A Property-Based Abstraction Framework For Sysml Activity Diagrams
A Property-Based Abstraction Framework For Sysml Activity Diagrams
A Property-Based Abstraction Framework For Sysml Activity Diagrams
net/publication/259136902
CITATIONS READS
14 443
3 authors:
Mourad Debbabi
Concordia University Montreal
416 PUBLICATIONS 5,012 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Samir Ouchani on 14 September 2018.
Knowledge-Based Systems
journal homepage: www.elsevier.com/locate/knosys
a r t i c l e i n f o a b s t r a c t
Article history: SysML activity diagrams are OMG/INCOSE standards used for modeling, analyzing and specifying proba-
Received 31 March 2013 bilistic systems. Since they are considered as a de facto systems’ modeling language, it is of a major
Received in revised form 30 October 2013 importance to verify these diagrams. Moreover, it is even more important to reduce the cost of their ver-
Accepted 16 November 2013
ification process. In this paper, we propose a probabilistic abstraction framework to efficiently verify
Available online 27 November 2013
SysML activity diagrams. It is based on reducing the diagram complexity with respect to a system
requirement. For verification, we use our verification approach that relies on PRISM model checker. To
Keywords:
ensure the correctness of our proposed approach, we prove its soundness. This is achieved by finding
Probabilistic model checking
SysML activity diagrams
the adequate pre-order relation between the semantics of the abstract and the concrete diagrams. This
Probabilistic automata relation is shown to preserve the satisfaction of systems requirements. To this end, a calculus to capture
PCTL the underlying semantics of SysML activity diagrams is proposed. Finally, the effectiveness of our
Probabilistic relation approach is demonstrated on two real systems.
Ó 2013 Elsevier B.V. All rights reserved.
⇑ Corresponding author at: Hardware Verification Group, Concordia University, 1.1. Framework
Montreal H3G 1M8, Canada. Tel.: +1 5146237173.
E-mail addresses: s_oucha@encs.concordia.ca (S. Ouchani), ait@ece.concordia.ca In this paper, we are interested in the verification of systems
(O. Aït Mohamed), debbabi@ciise.concordia.ca (M. Debbabi). modeled as SysML activity diagrams. These diagrams can call and
0950-7051/$ - see front matter Ó 2013 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.knosys.2013.11.016
S. Ouchani et al. / Knowledge-Based Systems 56 (2014) 328–343 329
communicate with other diagrams and allow for probabilistic in Sub-Figure (c). From the obtained results, we found that our ap-
behavior specification. Then, it is of a major importance to reduce proach preserves the requirement probability value (0.84) in both
the complexity of a diagram while any approach translating the the abstract as well as the concrete diagram. As expected, our ap-
concrete SysML diagrams into the model checker input language proach consumes less time and size memory.
would be limited by the tool’s abstraction mechanism, if exists.
Moreover, abstracting the semantic model instead of the concrete 1.3. Paper organization
diagram can be costly, while the size of the semantic model is
greater than that of the diagram itself (Appendix A.1). The over- The remainder of this paper is organized as follows. Section 2
view of our proposed framework is depicted in Fig. 1. It takes surveys the related work, and, Section 3 describes the background
SysML activity diagrams and Probabilistic Computation Tree Logic needed in our work. Section 4 describes SysML activity diagrams
(PCTL) [6,11] expressions as input, then, it produces the satisfiabil- and Section 5 formalizes them. The proposed abstraction approach
ity of the PCTL property in the diagram. The present framework is detailed in Section 6, then, its soundness is proved in Section 7.
extends the solution proposed in [12]. Section 8 presents the experimental results. Finally, Section 9 con-
Our framework is based on abstracting the irrelevant action cludes this paper and provides hints on the possible future work.
nodes and guards with respect to a specific requirement, then, col-
lapsing nodes that share similar behaviors. To perform verification,
we devise an automatic mapping [4,5] of the resulting abstracted 2. Related work
diagram into the input language of the PRISM probabilistic sym-
bolic model checker [13]. We prove the soundness of our abstrac- In the literature, few works examine the abstraction of SysML
tion approach by comparing the satisfaction relation of PCTL activity diagrams before verification and the majority rely on the
properties on both the abstract and the concrete diagrams. To do implemented abstraction algorithms within the used model check-
so, we extract the adequate semantics model related to each one er. In this section, we survey the existing initiatives that propose
of them by proposing a calculus proper to SysML activity diagrams. abstraction techniques to deal with the verification of probabilistic
Then, we show that the relation between both semantics preserves systems, and, we focus more on that ones expressed as UML
the satisfaction of PCTL properties. In this paper, the main contri- diagrams.
butions are described as follows. The probabilistic abstraction presented by Baier et al. [14] is a
probabilistic version of the partial order reduction technique on
1. Proposing an adequate semantics to capture formally SysML CTL. It extends the four reduction rules of the action-sets ample
activity diagrams. by two new rules to handle non-determinism and probabilistic
2. Providing an efficient probabilistic abstraction approach. decision in Markov Decision Processes (MDPs). The correctness of
3. Proving the soundness of the proposed approach. the extended ample-sets has been proved to preserve PCTLnX . Don-
4. Implementing and showing the effectiveness of the pre- aldson et al. [15] present a symmetric probabilistic specification
sented approach. language (SPSL) similar to PRISM input language. SPSL specifies
MDP symmetric models and a symmetric PCTL formula is satisfied
on isomorphic MDPs. For verification, SPSL specification is mapped
1.2. Motivation example into PRISM. Katoen et al. [16] apply the bisimulation minimization
to preserve PCTL until operator ‘‘U’’ on Discrete Time Markov
An Automated Teller Machine (ATM) is a system that interacts Chains (DTMCs). They use the partition refinement algorithm to
with a potential customer via a specific interface and communi- obtain Markov chain bisimulation quotient. Roy et al. [17] apply
cates with the bank over an appropriate communication protocol. the magnifying lens abstraction algorithm on MDPs. This algorithm
This is modeled as SysML activity diagram that is depicted in is of two steps, the magnified computation is performed on regions
Fig. 2(a). A user that requests a service from the ATM has to insert and the sliding of the magnification in a region is performed sym-
an ATM card (the action InsertCard) and enter a personal identifica- bolically. Kattenbelt et al. [18,19] apply the predicate abstraction
tion number (the action EnterPIN). Both information need to be on MDPs. The proposed abstraction is based on stochastic games
sent to the bank for validation. This operation is represented in that provide distinct lower and upper bounds of probabilistic
Fig. 2(b) by another SysML activity diagram that is called from requirements. The key idea is to separate non-determinism in the
the action CheckCard. If the credentials of the customer are not va- abstract MDPs.
