40 Hits in 1.2 sec

Input Prioritization for Testing Neural Networks [article]

Taejoon Byun, Vaibhav Sharma, Abhishek Vijayakumar, Sanjai Rayadurgam, Darren Cofer
2019 arXiv   pre-print
Deep neural networks (DNNs) are increasingly being adopted for sensing and control functions in a variety of safety- and mission-critical systems such as self-driving cars, autonomous air vehicles, medical diagnostics, and industrial robotics. Failures of such systems can lead to loss of life or property, which necessitates stringent verification and validation to provide high assurance. Though formal verification approaches are being investigated, testing remains the primary technique for assessing the dependability of such systems. Due to the nature of the tasks handled by DNNs, the cost of obtaining test oracle data---the expected output, a.k.a. label, for a given input---is high, which significantly impacts the amount and quality of testing that can be performed. Thus, prioritizing input data for testing DNNs in meaningful ways to reduce the cost of labeling can go a long way in increasing testing efficacy. This paper proposes using gauges of the DNN's sentiment derived from the computation performed by the model as a means to identify inputs that are likely to reveal weaknesses. We empirically assessed the efficacy of three such sentiment measures for prioritization---confidence, uncertainty, and surprise---and compared their effectiveness in terms of their fault-revealing capability and retraining effectiveness. The results indicate that sentiment measures can effectively flag inputs that expose unacceptable DNN behavior. For MNIST models, the average percentage of inputs correctly flagged ranged from 88% to 94.8%.
arXiv:1901.03768v1 fatcat:7oyymy7scbc5rcjrwexhwje5oy
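The confidence measure compared in the abstract can be sketched in a few lines: inputs on which the model's top softmax probability is lowest are labeled and inspected first. The function name and the scores below are illustrative, not taken from the paper.

```python
def confidence(probs):
    """Model sentiment: probability of the predicted (argmax) class."""
    return max(probs)

# (input id, softmax output) pairs from a hypothetical 3-class model.
batch = [
    ("x1", [0.98, 0.01, 0.01]),   # model is sure
    ("x2", [0.40, 0.35, 0.25]),   # model is unsure: likely fault-revealing
    ("x3", [0.70, 0.20, 0.10]),
]

# Least-confident inputs first: these are most likely to expose weaknesses.
prioritized = sorted(batch, key=lambda item: confidence(item[1]))
print([name for name, _ in prioritized])  # ['x2', 'x3', 'x1']
```

Uncertainty and surprise measures would slot in the same way, by replacing the key function used for sorting.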

Manifold-based Test Generation for Image Classifiers [article]

Taejoon Byun, Abhishek Vijayakumar, Sanjai Rayadurgam, Darren Cofer
2020 arXiv   pre-print
Neural networks used for image classification tasks in critical applications must be tested with sufficient realistic data to assure their correctness. To effectively test an image classification neural network, one must obtain realistic test data adequate enough to inspire confidence that differences between the implicit requirements and the learned model would be exposed. This raises two challenges: first, an adequate subset of the data points must be carefully chosen to inspire confidence, and second, the implicit requirements must be meaningfully extrapolated to data points beyond those in the explicit training set. This paper proposes a novel framework to address these challenges. Our approach is based on the premise that patterns in a large input data space can be effectively captured in a smaller manifold space, from which similar yet novel test cases---both the input and the label---can be sampled and generated. A variant of the Conditional Variational Autoencoder (CVAE) is used for capturing this manifold with a generative function, and a search technique is applied on this manifold space to efficiently find fault-revealing inputs. Experiments show that this approach enables efficient generation of thousands of realistic yet fault-revealing test cases, even for well-trained models.
arXiv:2002.06337v1 fatcat:l7bujunb7vclphnxg4rvdup2hi

Scheduling Storms and Streams in the Cloud

Javad Ghaderi, Sanjay Shakkottai, Rayadurgam Srikant
2015 Performance Evaluation Review  
Motivated by emerging big streaming data processing paradigms (e.g., Twitter Storm, Streaming MapReduce), we investigate the problem of scheduling graphs over a large cluster of servers. Each graph is a job, where nodes represent compute tasks and edges indicate data-flows between these compute tasks. Jobs (graphs) arrive randomly over time, and upon completion, leave the system. When a job arrives, the scheduler needs to partition the graph and distribute it over the servers to satisfy load balancing and cost considerations. Specifically, neighboring compute tasks in the graph that are mapped to different servers incur load on the network; thus a mapping of the jobs among the servers incurs a cost that is proportional to the number of "broken edges". We propose a low-complexity randomized scheduling algorithm that, without service preemptions, stabilizes the system with graph arrivals/departures; more importantly, it allows a smooth trade-off between minimizing average partitioning cost and average queue lengths. Interestingly, to avoid service preemptions, our approach does not rely on a Gibbs sampler; instead, we show that the corresponding limiting invariant measure has an interpretation stemming from a loss system.
doi:10.1145/2796314.2745882 fatcat:cmkjnpcmf5cuzkxnsm3nvnupyy
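The "broken edges" cost model in the abstract is easy to state concretely: the cost of a placement is the number of graph edges whose endpoints land on different servers. The following is a minimal sketch of that count; the graph, server names, and function name are illustrative.

```python
def broken_edges(edges, placement):
    """Count edges whose endpoints are placed on different servers."""
    return sum(1 for u, v in edges if placement[u] != placement[v])

# A 4-task job graph: chain 0-1-2-3 plus edge 0-3.
edges = [(0, 1), (1, 2), (2, 3), (0, 3)]

# Mapping all tasks to one server breaks no edges.
print(broken_edges(edges, {0: "s1", 1: "s1", 2: "s1", 3: "s1"}))  # 0

# Splitting the chain in the middle breaks edges (1, 2) and (0, 3).
print(broken_edges(edges, {0: "s1", 1: "s1", 2: "s2", 3: "s2"}))  # 2
```

The scheduler in the paper trades this partitioning cost off against queue lengths; the count above is only the cost term of that trade-off.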

Representing Confidence in Assurance Case Evidence [chapter]

Lian Duan, Sanjai Rayadurgam, Mats P. E. Heimdahl, Oleg Sokolsky, Insup Lee
2015 Lecture Notes in Computer Science  
When evaluating assurance cases, being able to capture the confidence one has in the individual evidence nodes is crucial, as these values form the foundation for determining the confidence one has in the assurance case as a whole. Human opinions are subjective, oftentimes with uncertainty; it is difficult to capture an opinion with a single probability value. Thus, we believe that a distribution best captures a human opinion such as confidence. Previous work used a doubly-truncated normal distribution or a Dempster-Shafer theory-based belief mass to represent confidence in the evidence nodes, but we argue that a beta distribution is more appropriate. The beta distribution models a variety of shapes and we believe it provides an intuitive way to represent confidence. Furthermore, there exists a duality between the beta distribution and subjective logic, which can be exploited to simplify mathematical calculations. This paper is the first to apply this duality to assurance cases.
doi:10.1007/978-3-319-24249-1_2 fatcat:zmd7lrnvfnd6balf47tudulbxm
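The appeal of the beta distribution here is that it summarizes an opinion with two parameters that can be read as counts of supporting and opposing observations. A minimal stdlib-only sketch of that reading follows; the prior, the counts, and the function names are illustrative assumptions, not values from the paper.

```python
# Sketch: confidence in an evidence node as a Beta(a, b) distribution.
from math import nan

def beta_mean(a, b):
    """Expected value of Beta(a, b)."""
    return a / (a + b)

def beta_mode(a, b):
    """Most likely value; defined only for a > 1 and b > 1."""
    return (a - 1) / (a + b - 2) if a > 1 and b > 1 else nan

# Start from an uninformative Beta(1, 1) prior, then fold in 8 supporting
# and 2 opposing observations about a piece of evidence.
a, b = 1 + 8, 1 + 2
print(beta_mean(a, b))  # expected confidence 0.75
print(beta_mode(a, b))  # most likely confidence 0.8
```

The duality with subjective logic mentioned in the abstract maps the same (a, b) pair onto belief, disbelief, and uncertainty components, which is what makes the calculations composable across an assurance case.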

Compositional verification of a medical device system

Anitha Murugesan, Michael W. Whalen, Sanjai Rayadurgam, Mats P.E. Heimdahl
2013 ACM SIGAda Ada Letters  
Complex systems are by necessity hierarchically organized. Decomposition into subsystems allows for intellectual control, as well as enabling different subsystems to be created by distinct teams. This decomposition affects both requirements and architecture. The architecture describes the structure, and this affects how requirements "flow down" to each subsystem. Moreover, discoveries in the design process may affect the requirements. Demonstrating that a complex system satisfies its requirements when the subsystems are composed is a challenging problem. In this paper, we present a medical device case example where we apply an iterative approach to architecture and verification based on software architectural models. We represent the hierarchical composition of the system in the Architecture Analysis & Design Language (AADL), and use an extension to the AADL language to describe the requirements at different levels of abstraction for compositional verification. The component-level behavior for the model is described in Simulink/Stateflow. We assemble proofs of system-level properties by using the Simulink Design Verifier to establish component-level properties and an open-source plug-in for the OSATE AADL environment to perform the compositional verification of the architecture. This combination of verification tools allows us to iteratively explore design and verification of detailed behavioral models, and to scale formal analysis to large software systems.
doi:10.1145/2658982.2527272 fatcat:37yhhmiku5hjpfmawb5infsafy

Automatic abstraction for model checking software systems with interrelated numeric constraints

Yunja Choi, Sanjai Rayadurgam, Mats P.E. Heimdahl
2001 Software engineering notes  
Verification and Validation (V&V) of software for critical embedded control systems often consumes up to 70% of the development resources. Testing is one of the most frequently used V&V techniques for verifying such systems. Many regulatory agencies that certify control systems for use require that the software be tested to certain specified levels of coverage. Currently, developing test cases to meet these requirements takes a major portion of the resources. Automating this task would result in significant time and cost savings. The objective of this dissertation is to automate the generation of such test cases. We propose an approach [2] where we rely on a formal model of the required software behavior for test-case generation, as well as an oracle to determine if the implementation produced the correct output during testing. A key hypothesis of this approach is that model checking can be effectively used to automatically generate test cases [3]. Model checking is a technique for exploring the reachable state space of a system model to verify properties of interest. When a property violation is detected, a model checker will produce a counterexample as a witness: a sequence of states from the initial system state to the violating state, where each state is an assignment of values to system variables. Such a counterexample can be viewed as a test sequence. For example, we can assert to the model checker that a certain transition in a specification cannot be taken. If this transition in fact can be taken, the model checker will generate a sequence of inputs (with associated outputs) that forces the model to take this transition---we have found a test case that exercises this transition. One could systematically generate such "challenges" to the model checker based on some user-defined levels of coverage of the software artifact and obtain a set of test sequences that achieves the desired coverage. The research challenges that must be addressed in order to realize this test generation approach form the focus of this work:

Formalism and criteria. We need a suitable formalism for expressing the behavior of software for critical control systems. It should have enough structure in terms of which meaningful test criteria can be expressed [3]. It should also be general enough to capture various software artifacts of interest, such as requirement models [4] and program code.

Abstraction and test data instantiation. To make model checking feasible, one may have to abstract away details. Software models pose serious challenges since they typically include integer- and real-valued variables, leading to large or infinite state spaces. Abstraction will give rise to test cases that have abstract data, which should then be instantiated with concrete values. One may use constraint-solving techniques to achieve this. Also, certain abstraction methods may reduce the size of the input domains without introducing abstract data [1].

Reducing test set size. A straightforward generation of test cases will inevitably lead to a large number of redundant test cases. For example, a test case devised to test one specific transition in a specification will also exercise many other transitions. One could leverage this fact and develop techniques to eliminate redundant tests.

Measuring effectiveness. The usefulness of the techniques and the test criteria must be empirically validated through case studies and experiments. Of particular interest are the scalability of these techniques to realistic models and the actual coverage of the program code achieved by the generated test suites.
doi:10.1145/503271.503232 fatcat:n43lrnp57fd7foaudfa6w7r7fu
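The "assert it cannot be taken" trick described above can be illustrated without a real model checker: exhaustively exploring the state space of a toy transition system until the target transition fires yields the counterexample path, which doubles as the test sequence. The tiny mode machine and names below are purely illustrative, not the formalism from the dissertation.

```python
from collections import deque

# Transitions of a toy mode machine: (state, input) -> next state.
transitions = {
    ("off", "power"): "standby",
    ("standby", "start"): "run",
    ("run", "stop"): "standby",
}

def witness_path(initial, target_edge):
    """BFS for an input sequence whose run traverses target_edge."""
    queue = deque([(initial, [])])
    seen = {initial}
    while queue:
        state, inputs = queue.popleft()
        for (src, inp), dst in transitions.items():
            if src != state:
                continue
            if (src, inp) == target_edge:
                return inputs + [inp]   # counterexample = test sequence
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, inputs + [inp]))
    return None  # the transition really is unreachable

# A test case exercising the standby --start--> run transition.
print(witness_path("off", ("standby", "start")))  # ['power', 'start']
```

A model checker does the same search symbolically and at scale; iterating over all transitions required by a coverage criterion yields a test suite, redundancy aside.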

Design Considerations for Modeling Modes in Cyber–Physical Systems

Anitha Murugesan, Sanjai Rayadurgam, Michael W. Whalen, Mats P. E. Heimdahl
2015 IEEE design & test  
doi:10.1109/mdat.2015.2462112 fatcat:yelzg67uxzdkvmn4rftokwnwkq

Auto-generating Test Sequences Using Model Checkers: A Case Study [chapter]

Mats P. E. Heimdahl, Sanjai Rayadurgam, Willem Visser, George Devaraj, Jimin Gao
2004 Lecture Notes in Computer Science  
doi:10.1007/978-3-540-24617-6_4 fatcat:b6b3mxamdfdtdlikwgscayxr4y

Your "What" Is My "How": Iteration and Hierarchy in System Design

Michael W. Whalen, Andrew Gacek, Darren Cofer, Anitha Murugesan, Mats P.E. Heimdahl, Sanjai Rayadurgam
2013 IEEE Software  
Systems are naturally constructed in hierarchies in which design choices made at higher levels of abstraction levy requirements on system components at lower levels of abstraction. Thus, whether an aspect of the system is a design choice or a requirement depends largely on one's vantage point within the hierarchy of system components. Furthermore, systems are often constructed middle-out rather than top-down; compatibility with existing systems and architectures, or availability of specific components, influences high-level requirements. We argue that requirements and architectural design should be more closely aligned: that requirements models must account for hierarchical system construction, and that architectural design notations must better support specification of requirements for system components. We briefly describe work to this end that was performed on the META II project and describe the gaps in this work that need to be addressed to meet practitioner needs.
doi:10.1109/ms.2012.173 fatcat:s65pnrvujvdnvnqumhx4k6kvoy

Modes, features, and state-based modeling for clarity and flexibility

Anitha Murugesan, Sanjai Rayadurgam, Mats P. E. Heimdahl
2013 2013 5th International Workshop on Modeling in Software Engineering (MiSE)  
The behavior of a complex system is frequently defined in terms of operational modes: mutually exclusive sets of the system behaviors. Within the operational modes, collections of features define the behavior of the system. Lucid and understandable modeling of operational modes and features using common state-based notations such as Statecharts or Stateflow can be challenging. In this paper we share some of our experiences from modeling modes and features in the medical device domain. We discuss the challenges and present a generic approach to structuring the modes and features of a generic Patient-Controlled Analgesia infusion pump.
doi:10.1109/mise.2013.6595290 dblp:conf/icse/MurugesanRH13 fatcat:jmsipmtdffebnnx2zbvqjyyak4

Scheduling Storms and Streams in the Cloud

Javad Ghaderi, Sanjay Shakkottai, Rayadurgam Srikant
2015 Proceedings of the 2015 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems - SIGMETRICS '15  
Motivated by emerging big streaming data processing paradigms (e.g., Twitter Storm, Streaming MapReduce), we investigate the problem of scheduling graphs over a large cluster of servers. Each graph is a job, where nodes represent compute tasks and edges indicate data-flows between these compute tasks. Jobs (graphs) arrive randomly over time, and upon completion, leave the system. When a job arrives, the scheduler needs to partition the graph and distribute it over the servers to satisfy load balancing and cost considerations. Specifically, neighboring compute tasks in the graph that are mapped to different servers incur load on the network; thus a mapping of the jobs among the servers incurs a cost that is proportional to the number of "broken edges". We propose a low-complexity randomized scheduling algorithm that, without service preemptions, stabilizes the system with graph arrivals/departures; more importantly, it allows a smooth trade-off between minimizing average partitioning cost and average queue lengths. Interestingly, to avoid service preemptions, our approach does not rely on a Gibbs sampler; instead, we show that the corresponding limiting invariant measure has an interpretation stemming from a loss system.
doi:10.1145/2745844.2745882 dblp:conf/sigmetrics/GhaderiSS15 fatcat:kn5rxxdit5dhnok2wxjcgbovoa

Toward Rigorous Object-Code Coverage Criteria

Taejoon Byun, Vaibhav Sharma, Sanjai Rayadurgam, Stephen McCamant, Mats P. E. Heimdahl
2017 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE)  
Object-branch coverage (OBC) is often used as a measure of the thoroughness of test suites, augmenting or substituting source-code-based structural criteria such as branch coverage and modified condition/decision coverage (MC/DC). In addition, with the increasing use of third-party components for which source-code access may be unavailable, robust object-code coverage criteria are essential to assess how well the components are exercised during testing. While OBC has the advantage of being programming-language independent and is amenable to non-intrusive coverage measurement techniques, variations in compilers and the optimizations they perform can substantially change what is seen as an object branch, which itself appears to be an informally understood concept. To address the need for a robust object coverage criterion, this paper proposes a rigorous definition of OBC such that it captures well the semantics of source-code branches for a given instruction set architecture. We report an empirical assessment of these criteria for the Intel x86 instruction set on several examples from embedded control systems software. Preliminary results indicate that object-code coverage can be made robust to compilation variations and is comparable in its bug-finding efficacy to source-level MC/DC.
doi:10.1109/issre.2017.33 dblp:conf/issre/ByunSRMH17 fatcat:mb7ldrca4narhlcdrhxrn2xulu

Structuring simulink models for verification and reuse

Michael W. Whalen, Anitha Murugesan, Sanjai Rayadurgam, Mats P. E. Heimdahl
2014 Proceedings of the 6th International Workshop on Modeling in Software Engineering - MiSE 2014  
Model-based development (MBD) tool suites such as Simulink and Stateflow offer powerful tools for design, development, and analysis of models. These models can be used for several purposes: for code generation, for prototyping, as descriptions of an environment (plant) that will be controlled by software, as oracles for a testing process, and many other aspects of software development. In addition, a goal of model-based development is to develop reusable models that can be easily managed in a version-controlled continuous integration process. Although significant guidance exists for proper structuring of source code for these purposes, considerably less guidance exists for MBD approaches. In this paper, we discuss structuring issues in constructing models to support use (and reuse) of models for design and verification in critical software development projects. We illustrate our approach using a generic patient-controlled analgesia infusion pump (GPCA), a medical cyber-physical system.
doi:10.1145/2593770.2593776 dblp:conf/icse/WhalenMRH14 fatcat:7hm65robmrgl5ht2i42kbsskky

Domain modeling for development process simulation

Ian J. De Silva, Sanjai Rayadurgam, Mats P. E. Heimdahl
2017 Proceedings of the 2017 International Conference on Software and System Process - ICSSP 2017  
Simulating agile processes prior to adoption can reduce the risk of enacting an ill-fitting process. Agent-based simulation is well-suited to capture the individual decision-making valued in agile. Yet, agile's lightweight nature creates simulation difficulties as agents must fill in gaps within the specified process. Deliberative agents can do this given a suitable planning domain model. However, no such model, nor guidance for creating one, currently exists. In this work, we propose a means for constructing an agile planning domain model suitable for agent-based simulation. As such, the domain model must ensure that all activity sequences derived from the model are executable by a software agent. We prescribe iterative elaboration and decomposition of an existing process to generate successive internally-complete and -consistent domain models, thereby ensuring plans derived from the model are valid. We then demonstrate how to generate a domain model and exemplify its use in planning the actions of a single agent.
doi:10.1145/3084100.3084111 dblp:conf/ispw/SilvaRH17 fatcat:gv2fwcjhwrgvbds2jbvn6tufwu

Reasoning About Confidence and Uncertainty in Assurance Cases: A Survey [chapter]

Lian Duan, Sanjai Rayadurgam, Mats P. E. Heimdahl, Anaheed Ayoub, Oleg Sokolsky, Insup Lee
2017 Lecture Notes in Computer Science  
Assurance cases are structured logical arguments supported by evidence that explain how systems, possibly software systems, satisfy desirable properties for safety, security or reliability. The confidence in both the logical reasoning and the underlying evidence is a factor that must be considered carefully when evaluating an assurance case; the developers must have confidence in their case before the system is delivered, and the assurance case reviewer, such as a regulatory body, must have adequate confidence in the case before approving the system for use. A necessary aspect of gaining confidence in the assurance case is dealing with uncertainty, which may have several sources. Uncertainty, often impossible to eliminate, nevertheless undermines confidence and must therefore be sufficiently bounded. It can be broadly classified into two types, aleatory (statistical) and epistemic (systematic). This paper surveys how researchers have reasoned about uncertainty in assurance cases. We analyze existing literature to identify the type of uncertainty addressed and distinguish between qualitative and quantitative approaches for dealing with uncertainty.
doi:10.1007/978-3-319-63194-3_5 fatcat:qq4hh6r4fngdvjtrmoja4le7um
Showing results 1 — 15 out of 40 results