2
C1 C2
C3
Problem : computing (Ci )i s.t. (Ti‖Ci )i |= Φ (safety)
Bad ⊆ Q1 × · · · × Qn × Contents of the channels Control mechanism for Ci
• Σi,c = set of local outputs• Local control decisions based on a state estimate Ei⇒ Refinement of Ei by piggybacking information to the sent messages
(logical clock + peer state estimate)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 20/ 29
Control of distributed systemsGabriel Kalyon’s PhD Thesis
[Forte11], [CDC’11], [IEEE-TAC’14]
Distributed control of distributed systems (Ti)i
Embedded systems, protocols Asynchronous communication CFSM = LTSs + FIFO channels
Q2,1
A0
2?a
A1
Aerror
A2
T1
1!c
2?b
2?a
4?d2?a
2?b
1!d
2?b T2
B0
B1
B2
B3
1?c
2!a 3!d
T3
D0 D1
4!d
3?d
2!b
1?d
3!d
Q1,2
Q3,1
Q1,3
Q2,3
Q3,2
C1 C2
C3
Problem : computing (Ci )i s.t. (Ti‖Ci )i |= Φ (safety)
Bad ⊆ Q1 × · · · × Qn × Contents of the channels Control mechanism for Ci
• Σi,c = set of local outputs• Local control decisions based on a state estimate Ei⇒ Refinement of Ei by piggybacking information to the sent messages
(logical clock + peer state estimate)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 20/ 29
Control of distributed systemsGabriel Kalyon’s PhD Thesis
[Forte11], [CDC’11], [IEEE-TAC’14]
Distributed control of distributed systems (Ti)i
Embedded systems, protocols Asynchronous communication CFSM = LTSs + FIFO channels
Q2,1
A0
2?a
A1
Aerror
A2
T1
1!c
2?b
2?a
4?d2?a
2?b
1!d
2?b T2
B0
B1
B2
B3
1?c
2!a 3!d
T3
D0 D1
4!d
3?d
2!b
1?d
3!d
Q1,2
Q3,1
Q1,3
Q2,3
Q3,2
C1 C2
C3
Problem : computing (Ci )i s.t. (Ti‖Ci )i |= Φ (safety)
Bad ⊆ Q1 × · · · × Qn × Contents of the channels
Control mechanism for Ci
• Σi,c = set of local outputs• Local control decisions based on a state estimate Ei⇒ Refinement of Ei by piggybacking information to the sent messages
(logical clock + peer state estimate)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 20/ 29
Control of distributed systemsGabriel Kalyon’s PhD Thesis
[Forte11], [CDC’11], [IEEE-TAC’14]
Distributed control of distributed systems (Ti)i
Embedded systems, protocols Asynchronous communication CFSM = LTSs + FIFO channels
Q2,1
A0
2?a
A1
Aerror
A2
T1
1!c
2?b
2?a
4?d2?a
2?b
1!d
2?b T2
B0
B1
B2
B3
1?c
2!a 3!d
T3
D0 D1
4!d
3?d
2!b
1?d
3!d
Q1,2
Q3,1
Q1,3
Q2,3
Q3,2
C1 C2
C3
Problem : computing (Ci )i s.t. (Ti‖Ci )i |= Φ (safety)
Bad ⊆ Q1 × · · · × Qn × Contents of the channels Control mechanism for Ci
• Σi,c = set of local outputs• Local control decisions based on a state estimate Ei
⇒ Refinement of Ei by piggybacking information to the sent messages(logical clock + peer state estimate)
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 20/ 29
Control of distributed systemsGabriel Kalyon’s PhD Thesis
[Forte11], [CDC’11], [IEEE-TAC’14]
Distributed control of distributed systems (Ti)i
Embedded systems, protocols Asynchronous communication CFSM = LTSs + FIFO channels
Q2,1
A0
2?a
A1
Aerror
A2
T1
1!c
2?b
2?a
4?d2?a
2?b
1!d
2?b T2
B0
B1
B2
B3
1?c
2!a 3!d
T3
D0 D1
4!d
3?d
2!b
1?d
3!d
Q1,2
Q3,1
Q1,3
Q2,3
Q3,2
C1 C2
C3
Problem : computing (Ci )i s.t. (Ti‖Ci )i |= Φ (safety)
Bad ⊆ Q1 × · · · × Qn × Contents of the channels Control mechanism for Ci
• Σi,c = set of local outputs• Local control decisions based on a state estimate Ei⇒ Refinement of Ei by piggybacking information to the sent messages
(logical clock + peer state estimate)Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 20/ 29
Control of distributed systems (Cont’d)
