From Passive to Active FSM Inference via Checking Sequence Construction

. The paper focuses on the problems of passive and active FSM inference as well as checking sequence generation. We consider the setting where an FSM cannot be reset so that its inference is constrained to a single trace either given a priori in passive inference scenario or to be constructed in active inference scenario or aiming at obtaining checking sequence for a given FSM. In each of the last two cases, the expected result is a trace representing a checking sequence for an inferred machine, if it was not given. We demonstrate that this can be achieved by a repetitive use of a procedure that infers an FSM from a given trace (identifying a minimal machine consistent with a trace) avoiding equivalent conjectures. We thus show that FSM inference and checking sequence construction can be seen as two sides of the same coin. Following an existing approach of constructing conjectures by SAT solving, we elaborate first such a procedure and then based on it the methods for obtaining checking sequence for a given FSM and inferring a machine from a black box. The novelty of our approach is that it does not use any state identification facilities. We only assume that we know initially the input set and a bound on the number of states of the machine. Experiments with a prototype implementation of the developed approach using as a backend an existing SAT solver indicate that it scales for FSMs with up to a dozen of states and requires relatively short sequences to identify the machine.


Introduction
Model-based testing from finite state models of systems, when it is only possible to interact with the system through its input/output interfaces, relies on traversing transitions of the model and being able to check that states reached after transitions in the system are consistent with those expected from the model. At the end of the test, the goal is to be able to guarantee that the system under test behaves as expected in the model. So the test must be built as a checking sequence of inputs that can uniquely identify (up to equivalence) a given model machine.
Computing a checking sequence from a finite state model dates back to the very early history of automata in computer science, starting with the work of Moore [15] and many approaches have been proposed to generate checking sequences for various types of models under various assumptions for the machine w.r.t determinism, completeness, and the existence of specific sequences for a machine such as distinguishing sequences [10], signatures [21], state identifiers [17] etc.
More recently, at the turn of the century, model-based approaches have led to an interest in inference techniques. Instead of checking whether a system behaves as specified by a model, it works the other way round: we try to build a model, called a conjecture that will predict as accurately as possible the behaviour of a system. This can be based on a corpus of given observed behaviours of the system (passive inference), or on the ability to submit test sequences (active inference). One key driver for such approaches is that experience in industrial context have shown that building and maintaining accurate and up-to-date models was complicated, and needed specific expertise. Being able to derive models automatically relieves the burden of creating and maintaining them.
Building a checking sequence can be seen as a top-down approach (from model to implementation) and inference as bottom-up approach (from implementation to conjectured model). The two are in fact closely linked: in active inference, if a sequence is built that uniquely identifies a machine, then this sequence is a checking sequence for this machine. The main difference is in the starting point: for checking sequence generation, we assume we know the (specification) machine to be identified. For inference, the machine is unknown.
In this paper, we propose an iterative approach that alternates passive inference with construction of checking experiments. Initially, an input sequence will be too short to uniquely identify a machine. But one can exhibit one of many possible conjectures that would match the observed input/output sequence (the running trace). So the idea is to build a checking experiment that will distinguish among conjectures, and which is appended to the current trace. Following this experiment, the set of potential conjectures is reduced, and the process is iterated until we get to a point where the set is reduced to a singleton, at which point the input projection of the observed trace is a checking sequence.
Interestingly, this theoretical framework had already been envisioned by J. Kella, in one of the early papers on passive inference [14]. Let us quote the end of his introduction (our comments in brackets): "When the machine has no distinguishing sequences the reducing technique can help in minimizing the length of the checking experiment by iterative construction of the experiment. An initial sequence is applied to the machine and the resulting input-output sequence is reduced [by state merging]; the result will indicate a family of machines responding in the same way. An additional sequence which eliminates nondesired machines is then applied and another reduction is performed; by repeated application of the basic iteration the sequence will reduce uniquely to the checked machine [up to the initial state]. This method of checking experiment construction was tried for some examples but there is no proof yet to whether it is more efficient than other methods [10] and whether it will converge in all cases." Our approach shows that it is indeed possible to uniquely identify a non-resettable deterministic complete machine, while building a checking sequence for it, with no priori knowledge apart from a bound on the number of states, and the input set of the machine. Contrary to previous work [9], it does not require a characterization set or another assumption on sequences to distinguish states in the machine. Section 2 will provide precise definitions for our formal framework, while Section 3 will define the inference problems and checking sequence generation in our context, i.e. from a single trace for a non-resettable machine, in relation with the state of the art. Section 4 shows how passive inference, i.e. the computation of a conjecture from a single trace can be encoded into a Boolean formula, so that a SAT solver can be used to efficiently get a conjecture. Sections 5 and 6 present our iterative approaches, showing the two sides of the coin: checking sequence generation and active inference. Section 7 presents experiments that show that the algorithms can work with middle-sized automata. Section 8 concludes. Let also out(s, ) be an output sequence produced by the input sequence   I* in M/s. For input sequence  applied in state s, we let trs() denote the trace with the input projection ; we will omit the subscript when no confusion occurs.