lid, the card will be ejected out (the action EjectCard). More specif- Ober et al. [20,21] propose a framework to map UML behavioral
ically, the main diagram (Fig. 2) calls three diagrams in three diagrams into communicating extended timed automata (CETA)
different actions: Check Card, Authorize, and Transaction. The expressed in an intermediate formal representation (IF format).
property to check is to measure the probability of authorizing a To do verification, the IF validation environment incorporating a
transaction after inserting a card. By applying our abstraction ap- model checker and a simulation tool is used. The former
proach, we verify this property on the abstracted diagram showed implements a set of model reduction techniques including static
Using
Minimizing
analysis, partial order reduction and model minimization. In their transition system. The main limitation of the approaches in
work, the abstraction is performed on CETA instead of UML [27,25,26] is that they are not fully automatic.
diagrams. Yang [28] propose a verification framework for UML behavioral
Westphal [22] proposes to exploit the symmetry of UML models diagrams. The approach is devised to abstract data and events in
on the type of object references. It uses the Rhapsody UML verifi- state chart diagrams. The first one replaces the original access def-
cation environment where the requirements are expressed in Live initions of variables, so the interval of their possible values is min-
Sequence Charts. They propose two reduction techniques: query imized. Next, abstracting events consists of using a single event
and data-type. The query reduction reduces quantified verification name to represent a set of real ones. In their approach, they took
tasks if the model is symmetric in the quantified variable’s type already abstracted models where a mother state encompasses a
whereas data-type reduction interprets the concrete operators in set of states that will be abstracted to just one state by ignoring
an abstract domain. In contrast to our approach, the proposed what’s inside.
abstraction therein focuses on symmetric UML models, which rep- Eshuis [29] and Eshuis and Wieringa [30] propose a translation
resent special cases. of UML activity diagrams to NuSMV code. The proposed data
Prashanth and Shet [23] propose an abstraction technique for abstraction is applied on guards and events. But from our experi-
statechart models. Their approach consists of determining the set ence, some activity diagrams can be poor in these two features be-
of relevant events with respect to the safety property (considering cause the activity diagram is an action-based diagram.
only the events that may lead to a non-safe state) and then con- As a summary, in Table 1 we compare our approach to the exist-
structing the state space accordingly. ing ones by taking into consideration five criterions: Design, Prob-
Daoxi et al. [24] propose an abstraction framework of Promela abilistic, Property, Formalization, and Soundness. The design
models for UML behavioral diagrams. The abstraction is driven feature checks if the studied abstractions deal with the diagram
by the Linear-time Temporal Logic (LTL) properties on the Kripke design or its semantics. The probabilistic feature shows if an
model obtained from the Promela code. Then, the abstract Kripke approach covers the probabilistic systems. The property feature
model is converted to Promela code. The latter can be verified indicates if the approach takes into consideration the property un-
using the SPIN1 model checker. Therein, the proposed abstraction der verification. The formalization feature confirms if the approach
does not show the resulting abstract UML diagram. Moreover presents a semantics and formalize the studied diagrams. The
abstracting the semantics of Promela instead of its code needs more soundness feature shows if the soundness of the studied approach
processing steps. is proved. From the comparison, we observe that few of them
Xie and Browne [25] and Xie et al. [26] propose a verification formalize SysML activity diagrams and prove the soundness of
framework for executable UML (xUML) models. The properties
are also expressed using xUML. Their framework includes a user-
driven state space reduction procedure supporting the decomposi- Table 1
tion and the symmetry reduction. The resulting model is translated Comparison with the related work.
into S/R language to be verified on COSPAN model checker.
Approach Design Probabilistic Property Formalization Soundness
ter Beek et al. present in [27] a framework called (UMC) for the
[20,21]
formal analysis of concurrent systems specified by a collection of
[22] U
UML state machines. The formal model of a system is given by a [23] U U
doubly-labeled transition system ðL2 TS), and the logic used to spec- [24] U
ify its properties is the state-based and event-based logic UCTL. It is [25,26] U
an on-the-fly based analysis with a user-guided abstraction of the [27] U
[28] U
[29,30] U
1
Our U U U U U
http://spinroot.com.
S. Ouchani et al. / Knowledge-Based Systems 56 (2014) 328–343 331
Table 2
NuAC terms of SysML activity diagram artifacts.
l : DðA; p; g; N ; N Þ Decision node with a call behavior A, a convex distribution fp; 1 pg and guarded edges fg; :gg.
l : MðxÞN or l Merge node specifies the continuation and x ¼ fx1 ; x2 g is a set of input flows.
l : FðN 1 ; N 2 Þ Fork node models the concurrency that begins multiple parallel control threads. UML 2.0 activity forks model
unrestricted parallelism.
l : JðxÞN or l Join node presents the synchronization where x ¼ fx1 ; x2 g is a set of input pins
or a probability distribution), a fork node indicates the beginning of SysML activity diagrams by developing a calculus called ‘‘New Activ-
multiple parallel control threads. More especially, UML 2.0 activity ity Calculus (NuAC)’’. In Table 2, each SysML activity diagram artifact
forks model unrestricted parallelism. Thus, a token evolves asyn- is described and represented formally by its related NuAC term.
chronously according to an interleaving semantics. Moreover, a NuAC presented in Fig. 4 optimizes the syntax in [4,12] by elim-
merge node specifies a point from where different incoming control inating the redundant terms. Also, NuAC exploits the commutativ-
paths follow the same path, whereas a join node allows multiple ity and the associativity properties for multi-input/output nodes
parallel control threads to synchronize and rejoin. that are described by Properties 5.2 and 5.3, respectively. These
Initially, when a SysML activity diagram is invoked, its initial properties allow handling multiplicity by considering only two in-
node is activated. Then, the activation of any other node depends puts/outputs. Furthermore, NuAC covers more important behav-
only on the deactivation of its preceded node and the guard satis- iors such as: behavior calls, and communication by sending and
faction of its input edge. In addition, the call behavior action or the receiving signals or objects.
decision node can consume its input tokens and invoke its speci- In NuAC syntax, we can distinguish two main syntactic con-
fied behavior. In this case, the invocation supports both synchro- cepts: marked and unmarked terms. A marked NuAC term corre-
nous and asynchronous calls. In the asynchronous case, the sponds to an activity diagram with tokens. An unmarked NuAC
execution of the invoked behavior proceeds without any further term corresponds to the static structure of the diagram. A marked
dependency on the execution of the activity containing the invok- term is typically used to denote a reachable configuration. A con-
ing artifact. But in the synchronous case, the execution of the call- figuration is characterized by the set of tokens’ locations in a given
ing artifact is blocked until it receives a reply token from the term.