Off-Line computation• Approximation of the set of states
reaching Bad by uncontrollable events.• Adaptation of approximate verification
for CFSMs [LGJJ06]⇒ Over-approximation of the contents of
the queues by regular languages
DV
Bad
α
γ
Λ
On-Line computation for Ci• Reception of a message from site j : E ′i = Posta(Ei ) ∩ f (Vj ,Ej )• Transmission of a message (a,V ′i ,E ′i ) : E ′i = Reach∆\∆i (Posta(Ei ))
⇒ Computation of the new set of forbidden events w.r.t. E ′i
With the above computations, the controlled system avoids bad and issound
[LGJJ06]: T. Le Gall, B. Jeannet, and T. Jeron. Verification of communication protocols using abstract interpretation of FIFO queues.AMAST’06, July 2006.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 21/ 29
Control of distributed systems (Cont’d)
Off-Line computation• Approximation of the set of states
reaching Bad by uncontrollable events.• Adaptation of approximate verification
for CFSMs [LGJJ06]⇒ Over-approximation of the contents of
the queues by regular languages
DV
Bad
α
γ
Λ
Bad!
On-Line computation for Ci• Reception of a message from site j : E ′i = Posta(Ei ) ∩ f (Vj ,Ej )• Transmission of a message (a,V ′i ,E ′i ) : E ′i = Reach∆\∆i (Posta(Ei ))
⇒ Computation of the new set of forbidden events w.r.t. E ′i
With the above computations, the controlled system avoids bad and issound
[LGJJ06]: T. Le Gall, B. Jeannet, and T. Jeron. Verification of communication protocols using abstract interpretation of FIFO queues.AMAST’06, July 2006.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 21/ 29
Control of distributed systems (Cont’d)
Off-Line computation• Approximation of the set of states
reaching Bad by uncontrollable events.• Adaptation of approximate verification
for CFSMs [LGJJ06]⇒ Over-approximation of the contents of
the queues by regular languages
DV
Bad
α
γ
Λ
Bad!
I!(Bad!)
I(Bad)
I ′(Bad)
On-Line computation for Ci• Reception of a message from site j : E ′i = Posta(Ei ) ∩ f (Vj ,Ej )• Transmission of a message (a,V ′i ,E ′i ) : E ′i = Reach∆\∆i (Posta(Ei ))
⇒ Computation of the new set of forbidden events w.r.t. E ′i
With the above computations, the controlled system avoids bad and issound
[LGJJ06]: T. Le Gall, B. Jeannet, and T. Jeron. Verification of communication protocols using abstract interpretation of FIFO queues.AMAST’06, July 2006.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 21/ 29
Control of distributed systems (Cont’d)
Off-Line computation• Approximation of the set of states
reaching Bad by uncontrollable events.• Adaptation of approximate verification
for CFSMs [LGJJ06]⇒ Over-approximation of the contents of
the queues by regular languages
DV
Bad
α
γ
Λ
Bad!
I!(Bad!)
I(Bad)
I ′(Bad)
On-Line computation for Ci• Reception of a message from site j : E ′i = Posta(Ei ) ∩ f (Vj ,Ej )• Transmission of a message (a,V ′i ,E ′i ) : E ′i = Reach∆\∆i (Posta(Ei ))
⇒ Computation of the new set of forbidden events w.r.t. E ′i
With the above computations, the controlled system avoids bad and issound[LGJJ06]: T. Le Gall, B. Jeannet, and T. Jeron. Verification of communication protocols using abstract interpretation of FIFO queues.AMAST’06, July 2006.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 21/ 29
Conclusion & Perspectives
Summary• Control of concurrent systems
- Computation of local controllers w.r.t. abstract sub-systems- Specialisation to a state-based approach ECC03-05
• Control of distributed systems- Use of abstract interpretation to techniques.
