Monitoring Mobile and Spatially Distributed Cyber-Physical Systems
Ezio Bartocci, Luca Bortolussi, Michele Loreti, Laura Nenzi

TL;DR
This paper introduces STREL, a novel spatio-temporal logic for specifying and monitoring requirements in mobile and spatially distributed cyber-physical systems, enabling distributed online monitoring and analysis.
Contribution
The work presents STREL, extending Signal Temporal Logic with new spatial operators, and provides semantics, model transformation properties, and an offline monitoring algorithm with a practical sensor network example.
Findings
STREL enables effective specification of spatial-temporal requirements.
The logic supports distributed online monitoring algorithms.
Application to a simulated sensor network demonstrates feasibility.
Abstract
Cyber-Physical Systems~(CPS) consist of collaborative, networked and tightly intertwined computational (logical) and physical components, each operating at different spatial and temporal scales. Hence, the spatial and temporal requirements play an essential role for their correct and safe execution. Furthermore, the local interactions among the system components result in global spatio-temporal emergent behaviors often impossible to predict at the design time. In this work, we pursue a complementary approach by introducing STREL a novel spatio-temporal logic that enables the specification of spatio-temporal requirements and their monitoring over the execution of mobile and spatially distributed CPS. Our logic extends the Signal Temporal Logic with two novel spatial operators reach and escape from which is possible to derive other spatial modalities such as everywhere, somewhere and…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
\xpatchcmd
Monitoring Mobile and Spatially
Distributed Cyber-Physical Systems
Ezio Bartocci
Technische Universität WienWienAustria
,
Luca Bortolussi
Università di TriesteTriesteItaly
,
Michele Loreti
Università di Firenze FlorenceItaly
and
Laura Nenzi
Technische Universität WienWienAustria
Abstract.
Cyber-Physical Systems (CPS) consist of collaborative, networked and tightly intertwined computational (logical) and physical components, each operating at different spatial and temporal scales. Hence, the spatial and temporal requirements play an essential role for their correct and safe execution. Furthermore, the local interactions among the system components result in global spatio-temporal emergent behaviors often impossible to predict at the design time. In this work, we pursue a complementary approach by introducing STREL a novel spatio-temporal logic that enables the specification of spatio-temporal requirements and their monitoring over the execution of mobile and spatially distributed CPS. Our logic extends the Signal Temporal Logic (Maler and Nickovic, 2013) with two novel spatial operators reach and escape from which is possible to derive other spatial modalities such as everywhere, somewhere and surround. These operators enable a monitoring procedure where the satisfaction of the property at each location depends only on the satisfaction of its neighbours, opening the way to future distributed online monitoring algorithms. We propose both a qualitative and quantitative semantics based on constraint semirings, an algebraic structure suitable for constraint satisfaction and optimisation. We prove that, for a subclass of models, all the spatial properties expressed with reach and escape, using euclidean distance, satisfy all the model transformations using rotation, reflection and translation. Finally, we provide an offline monitoring algorithm for STREL and, to demonstrate the feasibility of our approach, we show its application using the monitoring of a simulated mobile ad-hoc sensor network as running example.
Runtime Verification, Monitoring, Cyber-Physical Systems, Spatio-Temporal Logic.
††copyright: rightsretained††doi: 10.475/123_4††isbn: 123-4567-24-567/08/06††ccs: Computer systems organization Embedded systems††ccs: Computer systems organization Redundancy††ccs: Computer systems organization Robotics††ccs: Networks Network reliability
1. Introduction
From micro- and nano-scale cyber and physical/biological materials to self-driving cars, smart factories and smart cities, cyber-physical systems (CPS) are reshaping the way in which we perceive and interact with our physical world, becoming ubiquitous in our society. CPS consist of collaborative, networked, spatially distributed, and tightly intertwined computational (logical) and physical components, each operating at different spatial and temporal scales. Therefore, the spatial and the temporal requirements are fundamentals for their safe and correct execution.
The openness of CPS with the possibility for new actors to join or to leave the system, the local interactions among the system components and the unknown environment in which they operate may cause undesired spatio-temporal emergent behaviours (i.e., congestion) often impossible to predict at the design-time. Indeed, their complexity restricts the exhaustive verification of their models runtime only to relatively small examples. Here, we pursue a complementary approach by introducing the Spatio-Temporal Reach and Escape Logic (STREL), a novel formal specification language that enables to express in a concise way complex spatio-temporal requirements and to monitor them for the first time (to the best of our knowledge) over the execution of mobile and spatially distributed CPS.
The idea of the proposed framework stems from the attempt to generalise and to overcome some limitations of the Spatio-Signal Temporal Logic (SSTL) previously introduced in (Nenzi et al., 2015). SSTL extends the Signal Temporal Logic (Maler and Nickovic, 2013) with modalities (named somewhere and surround) to express also spatial properties and it is interpreted over a discrete model of the space, represented as a finite undirected graph. Each node represents a location in the space, characterised by a set of signals whose evolution can be observed in time, while each edge of the graph is labelled with a positive weight, that can be used to represent the distance between two nodes. This provides a metric structure to the space in terms of shortest path distances, enabling to monitor also spatial properties. However, since the topology of the graph in SSTL is assumed to be static, one main limitation is the impossibility to monitor nodes changing locations. Furthermore, monitoring of spatial properties is performed on each location by changing the graph so to consider only the locations that satisfy the distance constraint. This means that, the monitoring results of a location cannot be reused in the monitoring of its neighbours. In this work, we decide to completely reformulate the spatial modalities changing the perspective: instead of searching locations satisfying properties within a certain distance using the shortest path, the satisfaction of a location can be obtained by using monitored values obtained from the directly connected locations.