invoked behavior. In the case of a decision node, when the invoked To support multiple tokens, we augment the ‘‘overbar’’ operator
behavior enables more than one guard; the non-determinism with an integer n such that N n denotes a term marked with n to-
mechanism is adopted. kens with the convention that N 1 ¼ N and N 0 ¼ N . Multiple to-
kens are needed when there are loops that encompass in their
5. SysML activity diagrams formalization body a fork node. Furthermore, we use a prefix label ‘‘l :’’ for each
node to uniquely reference it in the case of a backward flow con-
In this section, we formalize SysML activity diagrams by provid- nection. Particularly, labels are useful for connecting multiple
ing an adequate calculus that helps to formalize and to prove the incoming flows towards merge and join nodes. Let L be a collection
soundness of our abstraction approach. of labels ranged over by l; l0 ; l1 ; . . . and N be any node (except ini-
tial) in the activity diagram. We write l : N to denote a l-labeled
5.1. Syntax of SysML activity diagrams activity node N . It is important to note that nodes with multiple
incoming edges (e.g. join and merge) are visited as many times
Based on the textual specification in the UML superstructure as they have incoming edges. Thus, as a syntactic convention we
standard [2] and the SysML specification standard [1], we formalize use only a label (i.e. l) to express a NuAC term if its related node
S. Ouchani et al. / Knowledge-Based Systems 56 (2014) 328–343 333
a 0
N !p N 8n P 0
is encountered already. We denote by Dðg; N ; N Þ and Dðp; g; N ; N Þ BEH-4 a 0
to express a non-probabilistic and a probabilistic decisions without l : a " An N !p l : a " An N
any behavior invocation, respectively. For multiplicity, we denote a The BEH-1 axiom introduces the execution of the
decision with multi-output by DðA; p1 ; g 1 ; N 1 ; . . . ; pn ; g n ; N n Þ and a behavior A related to a. The derivation rule BEH-2 fin-
fork with more than two outputs by FðN 1 ; . . . ; N n Þ. Further, for ishes the execution of a call behavior and moves the
multi-input nodes we denote by Jðx1 ; . . . ; xn Þ and Mðx1 ; . . . ; xn Þ join token to the succeeding term N . The derivation rules
and merge nodes, respectively. BEH-3 and BEH-4 present the effect on a " An N
when A or N executes an action a with a probability p.
l
5.2. Semantics of SysML activity diagrams FRK-1 l : FðN 1 ; N 2 Þn !1 l : FðN 1 ; N 2 Þn1 8n > 0
a 0
N 1 !q N 1 8n P 0
To give a meaning to the execution of SysML activity diagrams, FRK-2 a 0
we use structural operational semantics [31] to formally describe l: FðN 1 ; N 2 Þn !q l : FðN 1 ; N 2 Þn
how the computation steps of NuAC atomic terms take place. NuAC The FRK-1 axiom shows the multiplicity of the arriving
derivation rules are based on the informally specified locus of con- tokens according to the outgoing sub-terms. The FRK-2
trol rules defined in the standard [2]. derivation rule illustrates the changes on a fork term
We define R as the set of non-empty actions labeling the tran- when its outgoing execute an action.
sitions (i.e. the alphabet of NuAC, to be distinguished from action l;g
DEC-1 8n > 0, l : Dðg; N 1 ; N 2 Þn !1 l : Dðg; N 1 ; N 2 Þn1
nodes in activity diagrams). An element a 2 R is the label of the
DEC-2 8n > 0,
executing active node. Let R include the empty action denoted l;g
l : Dðp; g; N 1 ; N 2 Þn !p l : Dðp; g; N 1 ; N 2 Þn1
by and p be probability values such that p 20; 1. The general
a 0 0
form of a transition is A!p A0 . The probability value specifies the A ¼ l : iN A0 ¼ l : iN 8n > 0
DEC-3 l
likelihood of a given transition to occur and it is denoted by l : DðA; p; g; N 1 ; N 2 Þn !1 l : DðA0 ; p; g; N 1 ; N 2 Þn1
PðA; a; A0 Þ. The case of p ¼ 1 presents a non-probabilistic transition 0 l0
a
and it is denoted simply by A ! A0 . For simplicity, we denote by A½l : !1 jAj 8 n > 0
DEC-4
0
A½N to specify N as a sub-term of A and by jAj to denote a term l : DðA; p; g; N 1 ; N 2 Þn ! l ; g p l : DðjAj; p; g; N 1 ; N 2 Þn
0 a
A without tokens. For the call behavior case of a " N , we denote N 1 !q N 1 8n>0
A½a " N by A"a N . In the sequel, we describe the operational DEC-5 a 0
l : DðA; p; g; N 1 ; N 2 Þn1 !q l : DðA; p; g; N 1 ; N 2 Þn1
semantic rules of the NuAC calculus.
The axiom DEC-1 describes a non-probabilistic deci-
INT-1 l : iN !1 l : iN
sion where a token flows through the edge satisfying
This axiom introduces the execution of A by putting a its guard. Contrary, DEC-2 describes a probabilistic
token on i. decision where a token flows with a probability p
l
INT-2 l : iN !1 l : iN through the edge satisfying its related guard g. DEC-3
This axiom propagates the token in the marked term i axiom shows a transition of probability one to initiate
into its outgoing N . an invoked behavior. DEC-4 derivation rule shows the
ACT-1 8n > 0; m P 0, termination of a behavior with a transition of probabil-
l:a
l
m N n !1 l : a
mþ1 N n1 ity one and how a token can flow from a behavior call
ACT-2 8n; m P 0, execution to a guarded path (or not guarded) with a
l:a
l
mþ1 N n !1 l : a
m N n probability value (or without probability value). DEC-
a 0 5 shows the evolution of a decision term when one
N !p N
ACT-3 a of its behavior has been changed.
l:a m N 0 n 8n; m P 0
m N n !p l : a
0 l 0
The ACT-1 axiom introduces the execution of an action MRG-1 8n P 0, l : N l : Mðx; yÞn !1 l : N l : Mð
x; yÞn
a and ACT-2 shows its execution propagation to the l
MRG-2 l : Mð ÞN !1 l : Mðx; y
x; y ÞN
succeeding behavior N . The derivation rule ACT-3
o
m N n when
illustrates the evolution of the term l : a MRG-3 A½l : Mðx; yÞN ; lx !1 A½l : Mð
x; yÞN ; lx
a 0
the action a is executed with a probability p in the N !p N
MRG-4 a
term N . l : Mðx; yÞN !p l : Mðx; yÞN
0
l
BEH-0 8n > 0, l : a " An N !1 l : a
" An1 N
0 0 0
MRG-1 is a transition with a probability of value 1 to
A ¼ l : iNA ¼ l : iN 8n > 0 put a token coming from the sub-term N on a merge
BEH-1 l
" An N !1 l : a " A0 n N
l:a labeled by l. MRG-2 is a transition with a probability
0 l0 of value 1 to present a token flowing from a merge
A½l : !1 jAj 8n P 0
BEH-2 labeled by l to the sub-term N . MRG-2 fuses labels
l0
l : a " An N !1 l : a " jAjn N referring to the same merge. The derivation rules
a
A!p A0 8n > 0 MRG-3 presents the subsequence of l : Mðx; yÞN
BEH-3 a
l : a " An N !p l : a " A0 n N when N executes an action a with a probability p.
