DeepFault can also synthesize new inputs that are very similar to the original inputs, are highly hostile and increase the activation values of the identified suspect neurons. New input synthesis guided by the identified suspicious neurons ).

Research Questions

## Results and Discussion

Figure 3 shows the distribution of suspect neurons on the MNIST 3 and CIFAR 3 models with k = 10 and k = 50, respectively. This difference in the distribution of suspect neurons explains the inferior inputs synthesized by D* on the CIFAR models (Table 3).

## Threats to Validity

For the MNIST models, DeepFault synthesized inputs that increase the suspicious neuron values with at least 97% success for k, while the average effectiveness for the CIFAR models is 90%. These results demonstrate the effectiveness of our suspicion-driven input synthesis algorithm in generating inputs that increase the firing values of suspicious neurons (see https://DeepFault. github.io).

6 Related Work

7 Conclusion

Hinton, G., Deng, L., Yu, D., Dahl, G.E., et al.: Deep neural networks for acoustic modeling in speech recognition: the shared views of four research groups. Wu, M., Wicker, M., Ruan, W., Huang, X., Kwiatkowska, M.: A game-based approximate verification of deep neural networks with provable guarantees.

## 1 Introduction

One of the most promising approaches to combating the configuration space explosion problem when checking lifted models is abstractions of variability. In this work, we define a new game-based approach for variability-specific abstraction and refinement for increased model control of the full CTL interpreted over 3-valued semantics.

## 2 Background

Player∀ has a winning strategy at the node (s, Φ) if the node is colored by F iﬀΦ does not hold, and Player∃ has a winning strategy at (s, Φ) if the node is colored by T iﬀΦ holds ins. Consider the property Φ2 =E(¬rUr), which describes a situation where in the initial state there exists an execution that eventually reaches 2 that satisfies .

## 3 Abstraction of FTSs

We now show that the 3-valued semantics of the MTS α-compound(F) is designed to be sound in the sense that it both satisfies (tt) and refutes (ﬀ) a formula from the abstract model to the concrete keep one. However, if the truth value of a formula in the abstract model is ⊥, then its value over the concrete model is not known.

## 4 Game-Based Abstract Lifted Model Checking

Player ∃ wins a (maximal) game if in any configuration of the form Ci = (s, EΦ), Player ∃ chooses a move based on the necessary transitions and one of the following holds: (1) the game is finite and ends in a terminal configuration of the formCi = (s, true) orCi = (s, a) kua∈L(s) orCi = (s,¬a) where a∈L(s); (2) the occurrence is infinite and the witness is of the form AVorEV. Using Theorems 1 and 2, given the MTS colored game graph αjoin(F), if all its initial nodes are colored with T then [F |=Φ] =tt, if at least one of them is colored with F then [F |=Φ ] =ﬀ.

## 5 Incremental Refinement Framework

The color game plot for MTSαjoin(VendMach) and Φ1= A(¬rUr) is shown in Fig.4. 7.αjoin(π[[c]](VendMach)) The game-based model control algorithm provides us with a convenient framework to use the results from previous iterations and avoid unnecessary calculations.

## 6 Evaluation

To use our Verify procedure, we manually translated the fNuSMV model into an FTS and then called Verify on it. The properties Φ1 and Φ2 are satisfied by all variants, so Verify achieves speedups of 28 times for Φ1 and 2.7 times for Φ2 compared to the fNuSMV approach.

## 7 Related Work and Conclusion

Dimovski, A.S., Legay, A., Wasowski, A.: Variability abstraction and refinement for game-based lifted model checking of full SOL (extended version). Dimovski, A.S., Wasowski, A.: From transition systems to variability models and from lifted model going back to UPPAAL. etc.).

## Related Timing Constraints for a Cooperative Automotive System

In this paper, we present a formal analysis of S/S-related timing constraints for interconnected automotive systems at the design level: 1. S/S-related timing constraints are specified in PrCcsl and translated into verifiable models Uppaal-SMC in Section 5.