In particular, STREL generalizes SSTL by considering two new operators, named reach and escape. These new operators simplify the monitoring procedure that can be computed locally: the satisfaction of the property at each location depends only on the satisfaction of its neighbours††We will see in Section 5 that this feature is very important to define distributed and online monitor algorithms.. Furthermore, while SSTL operates on spatio-temporal models that are static (the locations do not change their positions), STREL can handle also mobile/dynamic CPS. We also prove that, for a subclass of models, all the spatial properties expressed with reach and escape, using euclidean distance, satisfy all the transformed models through rotation, reflection and translation.
Another important feature of our logic considered in this paper is that, following an approach similar to the one considered in (Lluch-Lafuente and Montanari, 2005), we do not rely on a specific domain for interpreting logical properties. Indeed, STL/SSTL semantics can be either qualitative, ranging over boolean values, or quantitative, ranging over real values. In this paper, we propose both qualitative and quantitative semantics based on Constraint Semirings. These are algebraic structures that consist of a domain and two operations named choose and combine. Constraint semirings have been shown to be very flexible, expressive and convenient for a wide range of problems, in particular for optimization and solving problems with soft constraints and multiple criteria (Bistarelli et al., 1997). The use of semirings allows the definition of a single monitoring procedure that, being parametric with respect to the class of data collected from devices and values produced as results, can be used with different purposes. We then provide an offline monitoring algorithm for STREL, and, to illustrate the main features of the proposed formal framework, we show its application using the monitoring of a simulated Mobile Ad-hoc sensor NETwork (MANET) as our running example.
We want to stress that STREL is a flexible framework to formulate properties of CPS: the ability of freely mixing spatial and temporal operators to build complex queries, and to automatically construct monitoring algorithms, marks a neat difference from other related approaches, like the development of ad hoc solutions for specific properties.
The rest of this paper is organized as follows. Section 2 discusses the related work. Section 3 introduces the model we consider to represent the spatio-temporal signals, while section 4 provides the syntax and the semantics of STREL. An offline monitoring algorithm and its implementation is then discussed in section 5. In section 6, we show the logic at work on some examples, in particular we consider a MANET as case study. Section 7 draws our conclusions and discusses future works.
2. Related Work
Monitoring spatial-temporal properties over CPS executions was first proposed in (Talcott, 2008) where the author has introduced the notion of spatial-temporal event-based model for CPS. Events are triggered by the execution of actions, by the exchange of messages and by physical changes. Each generated event is labeled with time and space stamps and processed by a monitor. In (Tan et al., 2009), this concept is further elaborated, developing a spatial-temporal event-based model where the space is represented as a 2D Cartesian coordinate system with location points and location fields.
The approaches described in (Talcott, 2008; Tan et al., 2009) provide an algorithmic framework enabling a user to develop manually a monitor. However, they do not provide any spatio-temporal logic language enabling the specification and the automatic monitoring generation.
In the field of collective adaptive systems (Ciancia et al., 2016), other mathematical structures, such as topological spaces, closure spaces, quasi-discrete closure spaces and finite graphs (Nenzi et al., 2015), have been considered to reason about spatial relations, such as closeness and neighborhood. Despite these models are suitable for offline and centralised monitoring of model-based simulations, they do not scale well for the runtime monitoring of spatially distributed CPS.
Several logic-based formalisms have been proposed to specify the behavior and the spatial structure of concurrent systems (Caires and Cardelli, 2003) and for reasoning about the topological (Bennett et al., 2002) or directional (Bresolin et al., 2010) aspects of the interacting entities. In topological reasoning (Bennett et al., 2002), the spatial objects are sets of points and the relation between them is preserved under translation, scaling and rotation. In directional reasoning, the relation between objects depends on their relative position. These logics are usually highly computationally complex (Bresolin et al., 2010) or even undecidable (Marx and Reynolds, 1999).
Monitoring spatial-temporal behaviors has started to receive more attention only recently with SpaTeL (Haghighi et al., 2015) and SSTL (Nenzi et al., 2015). The Spatial-Temporal Logic (SpaTeL) (Haghighi et al., 2015) is the unification of Signal Temporal Logic (Maler and Nickovic, 2013) (STL) and Tree Spatial Superposition Logic (TSSL) introduced in (Aydin-Gol et al., 2014; Bartocci et al., 2016) to classify and detect spatial patterns. TSSL reasons over quad trees, spatial data structures that are constructed by recursively partitioning the space into uniform quadrants. The notion of superposition in TSSL provides a way to describe statistically the distribution of discrete states in a particular partition of the space and the spatial operators corresponding to zooming in and out in a particular region of the space. By nesting these operators, it is possible to specify self-similar and fractal-like structures (Grosu et al., 2009) that generally characterize the patterns emerging in nature. The procedure allows one to capture very complex spatial structures, but at the price of a complex formulation of spatial properties, which are in practice only learned from some template image.