0 l 0
JON-1 8n P 0; l : N l : Jðx; yÞn !1 l : N l : Jð
x; yÞn
l
JON-2 l : Jðx; yÞN !1 l : Jðx; yÞN
l
JON-3 A½l : Jðx; yÞN ; lx !1 A½l : Jð
x; yÞN ; lx
a 0
N !p N
JON-4 a 0
l : Jðx; yÞN !p l : Jðx; yÞN
JON-1 and JON-2 are axioms representing a transition
with a probability of value 1 to activate the pin x in a
join labeled by l and to move a token in join to the
Fig. 4. Syntax of New Activity Calculus (NuAC).
334 S. Ouchani et al. / Knowledge-Based Systems 56 (2014) 328–343
sub-term N , respectively. JON-3 fuses labels referring the associativity properties for fork, join, decision, and merge
to the same join. The derivation rule JON-4 presents nodes.
the subsequence of l : Jðx; yÞN when N executes an
action a with a probability p. Property 5.2 (Commutativity). In a SysML activity diagram A; fork,
l join, decision, and merge nodes are commutative.
SND l : a!v N !1 l : a!v N 8n > 0
n n1
Definition 5.1 (NuAC-PA). A probabilistic automata of a NuAC 6.1. The abstraction algorithm
term A is the tuple M A ¼ ðs; L; S; Ro ; dÞ, where:
The abstraction of a SysML activity diagram A is based on
both structures of A and the PCTL property / to be verified.
The abstraction algorithm d illustrated in Algorithm 1 takes A
s is an initial state, such that LðsÞ ¼ fl : iN g,
and / as input and returns a reduced SysML activity diagram
L : S ! 2sLt is a labeling function where:sLt : L ! f>; ?g, b The diagram A is visited using a depth-first
denoted by A.
S is a finite set of states reachable from s, such that,
search procedure that is described as follows. First, the initial
S ¼ fsi:06i6n jLðsi Þ 2 fN gg,
node is pushed into the stack of nodes denoted by nodes (line
Ro is a finite set of actions corresponding to labels in A includ-
5). While the stack is not empty (line 6–18), the algorithm pops
ing the empty action ‘‘o’’,
a node from the stack into the current node denoted by cNode
d : S Ro ! DistðSÞ is a partial probabilistic transition function
(line 7). The current node is added into the list vNode of visited
such that, for each s 2 S and a 2 Ro assigns a probabilistic distri- b
nodes (line 9) if it is not already visited (line 8). The diagram A
bution l, where:
a is constructed by calling the function first, then the function
– For S0 # S such that S0 ¼ fsi:06i6n : s!pi si g, each transition
a W. The function has the current node along with / as argu-
s!pi si satisfies one NuAC semantic rule and
P P ments (line 10). It forbids A behaviors and represents symboli-
lðS0 Þ ¼ ni¼0 pi ¼ ni¼0 lðsi Þ ¼ 1.
a cally decision guards. The function W has two arguments that
– For each transition s!1 s00 satisfying a NuAC semantic rule, l
are the current node and its successors (line 13). It merges
is defined such that lðs00 Þ ¼ 1.
the current node and its successors that share specific proper-
ties. The successor nodes are pushed into the stack nodes (line
Finally, based on NuAC term structures and their semantics we 14) to be explored later. The algorithm terminates when all
propose Properties 5.2 and 5.3 that show the commutativity and nodes are visited.
S. Ouchani et al. / Knowledge-Based Systems 56 (2014) 328–343 335
Algorithm 1. The abstraction algorithm d of SysML Activity their control paths too. This is achieved by preventing the modifi-
Diagrams cation of guarded and probabilistic choices and the modification in
multi-input/output nodes. The function W implements eleven min-
Input: SysML activity diagram A, and a PCTL property /. imization rules (MIN-1, . . . , MIN-11). The rules MIN-1, . . . , MIN-5
b are based on the commutativity described in Property 5.3. These
Output: SysML activity diagram A.
rules aim at merging consecutive control nodes of the same type.
1: nodes as Stack; . A stack of nodes which is initially
The rules MIN-6, . . . , MIN-9 merge parallel paths that have similar
empty.
destination. The rules MIN-10 and MIN-11 eliminate the useless
2: cNode as Node; . The current node which is initially
nodes resulting from the application of ABS and MIN rules. Hence,
empty.
the minimization rules are explained as follows.
3: nNode; v Node as list of Node; . List of nodes that are
initially empty.
MIN-1 Rule consolidates two consecutive fork nodes to produce
4: procedure dðA; /Þ
an equivalent one.
5: nodes:push(in); . Read the initial node.
l : FðN 1 ; N 2 Þ N 1 ¼ l1 : FðN 11 ; N 12 Þ
6: while not nodes:empty() do
l : FðN 1 ; N 12 ; N 22 Þ
7: cNode :¼ nodes:pop(); . Pop the current node.
MIN-2 Rule merges two consecutive join nodes in only one join
8: if cNode not in vNode then
node.
9: v Node:addðcNodeÞ; . Consider the current node 0 0
l : Jðx1 ; x2 ÞN N ¼ l : Jðx3 ; x4 ÞN
as a visited node. 0
l : Jðx1 ; x2 ; x3 ; x4 ÞN
10: ðcNode; /Þ; . Call the function .
MIN-3 Rule incorporates two successive merge nodes in one.
