## About

264 Publications

22,630 Reads


7,456 Citations


## Publications

Publications (264)

We present a new method for the automated synthesis of digital controllers with formal safety guarantees for systems with nonlinear dynamics, noisy output measurements, and stochastic disturbances. Our method derives digital controllers such that the corresponding closed-loop system, modeled as a sampled-data stochastic control system, satisfies a...

We show how machine-learning techniques, particularly neural networks, offer a very effective and highly efficient solution to the approximate model-checking problem for continuous and hybrid systems, a solution where the general-purpose model checker is replaced by a model-specific classifier trained by sampling model trajectories. To the best of...

We present a new method for the automated synthesis of safe and robust Proportional-Integral-Derivative (PID) controllers for stochastic hybrid systems. Despite their widespread use in industry, no automated method currently exists for deriving a PID controller (or any other type of controller, for that matter) with safety and performance guarantee...

The popularity of rule-based flocking models, such as Reynolds' classic flocking model, raises the question of whether more declarative flocking models are possible. This question is motivated by the observation that declarative models are generally simpler and easier to design, understand, and analyze than operational models. We introduce a very s...

Inspired by the emerging problem of CPS security, we introduce the concept of controller-attacker games. A controller-attacker game is a two-player stochastic game, where the two players, a controller and an attacker, have antagonistic objectives. A controller-attacker game is formulated in terms of a Markov Decision Process (MDP), with the control...

Motivated by the problem of verifying the correctness of arrhythmia-detection algorithms, we present a formalization of these algorithms in the language of Quantitative Regular Expressions. QREs are a flexible formal language for specifying complex numerical queries over data streams, with provable runtime and memory consumption guarantees. The med...

This paper shows how to use Barrier Certificates (BaCs) to design Simplex Architectures for hybrid systems. The Simplex architecture entails switching control of a plant over to a provably safe Baseline Controller when a safety violation is imminent under the control of an unverified Advanced Controller. A key step of determining the switching cond...

We introduce LRT, a new Lagrangian-based ReachTube computation algorithm that conservatively approximates the set of reachable states of a nonlinear dynamical system. LRT makes use of the Cauchy-Green stretching factor (SF), which is derived from an over-approximation of the gradient of the solution-flows. The SF measures the discrepancy between tw...

We present a fully closed-loop design for an artificial pancreas (AP) which regulates the delivery of insulin for the control of Type I diabetes. Our AP controller operates in a fully automated fashion, without requiring any manual interaction (e.g. in the form of meal announcements) with the patient. A major obstacle to achieving closed-loop insul...

We present Component-Based Simplex Architecture (CBSA), a new framework for assuring the runtime safety of component-based cyber-physical systems (CPSs). CBSA integrates Assume-Guarantee (A-G) reasoning with the core principles of the Simplex control architecture to allow component-based CPSs to run advanced, uncertified controllers while still pro...

We introduce ARES, an efficient approximation algorithm for generating optimal plans (action sequences) that take an initial state of a Markov Decision Process (MDP) to a state whose cost is below a specified (convergence) threshold. ARES uses Particle Swarm Optimization, with adaptive sizing for both the receding horizon and the particle swarm. In...

We present a novel approach to the problem of model checking cyber-physical systems. We transform the model checking problem to an optimization one by designing an objective function that measures how close a state is to a violation of a property. We use particle swarm optimization (PSO) to effectively search for a state that minimizes the objectiv...

We introduce the concept of a V-formation game between a controller and an attacker, where controller's goal is to maneuver the plant (a simple model of flocking dynamics) into a V-formation, and the goal of the attacker is to prevent the controller from doing so. Controllers in V-formation games utilize a new formulation of model-predictive contro...

This paper addresses the problem of safely navigating a mobile robot with limited sensing capability and limited information about stationary and moving obstacles. We consider two sensing limitations: blind spots between sensors and limited sensing range. We study three notions of safety: (1) static safety, which ensures collision-freedom with resp...

Motivated by the desire to verify the correctness of algorithms for arrhythmia discrimination used in cardiac medical devices, we present a general wavelet-based characterization of peaks (local maxima and minima) that occur in cardiac electrograms, along with two peak-detection algorithms based on this characterization. Peak detection (PD) is a co...

We present a probabilistic reachability analysis of a (nonlinear ODE) model of a neural circuit in Caenorhabditis elegans (C. elegans), the common roundworm. In particular, we consider Tap Withdrawal (TW), a reflexive behavior exhibited by a C. elegans worm in response to vibrating the surface on which it is moving. The neural circuit underlying thi...

We introduce feedback-control statistical system checking (FC-SSC), a new approach to statistical model checking that exploits principles of feedback-control for the analysis of cyber-physical systems (CPS). FC-SSC uses stochastic system identification to learn a CPS model, importance sampling to estimate the CPS state, and importance splitting to...