Another important work to mention is Voltron (Mottola et al., 2014), an open-source team-level programming system for drone’s collaborative sensing. Voltron provides special programming constructs to reason about time and space and allows users to express sophisticated collaborative tasks without exposing them to the complexity of concurrent programming, parallel execution, scaling, and failure recovery. The spatial constructs are limited to operate on a set of locations of a given geometry (that the user needs to specify). The system is suitable more for programming than for monitoring. For example, it does not allow to quantify how much the current CPS execution is close to violate a given requirement.
3. Spatial Models, Signals and Traces
In this section, we introduce the model of space we consider, and the type of signals that the logic specifies.
3.1. Constraint Semirings
An elegant and general way to represent the result of monitoring is based on constraint semiring. This is an algebraic structure that consists of a domain and two operations named choose and combine. Constraint semirings are subclass of semirings which have been shown to be very flexible, expressive and convenient for a wide range of problems, in particular for optimisation and solving problems with soft constraints and multiple criteria (Bistarelli et al., 1997), and in model checking (Lluch-Lafuente and Montanari, 2005).
Definition 3.1 (semiring).
A constraint semiring (just semiring in the following) is a tuple composed by a set , two operators , and two constants , such that:
- •
is an associative, commutative, idempotent operator to “choose” among values††We let to denote ., with ;
- •
is an associative, commutative operator to “combine” values;
- •
distributes over ;
- •
, , , for all ;
- •
, which is defined as iff , provides a complete lattice .
We say that a semiring is idempotent if and only if for any . Moreover, we say that a semiring is total when is a total order.
With an abuse of notation we sometimes refer to a semiring with the carrier and to its components by subscripting them with the carrier, i.e., , , and . For the sake of a lighter notation we drop the subscripts if clear from the context.
Example 3.2.
Typical examples of semirings that we will use in this paper are††We use (resp. ) to denote (resp. ).:
- •
the Boolean semiring ;
- •
the tropical semiring ;
- •
the max/min semiring: ;
- •
the integer semiring: .
Boolean, max/min and integer semirings are idempotent while tropical semiring is not. All the above semirings are total.
One of the advantages of semirings is that these can be easily composed. For instance, if and are two semirings, one can consider the cartesian product where operations are applied elementwise.
3.2. Spatial model
Space is represented via a graph with edges having a weight from a given semiring.
Definition 3.3.
Let be a semiring, a spatial model is a pair where:
- •
is a set of locations, also named space universe;
- •
is a proximity function associating at most one label with each distinct pair .
We will use to denote the set of -spatial models, while indicates the set of -spatial models having as a set of locations. In the following, we will equivalently write as or , saying that is next to with weight .
A special class of spatial models are the ones based on Euclidean spaces.
Definition 3.4 (Euclidean spatial model).
Let be a set of locations, a (reflexive) relation and a function mapping each location to a point in , we let be the -spatial model†† is the min/max semiring considered in Example 3.2. such that:
[TABLE]
Note that we label edges with a 2-dimensional vector describing how to reach from , i.e., . This obviously allows us to compute the euclidean distance between and as , but, as we will see, allows us to compute the euclidean distance of any pair of locations connected by any path, not necessarily by a line in the plane.
Example 3.5 (Mobile Ad hoc sensor NETwork).
A Mobile Ad-hoc sensor NETwork (MANET) is a sensor network that can consist of up ten thousands of mobile devices connected wirelessly. The devices are usually deployed to monitor environmental changes such as pollution, humidity, light and temperature. Each sensor node can be equipped with a sensing transducer, data processor, a radio transceiver and an embedded battery. It can move independently in any direction and change its links to other devices. Two nodes can communicate each other if their Euclidean distance is at most their communication range as depicted in Fig. 1 (right) . Moreover, the nodes can be of different type and their behaviour and communication can depend on their types.
When considering a MANET, we can easily define different proximity functions for the same set of locations, where each location represents a mobile device. Given a set of reference points in a two-dimensional Euclidean plane, a Voronoi diagram (Aurenhammer, 1991) partitions the plane into set of regions, one per reference point, assigning each point of the plane to the region corresponding to the closest reference point. The dual of the Voronoi diagram is the proximity graph or Delaunay triangulation (Delaunay, 1934). In Figure 1 (left), we can see an example of Voronoi diagram (in blue) and proximity graph (in red). The proximity function can then be defined with respect to the Cartesian coordinates, as in Definition 3.4: , where are the plane coordinates of the location .
The proximity function can be also equal to a value that depends of other specific characteristics or behaviours of our nodes. For instance, Fig. 1 (right) represents the connectivity graph of MANET. In this case a location is next to a location if and only if they are within their communication range.
Given an -spatial model we can define routes.
Definition 3.6.
Let , a route is an infinite sequence in such that for any , .