11: nNode :¼ cNode:successorsðÞ; . Get the 0 0
successors of the current node. l : Mðx1 ; x2 ÞN N ¼ l : Mðx3 ; x4 ÞN
0
12: for all n in nNode do . Stores all newly l : Mðx1 ; x2 ; x3 ; x4 ÞN
discovered nodes in the stack. MIN-4 Rule collapses two successive probabilistic decision
13: WðcNode; nÞ; . Call the function W. nodes to form one equivalent probabilistic decision
14: nodes:push(n); . Stores all newly discovered node.
nodes in the stack. l : DðA; p; g; N 1 ; N 2 Þ
15: end for N 1 ¼ l1 : DðA1 ; p1 ; g 1 ; N 11 ; N 12 Þ
16: nNode:clearðÞ; . Empty the list nNode.
l : DðFðA; A1 Þ; p p1 ; g ^ g 1 ; N 11 ;
17: end if
18: end while
p ð1 p1 Þ; g ^ :g 1 ; N 12 ; 1 p; :g; N 2 Þ
19: end procedure MIN-5 Rule constructs a deterministic decision node starting
from two consecutive deterministic decision nodes.
l : DðA; g; N 1 ; N 2 Þ N 1 ¼ l1 : DðA1 ; g 1 ; N 11 ; N 12 Þ
The function uses the atomic propositions of the PCTL prop- l : DðFðA; A1 Þ; g ^ g 1 ; N 11 ; g ^ :g 1 ; N 12 ; :g; N 1 Þ
erty /. These are principally formed from actions and guards labels
while the other nodes are used to control the execution of these ac- MIN-6 Rule minimizes outputs of a decision node that have the
tions. Let R/ be a set of independent atomic propositions such that same join successor to only one output. This also results
R/ # fai : i 6 ng [ fg i : i 6 mg where ai is a label corresponding to in the minimization of input pins of the join node.
an action, g i is a guard label, n and m are the number of actions l : DðA; p1 ; g 1 ; N 1 ; p2 ; :g 1 N 2 ; p3 ; :g 1 ; N 3 Þ
and guards in A, respectively. The function hides the action 0 0
N i ¼ l : Jðxi ÞN i ¼ 2; 3
nodes and guards of the SysML activity diagram that are not part
l : DðA; p1 ; g 1 ; N 1 ; N 2 Þ x ¼ x n fx3 g
of the atomic propositions of the PCTL property to be verified. It
takes as input a NuAC term N along with R/ to generate an ab- MIN-7 Rule replaces a decision node outputs that have the
stract term cN such that ðN ; R/ Þ ¼ c N . The function implements same merge successor with only one output.
six inference rules: ABS-1, . . . , ABS-6. They are stipulated in Fig. 5 0 0
l : DðA; p; g; N ; N 1 ; N 2 ÞN i ¼ l : Mðxi ÞN i ¼ 1; 2
and explained as follows.
l : DðA; p; g; N ; N 1 Þ x ¼ x n fx2 g
ABS-1 Rule preserves an action label when it appears in / MIN-8 Rule reduces outputs of a fork node followed by a join.
propositions set. 0 0
ABS-2 Rule hides an action label when it does not appear in / l : FðN ; N 1 ; N 2 Þ N i ¼ l : Jðxi ÞN i ¼ 1; 2
propositions set. The produced result is that its prede- l : FðN ; N 1 Þ x ¼ x n fx2 g
cessor will be connected directly with its successor after MIN-9 Rule reduces outputs of a fork node followed by a merge
applying the rule ABS-5. node.
ABS-3 Rule preserves the guard label in an edge when it 0 0
belongs to the set of / propositions. l : FðN ; N 1 ; N 2 Þ N i ¼ l : Mðxi ÞN i ¼ 1; 2
ABS-4 Rule empties a guarded edge when its guard g is not a l : FðN ; N 1 Þ x ¼ x n fx2 g
part of / propositions.
MIN-10 Rule eliminates a merge node when it has only one
ABS-6 Rule modifies decision guarded edges by replacing
input.
guards of the unconcerned edges by the negation of
the other guards. Similarly, ABS-6 can be applied on l : MðxÞN jxj ¼ 1
the extended versions of decision nodes rich in probabil- !N
ities and/or behavior calls. MIN-11 Rule eliminates a join node when it has only one input.
7. Soundness
Proof. The proof is based on the call behavior semantic rules by
following five steps are: (1) constructing M 1 ¼ A1 "a1 A2 , (2) con- In this section, we prove the soundness of our proposed abstrac-
structing M ¼ M1 "a2 A3 , (3) constructing N 1 ¼ A2 "a2 A3 , (4) con- tion algorithm. More precisely, we prove that our algorithm pre-
structing N ¼ A1 "a1 N 1 , and (5) comparing M and N. h serves the satisfaction of PCTL properties.
Based on Property 6.1, we have proved Proposition 6.2 to handle Let A be a NuAC term and M A be its corresponding PA con-
the verification of the diagram A of k associated behaviors with re- structed by NuAC operational semantics S presented in Section 5
spect to a PCTL property /. It takes into consideration a set of call such that SðAÞ M A . The abstraction algorithm d calls both proce-
behaviors of size less than k. The call behavior composition is built dures and W such that dðA; /Þ ¼ A, b where A b denotes the ab-
upon the fact that the property / holds on the constructed stracted term of A with respect to the PCTL property /. Let M b
A
diagram. be its corresponding PA defined using NuAC operational semantics
b
S such that Sð AÞ M b . Proving the soundness of the algorithm d is
A
Proposition 6.2. Let A ¼ A0 "a1 . . . "ak Ak be a SysML activity diagram to find a pre-order relation R between M A and M b . This relation
A
with k call behaviors and / be a PCTL property, we have: represents the degree of precision of M A in M b . As illustrated in
A
8i 6 k : A0 "a1 . . . "ai Ai / ) A /. Fig. 6, the relation R is composed of two relations which are R
and RW to specify both functions and W.
To define the relation M A R M b , we introduce the notion of
Proof. The proof of Proposition 6.2 is in Appendix A.2. h A
weakness [33] while stutters action nodes and guarded edges.
To further improve Proposition 6.2, we define the identity ele- The probabilistic version of a weak transition is denoted by
a
ment associated to the operator " and denote it by Aid such that: ðs ) lÞ where l is the distribution over states reached from s
A"a Aid A and Aid ¼ . through a sequence of mimicked steps. The probabilistic weak simu-
By using the identity element, we focus more on behaviors lation relation is formally described in Definition 7.1.
influenced by the property /. This is achieved by replacing the
unconcerned behaviors in Proposition 6.2 by Aid . In Proposition Definition 7.1 (Probabilistic Weak Simulation). A probabilistic
6.3, we use RA and R/ to denote the set of action labels of the dia- weak simulation between two probabilistic automata M 1 and M2
gram A and the set of atomic propositions of the property /, is a relation R v S1 S2 , such that:
respectively.