Definitions
Given  Given a trace   (IO)* of length ||, let Pref() be the set of all prefixes of . We define a linear FSMW = (X, x0, I, D), where D is a transition relation, such that |X| = || + 1, and there exists a bijection f: While Given an -conjecture C with the partition C, let D be an -conjecture with the partition D, such that   Pref(), we say that the partition C is an expansion of the partition D, if its projection to  coincides with the partition An input sequence   I*is a checking sequence for a complete FSM M with n states where  is a checking sequence, is called a checking trace of M. In this definition, we allow uncertainty in the initial state of M since it may have other states which converge with the initial state on a checking trace (an example of such an FSM can be found in Section 5).
Checking sequence is a special type of checking experiments for FSM, it is usually considered for FSM based testing when a reset operation in FSM implementations is unavailable or formidably costly to execute.

Problem Statement and Related Work
We consider the following closely related problems, passive and active FSM inference as well as checking sequence construction. Significantly, we restrict our setting to the case where a FSM may not be reset, so that the definitions we give here refer to a single trace. Actually, if a FSM can be reliably reset, the reset sequences can be included in the trace, so the definitions below can cover the general case. We state the problems using the definitions given above.
Passive inference is a classical problem whereby given a trace  we need to build an -conjecture with a minimal number of states [14][6] [2].
Active inference, aka active automata learning, is another problem addressed in the literature [5]. Restated in our FSM context, given a black box, which behaves as an unknown minimal complete strongly connected FSM with the input alphabet I and the number of states equal to n, infer the FSM, i.e. build an -conjecture equivalent to the FSM and its checking trace .
The checking sequence problem differs from active inference in assuming that the expected behavior of a black box with at most n states submitted for testing is given as a strongly connected FSM M called a specification machine (which is unknown in active inference) and we need to determine its checking trace . The relation to passive inference is direct, once  is constructed, any -conjecture must be equivalent to M.
In this section, we briefly discuss the existing approaches addressing these problems which do not rely on the existence of a reset operation.

Passive Inference from a Single Trace
Passive FSM inference problem is stated by Kella in 1971 [14] as sequential machine identification and later as system/automaton identification problem by Gold [6]. The problem has been studied ever since. The problem is known to be computationally very hard, nevertheless, numerous proposals have been made, mainly on developing state merging techniques to transform an -machine into an -conjecture as small as possible, see, e.g., [14] [27] etc. The most recent approaches are based on satisfiability (SAT) solvers [1] [11].
In Section 4, we propose an approach to build an -conjecture within a bound on the number of states using a SAT solver that avoids obtaining conjectures which were already considered.