Let be a route, and , we use:
- •
to denote the -th node in ;
- •
to indicate the suffix route ;
- •
when there exists an index such that , while we use if this index does not exist;
- •
to denote the first occurrence of in :
[TABLE]
We also use to denote the set of routes in , while denotes the set of routes starting from . We can use routes to define the distance among two locations in a spatial model. This distance is computed via an appropriate function that combines all the weights in a route into a value taken from an appropriate semiring .
Definition 3.7.
Let be an -spatial model, a route in , a complete semiring and a distance monotone function such that , or , for any and . The distance up-to index is:
[TABLE]
Given a locations , the distance over up-to is then if , or otherwise.
Example 3.8.
Considering again a MANET, one could be interested in different types of distances, e.g., counting the number of hops, or distances induced by the weights of the Euclidean space structure.
To count the number of hops, we can simply use the function , taking values in the tropical semiring on :
[TABLE]
and in this case .
Considering the proximity function computed from the Cartesian coordinates, we can use the distance induced by the function defined as follow
[TABLE]
where are the coordinates of the vectors returned by while is the distance incrementally computed by . It is easy to see that for any route and for any location in , the function yields the sum of lengths of the edges in connecting to .
Both the functions and are monotone and satisfy the constraints:
[TABLE]
The distance between two locations and is obtained by choosing the distance values along all possible routes starting from and ending in , according to the operation of the semiring :
[TABLE]
Example 3.9.
Consider again the distance functions defined for a MANETS. For hops, we are taking the minimum hop-length over all paths connecting and , resulting in the shortest path distance. In the Euclidean case, the function returns the same result along any path, which will also be our distance, due to idempotence of .
3.3. Spatio-Temporal Signals
Definition 3.10.
A signal domain is a tuple where:
- •
, is an idempotent semiring;
- •
, is a negation function such that:
- –
;
- –
;
- –
- –
- –
for any , .
In this paper, we will consider two signal domains:
- •
Boolean signal domain for qualitative monitoring;
- •
Max/min signal domain for quantitative monitoring.
For signal domains we will use the same notation and notational conventions introduced for semirings.
Definition 3.11.
Let a time domain and a signal domain, a temporal -signal is a function .
Consider a finite sequence:
[TABLE]
such that, for any , and . Usually, . We let denote a piecewise constant temporal -signal in , that is
[TABLE]
Given a piecewise constant temporal signal we will use to denote the set of time steps in ; to denote ; while we will say that is minimal if and only if for any , . We will also let to denote the signal obtained from by adding the element . Finally, if and are two -temporal signals, and , denotes the signal associating with each time the value . Similarly, if , denotes the signal associating with the value .
Definition 3.12.
Let be a space universe, and a signal domain. A spatial -signal is a function .
Definition 3.13 (Spatio-temporal -signal).
Let be a space universe, a time domain, and a signal domain, a spatio-temporal -signal is a function
[TABLE]
such that is a temporal signal that returns a value for each time . We say that is piecewise constant when for any , is a piecewise constant temporal signal. Piecewise constants spatio-temporal signal are denoted by .
Given a spatio-temporal signal , we will use to denote the spatial signal at time , i.e. the signal such that , for any . Different kinds of signals can be considered while the signal domain is changed. Signals with are called boolean signals; with are called real-valued or quantitative signals.
Definition 3.14 (-Trace).
Let be a space universe, a spatio-temporal -trace is a function
[TABLE]
such that for any yields a vector of temporal signals . In the rest of the paper we will use to denote .
We plan to work with spatial models that can dynamically change their configurations. For this reason, we need to define a function that returns the spatial configuration at each time.
Definition 3.15 (Location service).
Let be a spatial universe, a location service is a function associating each element in the time domain with a spatial model that describes the spatial configuration of locations.
Example 3.16.
Let us considering a MANET with a proximity graph. A spatio temporal signal associates a temporal signal of real-values at each location ; instead corresponds to the spatial signal at time , i.e. it is a function that returns a value for each location at time t. We can see the use of the location service in the figure below. The plot shows two different spatial configurations of the model for time and . We can see that locations and change their position, this changes also the Voronoi diagram and the proximity graph. We have then two different proximity functions on the same space universe , i.e. , .
4. Spatio-temporal Reach and Escape Logic
In this section, we present the Spatio-Temporal Reach and Escape Logic (STREL), an extension of the Signal Temporal Logic. We define the syntax and the semantics of STREL, describing in detail the spatial operators and their expressiveness.
4.1. Syntax
The syntax of STREL is given by
[TABLE]
where is an atomic predicate (), negation and conjunction are the standard Boolean connectives, and are the Until and the Since temporal modalities, with a real positive closed interval. These are the standard temporal operators of STL, and we refer the reader to (Maler and Nickovic, 2013; Donzé et al., 2013) for more details. The spatial modalities are the reachability and the escape operators, with a Distance Function, (we call their collection), described in the previous section, and a Distance Predicate (from a set of predicates), e.g., inequalities††With an abuse of notation, we will denote by the predicate that complements .. The exact meaning of and depends on specific interpretation functions. This because, the monitored value associated with a formula depends on the considered domain. We impose that any occurring in a operator is , i.e., if satisfies and then satisfies . This because predicate represents an upper bound on a distance.