1. Each initial state of M 1 is related to at least one initial state of M 2 ,
a
Proposition 6.3. Let A ¼ A0 "a1 . . . "ak Ak be a SysML activity diagram 2. For each pair of states s1 Rs2 and each transition s1 ! l1 of M 1 ,
a
with k call behaviors, Aid is the identity element for ‘‘"’’ operator and / there exists a weak combined transition s2 ) l2 of M 2 such that
be a PCTL property. For a proposition a, we have the following: l1 vR l2 .
!
X X
81 6 i 6 k; a R \ : ½Ai ¼ Aid ^ ðA0 "a1 . .."ak Ak Þ / ) ½A /:
/ Ai Here, vR is the lifting of R to a probability space. It is achieved
by finding a weight function [33] that associates each state of M 1
with others in M 2 by a certain probability value. Definition 7.2 de-
Proof. The proof follows the structural induction on PCTL syntax fines the weight function.
and it is provided in Appendix A.2. h
Definition 7.2 (Weight Function). A function M : S S0 ! ½0; 1 is a
6.3. The complexity measure weight function for the two distributions l1 ; l2 2 DistðSÞ w.r.t.
R v S S0 , iff:
The function produces a new model that includes mainly the
specified actions and guards in the property / where other actions 1. 8s1 2 S : Rs2 2S Mðs1 ; s2 Þ ¼ l1 ðs1 Þ,
are considered as silent action. Thus, the resulting diagram has a 2. 8s2 2 S : Rs1 2S Mðs1 ; s2 Þ ¼ l2 ðs2 Þ,
reduced number of actions, which increases the occurrence of con- 3. 8s1 ; s2 2 S : Mðs1 ; s2 Þ > 0.
S. Ouchani et al. / Knowledge-Based Systems 56 (2014) 328–343 337
For our proof, we stipulate herein Definition 7.3 for -abstrac- Proposition 7.8 (W-Preservation). For two PAs M A and M b such
A
tion relation between MA and M b that is denoted by M A R M b that M A vRW M b . If / is a PCTL property, then we have:
A A A
where M b MA . ðM b /Þ ) ðM A /Þ.
A A
Definition 7.3 ( -Abstraction Relation). An abstraction relation Proof. The proof of Proposition 7.8 is provided in Appendix A.4.
is a weak probabilistic simulation relation between a term A and h
its abstracted term A after applying algorithm.
In the following, we present the soundness of algorithm. Let 8. Implementation and experimental results
M A be a PA representing the semantics of the NuAC term A, and
M b is the PA representing the semantics of A b such that In this section, we apply our abstraction approach on an online
b A¼ ðA; /Þ. Proving that is sound means proving there exists
A shopping system and the real time streaming protocol. In the
a weak probabilistic simulation between M A and M b . purpose of providing experimental results demonstrating the
A
efficiency and the validity of our abstraction, we verify PCTL
properties on both: the concrete and the abstract diagrams. These
Lemma 7.4 ( -Soundness). The abstraction algorithm is sound, i.e.
diagrams are modeled on Topcased.2 then abstracted via our Java
M A vR M b .
A implementation [5,34] to be mapped automatically into Prism code.
To this end, we compare the results perspective of the verifica-
Proof. Our abstraction is sound and the proof is provided in tion cost (b) and the abstraction efficiency (g) [10]. To evaluate the
Appendix A.4. h verification cost, we measure the time required for verifying a
given property, denoted by T v . And, to evaluate the abstraction
Now, we show that -abstraction relation preserves PCTL prop- efficiency, we measure the time required to construct the model,
erties. To achieve that, we prove by induction on the structure of b Þj
the PCTL syntax to check PCTL preservation in both abstract and denoted by T c . The verification cost is given by b ¼ 1 jTjTvvððMÞj
M
and
concrete models. We found that, except for the neXt operator b Þj
M
the abstraction efficiency by g ¼ 1 jTcð
jTcðMÞj
. Concerning the abstrac-
(PCTLnX ), such a formula (/) holds in the concrete model if it holds
tion efficiency, we measure the number of states (#s) and transi-
in the abstracted model as stated in Proposition 7.5.
tions (#t) for both concrete and abstract diagrams. The result of
the verification of a property is denoted by (Res).
Proposition 7.5 ( -Preservation). For two PAs M A and M b such that
A
MA vR M b . If / is a PCTLnX property, then we have:
A 8.1. Online shopping system
ðM b /Þ ) ðM A /Þ.
A
2
http://www.topcased.org Toolkit in OPen source for Critical Applications &
SystEms Development.
3
This diagram is not symmetric which means that we cannot benefit from the
symmetry reduction built within PRISM.
4
Fig. 6. Abstraction soundness. Each call-behavior action is represented by its proper SysML activity diagram.
338 S. Ouchani et al. / Knowledge-Based Systems 56 (2014) 328–343
3. Evaluate the maximum probability to successfully hijack a ses- 8.2.2. Verification results
sion. The results obtained from the verification of the above prop-
Pmax=? [Client?RTP &Attack?RTP]. erties with and without abstraction show that Property 1
4. Find the minimum probability that a client fails to connect. achieves a maximum probability of 0.82 and at least a probabil-
Pmin=?[Client.start )(F (Client.start))]. ity value of 0.63 for Property 2. Furthermore, the maximum
act RTSPServer
error
Describe Validate
success
DescribeOK
error
Setup Validate
success
SetupOK
error
Play Validate
success
Validate Validate
<<continuous>>
Rtp Prepare RTP
error error
success success
TeardownOk
<<Control Operator>> Pauseok
Disable if paused
Critical Resource disable or teardown
probability of the third property is 0.974 and the minimum efficiency of the verification of these properties, Fig. 11 illus-
probability for Property 4 is 0.099. To show the abstraction trates their abstraction rates in terms of the model size and
Table 3
Verification results for Property 1.
!
X X
81 6 i 6 k; a R \ : ½Ai ¼ Aid ^ ðA0 "a1 . . . "ak Ak Þ
1. / Ai
/1 U 6l /2 ) A /1 U/2 :
!
X X
2. 81 6 i 6 k; a R \ : ½Ai ¼ Aid ^ ðA0 "a1 . . . "ak Ak Þ
/ Ai
0
0
/1 U 6l /2 ) 9l P l : A /1 U 6l /2 :
A.3. Complexity
Proof of Proposition 6.4. Let M 1 ¼ WðAÞ; M 2 ¼ ðM 1 ; /Þ and
M 3 ¼ WðM 2 Þ, we have:
1. M 1 ¼ WðAÞ () if 9l : N k N m 2 A, then l : N k N m is
replaced by l : N km if one of the control merging rules is
satisfied.
2. M 2 ¼ ðM 1 ; /Þ () 8a R R/ : ðl : an N ; /Þ ¼ l : n N . In
fact, produces new consecutive control nodes and preserves
the diagram structure.