Checking Sequence Problem
The problem of checking sequence generation from an FSM has a long history starting from work of Moore [15] and Hennie [10]. Almost all existing methods require a machine be complete and minimal. Moreover, the vast majority of the proposed methods only apply to FSMs which have distinguishing sequences or distinguishing sets, see, e.g. [4][7][12] [22][23] [26]. Not all FSMs possess these sequences and their construction is a non-trivial problem. Only few methods can generate checking sequence from complete and minimal FSM which has just characterization set and no other distinguishing sets, see [10][19] [18]. Moreover, they cannot be called efficient, since the size of a checking sequence generated by using characterization set grows exponentially with the length and number of sequences in characterization set [25].
The problem of checking sequence generation without even checking the existence of distinguishing sequences or finding an "optimal" or any other characterization set remains open, to the best our knowledge. In Section 5 we propose an approach that does not assume any distinguishing or characterization set computation.

Active Inference without Reset
Active inference has most often been addressed in the context of learning from samples and queries [5] [8], so that the problem of dealing with a single trace has not received a lot of attention. An early attempt was proposed by [20], as an adaptation to Angluin's L* algorithm. It assumes that an external oracle can be queried to provide a counterexample (hence an input sequence to distinguish the black box and the conjecture), and starts with the knowledge of a homing sequence. More recently an approach was proposed that does not require an external oracle, but still assumes knowledge of a characterization set [9].
However, the assumptions about the existence of an external oracle, knowledge of homing or state characterizing sequences, such as distinguishing sequences and characterization sets, are not easy to justify in practice, therefore the problem of active inference of FSMs with neither reset operation nor strong assumptions about a given back box remains open. In Section 6 we propose an approach that does not require such assumptions.

Passive Inference with SAT solving
Since an -machine is itself an -conjecture, the minimization problem boils down to merging states of the -machine without introducing traces that would contradict the trace . Therefore by encoding a trace into a Boolean formula, and expressing state merging possibilities in that formula, we may use a SAT solver to determine acceptable mergers.

Problem Encoding
Here we present a procedure for encoding a trace into a Boolean formula, and at the same time express a constraint on the number of states.
Let W = (X, x0, I, D) be an -machine. To find an -conjecture with at most n states amounts to determine a partition  on the set of states X such that the number of blocks does not exceed n. This problem can be casted as a constraint satisfaction problem (CSP) [3]. Let X be {x0, …, x||}, so each integer variable represents a state of the machine. Since the -machine is deterministic, the state variables satisfy the following constraint: xi  (1) is satisfied defines a mapping : X  S, where S is the set of states of an -conjecture, i.e., the mapping  defines a partition of X into n blocks.
These formulas can be translated to SAT using unary coding for each integer variable x  X, such that x is represented by n Boolean variables vx,0, …, vx,n-1. For each x  X, we have the clause: vx,0 …  vx,n-1 (2) These clauses mean that each state of the -machine W should be in at least one block.
For each state x  X and all i, j  {0, …, n -1} such that i  j, we have the clauses:  vx,i   vx,j (3) The clauses mean that each state of the -machine W should be in at most one block. Since a sought-after -conjecture must be deterministic, the formula (1) is encoded into the following clauses. First, distinguishable states of W should be in different blocks, so for every x, y  X such that x ≇ y and all i  {0, …, n -1} vx,i  vy,i (4) Second, states of W equivalent w.r.t. to some input if placed in the same block must have their successors also in one block. Hence for all xi, xj X such that out(xi, a) = out(xj, a) = o and all i, j  {0, …, n -1} we have a formula which can directly be translated into clauses (vx,i  vx,i) ⇒ (v(x-after-ao),i ⇒ v(x-after-ao),i) (5) To simplify learning that x = y for some x, y X we further rewrite the clauses (4) and (5) using auxiliary variables ex,y modeling the fact that x = y. For every x, y X such that x ≇ y we have ex,y (6) For all x, y X such that out(x, a) = out(x, a) = o, we have ex,y ⇒ ex-after-ao,y-after-ao (7) The relation between auxiliary state variables is expressed in the following clauses. For every x, y X and all i  {0, …, n -1} ex,y  vx,i ⇒ vy,i (8) ex,y  vx,i ⇒ vy,i (9) The resulting Boolean formula is the conjunction of clauses (2), (3), (6), (7), (8) and (9). To check its satisfiability one can use any of the existing solvers. If a solution exists then we have an -conjecture with n or fewer states. The latter is obtained from the determined partition on X. In the context of passive inference, we are usually interested in finding an -conjecture as small as possible. This requires several trials with varying values of n.