The reachability operator describes the behavior of reaching a location satisfying property passing only through locations that satisfy , through nodes whose distance from the initial location satisfy the predicate . The escape operator , instead, describes the possibility of escaping from a certain region passing only through locations that satisfy , via a route with distance satisfying the predicate . Differently from , in the predicate represents a lower bound. For this reason we assume that any interpretation of is , i.e., if satisfies and then satisfies †† is if and only if is ..
As customary, we can derive the disjunction operator and the future eventually and always operators from the until temporal modality, and the corresponding past variants from the since temporal modality, see (Maler and Nickovic, 2013) for details. We can define also other three derived spatial operators: the somewhere and the everywhere that describe behaviors of some or of all locations at a certain distance from a specific point, and the surround that expresses the topological notion of being surrounded by a -region, while being in a -region, with additional metric constraints. A more thorough discussion of the spatial operators will be given after introducing the semantics.
4.2. Semantics
The semantics of STREL is evaluated point-wise at each time and each location. We stress that each STREL formula abstracts from the specific domain used to express the satisfaction value of as well as there is not explicit reference to the semiring used in the spatial model to express weights associated with edges. These, of course, are needed to define the semantics. In the following, we assume that is the domain of the spatio-temporal traces, while is the semiring where the logic is evaluated. Furthermore, is the semiring of weights, and is the semiring in which distance functions take values. To define the semantics, we also need three auxiliary functions. The signal interpretation function permits to translate the input trace in a different -spatio temporal signal, for each atomic proposition in , which will be the input of the monitoring procedure. The function is used to interpret function symbols as proper distance functions, while maps distance predicate symbols into proper predicates.
Definition 4.1 (Semantics).
Let and B be two semirings, and and two signal domains. Let be a space universe, be a spatio-temporal -trace for and the location service associating an A-spatial model at each time in Let , , and be the functions introduced above. The -monitoring function of is recursively defined in Table 1.
Given a formula , the function corresponds to the evaluation of the formula at time in the location . The choice of and produces different types of semantics. As described in Section 3, we consider two signal domains: and , giving rise to qualitative and quantitative monitoring, correspond respectively to a Boolean answer value and real satisfaction value. We describe the semantics for the Boolean signal domain ( ). We say that satisfies a formula if . The procedure will be exactly the same for different choices of the formula evaluation domain, just operators have to be interpreted according to the chosen semirings and signal domains. We use the following example as the system on which we specify our properties, in particular we will use the graph in Figure 3 to describe the spatial operators.
Example 4.2 (ZigBee protocol).
In Fig. 3, the graph represents a MANET. In particular, we consider the nodes with three different roles such as the ones implemented in the ZigBee protocol: coordinator, router and EndDevice. The Coordinator node ({\color[rgb]{0.3,0.615,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.615,0.3}coord}), represented in green color in the graph, is unique in each network and is responsible to initialize the network. After the initialisation, the coordinator behaves as a router. The Router node ({\color[rgb]{0.65,0.3,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.65,0.3,0.3}router}), represented in red color in the graph, acts as a intermediate router, passing on data from other devices. The EndDevice node ({\color[rgb]{0.3,0.3,0.615}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.3,0.615}end\_dev}), represented in blue, can communicate only with a parent node (either the Coordinator or a Router) and it is unable to relay data from other devices. Nodes move in space and the figure corresponds to the spatial configuration at a fixed time . As trace and location service, let us consider a -spatial model as the proximity graph presented in Example 3.5 and a -trace over this graph denoting the kind of node, i.e. if is a coordinator, if is a router, and if is an end node.
Atomic Proposition. Different types of atomic propositions and signal interpretations are admissible. We can simply consider a finite set and an interpretation function iff . E.g., in Fig. 3, we can consider atomic propositions describing the type of node, i.e., the boolean propositions \{{\color[rgb]{0.3,0.615,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.615,0.3}coord},{\color[rgb]{0.65,0.3,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.65,0.3,0.3}router},{\color[rgb]{0.3,0.3,0.615}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.3,0.615}end\_dev}\} are true if the node is of the corresponding type. In case of real valued signals and of a quantitative interpretation of the logic ( being in this case the real valued max/min semiring), we can consider inequalities for some real function and define .
Negation.
Conjunction.