## 2 Preliminary

### Probabilistic Extension of Clock Constraint Specification Language (PrCCSL)

The applicability of our approach is demonstrated by performing a verification on the CAS case study in Section 6. A probability relation in PrCcslis is satisfied if and only if the probability that the relational constraint is satisfied is greater than or equal to the probability threshold p∈[0, 1].

### UPPAAL-SMC

Probability estimation estimates the probability that a requirement property φ for a given STA model will be satisfied within the time constraint: P r[bound] φ;. 2. Hypothesis testing checks whether the probability ofφ is satisfied within a certain probabilityP0:P r[bound]φ≥P0; 3.Simulations: Uppaal-SMC performs multiple simulations on the STA model and the k (state-based) properties/expressions φ1, .., φk are monitored and visualized alongside the simulations: simulate N [≤ bound]{φ1, .. , φk}.

## 3 Running Example

Integrity: The content of messages must not be modified during transmission, i.e. the protocol must be resistant to message forgery attacks. Therefore, S/S properties can be interpreted as logical time constraints, ie. the time and causality clock relations in PrCcsl.

## 4 Modeling and Refinement of CAS in UPPAAL-SMC

### Modeling of RAISE Protocol in UPPAAL-SMC

In addition, to guarantee the consistency of the message, vi+1 itself also calculates the hash code of msgi (step 7). The SKA (or IT) succeeds if each step of the SKA (IT) is completed correctly within a certain time interval, modeled by invariant "t≤d" (the value of d varies in several steps).

### Modeling of Attacks in UPPAAL-SMC

In our setting, MFA modifies the speedi field in the message to a random value and changes the direction if directioni = 4, indicating that the vi runs in the positive direction on the y-axis.

## 5 Representation of S/S Related Timing Constraints in UPPAAL-SMC

### Specifications of S/S Related Timing Constraints in PrCCSL The speciﬁcations of R1–R11 are presented in Table 1, where ac is a clock that

For R10, startSKA(finSKA) represents the starting (finishing) of SKA. startSKAThe is a clock built by delaying startSKA by 600 ms. In R11's specification, fclk is a clock generated by filtering out the first checkmark of msgSent. SentDe1 and sentDe2 are two clocks generated by delaying msgSent by 100 ms and 300 ms.

### Translation of PrCCSL into STA

R11 can be interpreted as:∀i ∈N+, ith tick fclk must appear later than ith ticksentDe1 but before ith ticksentDe2. In the previous work [14], the semantics of PrCcsloperators is translated into STA based on discrete time, i.e. the continuous physical time is discretized into a series of equal steps.

## 6 Experiment

When CAS is attached by STA MSA or MFA, the secrecy of the symmetric key is violated. Therefore, V1 continues to decrease its speed even if the distance between V0 and V1 becomes greater than 100 m, which violates R4.

## 7 Related Work

With the obtained symmetric key, MSA can impersonate messages as legitimate vehicles and MFA can tamper with the content of messages without being detected, leading to the violations of authenticity (R6) and integrity (R7) respectively. On the other hand, our work is based on the probabilistic extension of S/S-related time constraints with the focus on probabilistic verification of the extended constraints.

## 8 Conclusion

Kang, E.Y., Huang, L., Mu, D.: Formal verification of energy and time requirements for a cooperative automotive system. In: New Technologies of Distributed Systems (NOTERE), pp. ProTL.https://sites.google.com/view/protl.

After the first call of the onward procedure, g stores the return value of the most recent call, and lastN stores the argument of the most recent call. The proposed approach. Our approach is based on Floyd-Hoare logic, which typically requires that a procedure specification be provided.

## 2 Language Syntax

A return statement is required in every procedure and is only allowed as the last statement of a procedure. In addition to the code of the procedure, the library also contains a sequence of initialization declarations of global variables used in the procedure, in the form “g1 := c1;.