Passive Inference of Different (new) Conjectures
In the context of active inference as well as checking sequence construction we aim at obtaining a single -conjecture while avoiding constructing isomorphic conjectures.
A key building block will be provided by the following procedure to infer a conjecture that differs from already considered conjectures. We identify isomorphic conjectures by their common partition, hence we add as a constraint that we look for an -conjecture that does not expand a set of "forbidden" partitions. If such -conjectures are found they will be used in Sections 5 and 6 to augment the trace  by adding suffixes that eliminate distinguishable conjectures until only one remains.

Algorithm 1. Infer_conjecture(, n, )
Input: A trace , an integer n, and a set of partitions  Output: An -conjecture with at most n states such that its partition does not expand any partition in , or False.
for all x, ysuch that x = y do 5. clause = clause  ex,y 6. end for 7. formula = formula  clause 8. end for 9. return call-solver(formula)

Checking Sequence Construction
The idea of the proposed method for checking sequence (trace) generation is to find an FSM that reacts as the given specification FSM to a current input sequence using passive inference and eliminate it by extending the sequence with a suffix distinguishing the two machines or forbidding the passive inference from further regeneration if they cannot be distinguished any further. This process iterates until no more conjectures distinguishable from the given FSM can be found. The procedure is implemented in Algorithm 2. end if 10. end while 11. return  Algorithm 2 calls Infer_conjecture(, n, ), which in turn calls a SAT solver constraining it to avoid solutions of already considered conjectures.
Note that the Boolean formula used by the SAT solver is built incrementally by saving a current formula and adding only new clauses each time a trace  or a set of partitions  is augmented. Example. Consider the FSM in Fig.1, it has no distinguishing sequence, its characterization set is {a, b}.

Fig.1. The FSM M
This example is used in [18], where a method for checking sequence generation from a minimal FSM without distinguishing sequence is proposed. Using this example the authors of [18] compare their method with those of [10] [19] and report that the length of checking sequence obtained by their method is 120, while that of [10] is 171 and 248 of [19].
Algorithm 1 implemented in a prototype tool presented in Section 6 returns the checking sequence  = a0a1a0a1b0b1b0a0b0b1a0a1b0a0a1 of length 15. Fig. 2 shows intermediate complete -conjectures obtained executing Algorithm 1. Notice that the last but one conjecture is actually the FSM M, though, the same trace is also accepted by another conjecture, which is eliminated using the suffix b0a0a1. Note that the algorithm does not require the FSM to be minimal, moreover, it can be adapted to accept even a partial FSM. We are not aware of any method for checking sequence construction for FSMs which are partially defined and have compatible states, i.e., machines without characterization set. The only existing method which deals with such machines is [17], but it relies on the usage of the reset operation, as opposed to the approach proposed here.

Active Inference Approach
The iterative approach of Algorithm 2, which relied on computing a checking experiment for an -conjecture that was consistent with the current prefix trace can be adapted to active inference. The trick is to find a checking experiment not between the reference 0 1 2 FSM M and the -conjecture, but between two possible -conjectures and retain the one that is consistent with the observations on the black box.
Given a black box BB, which behaves as an unknown minimal complete strongly connected FSM with the input alphabet I and a number of states equal to n, Algorithm 3 infers the FSM and constructs its checking trace. Sketch of the proof. Algorithm 3 follows the steps of Algorithm 2, just replacing the FSM M by a current conjecture. This does not influence its termination since it only occurs when no more distinguishable conjecture can be found. And at some point, because the black box behaves as a FSM with n states, it will be returned by Infer_conjecture, so that the remaining conjecture is equivalent to the FSM of the black box initialized in some state. The resulting trace accepted by that state is a checking one, as in Theorem 1. Fig.1   The expected complexity of the proposed approach could be estimated by viewing it as a mutation-based technique which kills mutants. In our approach at each iteration only a mutant surviving a current trace can be generated and then killed, drastically reducing the complexity of mutation-based techniques. A naive worst-case estimation based on number of (potential) mutants would be grossly overestimated. This explains why we provide in the next section experimental results on the observed complexity with random machines.

