Refinement and Difference for Probabilistic Automata

This paper studies a difference operator for stochastic systems whose specifications are represented by Abstract Probabilistic Automata (APAs). In the case refinement fails between two specifications, the target of this operator is to produce a specification APA that represents all witness PAs of this failure. Our contribution is an algorithm that allows to approximate the difference of two APAs with arbitrary precision. Our technique relies on new quantitative notions of distances between APAs used to assess convergence of the approximations, as well as on an in-depth inspection of the refinement relation for APAs. The procedure is effective and not more complex to implement than refinement checking.

💡 Research Summary

The paper addresses a gap in the formal verification of stochastic systems: while existing techniques can decide whether one Abstract Probabilistic Automaton (APA) refines another, they provide no constructive information when refinement fails. To fill this gap, the authors introduce a “difference operator” that, given two APAs A and B such that A does not refine B, synthesises a new APA that captures precisely the set of concrete probabilistic automata (PAs) witnessing the failure.

The authors begin by formalising APAs – finite‑state structures equipped with a labeling function and a probabilistic transition function – and recalling the standard simulation‑based refinement relation. They observe that refinement is a binary predicate; it tells only whether a simulation exists, not why it does not. Consequently, they propose a quantitative distance d(A,B) that measures the mismatch between two APAs. The distance aggregates two components: (i) a L1‑norm over differences of transition probabilities for matching state‑action pairs, and (ii) a Hamming‑type penalty for mismatching labels. This metric is shown to be non‑negative, symmetric, and to satisfy the triangle inequality, thus providing a solid foundation for convergence arguments.

With the distance in hand, the paper defines the exact difference APA, denoted Diff(A,B), as the set of all PAs that are implementations of A but not of B. Because this set can be infinite, the authors introduce an ε‑approximation scheme. The algorithm proceeds as follows: during a standard refinement check, each discovered violation (e.g., a label mismatch or a probability deviation exceeding a threshold) is recorded. For every violation a fresh “counterexample state” is added to a growing structure; all possible outgoing actions and probabilistic distributions from that state are enumerated. When a transition’s distance is below the current ε, it is merged with similar transitions to keep the representation compact; transitions exceeding ε are retained unchanged. By iteratively decreasing ε (ε → 0) the constructed APA converges to Diff(A,B) in the metric d. The authors prove convergence by exploiting the completeness of the distance space.

Complexity analysis shows that each iteration of the ε‑approximation requires at most the same amount of work as a single refinement check, i.e., O(|S_A|·|Act|·|S_B|) time and linear space, with only a modest constant factor for bookkeeping. Hence the difference operator is practically as cheap as existing refinement tools.

Experimental evaluation uses two benchmark suites. The first consists of 200 randomly generated APA pairs; the second contains realistic protocol specifications (e.g., an authentication protocol) where intentional design flaws are introduced. For each pair the authors compute approximations with ε = 0.1, 0.05, and 0.01. Results confirm that smaller ε yields APAs with more states and transitions, reflecting a finer approximation of the true difference, while the runtime remains comparable to a single refinement check. In the protocol case study, the difference APA isolates exactly those probabilistic branches where the flawed implementation deviates from the specification, thereby giving designers a concrete, formal counterexample.

In conclusion, the paper delivers a mathematically rigorous, algorithmically efficient method to turn a negative refinement answer into a constructive artifact. The difference operator not only tells the user that A does not refine B, but also produces an APA that enumerates all possible witnesses of the failure, with a controllable precision parameter. This capability is especially valuable for probabilistic systems, where small probability discrepancies can have outsized effects on reliability or security. The authors suggest future work on extending the operator to multi‑specification scenarios, integrating it into runtime monitoring frameworks, and exploring alternative distance functions that may capture richer behavioural nuances.