3. M3 ¼ WðM 2 Þ () if 9l : N i N j 2 A, then l : N i N j is replaced
by l : N ij . The minimization rules are applied on the initial and
the produced one by W function.
It is clear that the first step has no effect on the second one. In
addition, applying W two times successively is equivalent to
applying it once. Thus, the proposition holds. h
A.4. Abstraction soundness proof
Mðs0 ; t0 Þ ¼ 1 ) ls ðs0 Þ ¼ Mðs0 ; t0 Þ and Mðt 0 ; s0 Þ ¼ 1 ) lt ðt0 Þ ¼ 1; L su ¼ /1 and L sr ¼ /2 . Similarly, p /1 U/2 () 9r
0 0
It is clear that, the marked NuAC term A is the unique initial ðM b Pfflp ½/Þ ) ðM A Pfflp ½/Þ:
A
state of MA corresponding to the unique initial state in M b .
A
By following the same style of proof, we find: M A vR M b , which
A
confirms that Proposition 7.4 holds. h Proof of Lemma 7.7. To prove M A vRW M b , we follow a structural
A
induction reasoning on NuAC terms by comparing each term
before and after applying W rules. Let s0 ; s1 ; s2 ; s3 ; s4 2 SðM A Þ and
t0 ; t1 ; t2 ; t3 2 SðM b Þ. We distinguish the following cases where
A
7
SðMÞ is the set of states of M. Lðs0 Þ takes different values:
S. Ouchani et al. / Knowledge-Based Systems 56 (2014) 328–343 343
0 0
Case Dðp; g; N ; N Þ: Let Lðs0 Þ ¼ D p1 ; g 1 ; N 1 ; N 1 , by applying [6] C. Baier, J.P. Katoen, Principles of Model Checking, MIT Press, New York, 2008.
[7] B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, Ph.
DEC-1 rule, we will have: s0 ! l0 ðs1 ; s2 Þ such that:
Schnoebelen, Systems and Software Verification: Model-Checking
0
– Lðs1 Þ ¼ D p1 ; g 1 ; N 1 ; N 1 such as l0 ðs1 Þ ¼ p1 , Techniques and Tools, first ed., Springer Publishing Company, Incorporated,
2010.
0 [8] E.M. Clarke, O. Grumberg, D.A. Peled, Model Checking, The MIT Press, 1999.
– Lðs2 Þ ¼ D p1 ; g 1 ; N 1 ; N 1 such as l0 ðs2 Þ ¼ 1 p1 .
[9] S. Ray, Scalable Techniques for Formal Verification, Springer, 2010.
[10] C. Wang, G. Hachtel, F. Somenzi, Abstraction Refinement for Large Scale Model
0
By considering N 1 ¼ Dðp2 ; g 2 ; N 2 ; N 2 Þ, let t 0 be the merged state of Checking, Series on Integrated Circuits and Systems, Springer, 2006.
s0 with s1 by applying the MIN-4 rule, we will have: [11] V. Forejt, M. Kwiatkowska, G. Norman, D. Parker, Automated verification
0 0 techniques for probabilistic systems, in: M. Bernardo, V. Issarny (Eds.), Formal
Lðt0 Þ ¼ D p1 p2 ; g 1 ^ g 2 ; N 2 ; N 2 ; 1 p1 ; N 1 ) 9t 1 ; t 2 ; t3 : t 0 ! l0 Methods for Eternal Networked Software Systems (SFM’11), LNCS, Springer,
ðt1 ; t2 ; t 3 Þ. By applying DEC-1 rule, we have: 2011, pp. 53–113.
[12] S. Ouchani, O. Aït-Mohamed, M. Debbabi, A probabilistic verification
0 0 framework for SysML activity diagrams, in: New Trends in Software
– Lðt1 Þ ¼ D p1 p2 ; g 1 ^ g 2 ; N 2 ; N 2 ; 1 p1 ; :g 1 ; N 1 ) l0 ðt 1 Þ
Methodologies, Tools and Techniques – Proceedings of the Eleventh SoMeT
¼ p1 p2. ’12, Frontiers in Artificial Intelligence and Applications, IOS Press, 2012, pp.
0 0
– Lðt2 Þ ¼ D p1 p2 ; g 1 ^ g 2 ; N 2 ; N 2 ; 1 p1 ; :g 1 ; N 1 ) l0 ðt 2 Þ 108–123.
¼ p1 ð1 p2 Þ. [13] M. Kwiatkowska, G. Norman, D. Parker, PRISM 4.0: verification of probabilistic
0 0 real-time systems, Proceedings of the 23rd International Conference on
– Lðt3 Þ ¼ D p1 p2 ; g 1 ^ g 2 ; N 2 ; N 2 ; 1 p1 ; :g 1 ; N 1 ) l0 ðt 3 Þ Computer Aided Verification, CAV’11, Springer-Verlag, 2011, pp. 585–591.
¼ 1 p1 . [14] C. Baier, P.R. D’Argenio, M. Größer, Partial order reduction for probabilistic
branching time, Electron. Notes Theor. Comput. Sci. 153 (2) (2006) 97–116.
[15] A.F. Donaldson, A. Miller, D. Parker, Language-level symmetry reduction for
It exists a weight function M for RW ¼ fðs0 ; t0 Þ; ðs3 ; t1 Þ; ðs4 ; t2 Þ;
probabilistic model checking, in: Sixth International Conference on the
ðs2 ; t3 Þg such that: Quantitative Evaluation of Systems, 2009. QEST ’09, IEEE Computer Society,
2009, pp. 289–298, http://dx.doi.org/10.1109/QEST.2009.21.
1. Mðs3 ; t 1 Þ ¼ p1 ) Mðs3 ; t 1 Þ ¼ l0 ðt 1 Þ [16] J.-P. Katoen, T. Kemna, I. Zapreev, D.N. Jansen, Bisimulation minimisation
2. Mðs4 ; t 2 Þ ¼ p1 ð1 p2 Þ ) Mðs4 ; t 2 Þ ¼ l0 ðt 2 Þ mostly speeds up probabilistic model checking, in: Proceedings of the 13th
International Conference on Tools and Algorithms for the Construction and
3. Mðs2 ; t 3 Þ ¼ 1 p1 ) Mðs2 ; t 3 Þ ¼ l0 ðt 3 Þ
Analysis of Systems, TACAS’07, Springer-Verlag, 2007, pp. 87–101.