We present a bifurcation analysis of electrical alternans in the two-current Mitchell-Schaeffer (MS) cardiac-cell model using the theory of δ-decidability over the reals. Electrical alternans is a phenomenon characterized by a variation in the successive Action Potential Durations (APDs) generated by a single cardiac cell or tissue. Alternans are k...

We present BFComp, an automated framework based on Sum-Of-Squares (SOS) optimization and δ-decidability over the reals, to compute Bisimulation Functions (BFs) that characterize Input-to-Output Stability (IOS) of dynamical systems. BFs are Lyapunov-like functions that decay along the trajectories of a given pair of systems, and can be used to estab...

Given a Kripke structure M and CTL formula φ, where M does not satisfy φ, the problem of Model Repair is to obtain a new model M′ such that M′ satisfies φ. Moreover, the changes made to M to derive M′ should be minimal with respect to all such M′. As in model checking, state explosion can make it virtually impossible to carry out model repair on mo...

Collision avoidance is a key factor in enabling the integration of unmanned aerial vehicles into real-life use, whether in military or civil applications. For a long time there have been a large number of works addressing this problem; therefore a comparative summary of them would be desirable. This paper presents a survey on the major collisio...

We present what we believe to be the first formal verification of a biologically realistic (nonlinear ODE) model of a neural circuit in a multicellular organism: Tap Withdrawal (TW) in C. elegans, the common roundworm. TW is a reflexive behavior exhibited by C. elegans in response to vibrating the surface on which it is moving; the neural circuit u...

This paper addresses the problem of safely navigating a mobile robot with limited sensing capability and limited information about stationary obstacles. We consider two sensing limitations: blind spots between sensors and limited sensing range. We identify a set of constraints on the sensors’ readings whose satisfaction at time t guarantees collisi...

The design of bug-free and safe medical device software is challenging, especially in complex implantable devices that control and actuate organs whose response is not fully understood. Safety recalls of pacemakers and implantable cardioverter defibrillators between 1990 and 2000 affected over 600,000 devices. Of these, 200,000 or 41%, were due to...

State spaces represent the way a system evolves through its different possible executions. Automatic verification techniques are used to check whether the system satisfies certain properties, expressed using automata or logic-based formalisms. This provides a Boolean indication of the system’s fitness. It is sometimes desirable to obtain other indi...

Rapid progress in modern medical technologies has led to a new generation of healthcare devices and treatment strategies. Examples include electro-anatomical mapping and intervention, bio-compatible and implantable devices, minimally invasive embedded devices, and robotic prosthetics.

As General-Purpose Graphics Processing Units (GPGPUs) become more powerful, they are being used increasingly often in high-performance computing applications. State space exploration, as employed in model-checking and other verification techniques, is a large, complex problem that has successfully been ported to a variety of parallel architectures....

The Domain Name System (DNS) is an Internet-wide, hierarchical naming system used to translate domain names into numeric IP addresses. Any disruption of DNS service can have serious consequences. We present a formal game-theoretic analysis of a notable threat to DNS, namely the bandwidth amplification attack (BAA), and the countermeasures designed...

By appealing to the small-gain theorem of one of the authors (Girard), we show that the 13-variable sodium-channel component of the 67-variable IMW cardiac-cell model (Iyer-Mazhari-Winslow) can be replaced by an approximately bi-similar, 2-variable HH-type (Hodgkin-Huxley) abstraction. We show that this substitution of (approximately) equals for eq...

Formal methods are used to increase the reliability of software and hardware systems. Methods such as model checking, verification and testing are used to search for design and coding errors, integrated in the process of system design. Beyond checking whether a system satisfies a particular specification, we may want to measure some of its quantita...

We show that in the context of the Iyer et al. (IMW) 67-variable cardiac myocyte model, it is possible to replace the detailed 13-state probabilistic subsystem of the sodium channel dynamics with a much simpler Hodgkin-Huxley (HH)-like two-state abstraction, while only incurring a bounded approximation error. We then extend our technique to the 10...

We introduce Runtime Verification with Particle Filtering (RVPF), a powerful and versatile method for controlling the tradeoff between uncertainty and overhead in runtime verification. Overhead and accuracy are controlled by adjusting the frequency and duration of observation gaps, during which program events are not monitored, and by adjusting the...

We present Adaptive Runtime Verification (ARV), a new approach to runtime verification in which overhead control, runtime verification with state estimation, and predictive analysis are synergistically combined. Overhead control maintains the overhead of runtime verification at a specified target level, by enabling and disabling monitoring of eve...