Perspectives• Concurrent & distributed systems :
- Non-blocking properties (liveness, etc)- Minimizing the exchanged information
• Quantitative propertiesWork with N. Berthier, G. Delaval & E. Rutten
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 22/ 29
Outline
Model & Notations
Diagnosis of Discrete Event Systems• Diagnosis of general fault Patterns• Diagnosis of transient faults
Model G
Fault Pattern Φ
Diagnoser
Imp I
Π
YesNo?
Assuming G ∼ I
Controller Synthesis• Control of concurrent systems
- Synchronous communication
• Control of distributed systems- Asynchronous communication
Formal analysis of security properties• Focus on confidentiality properties• Use of diagnosis and control
techniques
Conclusion & General Perspectives
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 23/ 29
Confidential informationJeremy Dubreil PhD ThesisSystem G Attacker A
Σo
Confidential information: secret properties• State configurations (values of secret variables)• Occurrence of an event (e.g. password file is unlocked), Trajectories
Information flow: an attacker is able to infer confidential informationbased on his observation and its knowledge of the system.
The secret S is opaque w.r.t. G and Σo if [BKMR08]
∀t ∈ LS(G),∃s ∈ L(G) \ LS(G) : Π−1o (s) = Π−1
o (t)
0
1
2
3
4
5
p
h
a
a
b
Σ = h, p, a, b, Σo = a, b
S = 2, 4, 5, LS = Σ∗.h.Σ∗
[BKMR08]J. Bryans, M. Koutny, L. Mazare, and P. Ryan. Opacity generalised to transition systems. International Journal of InformationSecurity, 7(6):421-435, 2008
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 24/ 29
Confidential informationJeremy Dubreil PhD ThesisSystem G Attacker A
Σo
Confidential information: secret properties• State configurations (values of secret variables)• Occurrence of an event (e.g. password file is unlocked), Trajectories
Information flow: an attacker is able to infer confidential informationbased on his observation and its knowledge of the system.
The secret S is opaque w.r.t. G and Σo if [BKMR08]
∀t ∈ LS(G),∃s ∈ L(G) \ LS(G) : Π−1o (s) = Π−1
o (t)
0
1
2
3
4
5
p
h
a
a
b
Σ = h, p, a, b, Σo = a, b
S = 2, 4, 5, LS = Σ∗.h.Σ∗
[BKMR08]J. Bryans, M. Koutny, L. Mazare, and P. Ryan. Opacity generalised to transition systems. International Journal of InformationSecurity, 7(6):421-435, 2008
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 24/ 29
Confidential informationJeremy Dubreil PhD ThesisSystem G Attacker A
Σo
Confidential information: secret properties• State configurations (values of secret variables)• Occurrence of an event (e.g. password file is unlocked), Trajectories
Information flow: an attacker is able to infer confidential informationbased on his observation and its knowledge of the system.
The secret S is opaque w.r.t. G and Σo if [BKMR08]
∀t ∈ LS(G),∃s ∈ L(G) \ LS(G) : Π−1o (s) = Π−1
o (t)
0
1
2
3
4
5
p
h
a
a
b
Σ = h, p, a, b, Σo = a, b
S = 2, 4, 5, LS = Σ∗.h.Σ∗
[BKMR08]J. Bryans, M. Koutny, L. Mazare, and P. Ryan. Opacity generalised to transition systems. International Journal of InformationSecurity, 7(6):421-435, 2008
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 24/ 29
Confidential informationJeremy Dubreil PhD ThesisSystem G Attacker A
Σo
Confidential information: secret properties• State configurations (values of secret variables)• Occurrence of an event (e.g. password file is unlocked), Trajectories
Information flow: an attacker is able to infer confidential informationbased on his observation and its knowledge of the system.
