Model Checking of Restricted CTL* formulas using ALCK

(1)

Model Checking of Restricted CTL* formulas using ALCK

_R⁺

Taufiq Rochaeli and Claudia Eckert

Department of Computer Science Technische Universitt Darmstadt

{rochaeli,eckert}@sec.informatik.tu-darmstadt.de

Introduction The purpose of model checking technique is to verify whether the im- plemented computer program (the model) satisfies the specified requirements (the formulas). Now letKbe the Kripke model representing the behavior of the system andR be the set of formulas. The model checking process verifies whether every formula in Ris satisfied by the model, which hasIas the set of initial states. Formally, it checks whether∀f ∈ R,∀s ∈ I : K, s f is true or not. We propose an approach to perform model checking of the restricted CTL* formula based on the top of description logics reasoning services. This approach allows us to build the ontology of the atomic propositions used both in the model and in the formula.

We realize our approach by performing the following steps: (i) representing the model in the assertion box (ABox) of the description-logic based knowledge base, (ii) defining the ontology of atomic propositions in the terminology box (TBox) of the knowledge base, (iii) defining a part of the formal semantics of CTL* logic on top of the DL semantics, (iv) defining the translation rules for the formula.

Representation of the Kripke Model and the Ontology of Atomic Propositions The Kripke model is represented as a set of axiomsAM. There are three types of axiom in AM. The first type of the axiom, State(x), defines the state s of Kripke modelK, wherexis a unique individual name representing states. The second type of the axiom, next(xi, x_j),defines the state transition betweens_i ands_j. The last kind of axiom, V_i(x), is created for eachp_i ∈L(s). The conceptV_irepresents the atomic proposition p_i. For each statesof the Kripke modelK, an assertion is created in A_M, wherex is a unique individual name representing the states. The state transitions(si, sj)are defined by the assertions in form ofnext(xi, xj). The set of atomic propositions that label a state are represented as an assertion about instance membership. That is, for each pi ∈ L(s)an assertionVi(x)is created inAM. The conceptVirepresents the atomic propositionpi. The ontology of atomic propositions is defined inTAP, which has the purpose as the common vocabulary.

Formal Semantics of CTL* Logic in Description Logics The basic idea inemulating the formal semantics of CTL* temporal logic on top of the description logic semantics is to construct the Kripke model in the ABox. Furthermore, we require the epistemic operatorK, which is presented in [1], to fix the interpretation of the Kripke model represented in the ABox. Therefore, the epistemic operatorKimmediately appears in the concepts representing atomic propositions and the roles representing state transitions.

(see equations 1, 7 - 10.)

(2)

spi⇔ KBKVi(x) (1)

sE(g₁)⇔ KBD₁(x) (2)

πg1⇔ KBD1(σ1) (3)

π¬g₁⇔ KB¬D₁(σ₁) (4)

πg₁∨g₂⇔ KB(D₁tD₂)(σ₁) (5) πg1∧g2⇔ KB(D1uD2)(σ1) (6)

πXg₁⇔ KB(∃Knext.D1)(σ₁) (7)

πGg1⇔ hTM∪ {Daux≡D1u ∃Knext.Daux},AMiDaux(σ1) (8) πFg1⇔ KB(D1t ∃Knext⁺.D1) (σ1) (9) πg₁Ug₂⇔ hT_M∪ {D_aux≡D₂t(D₁u ∃Knext.D_aux)},A_Mi (10)

D_aux(σ₁)

Fig. 1.Formal semantics of a subset of CTL* logic inALCK.

Translating CTL* Formulas into TBox Concepts The restricted CTL* formulas has the form ofE[φ], whereφis the LTL formula enclosed in aE path quantifier. The first step is to decomposeφinto a parse tree. Now we can perform the translation of the LTL formulaφ, by visiting the nodes in the parse tree starting from the leaf nodes and toward the root node. Suppose that we have a counteridx, which has the initial value 0.

For each visit in the node, we create a new axiom in the TBoxT_f according to the rules in Fig. 2 and increase the counteridx. The conceptsD_iandD_j refer to the concepts created after translating the previous sub formulasg_iandg_j, respectively.

LTL formula concepts added toTf

p_i D_idx≡KV_i

¬gi Didx≡ ¬Di

g_i∨g_j D_idx≡D_itD_j gi∧gj Didx≡DiuDj

Xg_i D_idx≡ ∃Knext.D_i Ggi Didx≡Diu ∃Knext.Didx

Fg_i D_idx≡D_it ∃Knext⁺.D_i g_iUg_j D_idx≡D_jt(D_iu ∃Knext.D_idx)

Fig. 2.Translation table of a subset of CTL* sub formulas intoALCKconcepts.

Performing the Model Checking LetKandsbe the Kripke model representing the dynamic behavior of a system and the initial state of the model. The formula f rep- resents the desired property. The model checking K, s f can be performed as an instance checkingKB_M C(x), whereasKB_M :hT_AP∪ T_f,A_Mi.

References

1. Donini, F.M., Nardi, D., Rosati, R.: Description logics of minimal knowledge and negation as failure. ACM Trans. Comput. Logic3(2002) 177–225