On distributed monitoring of asynchronous systems

Distributed systems are notoriously difficult to understand and analyze in order to assert their correction w.r.t. given properties. They often exhibit a huge number of different behaviors, as soon as the active entities (peers, agents, processes, etc) behave in an asynchronous manner. Already the modelization of such systems is a non-trivial task, let alone their formal verification. The purpose of this paper is to discuss the problem of distributed monitoring on a simple model of finite-state distributed automata based on shared actions, called asynchronous automata. Monitoring is a question related to runtime verification: assume that we have to check a property $L$ against an unknown or very complex system $A$, so that classical static analysis is not possible. Therefore instead of model-checking a monitor is used, that checks the property on the underlying system at runtime. We are interested here in monitoring distributed systems modeled as asynchronous automata. It is natural to require that monitors should be of the same kind as the underlying system, so we consider here distributed monitoring. A distributed monitor does not have a global view of the system, therefore we propose the notion of locally monitorable trace language. Our main result shows that if the distributed alphabet of actions is connected and if $L$ is a set of infinite traces such that both $L$ and its complement $L^c$ are countable unions of locally safety languages, then $L$ is locally monitorable. We also show that over infinite traces, recognizable countable unions of locally safety languages are precisely the complements of deterministic languages.

💡 Research Summary

The paper tackles the problem of runtime verification for distributed asynchronous systems by introducing a formal framework for distributed monitoring that mirrors the structure of the monitored system itself. It begins by modeling asynchronous systems as finite‑state distributed automata whose transitions are triggered by shared actions; each action synchronizes a specific subset of processes, and executions are represented as partially ordered traces rather than linear sequences. Because such systems lack a global clock, traditional model‑checking is often infeasible, motivating the use of monitors that operate at runtime.
A key requirement is that the monitor must also be a distributed automaton, i.e., each local component observes only its own projection of the global trace and cannot rely on a global view. To capture this constraint the authors define “locally monitorable” trace languages: a language L ⊆ Σ^∞ is locally monitorable if there exists a distributed monitor that, after observing any finite prefix of a run, can eventually decide whether the full infinite trace belongs to L or to its complement.
The central technical contribution is a sufficient condition for local monitorability. First, the action alphabet Σ is assumed to form a connected communication graph: any two actions are linked through a chain of shared processes, guaranteeing that information can propagate throughout the system. Second, both L and its complement L^c must be expressible as countable unions of “locally safety” languages. A locally safety language is one for which a violation can be detected by a single process solely from its local view; thus each component can raise an alarm without coordination. Under these hypotheses the authors construct, for each constituent safety language, a local monitor and then combine them using a countable‑union construction that respects the asynchronous semantics. The connectivity of Σ ensures that the combined monitor’s decisions are globally consistent despite the lack of a central observer.
The paper further investigates the landscape of infinite‑trace languages. It proves that over ω‑traces, the class of languages that are countable unions of locally safety languages coincides exactly with the complements of deterministic languages (languages recognized by deterministic asynchronous automata). This equivalence reveals a deep connection between safety‑type properties and determinism in the asynchronous setting, and it shows that any property whose complement is deterministic can be monitored in a distributed fashion using the proposed framework.
In the related‑work discussion, the authors contrast their approach with traditional centralized monitoring, which requires a global snapshot of the system and is therefore unsuitable for highly asynchronous or large‑scale deployments. By staying within the same distributed automaton model, the proposed monitors are lightweight, scalable, and naturally aligned with the communication constraints of the underlying system. Potential applications include micro‑service architectures, distributed databases, and Internet‑of‑Things networks where each node can only see its own events.
The conclusion acknowledges limitations: the connectivity assumption excludes systems whose action graph is fragmented, and dynamic creation of processes is not covered. Future work is outlined to relax these constraints, develop efficient algorithms for synthesizing the combined monitor, and validate the theory on real‑world distributed platforms. Overall, the paper provides a rigorous foundation for when and how distributed runtime verification is feasible in asynchronous environments, extending the frontier of both theoretical understanding and practical applicability.