We have: ðMðs3 ; t 1 Þ > 0 ^ Mðs2 ; t 3 Þ > 0Þ ^ Mðs4 ; t 2 Þ > 0Þ ) lvRW l0 . [17] P. Roy, D. Parker, G. Norman, L.d. Alfaro, Symbolic magnifying lens abstraction
in markov decision processes, in: Proceedings of the 2008 Fifth International
It is clear that, the marked NuAC term A is the unique initial Conference on Quantitative Evaluation of Systems, QEST ’08, IEEE Computer
Society, Washington, DC, USA, 2008, pp. 103–112, http://dx.doi.org/10.1109/
state of MA corresponding to the unique initial state in M b . By QEST.2008.41.
A
following the same style of proof, we find: [18] M. Kattenbelt, M. Kwiatkowska, G. Norman, D. Parker, Game-based
MA vRW M b , which confirms that Proposition 7.4 holds. h probabilistic predicate abstraction in prism, Electron. Notes Theor. Comput.
A Sci. 220 (3) (2008) 5–21, http://dx.doi.org/10.1016/j.entcs.2008.11.016.
[19] M. Kattenbelt, M. Kwiatkowska, G. Norman, D. Parker, A game-based
Proof of Proposition 7.8. To prove the preservation of PCTL prop-
abstraction-refinement framework for markov decision processes, Formal
erties by RW , we follow an inductive reasoning on PCTL structure Methods Syst. Des. 36 (2010) 246–280, http://dx.doi.org/10.1007/s10703-010-
for each -abstraction rule. 0097-6.
b with
Let p 2 M with p ¼ ðs0
si
sj
sn Þ and p0 2 M [20] I. Ober, S. Graf, I. Ober, Model checking of UML models via a mapping to
0
communicating extended timed automata, in: 11th International SPIN
p ¼ ðt0
tk
tl
tm Þ are two finite paths such that; Workshop on Model Checking of Software, LNCS, vol. 2989, 2004.
8s 2 p : 9s0 2 p0 ; svRW s0 . For PCTL expression satisfaction, we dis- [21] I. Ober, S. Graf, I. Ober, Validating timed UML models by simulation and
tinguish these cases: verification, in: Workshop SVERTS, San Francisco, 2003.
[22] B. Westphal, LSC verification for UML models with unbounded creation and
destruction, Electron. Notes Theor. Comput. Sci. 144 (2006) 133–145, http://
Case /1 U/2 : dx.doi.org/10.1016/j.entcs.2006.01.009.
For p and p0 such that: p0 /1 U/2 () 9r0 6 m : 8u [23] C.M. Prashanth, K.C. Shet, Efficient algorithms for verification of UML
statechart models, J. Softw. 4 (2009) 175–182.
6 r0 1; Lðs0u Þ ¼ /1 and Lðs0r Þ ¼ /2 . Similarly, p /1 U/2 [24] C. Daoxi, Z. Guangquan, F. Jianxi, Abstraction framework and complexity of
() 9r 6 n : 8w 6 r 1; Lðsw Þ ¼ /1 and Lðsr Þ ¼ /2 . model checking based on the Promela models, in: ICCSE ’09. 4th International
By applying MIN rules, some states in p are merged. Conference on Computer Science Education, 2009, pp. 857–861.
[25] F. Xie, J.C. Browne, Integrated state space reduction for model checking
Consequently, p0 /1 U/2 ) p /1 ) F/2 . executable object-oriented software system designs, in: Proc. of FASE 2002,
Case P fflp ½/1 U/2 : Springer-Verlag, 2002.
We have p0 /1 U/2 ) p /1 ) F/2 and the merged [26] F. Xie, V. Levin, J.C. Browne, ObjectCheck: a model checking tool for executable
object-oriented software system designs, in: Fundamental Approaches to
states with MIN rules accumulate the probabilistic distri-
Software Engineering, 2002, pp. 331–335.
bution, then: p0 Pfflp ½/1 U/2 ) p P fflp ½/1 ) F/2 . [27] M.H. ter Beek, A. Fantechi, S. Gnesi, F. Mazzanti, A state/event-based model-
checking approach for the analysis of abstract system properties, Sci. Comput.
Program. 76 (2011) 119–135.
By following the same proof style on PCTL structure, we
[28] H. Yang, Software Evolution with UML and XML, IGI Publishing, Hershey, PA,
conclude that: USA, 2005. pp. 296–320 (Chapter Abstracting UML Behavior Diagrams for
ðM b /Þ ) ðMA /Þ: Verification).
A [29] R. Eshuis, Symbolic model checking of UML activity diagrams, ACM Trans.
Softw. Eng. Methodol. 15 (2006) 2006, http://dx.doi.org/10.1145/
1125808.1125809.
References [30] R. Eshuis, R. Wieringa, Tool support for verifying UML activity diagrams, IEEE
Trans. Softw. Eng. 30 (2004) 2004.
[1] OMG, OMG Systems Modeling Language (OMG SysML) Specification, Object [31] R. Milner, Communicating and Mobile Systems – the Pi-Calculus.
Management Group, oMG Available Specification, September 2007. [32] S. Ouchani, A Security Verification Framework for SysML Activity Diagrams,
[2] OMG, OMG Unified Modeling Language: Superstructure 2.1.2, Object Ph.D. Thesis, Concordia University, September 2013.
Management Group, November 2007. [33] R. Segala, A compositional trace-based semantics for probabilistic automata,
[3] J. Holt, S. Perry, SysML for Systems Engineering, Institution of Engineering and in: I. Lee, S. Smolka (Eds.), CONCUR ’95: Concurrency Theory, Lecture Notes in
Technology Press, 2007. Computer Science, vol. 962, Springer, Berlin/Heidelberg, 1995, pp. 234–248.
[4] M. Debbabi, F. Hassanne, Y. Jarraya, A. Soeanu, L. Alawneh, Verification and [34] S. Ouchani, O. Aït-Mohamed, M. Debbabi, An efficient probabilistic verification
Validation in Systems Engineering – Assessing UML/SysML Design Models, framework for sysml activity diagrams, in: 12th IEEE International Conference
Springer, 2010, http://dx.doi.org/10.1007/978-3-642-15228-3. on Intelligent Software Methodologies, Tools and Techniques, Budapest,
[5] S. Ouchani, Y. Jarraya, O. Aït-Mohamed, Model-based systems security Hungary, 2013, pp. 165–170, doi: http://dx.doi.org/10.1109/SoMeT.2013.
quantification, in: 2011 Ninth Annual International Conference on Privacy, 6645657. ISBN-978-1-4799-0419-8.
Security and Trust (PST), 2011, pp. 142–149, http://dx.doi.org/10.1109/ [35] H. Gomaa, Software Modeling and Design: UML, Use Cases, Patterns, and
PST.2011.5971976. Software Architectures, Cambridge University Press, 2011.