The secret S is opaque w.r.t. G and Σo if [BKMR08]
∀t ∈ LS(G),∃s ∈ L(G) \ LS(G) : Π−1o (s) = Π−1
o (t)
0
1
2
3
4
5
p
h
a
a
b
Σ = h, p, a, b, Σo = a, b
S = 2, 4, 5, LS = Σ∗.h.Σ∗
[BKMR08]J. Bryans, M. Koutny, L. Mazare, and P. Ryan. Opacity generalised to transition systems. International Journal of InformationSecurity, 7(6):421-435, 2008
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 24/ 29
Verification of Opacity
Algorithm1 Determinization of G2 check whether a macro-state F ⊆ S is reachable
0 1 2 3
4 5 6b
a
a
b a a,b
b
a
b a,b
0 1, 4 2, 5 6
3, 4 3, 5 3, 63b
a b
a
b b
b
a
a
a,b
a,b a,b
TheoremChecking opacity is PSPACE complete [Amast08]
⇒ Reduction from universality problem
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 25/ 29
Monitoring an information flow[ECC2009]
G AMΣo
Σm
F = L2S (DetΣo (G)): observations leading to an information flow
1 2 3 4 Σo = a, bf
a, c
a a
b, c
1 1,3 1,3,4 4
DetΣo (G)
a a b
a b
M should diagnose/predict the occurrence of the trajectories
I = L(G) ∩ P−1Σo
(F).Σ∗
by observing Σm.
1 1,3 1,3,4 1,4
!
No
Σm = a, c
M
s = aabc ⇒
PΣo (s) = aabPΣm (s) = aac
a a c
c
c a c
⇒ Every information flow is detectable iff I is diagnosable w.r.t. Σm.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 26/ 29
Monitoring an information flow[ECC2009]
G AMΣo
Σm
F = L2S (DetΣo (G)): observations leading to an information flow
1 2 3 4 Σo = a, bf
a, c
a a
b, c
1 1,3 1,3,4 4
DetΣo (G)
a a b
a b
M should diagnose/predict the occurrence of the trajectories
I = L(G) ∩ P−1Σo
(F).Σ∗
by observing Σm.
1 1,3 1,3,4 1,4
!
No
Σm = a, c
M
s = aabc ⇒
PΣo (s) = aabPΣm (s) = aac
a a c
c
c a c
⇒ Every information flow is detectable iff I is diagnosable w.r.t. Σm.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 26/ 29
Monitoring an information flow[ECC2009]
G AMΣo
Σm
F = L2S (DetΣo (G)): observations leading to an information flow
1 2 3 4 Σo = a, bf
a, c
a a
b, c
1 1,3 1,3,4 4
DetΣo (G)
a a b
a b
M should diagnose/predict the occurrence of the trajectories
I = L(G) ∩ P−1Σo
(F).Σ∗
by observing Σm.
1 1,3 1,3,4 1,4
!
No
Σm = a, c
M
s = aabc ⇒
PΣo (s) = aabPΣm (s) = aac
a a c
c
c a c
⇒ Every information flow is detectable iff I is diagnosable w.r.t. Σm.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 26/ 29
Monitoring an information flow[ECC2009]
G AMΣo
Σm
F = L2S (DetΣo (G)): observations leading to an information flow
1 2 3 4 Σo = a, bf
a, c
a a
b, c
1 1,3 1,3,4 4
DetΣo (G)
a a b
a b
M should diagnose/predict the occurrence of the trajectories
I = L(G) ∩ P−1Σo
(F).Σ∗
by observing Σm.
1 1,3 1,3,4 1,4
!
No
Σm = a, c
M
s = aabc ⇒
PΣo (s) = aabPΣm (s) = aac
a a c
c
c a c
⇒ Every information flow is detectable iff I is diagnosable w.r.t. Σm.Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 26/ 29
Supervisory Control for opacity[Wodes08], [IEEE-TAC10]
G ACΣo
Σm
Control problem (Language-Based)
Compute a maximally permissive controller C observing Σm andcontrolling Σc ⊆ Σm s.t. Lϕ is opaque w.r.t. G × C and Σo .
0 1
6 7
11
a
e
aτe
he
2 3
4 5
c1h
d a
b a
8 9 10h b a
c2
Σo = a, b, d , eΣm = a, c1, c2, b, d , eΣc = b, c1, c2, e
Secret: Lϕ = Σ∗.h.Σ∗
TheoremIf Σc ⊆ Σm and Σm ⊆ Σo , or Σo ⊆ Σm, there exists a maximal controllerC s.t. Lϕ is opaque w.r.t. G × C and Σo
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 27/ 29
Supervisory Control for opacity[Wodes08], [IEEE-TAC10]
G ACΣo
Σm
Control problem (Language-Based)
Compute a maximally permissive controller C observing Σm andcontrolling Σc ⊆ Σm s.t. Lϕ is opaque w.r.t. G × C and Σo .