## 3 A Semantic Definition of Purity

We use a local continuation to represent the part of the procedure body that remains to be executed. We write (S, ρ)γ to denote a stack where the highest entry is (S, ρ) and γ represents the remainder of the stack.

## 4 Checking Purity Using a Theorem Prover

### Verification Condition Generation

For each procedure call "x := p(y)", we first ensure that it is a local variable (by introducing a temporary if necessary). 4. The various formulas calculated based on the procedure in Listing 1.2 for our post-condition and verification-condition calculation.

Approach 1: Existential Approach

### Approach 2: Impurity Witness Approach

For 2, we use a “minimal” feasible implementationπ that does not highly satisfy ϕinv to construct a satisfactory assignment to¬ϕvc.

## 5 Generating the Invariant

Furthermore, technically our approach is different because we use an invariant that refers to a function symbol representing the procedure being checked, which is not a property of their invariants. 9] solves a similar problem as checking differential assertions, but using abstract interpretation instead of logical reasoning.

## Clone Detection

To make this problem more concrete, consider Fig.1, which shows a real case (found during our evaluation described in Section 6) of code clones involving C++ and JavaScript source code from the ANTLR parser generator [ 3]. We begin by describing the relevant work and background information in Section 2 and give a high-level overview of our technique in Section 3.

## 2 Background and Related Work

*What Exactly Is a Cross-Language Clone?**Structural Program Similarity**Nominal Program Similarity**Hybrid Program Similarity**CLCMiner*

We do not consider semantic clones (type IV) that implement the same functionality in a different way (eg, quicksort vs. selection sort). The original CLCMiner algorithm works on their differences and lexicalizations, while our version works on feature analysis trees.

## 3 Overview

Since we adapted CLCMiner's algorithm to work on functions instead of differences, it relies on having a parser to extract functions and does not rely on a version control system. We refer to our only nominal adaptation of the CLCMiner algorithm as “Nominal” for the rest of the paper.

## 4 Structural Clone Detection

### Precedence Woes

Direct encoding of precedence causes spurious chains of non-terminals in the resulting parse tree, which would be removed when the parse tree is converted to an AST. If precedence is handled indirectly through the parser generator, the resulting parse tree is much closer to an AST.

### Abstracting Parse Tree Nonterminals

We define the abstraction algorithm in two parts: EqClassMapOf(C) produces a map of each node to a symbol corresponding to its equivalence class. When the abstraction algorithm deletes a node, it connects all the children of the deleted node to the parent node of the deleted node.

### Sequence Alignment for Clone Detection

Abstract(tree, map) makes the abstraction by traversing the given tree from bottom to top and applying the map.

## 5 Hybrid Algorithm

*Our Nominal Algorithm**Full Algorithm**Implementation and Environment**Methodology**Results*

We chose a cutoff for each clone detector based on the drops of these graphs (eg, we chose the cutoff of 0.4 for Fett's Java/Java case). Overall Results We observe that the Fett's hybrid algorithm, in terms of F-measure, consistently outperforms both the Nominal algorithm and the Structural algorithm in our large test set experiments.

## 2 Background: Modelling Systems and Their Combinations

### Mealy Machines: Modelling Stateful Systems

Then, the elements of the state diagrams (states, transitions) are identified by reconfiguring the combination tables into a form similar to the state diagrams. A method for translating Simulink block diagrams into Stateﬂow diagrams via tabular expressions. ii).

Tabular Expressions: Representing Conditional Behaviours Both block diagrams and state charts can specify decision logic, but in rather dis-

### Categorical Framework: Combining Systems

Combined functions in parallel have domains/codomains which are the Cartesian products of the domain/codomain of the constituent functions. In monoidal categories this operation is generalized as themonoidal product over morphisms, where the domain/codomain of a product morphism is given by the monoid product of the domain/codomain objects of the constituent morphisms.