We present Time-Frequency Logic (TFL), a new specification formalism for real-valued signals that combines temporal logic properties in the time domain with frequency-domain properties. We provide a property checking framework for this formalism and demonstrate its expressive power on the recognition of musical pieces. Like hybrid automata and th...

We show that in the context of the Iyer et al. 67-variable cardiac myocyte model (IMW), it is possible to replace the detailed 13-state probabilistic model of the sodium channel dynamics with a much simpler Hodgkin-Huxley (HH)-like two-state sodium channel model, while only incurring a bounded approximation error. The technical basis for this resu...

We present the Spiral Classification Algorithm (SCA), a fast and accurate algorithm for classifying electrical spiral waves and their associated breakup in cardiac tissues. The classification performed by SCA is an essential component of the detection and analysis of various cardiac arrhythmic disorders, including ventricular tachycardia and fibril...

We introduce the technique of software monitoring with controllable overhead (SMCO), which is based on a novel combination of supervisory control theory of discrete event systems and PID-control theory of discrete time systems. SMCO controls monitoring overhead by temporarily disabling monitoring of selected events for as short a time as possible u...

We present a formulation of the problem of probabilistic model checking as one of query evaluation over probabilistic logic programs. To the best of our knowledge, our formulation is the first of its kind, and it covers a rich class of probabilistic models and probabilistic temporal logics. The inference algorithms of existing probabilistic logic-p...

Given a Kripke structure M and CTL formula φ, where M violates φ, the problem of Model Repair is to obtain a new model M′ such that M′ satisfies φ. Moreover, the changes made to M to derive M′ should be minimal with respect to all such M′. As in model checking, state explosion can make it virtually impossible to carry out model repair on models wit...

As part of a 3-week intersession workshop funded by a National Science Foundation Expeditions in Computing award, 15 undergraduate students from the City University of New York collaborated on a study aimed at characterizing the voltage dynamics and arrhythmogenic behavior of cardiac cells for a broad range of physiologically relevant conditions u...

The DNS Bandwidth Amplification Attack (BAA) is a distributed denial-of-service attack in which a network of computers floods a DNS server with responses to requests that have never been made. Amplification enters into the attack by virtue of the fact that a small 60-byte request can be answered by a substantially larger response of 4,000 bytes or...

We introduce the concept of Runtime Verification with State Estimation and show how this concept can be applied to estimate the probability that a temporal property is satisfied by a run of a program when monitoring overhead is reduced by sampling. In such situations, there may be gaps in the observed program executions, thus making accurate estima...

We show that through careful and model-specific optimizations of their GPU implementations, simulations of realistic, detailed cardiac-cell models now can be performed in 2D and 3D in times that are close to real time using a desktop computer. Previously, large-scale simulations of detailed mathematical models of cardiac cells were possible only us...

A fundamental question in the treatment of cardiac disorders, such as tachycardia and fibrillation, is under what circumstances does such a disorder arise? To answer this question, we develop a multiaffine hybrid automaton (MHA) cardiac-cell model, and restate the original question as one of identification of the parameter ranges under which the...

We present a model-discovery methodology for energy-aware computing systems that achieves high prediction accuracy. Model discovery, or system identification, is a critical first step in designing advanced controllers that can dynamically manage the energy-performance trade-off in an optimal manner. Our methodology favors Multiple-Inputs Multiple-Ou...

We use the Uppaal model checker for timed automata to verify the Timing-Sync time-synchronization protocol for sensor networks (TPSN), the clock-synchronization algorithm of Lenzen, Locher and Wattenhofer (LLW) for general distributed systems, and the clock-thread technique of the software monitoring with controllable overhead algorithm (SMCO). Clo...

In this paper we argue that a judicious use of models in science and engineering can considerably simplify the design and analysis of complex dynamic systems. To substantiate this claim, we first review the mathematical form and the role played by models in science and engineering, respectively. We then show that a change in perspective on the purp...

We introduce the problem of Model Repair for Probabilistic Systems as follows. Given a probabilistic system M and a probabilistic temporal logic formula φ such that M fails to satisfy φ, the Model Repair problem is to find an M′ that satisfies φ and differs from M only in the transition flows of those states in M that are deemed controllable. Moreo...

Models of energy consumption and performance are necessary to understand and identify system behavior, prior to designing advanced controls that can balance out performance and energy use. This paper considers the energy consumption and performance of servers running a relatively simple file-compression workload. We found that standard techniques...

We present the InterAspect instrumentation framework for GCC, a widely used compiler infrastructure. The addition of plug-in support in the latest release of GCC makes it an attractive platform for runtime instrumentation, as GCC plug-ins can directly add instrumentation by transforming the compiler’s intermediate representation. Such transformatio...