0 1
6 7
11
a
e
aτe
he
2 3
4 5
c1h
d a
b a
8 9 10h b a
c2
Σo = a, b, d , eΣm = a, c1, c2, b, d , eΣc = b, c1, c2, e
Secret: Lϕ = Σ∗.h.Σ∗
TheoremIf Σc ⊆ Σm and Σm ⊆ Σo , or Σo ⊆ Σm, there exists a maximal controllerC s.t. Lϕ is opaque w.r.t. G × C and Σo
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 27/ 29
Supervisory Control for opacity[Wodes08], [IEEE-TAC10]
G ACΣo
Σm
Control problem (Language-Based)
Compute a maximally permissive controller C observing Σm andcontrolling Σc ⊆ Σm s.t. Lϕ is opaque w.r.t. G × C and Σo .
0 1
6 7
11
a
e
aτe
he
2 3
4 5
c1h
d a
b a
8 9 10h b a
c2
Σo = a, b, d , eΣm = a, c1, c2, b, d , eΣc = b, c1, c2, e
Secret: Lϕ = Σ∗.h.Σ∗
TheoremIf Σc ⊆ Σm and Σm ⊆ Σo , or Σo ⊆ Σm, there exists a maximal controllerC s.t. Lϕ is opaque w.r.t. G × C and Σo
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 27/ 29
Supervisory Control for opacity[Wodes08], [IEEE-TAC10]
G ACΣo
Σm
Control problem (Language-Based)
Compute a maximally permissive controller C observing Σm andcontrolling Σc ⊆ Σm s.t. Lϕ is opaque w.r.t. G × C and Σo .
0 1
6 7
11
a
e
aτe
he
2 3
4 5
c1h
d a
b a
8 9 10h b a
c2
Σo = a, b, d , eΣm = a, c1, c2, b, d , eΣc = b, c1, c2, e
Secret: Lϕ = Σ∗.h.Σ∗
TheoremIf Σc ⊆ Σm and Σm ⊆ Σo , or Σo ⊆ Σm, there exists a maximal controllerC s.t. Lϕ is opaque w.r.t. G × C and Σo
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 27/ 29
Conclusion & Perspectives Summary
• Monitoring information flows• Ensuring Opacity by control• Ensuring Opacity Dynamic Filtering [Amast08][FMSD12]
Perspectives• Opacity control problem
- Remove the assumption Σm ⊆ Σo , or Σo ⊆ Σm [TML+16]- Distributed control of Concurrent secrets
preliminary work in [BBB+07]• Active Attacker
- Ability to change the observable status of events (c.f. [KWKL16])• Opacity of systems handling data
[TML+16] Y. Tong, Z. Ma, Z. Li, C. Seatzu, and A. Giua. Supervisory enforcement of current-state opacity with uncomparableobservations. In Proc of 13th Workshop on Discrete Event Systems, WODES’16, 2016.[BBB+07] E. Badouel, M. Bednarczyk, A. Borzyszkowski, B. Caillaud, and P. Darondeau. Concurrent secrets. Discrete Event DynamicSystems, 17(4):425-446, December 2007.[KWKL16] C. Kawakami, Y.Wu, R. Kwong, and S. Lafortune. Detection and prevention of actuator enablement attacks in supervisorycontrol systems. In Proc of 13th Workshop on Discrete Event Systems, WODES’16, 2016.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 28/ 29
General perspectivesTowards more flexible systems and requirements
off-the shelf components Adaptive controllers valid for a
set of ”similar” devices⇒ Modal transition systems ?
Control under failures switch between controllers
reacting to diagnosed failures⇒ Needs for a coordinator
Reconfigurable systems: IoT, Cloud Center, Automotive, etc Components can leave or join the system (highly distributed)⇒ Detect and learn the specification of this component Adaptation of the requirements (safety, privacy, etc)⇒ on-line computation and deployment of new controllers
Revisit the Control and Diagnosis theory
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 29/ 29
General perspectivesTowards more flexible systems and requirements
off-the shelf components Adaptive controllers valid for a
set of ”similar” devices⇒ Modal transition systems ?