3 Translation Strategy

## 4 Block Diagrams to HCTs: Mealy Composition

### Mealy Machines and Their Combinations via Functions

While the cascade/parallel composition of Mealy machines is well understood (see e.g. [13]), we introduce a definition for the update functions of the composite machines that binds the update functions of the individual machines together. For Mealy machines, the string diagrams use black boxes to indicate component Mealy machines (eg Fig.5a).

### Functional Embedding and Wiring Morphisms

This explains how the functional aspects of Simulink block diagrams can be modeled with Mealy machines. This specifies how to model wiring and functional blocks in Simulink block diagrams as Mealy machines.

### Block Diagrams to Horizontal Condition Tables

For example, the block labeled Mode in Fig.1a can be modeled with the Mealy MswR machine. In this way, the update function of the block diagram in Fig.1a can be described as.

## 5 HCTs to STTs: Modes via Tables

### Defining Modes

For example, the conditions in fig. 2a is rearranged via the methods of [4] to obtain fig. 8a. This is the final step in rearranging the HCT from Fig. 8c to the STT in fig. 2b.

### Converting to State Charts and Simplifying

This improved Mealy machine operates within a subset of the state space S× M where the aforementioned invariant holds. The validity of any state condition can now be inferred from the value of the mode variable (eg

## 6 Prototype, Evaluation, and Future Work

For the completion of a MTGC of the form ∃(a : H −→ H, φ), where the existing operator is inherited from GCs, it is still required that the pattern found so far (given by some mono m:G −→GH ) in the host graph GH can be expanded to a larger model (given by some monomial :G−→GH). Note that the reasoning for fulfilling MTGC ψ from Fig.3 by GH =Fold(π) from Fig.4 proceeds analogously to Example 1.

To alleviate the above difficulties, we present a formal tool called KupC for modeling and verifying the dynamic update of C programs in this paper. From the formalization, K automatically generates several tools that can be used for formal dynamic update analysis of C programs.

Formalization of dynamic update strategy inK. The basic idea of formalizing a dynamic update mechanism using Kis to formalize the mechanism's functionalities based on the operational semantics of the target programming language that the mechanism supports. We tested the correctness of the rules using the dynamic update tools in Ginseng.

Dynamic update is a transient behavior in that the properties before and after the update can be different. It can be defined as an LTL formula__update->(<>(x==7)), where variable x stores the value of the shortest path.

## 4 Concluding Remarks and Ongoing Work

As an example, we verify whether update in the GPS example can be finally deployed or not. Hayden, C.M., Magill, S., Hicks, M., Foster, N., Foster, J.S.: Specifying and verifying the correctness of dynamic software updates.

The purpose of the process is to allocate a port and a berth for the vessel, but not to reveal information about vessels unable to assist or port parameters. MPC allows participants to perform joint calculations so that neither party gets to see the other party's data, but can learn the result depending on private inputs.

## 2 PE-BPMN Editor and Simple Disclosure Analysis

Leaks-When analysis) nor to what extent the data in O2 extract information from O1 (cf. sensitivity and guesswork advantage analysis). The "shared" line refers to the network service provider, which can also view some of the data (eg unencrypted data objects).

## 3 Qualitative Leaks-When Analysis

For example, that: (1) when a task has an MPC stereotype, there is at least one other “twin” task with the same label in another pool, since the MPC calculation involves at least two sides; (2) when one of these tasks is enabled, the other dual tasks are eventually enabled;. In the report, "V" indicates that the data object (in columns) is visible to the stakeholder (in rows).

## 4 Sensitivity Analysis and Diﬀerential Privacy

For this purpose, we should add an amount of (Laplacian) noise so that the relative error of the output is 74%. A tutorial on sensitivity analyzer can be found at https://pleak.io/wiki/sql-derive-sensitivity-analyser.

5 Attacker’s Guessing Advantage