Until. \mathbf{m}(\lambda,\vec{x},\varphi_{1}\mathrm{U}_{[t_{1},t_{2}]}\varphi_{2},t,\ell)=\bigvee_{t^{\prime}\in t+[t_{1},t_{2}]}(\mathbf{m}(\lambda,\vec{x},\varphi_{2},t^{\prime},\ell)\wedge\bigwedge_{t^{\prime\prime}\in[t,t^{\prime}]}\mathbf{m}(\lambda,\vec{x},\varphi_{1},t^{\prime\prime},\ell)\big{)}. As customary, satisfies
iff it satisfies from until, in a time between and time units in the future, becomes true. Note how the temporal operators are evaluated in each location separately. Since. \mathbf{m}(\lambda,\vec{x},\varphi_{1}\>\mathrm{S}_{[t_{1},t_{2}]}\>\varphi_{2},t,\ell)=\bigvee_{t^{\prime}\in t-[-t_{2},-t_{1}]}\linebreak\big{(}\mathbf{m}(\lambda,\vec{x},\varphi_{2},t^{\prime},\ell)\wedge\bigwedge_{t^{\prime\prime}\in[t^{\prime},t]}\mathbf{m}(\lambda,\vec{x},\varphi_{1},t^{\prime\prime},\ell)\big{)}. satisfies iff it satisfies from now since, in a time between and time units in the past, was true. Except for the interpretation function, the semantics of the boolean and the temporal operators is directly derived from and coincident with that of STL (qualitative for Boolean signal domain and quantitative for an signal domain), see (Donzé et al., 2013) for details. Reachability. satisfies iff it satisfies in a location reachable from through a route , with a length satisfying the predicate , and such that and all its elements with index less than satisfy . In Figure 3, we report an example of reachability property, considering f as the function described in Example 3.9. In the graph, the location (meaning the trajectory at time t in position ) satisfies {\color[rgb]{0.3,0.3,0.615}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.3,0.615}end\_dev}\>\mathcal{R}_{m\leq 1}^{hops}\>{\color[rgb]{0.65,0.3,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.65,0.3,0.3}router}, with distance predicate being true if the distance is less than or equal to 1 units. Indeed, there exists a route such that , where , , satisfies the red property (it is a router) and all the other elements of the route satisfy the blue property (they are end-devices). Instead, for example, the location does not satisfy the property because it does not satisfies the blue (end-device) property. Escape. satisfies if and only if there exists a route and a location such that and satisfies the predicate , while and all the elements (with ) satisfy . In Fig 3, we report an example of escape property. In the graph, the location satisfies \mathcal{E}_{m\geq 2}^{hops}\>\neg{\color[rgb]{0.3,0.3,0.615}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.3,0.615}end\_dev}. Indeed, there exists a route such that , , and , and do not satisfy the blue property, i.e. they are not end-devices. Note that the route is not a good route to satisfy the property because the distance .
We can also derive other three spatial operators: somewhere, everywhere and surround. Somewhere. is satisfied by iff there exists a location that satisfies reachable from via a route with a distance satisfying the predicate . This length is computed via the function . In Fig. 3, all the locations satisfy the property \Diamonddot_{m\leq 4}^{hops}{\color[rgb]{0.3,0.615,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.615,0.3}coord} because, for all , there is always a path with a length , where , , and satisfies the green property, i.e. it is a coordinator node. Everywhere. is satisfied by iff all the locations reachable from via a path, with length satisfying the predicate , satisfy . In Fig. 3, there are no locations that satisfy the property \boxbox_{m\leq 2}^{hops}{\color[rgb]{0.65,0.3,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.65,0.3,0.3}router} because for all the locations there is a path s.t. is not a router. Surround. expresses the topological notion of being surrounded by a -region, while being in a -region, with an additional metric constraint. The operator has been introduced in (Ciancia et al., 2016) as a basic operator, while here it is a derived one. The idea is that one cannot escape from a -region without passing from a location that satisfies and, in any case, one has to reach a -location via a path with a length satisfying the predicate . In Fig. 3, the location satisfies the property ({\color[rgb]{0.3,0.615,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.615,0.3}coord}\>\vee\>{\color[rgb]{0.65,0.3,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.65,0.3,0.3}router})\circledcirc_{\leq 3}^{hops}\>{\color[rgb]{0.3,0.3,0.615}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.3,0.615}end\_dev}. In fact, it is coordinator, it cannot reach a location that does not satisfy the the {\color[rgb]{0.3,0.615,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.615,0.3}coord}\>\vee\>{\color[rgb]{0.65,0.3,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.65,0.3,0.3}router} or the {\color[rgb]{0.3,0.3,0.615}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.3,0.615}end\_dev} property via a path with length lesser or equal to 3 and it cannot escape through a path satisfying the {\color[rgb]{0.3,0.615,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.615,0.3}coord}\>\vee\>{\color[rgb]{0.65,0.3,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.65,0.3,0.3}router} property at a distance more than 3. The operators can be arbitrarily composed to specify complex properties as we will see in Section 6. Furthermore, they can be evaluated both on indirect and on direct graphs.
5. Monitoring STREL
In this section, we present a monitoring algorithm that can be used to check if a given signal satisfies or not a STREL property. The proposed algorithm follows an offline approach. Indeed, it takes as input the complete spatio-temporal signal together with the property we want to monitor. At the end of this section, we will also briefly discuss a possible alternative approach that can lead to a distributed and online monitoring procedure. In this case, the spatio-temporal signal is not known at the beginning, it is discovered while data are collected from the system during its execution.
5.1. Offline monitor
Offline monitoring is performed via the function that takes as inputs a location service , a trace and a formula and returns the piecewise constant spatio-temporal signal representing the monitoring of . The function also relies on parametrised with respect to functions , and , used to interpret symbols in formulas, and operators , and of signal domain, used to represent satisfaction values.
The function is defined by induction on the syntax of the formula††This definition is straightforward and, for the sake of readability, we only report it in Appendix, available in the extend version of this article at https://github.com/Quanticol/strel. The spatio-temporal signal resulting from the monitoring of atomic proposition is just obtained by applying function to the trace . The spatio-temporal signals associated with and are obtained by applying operators and to the signals resulting from the monitoring of and from the monitoring of and .