Control under failures switch between controllers
reacting to diagnosed failures⇒ Needs for a coordinator
Reconfigurable systems: IoT, Cloud Center, Automotive, etc Components can leave or join the system (highly distributed)⇒ Detect and learn the specification of this component Adaptation of the requirements (safety, privacy, etc)⇒ on-line computation and deployment of new controllers
Revisit the Control and Diagnosis theory
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 29/ 29
General perspectivesTowards more flexible systems and requirements
off-the shelf components Adaptive controllers valid for a
set of ”similar” devices⇒ Modal transition systems ?
Control under failures switch between controllers
reacting to diagnosed failures⇒ Needs for a coordinator
Reconfigurable systems: IoT, Cloud Center, Automotive, etc Components can leave or join the system (highly distributed)⇒ Detect and learn the specification of this component Adaptation of the requirements (safety, privacy, etc)⇒ on-line computation and deployment of new controllers
Revisit the Control and Diagnosis theory
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 29/ 29
General perspectivesTowards more flexible systems and requirements
off-the shelf components Adaptive controllers valid for a
set of ”similar” devices⇒ Modal transition systems ?
Control under failures switch between controllers
reacting to diagnosed failures⇒ Needs for a coordinator
Reconfigurable systems: IoT, Cloud Center, Automotive, etc
Components can leave or join the system (highly distributed)⇒ Detect and learn the specification of this component Adaptation of the requirements (safety, privacy, etc)⇒ on-line computation and deployment of new controllers
Revisit the Control and Diagnosis theory
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 29/ 29
General perspectivesTowards more flexible systems and requirements
off-the shelf components Adaptive controllers valid for a
set of ”similar” devices⇒ Modal transition systems ?
Control under failures switch between controllers
reacting to diagnosed failures⇒ Needs for a coordinator
Reconfigurable systems: IoT, Cloud Center, Automotive, etc Components can leave or join the system (highly distributed)⇒ Detect and learn the specification of this component Adaptation of the requirements (safety, privacy, etc)⇒ on-line computation and deployment of new controllers
Revisit the Control and Diagnosis theory
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 29/ 29
Ensuring opacity by Dynamic filtering[Amast08][FMSD12]
System G Filter D Attacker Au ∈ Σ∗o D(u)
q0 q1 q2 q3
q4 q5 q6
b
a
a
b a a,b
b
a
b a,b
1 2 3
b/b b/ε a, b/a, b
a/a a/a
Static Filter: Σo = a or Σo = b ⇒ S is opaqueDynamic Filter: Hide“b” after the observation of an ”a” and keepeverything observable after the observation of an ”a”
ProblemComputing a Dynamic filter so that S is opaque w.r.t. G × D and Σo
[TC08] F. Cassez and S. Tripakis. Fault diagnosis with static and dynamic diagnosers. Fundamenta Informaticae, 88(4):497-540,November 2008.
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 30/ 29
Ensuring opacity by Dynamic filtering Reduction to a safety 2-player game
1
1.a1.b 12
12.a
12.b
12.ab
2.a 2.b
1.ab 22.ab
(b): The game LTS
21
(a): the LTS G
a
a, ba
b
a, b
aba
a, b
a b
a, b
a
b
b
a, b
a, b
b
b
a, b
a, bb
a
b
a
b
⇒ Solving the Dynamic filter problem is EXPTIME
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 31/ 29
Ensuring opacity by Dynamic filtering Reduction to a safety 2-player game
1
1.a1.b 12
12.a
12.b
12.ab
2.a 2.b
1.ab 22.ab
(b): The game LTS
21
(a): the LTS G
a
a, ba
b
a, b
aba
a, b
a b
a, b
a
b
b
a, b
a, bb
a
b
a
b
⇒ Solving the Dynamic filter problem is EXPTIME
Contribution to the analysis of Discrete Event Systems – Herve Marchand June 6th 2017 – Habilitation Defense – 31/ 29