Experiments
The prototype was developed on C++ depending only on a SAT Solver Cryptominisat [24], as a backend. All the experiments were performed on a virtual machine (VirtualBox) with 8 GiB of RAM and one CPU used. The computer has the processor 7-3770 and 16 GiB of RAM. Table 1 presents experimental results on randomly generated FSMs. The numbers of inputs as well as outputs are fixed to two, while the number of state is varied. For each state number, 101 complete strongly connected machines are generated; they are not necessarily minimal, since the approach does not require any state distinguishability. Each generated machine playing role of a specification FSM is used to construct checking sequence, and acting as a black box system is used for inference. Median values are collected for the length of resulting checking sequences ||, the number of times the solver is called (#solver), and execution time in seconds. The prototype scales for up to a dozen of states. This matches the state-of-the-art, see, e.g., [16]. To assess the performance of the prototype to various numbers of inputs and outputs, another series of experiments reported in Table 2 were performed for machines with five states. Our experiments by varying their numbers separately show, unsurprisingly, that increasing number of inputs or outputs have opposite effects on the effectiveness, the more inputs the more complex the solutions (the search space is larger) but the more outputs the easier the solutions (more outputs increase distinguishability).
In addition, we performed another series of experiments using randomly generated lock machines (Table 3). A lock FSM (aka Moore lock, defined by him) with n states has a unique "unlocking" input sequence of length n which executes the "remotest" transition, the transitions not covered by this sequence all lead to the initial state resetting the lock. We consider lock machines as ultimate test for active inference and checking sequence generation methods. As before for each number of states we generate 101 random locks with two inputs and two outputs and collect the same parameters as above. Clearly, for a fixed number of states, locks differ only in labelling of unlocking sequences, which effects the performance of the prototype, since it chooses inputs completing and distinguishing conjectures following the lexicographical order.  Table 3. Experimental results with randomly generated lock FSMs.

RANDOM FSMs
It is interesting to notice that active inference and checking sequence construction have comparable lengths of the resulting input sequences. After all, in both cases a checking sequence for the same machine is generated.
We observe that the length of resulting sequences grows polynomially, the number of times the solver is called linearly and time exponentially with the number of states.

Conclusions
We have presented a method that can infer a model of a non-resettable black box FSM for which we only know an upper bound n on the number of states. It produces the model along with the input sequence that was used for inferring it. The algorithm terminates on a final model that is equivalent to the black-box FSM up to initialization, and since it identifies a unique machine such that the input sequence is a checking sequence for this FSM.
The main benefit of this approach is that it only requires a bound on the number of states, no other assumption is needed, and the system does not have to be reset. This implies that it may have a wide spectrum of applications. The performance of active inference methods is usually assessed through the number of interactions with a system that are needed to infer it. Experiments have shown that the length of the input sequence implied by our approach is quite good. Another issue comes from the internal computations needed by the inference algorithm to build the model of the system. The method relies on a SAT solver to propose conjecture FSMs that are consistent with an observed trace. Unfortunately, this induces an exponential growth in the number of states, and this has been the limiting factor in our experiments. However, being able to infer state machines of up to a dozen states is in itself interesting for a large range of applications (many systems have relatively small state-space for the control part of their computations).
The approach seems promising, and can be improved in several directions. First, we have encoded the constraints for passive inference in a straightforward way, which puts a high burden on the constraint solver. It should be possible to encode the problem with more elements from the trace and FSM-structure to help the solver, with some guidance. Another direction we are investigating is to extract more information from previous conjectures and observations so as to reduce the number of calls to the solver to a minimum. In many cases, the calls to the solver can be avoided because it is possible to derive further checking experiments from the structure of the past conjecture(s). Instead of calling the solver to identify a new conjecture, it could be possible to refine the current conjecture.