Monitoring of temporal properties, namely and , can be done by using the same approach used in (Donzé et al., 2013) and (Maler and Nickovic, 2013). However, while their monitoring relies on classical boolean and arithmetic operators, here the procedure is parametrised with respect to operators and of the considered semiring.
To monitor first the signals and resulting from the monitoring of and are computed. After that, the final result is computed by aggregating the spatial signals and at each time with function , defined in Algoritm 1. This function also takes as parameters the spatial model at time (obtained from the location service), the function used to compute the distances over paths, and the predicate describing the reachability bound. In function , the data structure is iteratively computed. This data structure associates each location with a set of triples . Intuitively, is in after iterations if and only if: can reach with at most -steps with a distance at least ( satisfying ) and a monitored value . At the beginning is initialised to . Moreover, at each iteration, the values in are updated by considering the elements in , for any next to . The loop continues until a fix point is reached. Note that, termination of the algorithm is guaranteed by the fact that is an idempotent semiring and from the fact that, for any , if and then . The result spatial signal associates each location with the value .
Monitoring algorithm for is reported in Algorithm 2, where function is defined. Given a space model at time , a distance function , a distance predicate and a spatial signal, it computes the spatial signal representing the monitoring value of at time . Function iteratively computes the data structure obtained by that associates each location with a set of triples of the form representing the fact that can escape in with a distance and a total value . At each iteration, these values are updated by considering the values in the neighbours in each location. Similarly to function , this computation continues until a fixpoint is reached. After that, the monitored value associated with each location is computed as .
Remark. The offline monitoring iteratively computes the monitor value at a location by considering the values of monitoring in the previous iteration. This approach easily enables the definition of a parallel monitoring algorithm. Indeed, both the functions defined in Algorithm 1 and Algorithm 2 can be parallel executed for each location. The different monitoring instances must communicate to exchange the values computed at iteration . Another possible improvement of this algorithm is based on an online computation of the monitoring. Following an approach similar to the one considered in (Deshmukh et al., 2015), each location can identify its monitoring value by using only partial informations. Early termination of the monitor procedure is then possible when the satisfaction or violation of a property is found.
6. Examples
In this section we present some example of the expressibility and potentiality of STREL.
6.1. ZigBee protocol monitoring
Given a MANET with a ZigBee protocol (Example 4.2), we consider as spatial models both its proximity and connectivity graphs, computed with respect to the Cartesian coordinates. The Nodes have three kinds of roles: coordinator, router and EndDevice, as described in Example 4.2. Moreover, each device is also equipped with a sensor to monitor its battery level (), the humidity () and the pollution () in its position. The semiring is the union between the max/min semiring (for the proximity graph) and the integer semiring (for the connectivity graph). We will use also two types of distances: and the distances described in Example 3.9. As in the Example 4.2, atomic propositions \{{\color[rgb]{0.3,0.615,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.615,0.3}coord},{\color[rgb]{0.65,0.3,0.3}\definecolor[named]{pgfstrokecolor}{rgb}{0.65,0.3,0.3}router},{\color[rgb]{0.3,0.3,0.615}\definecolor[named]{pgfstrokecolor}{rgb}{0.3,0.3,0.615}end\_dev}\} describe the type of nodes. We also consider inequalities on the values that are read from sensors, plus special propositions which encode the address of a specific location, i.e. they are true only in the location .
In the following, we describe several properties of these ZigBee MANET networks that are easily captured by STREL logic, to exemplify its expressive power.
A class of properties naturally encoded in STREL related to the connectivity of the network. First, we can be interested to know if a node is properly connected, meaning that it can reach the coordinator through a path of routers:
[TABLE]
The meaning of this property is that an end node reaches in a step a node which is a router and that is connected to the coordinator via a path of routers.
We may also want to know if there is a path to the router which is reliable in terms of battery levels, for instance such that all routers have a battery level above 30%:
[TABLE]
The properties focus on spatial connectivity at a fixed time. We can add also temporal requirements, for instance asking that a broken connection is restored within time units:
[TABLE]
Another class of properties of interest is the acyclicity of transmissions. To this end, we need to force the connectivity graph to be direct, with edges pointing in the direction of the coordinator (i.e. transmission reduces the distance from the coordinator). With STREL, we can easily detect the absence of a cycle locally, i.e. for a fixed location . This is captured by , where
[TABLE]
In order to characterize the whole network as acyclic, we need to take the conjunction of the previous formulae for all locations (or at least for routers, enforcing end devices to be connected only with routers). This is necessary as STREL is interpreted locally, on each location, and this forbids us to express properties of the whole network with location unaware formulae. This is a price for an efficient monitoring, as global properties of networks require more expressive and computationally expensive logics. However, we can use the parametrization of STREL and the property of a Voronoi diagram to specify the global connection or the acyclicity of the graph. Indeed, the proximity graph connects always all the locations of the system, then the property , verified on the proximity graph, holds iff holds in all the location of the system.
Up to now we have presented qualitative properties, depending on the type of node. If we express properties of sensor measurements, we can also consider a quantitative semantics, returning a measure of robustness of (dis)satisfaction. As an example, we can monitor (5) if in each location an high value of pollution eventually implies, within time units, an high value of humidity, or (6) in which locations it is possible to find a ‘safe’ route, where both the humidity and the pollution are below a certain threshold. We can also check (7) if a location, which is not safe, is at distance at most from a location which is safe. Finally (8), we can check if a target device (identified by ) is reachable from all the locations in less than 10 hops.
[TABLE]
6.2. Invariance properties of the Euclidean spatial model
The properties we consider with respect to the Euclidean spatial model are typically local and depend on the relative distance and position among nodes in the plane. As such, they should be invariant with respect to change of coordinates, i.e. with respect to isometric transformations of the plane. This class of transformations includes translations, rotations, and reflections, and can be described by matrix multiplications of the form
[TABLE]
Invariance of satisfaction of spatial properties holds in STREL logic, for the Euclidean space model of Definition 3.4. Consider more specifically an Euclidean space model and , obtained by applying an isometric transformation : . For invariance to hold, we need to further require that distance predicates, used in spatial operators, are invariant for isometric transformations. More specifically, for any isometry , we require a distance predicate on the semiring to satisfy . This is the case for the norm-based predicates used in the examples, of the form .
Notice that, the path structure is preserved (the edges given by is the same), and the truth of isometry-invariant distance predicates along paths in and is also the same. This straightforwardly implies that the truth value of spatial operators will be unchanged by isometry.
Proposition 6.1 (Equisatisfiability under isometry).
Let be an euclidean spatial model and an isometric transformation of the former. Consider a spatial formula or , where is an isometry preserving predicate. Assume , , where and are the monitoring functions for the two spatial models. Then it holds that and , for all and .
7. Conclusion and Future Work
The rise of mobile and spatially distributed CPS demands for novel efficient and effective spatio-temporal formal frameworks to specify concisely spatio-temporal requirements and to enable the qualitative and quantitative spatio-temporal monitoring of such properties over spatially distributed CPS. STREL provides an intuitive formal framework that enable to express formally spatio-temporal requirements and to monitor them automatically over the execution of mobile and spatially distributed CPS. We have demonstrated the feasibility of our approach showing an application of STREL to monitor a simulated mobile ad hoc sensor network. While in this paper we define the logic and provide an offline monitoring algorithm, future research includes the design of distributed monitoring algorithms, a thorough investigation of the expressiveness, learning STREL requirements directly from data and synthesizing control policies to ensure a given requirement. A set of API that implements the algorithms considered in this paper is currently under development††STREL API are public available at https://github.com/Quanticol/strel.
Acknowledgment
L.B. L.N. and M.L. acknowledge partial support from the EU-FET project QUANTICOL (nr. 600708). E.B. and L.N. acknowledge the partial support of the Austrian National Research Network S 11405-N23 (RiSE/SHiNE) of the Austrian Science Fund (FWF), the ICT COST Action IC1402 Runtime Verification beyond Monitoring (ARVI).
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1(1)
- 2Aurenhammer (1991) F. Aurenhammer. 1991. Voronoi Diagrams; a Survey of a Fundamental Geometric Data Structure. ACM Comput. Surv. 23, 3 (1991), 345–405. https://doi.org/10.1145/116873.116880 · doi ↗
- 3Aydin-Gol et al . (2014) A. Aydin-Gol, E. Bartocci, and C. Belta. 2014. A Formal Methods Approach to Pattern Synthesis in Reaction Diffusion Systems. In Proc. of CDC: the 53rd IEEE Conference on Decision and Control . IEEE, 108–113. https://doi.org/10.1109/CDC.2014.7039367 · doi ↗
- 4Bartocci et al . (2016) E. Bartocci, E. Aydin-Gol, I. Haghighi, and C. Belta. 2016. A Formal Methods Approach to Pattern Recognition and Synthesis in Reaction Diffusion Networks. IEEE Transactions on Control of Network Systems PP, 99 (2016), 1–1. https://doi.org/10.1109/TCNS.2016.2609138 · doi ↗
- 5Bennett et al . (2002) B. Bennett, A. G. Cohn, F. Wolter, and M. Zakharyaschev. 2002. Multi-Dimensional Modal Logic As a Framework for Spatio-Temporal Reasoning. Applied Intelligence 17, 3 (Sept. 2002), 239–251. https://doi.org/10.1023/A:1020083231504 · doi ↗
- 6Bistarelli et al . (1997) S. Bistarelli, U. Montanari, and F. Rossi. 1997. Semiring-based constraint satisfaction and optimization. J. ACM 44, 2 (1997), 201–236. https://doi.org/10.1145/256303.256306 · doi ↗
- 7Bresolin et al . (2010) D. Bresolin, P. Sala, D. Della Monica, A. Montanari, and G. Sciavicco. 2010. A Decidable Spatial Generalization of Metric Interval Temporal Logic. In Proc. of TIME 2010: the 17th International Symposium on Temporal Representation and Reasoning . 95–102. https://doi.org/10.1109/TIME.2010.22 · doi ↗
- 8Caires and Cardelli (2003) L. Caires and L. Cardelli. 2003. A spatial logic for concurrency (part I). Information and Computation 186, 2 (2003), 194–235. https://doi.org/10.1016/S 0890-5401(03)00137-8 · doi ↗
