Combining Paraconsistency and Probability in CTL
Norihiro Kamide¹ and Daiki Koizumi²
¹ Teikyo University, Faculty of Science and Engineering, Department of Human Information Systems, Toyosatodai 1-1, Utsunomiya-shi, Tochigi 320-8551, Japan
² Aoyama Gakuin University, College of Science and Engineering, Department of Electrical Engineering and Electronics, 5-10-1 Fuchinobe, Chuo-ku, Sagamihara-shi, Kanagawa 252-5258, Japan
Keywords:
Computation Tree Logic, Paraconsistent Reasoning, Probabilistic Reasoning, Model Checking.
Abstract:
Computation tree logic (CTL) is known to be one of the most useful temporal logics for verifying concurrent systems by model checking technologies. However, CTL is not sufficient for handling inconsistency-tolerant and probabilistic accounts of concurrent systems. In this paper, a paraconsistent (or inconsistency-tolerant) probabilistic computation tree logic (PpCTL) is derived from an existing probabilistic computation tree logic (pCTL) by adding a paraconsistent negation connective. A theorem for embedding PpCTL into pCTL is proven, which indicates that we can reuse existing pCTL-based model checking algorithms. Some illustrative examples involving the use of PpCTL are also presented.
1 INTRODUCTION
The verification of open, large, randomized, and stochastic concurrent systems is gaining increasing importance in the fields of computer science and engineering. On one hand, verifying open and large concurrent systems, such as web application systems, requires the handling of inconsistency-tolerant (or paraconsistent) reasoning because inconsistencies often appear and are inevitable in such systems (Chen and Wu, 2006). On the other hand, verifying randomized and stochastic concurrent systems, such as fault-tolerant communication systems over unreliable channels, requires the handling of probabilistic reasoning because useful notions of reliability for such systems require probabilistic characterization (Bianco and de Alfaro, 1995). Thus, handling both inconsistency-tolerant and probabilistic reasoning by an appropriate logic is a requirement for verifying such complex concurrent systems.
Computation tree logic (CTL) (Clarke and Emerson, 1981) is widely accepted as one of the most useful temporal logics for verifying concurrent systems by model checking technologies (Clarke et al., 1999). CTL-based model checking algorithms are known to be more efficient than model-checking algorithms based on other temporal logics such as linear-time temporal logic (LTL) (Pnueli, 1977). However, CTL is not sufficient for handling paraconsistent and probabilistic accounts of concurrent systems because it has no operators that can represent paraconsistency and probability. Thus, the aim of this paper is to construct a paraconsistent and probabilistic extension of CTL. To achieve this aim, a new logic, paraconsistent probabilistic CTL (PpCTL), is introduced. To construct PpCTL, the existing useful CTL-variants, namely paraconsistent CTL (PCTL) (Kamide and Kaneiwa, 2010; Kaneiwa and Kamide, 2011) and probabilistic CTL (pCTL) (Aziz et al., 1995; Bianco and de Alfaro, 1995), are combined on the basis of a theorem for embedding PpCTL into pCTL. Some illustrative examples describing an SQL injection attack detection algorithm (Sonoda et al., 2011) that involves the use of PpCTL are also presented in this paper to highlight the virtues of combining paraconsistency (in PCTL) and probability (in pCTL).
Integrating useful reasoning mechanisms is regarded as combining and extending some useful non-classical logics such as modal logics. Combining and extending useful non-classical logics is also known to be a very important issue in mathematical logic (see e.g., (Carnielli et al., 2008)). This paper is thus also intended to give a solution to this issue by combining and extending the following useful non-classical logics: temporal logic, paraconsistent (or inconsistency-tolerant) logic and probabilistic (or probability) logic. The proposed embedding-based method is not technically very innovative, but it gives a new, simple and useful combination mechanism for these logics. By combining and extending these logics, we can integrate the two existing application areas concerning PCTL and pCTL, respectively.
Kamide N. and Koizumi D. Combining Paraconsistency and Probability in CTL. DOI: 10.5220/0005180402850293. In Proceedings of the International Conference on Agents and Artificial Intelligence (ICAART-2015), pages 285-293. ISBN: 978-989-758-074-1. Copyright © 2015 SCITEPRESS (Science and Technology Publications, Lda.)
PCTL, which was introduced and studied by Kamide and Kaneiwa in (Kamide and Kaneiwa, 2010; Kaneiwa and Kamide, 2011), is a paraconsistent extension of CTL. To appropriately formalize inconsistency-tolerant reasoning, PCTL is based on Nelson's four-valued paraconsistent logic N4 (Almukdad and Nelson, 1984; Nelson, 1949), which includes a paraconsistent negation connective. The paraconsistent negation connective in PCTL entails the property of paraconsistency. Roughly, a satisfaction relation |= is considered to be paraconsistent with respect to a negation connective ∼ if the following condition holds: ∃α, β not-[M, s |= (α ∧ ∼α) → β], where s is a state of a Kripke structure M. In contrast to PCTL, classical logic has no paraconsistency because every formula of the form (α ∧ ∼α) → β is valid in classical logic.
Paraconsistent logics, including PCTL, are known to be more appropriate for inconsistency-tolerant and uncertain reasoning than other non-classical logics (Priest and Routley, 1982; Wansing, 1993; Kamide and Wansing, 2012). For example, the following scenario is undesirable: (s(x) ∧ ∼s(x)) → d(x) is valid for any symptom s and disease d, where ∼s(x) means that "a person x does not have a symptom s" and d(x) means that "a person x suffers from a disease d". An inconsistent scenario expressed as melancholia(john) ∧ ∼melancholia(john) will inevitably occur because melancholia is an uncertain concept and the fact "John has melancholia" may be determined to be true or false by different pathologists with different perspectives. In this case, the undesirable formula (melancholia(john) ∧ ∼melancholia(john)) → cancer(john) is valid in classical logic (i.e., an inconsistency has an undesirable consequence), whereas it is not valid in paraconsistent logics (i.e., these logics are inconsistency-tolerant).
We now give a detailed explanation of the usefulness of paraconsistent reasoning. We assume a large medical database MDB of symptoms and diseases. We can also assume that MDB is inconsistent in the sense that there is a symptom predicate s(x) such that s(x), ∼s(x) ∈ MDB. This assumption is regarded as very realistic, because a symptom is an uncertain concept, which is difficult to determine by any diagnosis. It may be determined to be true or false by different doctors with different perspectives. Then, the database MDB does not derive an arbitrary disease d(x), which means "a person x suffers from a disease d", since paraconsistent logics ensure that for some formulas α and β, the formula α ∧ ∼α → β is not valid. The paraconsistent logic-based large MDB is thus inconsistency-tolerant. In classical logic, the formula s(x) ∧ ∼s(x) → d(x) is valid for any disease d, and hence the non-paraconsistent formulation based on classical logic is regarded as inappropriate for the application of this medical database. Apart from such a medical database, large and open concurrent systems also require the handling of paraconsistent scenarios because inconsistencies often appear and are inevitable in these systems. This is a reason why we need to combine PCTL and pCTL.
pCTL, which was introduced and studied by Aziz et al. in (Aziz et al., 1995) and Bianco and de Alfaro in (Bianco and de Alfaro, 1995), is a probabilistic extension of CTL. To appropriately formalize probabilistic reasoning, pCTL uses a probabilistic or probability operator P≥x, where a formula of the form P≥x α is intended to read "the probability of α holding in the future evolution of the system is at least x". In (Bianco and de Alfaro, 1995), pCTL and its extension, pCTL*, were introduced for verifying the properties of reliability and the performance of the systems modeled by discrete Markov chains. pCTL and pCTL* can appropriately express quantitative bounds on the probability of system evolutions. In addition, in (Bianco and de Alfaro, 1995), the complexities of model-checking algorithms for pCTL and pCTL* were clarified. In (Aziz et al., 1995), model-checking algorithms for the extensions of the above-mentioned settings of pCTL and pCTL* were proposed for verifying probabilistic nondeterministic concurrent systems, in which probabilistic behavior coexists with nondeterminism. These algorithms were also shown to exhibit polynomial-time complexity in the size of the systems.
The main difference between the pCTL settings by Aziz et al. (Aziz et al., 1995) and Bianco and de Alfaro (Bianco and de Alfaro, 1995) is the setting of the probability measures in the probabilistic Kripke structures of pCTL. In the present paper, PpCTL is constructed on the basis of a "probability-measure-independent" translation of PpCTL into pCTL. By this translation, a theorem for embedding PpCTL into pCTL is proven, which entails the relative decidability of PpCTL with respect to pCTL, i.e., the decidability of pCTL implies that of PpCTL. This fact indicates that we can reuse the existing pCTL-based verification algorithms by Aziz et al. (Aziz et al., 1995) and Bianco and de Alfaro (Bianco and de Alfaro, 1995).
The structure of this paper is as follows. In Section 2, the new logic PpCTL, which is an extension of both PCTL and pCTL, is introduced on the basis of a paraconsistent probabilistic Kripke structure with two types of satisfaction relations. Some remarks on PpCTL are also provided in this section. In Section 3, a theorem for embedding PpCTL into pCTL is proven using a new translation function. As a corollary of this embedding theorem, a relative decidability theorem for PpCTL, wherein the decidability of pCTL implies that of PpCTL, is obtained. Note that the proposed translation is regarded as a modified extension of the existing translation, which was used by Gurevich (Gurevich, 1977), Rautenberg (Rautenberg, 1979), and Vorob'ev (Vorob'ev, 1952) to embed Nelson's three-valued constructive logic (Almukdad and Nelson, 1984; Nelson, 1949) into positive intuitionistic logic. In Section 4, some illustrative examples for describing the SQL injection attack detection algorithm proposed by Sonoda et al. (Sonoda et al., 2011) are presented on the basis of the use of PpCTL-formulas. In Section 5, this paper is concluded and some related works are addressed.
2 LOGICS
Formulas of PpCTL are constructed from countably many atomic formulas, → (implication), ∧ (conjunction), ∨ (disjunction), ¬ (classical negation), ∼ (paraconsistent negation), P≤x (less than or equal probability), P≥x (greater than or equal probability), P<x (less than probability), P>x (greater than probability), X (next), G (globally), F (eventually), U (until), R (release), A (all computation paths) and E (some computation path). The symbols X, G, F, U and R are called temporal operators, and the symbols A and E are called path quantifiers. The symbols P≤x, P≥x, P<x and P>x are called probabilistic operators or probability operators. A formula P≥x α is intended to read "the probability of α is at least x". The symbol ATOM is used to denote the set of atomic formulas. An expression A ≡ B is used to denote the syntactical identity between A and B. An expression α ↔ β is used to represent (α → β) ∧ (β → α).
Definition 2.1. Formulas α are defined by the following grammar, assuming p ∈ ATOM and x ∈ [0, 1]:
α ::= p | α → α | α ∧ α | α ∨ α | ¬α | ∼α | P≤x α | P≥x α | P<x α | P>x α | AXα | EXα | AGα | EGα | AFα | EFα | A(αUα) | E(αUα) | A(αRα) | E(αRα).
Note that pairs of symbols like AG and EU are indivisible, and that the symbols X, G, F, U and R cannot occur without being preceded by an A or an E. Similarly, every A or E must have one of X, G, F, U and R to accompany it. It is remarked that all the connectives displayed above are required to obtain a theorem for embedding PpCTL into pCTL.
Definition 2.2. A paraconsistent probabilistic Kripke structure (ppk-structure for short) is a structure ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ such that
1. S is the set of states,
2. S₀ is a set of initial states and S₀ ⊆ S,
3. R is a binary relation on S which satisfies the condition: ∀s ∈ S ∃s′ ∈ S [(s, s′) ∈ R],
4. µ_s is a certain probability measure (or probability distribution) concerning s ∈ S: a set of paths beginning at s is mapped into a real number in [0, 1],
5. L⁺ and L⁻ are mappings from S to the power set of a nonempty subset AT of ATOM.
A path in a ppk-structure is an infinite sequence of states, π = s₀, s₁, s₂, ... such that ∀i ≥ 0 [(s_i, s_{i+1}) ∈ R]. The symbol Π_s is used to denote the set of all paths beginning at s.
Some remarks on the ppk-structure defined above are given as follows.
1. The definition of µ_s is not precisely and explicitly given in this paper since the proposed translation from PpCTL into pCTL is independent of the setting of µ_s.
2. There are many possibilities for defining a probability measure µ_s. Some typical examples of probability measures are addressed as follows.
(a) In (Bianco and de Alfaro, 1995), two probability measures µ⁺_s and µ⁻_s, called minimal probability and maximal probability, respectively, are adopted in pCTL.
(b) In (Aziz et al., 1995), a probability measure µ_s concerning some discrete Markov processes and discrete generalized Markov processes is adopted in pCTL.
3. The probability measures µ⁺_s and µ⁻_s used in (Bianco and de Alfaro, 1995) are defined on a Borel σ-algebra B_s (⊆ 2^Π_s) as follows: for any Δ ∈ B_s, µ⁺_s(Δ) = sup µ_{s,η}(Δ) and µ⁻_s(Δ) = inf µ_{s,η}(Δ), where µ_{s,η} with a strategy η concerning nondeterminism is a unique probability measure on B_s.
4. The probability measure µ_s used in (Aziz et al., 1995) is defined as a mapping from C_s into [0, 1], where C_s is a Borel sigma field, which is the class of subsets of the set of all infinite state sequences starting at s.
Definition 2.3 (PpCTL). Let AT be a nonempty subset of ATOM. Satisfaction relations |=⁺ and |=⁻ on a ppk-structure M = ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ are defined inductively as follows (s represents a state in S):
1. for any p ∈ AT, M, s |=⁺ p iff p ∈ L⁺(s),
2. M, s |=⁺ α₁ → α₂ iff M, s |=⁺ α₁ implies M, s |=⁺ α₂,
3. M, s |=⁺ α₁ ∧ α₂ iff M, s |=⁺ α₁ and M, s |=⁺ α₂,
4. M, s |=⁺ α₁ ∨ α₂ iff M, s |=⁺ α₁ or M, s |=⁺ α₂,
5. M, s |=⁺ ¬α₁ iff not-[M, s |=⁺ α₁],
6. M, s |=⁺ ∼α iff M, s |=⁻ α,
7. for any x ∈ [0, 1], M, s |=⁺ P≤x α iff µ_s({w ∈ Π_s | M, s |=⁺ α}) ≤ x,
8. for any x ∈ [0, 1], M, s |=⁺ P≥x α iff µ_s({w ∈ Π_s | M, s |=⁺ α}) ≥ x,
9. for any x ∈ [0, 1], M, s |=⁺ P<x α iff µ_s({w ∈ Π_s | M, s |=⁺ α}) < x,
10. for any x ∈ [0, 1], M, s |=⁺ P>x α iff µ_s({w ∈ Π_s | M, s |=⁺ α}) > x,
11. M, s |=⁺ AXα iff ∀s₁ ∈ S [(s, s₁) ∈ R implies M, s₁ |=⁺ α],
12. M, s |=⁺ EXα iff ∃s₁ ∈ S [(s, s₁) ∈ R and M, s₁ |=⁺ α],
13. M, s |=⁺ AGα iff for all paths π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and all states s_i along π, we have M, s_i |=⁺ α,
14. M, s |=⁺ EGα iff there is a path π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for all states s_i along π, we have M, s_i |=⁺ α,
15. M, s |=⁺ AFα iff for all paths π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, there is a state s_i along π such that M, s_i |=⁺ α,
16. M, s |=⁺ EFα iff there is a path π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for some state s_i along π, we have M, s_i |=⁺ α,
17. M, s |=⁺ A(α₁Uα₂) iff for all paths π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, there is a state s_k along π such that [(M, s_k |=⁺ α₂) and ∀j (0 ≤ j < k implies M, s_j |=⁺ α₁)],
18. M, s |=⁺ E(α₁Uα₂) iff there is a path π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for some state s_k along π, we have [(M, s_k |=⁺ α₂) and ∀j (0 ≤ j < k implies M, s_j |=⁺ α₁)],
19. M, s |=⁺ A(α₁Rα₂) iff for all paths π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and all states s_j along π, we have [∀i < j not-[M, s_i |=⁺ α₁] implies M, s_j |=⁺ α₂],
20. M, s |=⁺ E(α₁Rα₂) iff there is a path π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for all states s_j along π, we have [∀i < j not-[M, s_i |=⁺ α₁] implies M, s_j |=⁺ α₂],
21. for any p ∈ AT, M, s |=⁻ p iff p ∈ L⁻(s),
22. M, s |=⁻ α₁ → α₂ iff M, s |=⁺ α₁ and M, s |=⁻ α₂,
23. M, s |=⁻ α₁ ∧ α₂ iff M, s |=⁻ α₁ or M, s |=⁻ α₂,
24. M, s |=⁻ α₁ ∨ α₂ iff M, s |=⁻ α₁ and M, s |=⁻ α₂,
25. M, s |=⁻ ¬α₁ iff M, s |=⁺ α₁,
26. M, s |=⁻ ∼α₁ iff M, s |=⁺ α₁,
27. for any x ∈ [0, 1], M, s |=⁻ P≤x α iff µ_s({w ∈ Π_s | M, s |=⁻ α}) > x,
28. for any x ∈ [0, 1], M, s |=⁻ P≥x α iff µ_s({w ∈ Π_s | M, s |=⁻ α}) < x,
29. for any x ∈ [0, 1], M, s |=⁻ P<x α iff µ_s({w ∈ Π_s | M, s |=⁻ α}) ≥ x,
30. for any x ∈ [0, 1], M, s |=⁻ P>x α iff µ_s({w ∈ Π_s | M, s |=⁻ α}) ≤ x,
31. M, s |=⁻ AXα iff ∃s₁ ∈ S [(s, s₁) ∈ R and M, s₁ |=⁻ α],
32. M, s |=⁻ EXα iff ∀s₁ ∈ S [(s, s₁) ∈ R implies M, s₁ |=⁻ α],
33. M, s |=⁻ AGα iff there is a path π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for some state s_i along π, we have M, s_i |=⁻ α,
34. M, s |=⁻ EGα iff for all paths π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, there is a state s_i along π such that M, s_i |=⁻ α,
35. M, s |=⁻ AFα iff there is a path π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for all states s_i along π, we have M, s_i |=⁻ α,
36. M, s |=⁻ EFα iff for all paths π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and all states s_i along π, we have M, s_i |=⁻ α,
37. M, s |=⁻ A(α₁Uα₂) iff there is a path π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for all states s_j along π, we have [∀i < j not-[M, s_i |=⁻ α₁] implies M, s_j |=⁻ α₂],
38. M, s |=⁻ E(α₁Uα₂) iff for all paths π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for all states s_j along π, we have [∀i < j not-[M, s_i |=⁻ α₁] implies M, s_j |=⁻ α₂],
39. M, s |=⁻ A(α₁Rα₂) iff there is a path π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, and for some state s_k along π, we have [(M, s_k |=⁻ α₂) and ∀j (0 ≤ j < k implies M, s_j |=⁻ α₁)],
40. M, s |=⁻ E(α₁Rα₂) iff for all paths π ≡ s₀, s₁, s₂, ..., where s ≡ s₀, there is a state s_k along π such that [(M, s_k |=⁻ α₂) and ∀j (0 ≤ j < k implies M, s_j |=⁻ α₁)].
Definition 2.4. A formula α is valid (satisfiable) in PpCTL if M, s |=⁺ α holds for any (some) ppk-structure M = ⟨S, S₀, R, µ_s, L⁺, L⁻⟩, any (some) s ∈ S, and any (some) satisfaction relations |=⁺ and |=⁻ on M.
Definition 2.5. Let M be a ppk-structure ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ for PpCTL, and |=⁺ and |=⁻ be satisfaction relations on M. Then, the positive and negative model checking problems for PpCTL are respectively defined by: for any formula α, find the sets {s ∈ S | M, s |=⁺ α} and {s ∈ S | M, s |=⁻ α}.
Some remarks on PpCTL are given as follows.
1. The intuitive meanings of |=⁺ and |=⁻ in PpCTL are "verification (or justification)" and "refutation (or falsification)", respectively (Wansing, 1993; Kamide and Wansing, 2012).
2. PpCTL is regarded as a paraconsistent logic. This is explained as follows. Assume a ppk-structure M = ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ such that p ∈ L⁺(s), p ∈ L⁻(s) and q ∉ L⁺(s) for any distinct atomic formulas p and q. Then, M, s |=⁺ (p ∧ ∼p) → q does not hold, and hence |=⁺ in PpCTL is paraconsistent with respect to ∼. For more information on paraconsistency, see e.g., (Priest and Routley, 1982).
3. The positive model checking problem for PpCTL corresponds to the standard "verification-based" model checking problem for pCTL. The negative model checking problem for PpCTL corresponds to the dual of the positive one, i.e., it is regarded as a "refutation-based" model checking problem. Both the positive and negative model checking should be performed simultaneously, i.e., only one of them cannot be performed.
Proposition 2.6. The following formulas concerning probabilistic operators are valid in PpCTL: for any formula α,
1. ∼P≤x α ↔ P>x ∼α,
2. ∼P≥x α ↔ P<x ∼α,
3. ∼P<x α ↔ P≥x ∼α,
4. ∼P>x α ↔ P≤x ∼α.
Proof. Suppose that M = ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ is an arbitrary ppk-structure, and that |=⁺ and |=⁻ are any satisfaction relations on M. We only show the following case.
(1): We show only that ∼P≤x α → P>x ∼α is valid in PpCTL. Let s be an arbitrary element of S. Then, we show M, s |=⁺ ∼P≤x α → P>x ∼α. To show this, we show that M, s |=⁺ ∼P≤x α implies M, s |=⁺ P>x ∼α. Suppose M, s |=⁺ ∼P≤x α. Then, we obtain the required fact as follows: M, s |=⁺ ∼P≤x α iff M, s |=⁻ P≤x α iff µ_s({w ∈ Π_s | M, w |=⁻ α}) > x iff µ_s({w ∈ Π_s | M, w |=⁺ ∼α}) > x iff M, s |=⁺ P>x ∼α. Q.E.D.
Definition 2.7 (pCTL). A probabilistic Kripke structure (pk-structure for short) for pCTL is a structure ⟨S, S₀, R, µ_s, L⟩ such that
1. S, S₀, R and µ_s are the same as those in Definition 2.2,
2. L is a mapping from S to the power set of a nonempty subset AT of ATOM.
A satisfaction relation |= on a pk-structure M = ⟨S, S₀, R, µ_s, L⟩ for pCTL is defined by the same conditions as those for |=⁺ (except condition 6) in Definition 2.3 (by deleting the superscript +). The validity, satisfiability and model-checking problems for pCTL are defined similarly to those for PpCTL.
3 EMBEDDABILITY AND RELATIVE DECIDABILITY
Definition 3.1. Let AT be a non-empty subset of ATOM, and AT′ be the set {p′ | p ∈ AT} of atomic formulas. The language L∼ (the set of formulas) of PpCTL is defined using AT, →, ∧, ∨, ∼, ¬, P≤x, P≥x, P<x, P>x, X, F, G, U, R, A and E. The language L of pCTL is obtained from L∼ by adding AT′ and deleting ∼.
A mapping f from L∼ to L is defined inductively by:
1. for any p ∈ AT, f(p) := p and f(∼p) := p′ ∈ AT′,
2. f(α ♭ β) := f(α) ♭ f(β) where ♭ ∈ {→, ∧, ∨},
3. f(♯α) := ♯f(α) where ♯ ∈ {¬, P≤x, P≥x, P<x, P>x, AX, EX, AG, EG, AF, EF},
4. f(A(αUβ)) := A(f(α)Uf(β)),
5. f(E(αUβ)) := E(f(α)Uf(β)),
6. f(A(αRβ)) := A(f(α)Rf(β)),
7. f(E(αRβ)) := E(f(α)Rf(β)),
8. f(∼∼α) := f(α),
9. f(∼(α → β)) := f(α) ∧ f(∼β),
10. f(∼(α ∧ β)) := f(∼α) ∨ f(∼β),
11. f(∼(α ∨ β)) := f(∼α) ∧ f(∼β),
12. f(∼¬α) := f(α),
13. f(∼P≤x α) := P>x f(∼α),
14. f(∼P≥x α) := P<x f(∼α),
15. f(∼P<x α) := P≥x f(∼α),
16. f(∼P>x α) := P≤x f(∼α),
17. f(∼AXα) := EXf(∼α),
18. f(∼EXα) := AXf(∼α),
19. f(∼AGα) := EFf(∼α),
20. f(∼EGα) := AFf(∼α),
21. f(∼AFα) := EGf(∼α),
22. f(∼EFα) := AGf(∼α),
23. f(∼(A(αUβ))) := E(f(∼α)Rf(∼β)),
24. f(∼(E(αUβ))) := A(f(∼α)Rf(∼β)),
25. f(∼(A(αRβ))) := E(f(∼α)Uf(∼β)),
26. f(∼(E(αRβ))) := A(f(∼α)Uf(∼β)).
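As an added illustration (our code, not the paper's), the following Python encodes formulas as nested tuples and implements the mapping f of Definition 3.1 clause by clause, together with the propositional part of |=⁺ and |=⁻ from Definition 2.3, so that both equivalences of Lemma 3.2 can be checked at a single state of the structure used in Remark 2 of Section 2. The tuple encoding ("neg" for ∼, "not" for ¬, a primed atom name for the element of AT′) is our own convention; temporal and probabilistic subformulas are translated but not evaluated, since evaluating them needs a full ppk-structure and a concrete µ_s.

```python
"""Translation f of Definition 3.1 and the propositional part of |=+ / |=-.

Encoding (ours, not the paper's): atoms are strings; ("not", a) is ¬a; ("neg", a)
is ∼a; ("imp" | "and" | "or", a, b) are →, ∧, ∨; ("P", rel, x, a) is P_rel x a with
rel in {"<=", ">=", "<", ">"}; ("AX", a) ... ("EF", a) are the unary temporal
operators; ("AU" | "EU" | "AR" | "ER", a, b) are A(aUb), E(aUb), A(aRb), E(aRb).
The primed atom "p'" stands for the element of AT' that f assigns to ∼p.
"""

BINARY = {"imp", "and", "or"}
UNARY_TEMPORAL = {"AX", "EX", "AG", "EG", "AF", "EF"}
PATH_BINARY = {"AU", "EU", "AR", "ER"}
# Duals used by clauses 13-26, where f pushes ∼ through an operator.
DUAL_PROB = {"<=": ">", ">=": "<", "<": ">=", ">": "<="}
DUAL_TEMPORAL = {"AX": "EX", "EX": "AX", "AG": "EF", "EG": "AF", "AF": "EG", "EF": "AG"}
DUAL_PATH = {"AU": "ER", "EU": "AR", "AR": "EU", "ER": "AU"}


def f(phi):
    """Map a formula of the language with ∼ to a pCTL formula over AT ∪ AT'."""
    if isinstance(phi, str):                      # clause 1: f(p) := p
        return phi
    tag = phi[0]
    if tag in BINARY or tag in PATH_BINARY:       # clauses 2, 4-7
        return (tag, f(phi[1]), f(phi[2]))
    if tag == "not" or tag in UNARY_TEMPORAL:     # clause 3, unary connectives
        return (tag, f(phi[1]))
    if tag == "P":                                # clause 3, probabilistic operators
        return ("P", phi[1], phi[2], f(phi[3]))
    if tag != "neg":
        raise ValueError(f"unknown connective {tag!r}")
    psi = phi[1]                                  # phi is ∼psi: clauses 1, 8-26
    if isinstance(psi, str):                      # clause 1: f(∼p) := p'
        return psi + "'"
    t = psi[0]
    if t in ("neg", "not"):                       # clauses 8, 12: f(∼∼a) = f(∼¬a) = f(a)
        return f(psi[1])
    if t == "imp":                                # clause 9: f(a) ∧ f(∼b)
        return ("and", f(psi[1]), f(("neg", psi[2])))
    if t == "and":                                # clause 10: f(∼a) ∨ f(∼b)
        return ("or", f(("neg", psi[1])), f(("neg", psi[2])))
    if t == "or":                                 # clause 11: f(∼a) ∧ f(∼b)
        return ("and", f(("neg", psi[1])), f(("neg", psi[2])))
    if t == "P":                                  # clauses 13-16: flip the bound
        return ("P", DUAL_PROB[psi[1]], psi[2], f(("neg", psi[3])))
    if t in UNARY_TEMPORAL:                       # clauses 17-22: swap A/E and G/F
        return (DUAL_TEMPORAL[t], f(("neg", psi[1])))
    if t in PATH_BINARY:                          # clauses 23-26: swap A/E and U/R
        return (DUAL_PATH[t], f(("neg", psi[1])), f(("neg", psi[2])))
    raise ValueError(f"unknown connective {t!r}")


def sat_pos(phi, lplus, lminus):
    """M, s |=+ phi at one state for →, ∧, ∨, ¬, ∼ (Definition 2.3, clauses 1-6)."""
    if isinstance(phi, str):
        return phi in lplus
    tag, args = phi[0], phi[1:]
    if tag == "imp":
        return (not sat_pos(args[0], lplus, lminus)) or sat_pos(args[1], lplus, lminus)
    if tag == "and":
        return sat_pos(args[0], lplus, lminus) and sat_pos(args[1], lplus, lminus)
    if tag == "or":
        return sat_pos(args[0], lplus, lminus) or sat_pos(args[1], lplus, lminus)
    if tag == "not":
        return not sat_pos(args[0], lplus, lminus)
    if tag == "neg":                              # clause 6: |=+ ∼a iff |=- a
        return sat_neg(args[0], lplus, lminus)
    raise ValueError("only the propositional fragment is evaluated here")


def sat_neg(phi, lplus, lminus):
    """M, s |=- phi at one state for the same fragment (clauses 21-26)."""
    if isinstance(phi, str):
        return phi in lminus
    tag, args = phi[0], phi[1:]
    if tag == "imp":                              # clause 22: |=+ a and |=- b
        return sat_pos(args[0], lplus, lminus) and sat_neg(args[1], lplus, lminus)
    if tag == "and":
        return sat_neg(args[0], lplus, lminus) or sat_neg(args[1], lplus, lminus)
    if tag == "or":
        return sat_neg(args[0], lplus, lminus) and sat_neg(args[1], lplus, lminus)
    if tag in ("not", "neg"):                     # clauses 25, 26: |=- ¬a, |=- ∼a iff |=+ a
        return sat_pos(args[0], lplus, lminus)
    raise ValueError("only the propositional fragment is evaluated here")


def sat_classical(phi, label):
    """N, s |= phi in the pk-structure with L(s) = L+(s) ∪ {p' | p ∈ L-(s)}.
    f(phi) contains no ∼, so the classical clauses coincide with sat_pos over L(s)."""
    return sat_pos(phi, label, frozenset())


def embedding_holds(phi, lplus, lminus):
    """Lemma 3.2 at one state: |=+ phi iff |= f(phi), and |=- phi iff |= f(∼phi)."""
    label = set(lplus) | {p + "'" for p in lminus}
    return (sat_pos(phi, lplus, lminus) == sat_classical(f(phi), label)
            and sat_neg(phi, lplus, lminus) == sat_classical(f(("neg", phi)), label))


# Remark 2 of Section 2: with p ∈ L+(s), p ∈ L-(s) and q ∉ L+(s), (p ∧ ∼p) → q fails
# under |=+, whereas its classical counterpart (p ∧ ¬p) → q holds at every state.
REMARK_2 = ("imp", ("and", "p", ("neg", "p")), "q")
```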
Lemma 3.2. Let f be the mapping defined in Definition 3.1. For any ppk-structure M := ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ for PpCTL, and any satisfaction relations |=⁺ and |=⁻ on M, we can construct a pk-structure N := ⟨S, S₀, R, µ_s, L⟩ for pCTL and a satisfaction relation |= on N such that for any formula α in L∼ and any state s in S,
1. M, s |=⁺ α iff N, s |= f(α),
2. M, s |=⁻ α iff N, s |= f(∼α).
Proof. Let AT be a nonempty subset of ATOM, and AT′ be the set {p′ | p ∈ AT} of atomic formulas. Suppose that M is a ppk-structure ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ such that L⁺ and L⁻ are mappings from S to the power set of AT. Suppose that N is a pk-structure ⟨S, S₀, R, µ_s, L⟩ such that L is a mapping from S to the power set of AT ∪ AT′. Suppose moreover that for any s ∈ S and any p ∈ AT,
1. p ∈ L⁺(s) iff p ∈ L(s),
2. p ∈ L⁻(s) iff p′ ∈ L(s).
The lemma is then proved by (simultaneous) induction on the complexity of α.
Base step:
Case α ≡ p ∈ AT: For (1), we obtain: M, s |=⁺ p iff p ∈ L⁺(s) iff p ∈ L(s) iff N, s |= p iff N, s |= f(p) (by the definition of f). For (2), we obtain: M, s |=⁻ p iff p ∈ L⁻(s) iff p′ ∈ L(s) iff N, s |= p′ iff N, s |= f(∼p) (by the definition of f).
Induction step: We show some cases.
Case α ≡ β → γ: For (1), we obtain: M, s |=⁺ β → γ iff M, s |=⁺ β implies M, s |=⁺ γ iff N, s |= f(β) implies N, s |= f(γ) (by induction hypothesis for 1) iff N, s |= f(β) → f(γ) iff N, s |= f(β → γ) (by the definition of f). For (2), we obtain: M, s |=⁻ β → γ iff M, s |=⁺ β and M, s |=⁻ γ iff N, s |= f(β) and N, s |= f(∼γ) (by induction hypothesis for 1 and 2) iff N, s |= f(β) ∧ f(∼γ) iff N, s |= f(∼(β → γ)) (by the definition of f).
Case α ≡ ¬β: For (1), we obtain: M, s |=⁺ ¬β iff not-[M, s |=⁺ β] iff not-[N, s |= f(β)] (by induction hypothesis for 1) iff N, s |= ¬f(β) iff N, s |= f(¬β) (by the definition of f). For (2), we obtain: M, s |=⁻ ¬β iff M, s |=⁺ β iff N, s |= f(β) (by induction hypothesis for 1) iff N, s |= f(∼¬β) (by the definition of f).
Case α ≡ ∼β: For (1), we obtain: M, s |=⁺ ∼β iff M, s |=⁻ β iff N, s |= f(∼β) (by induction hypothesis for 2). For (2), we obtain: M, s |=⁻ ∼β iff M, s |=⁺ β iff N, s |= f(β) (by induction hypothesis for 1) iff N, s |= f(∼∼β) (by the definition of f).
Case α ≡ AXβ: For (1), we obtain: M, s |=⁺ AXβ iff ∀s₁ ∈ S [(s, s₁) ∈ R implies M, s₁ |=⁺ β] iff ∀s₁ ∈ S [(s, s₁) ∈ R implies N, s₁ |= f(β)] (by induction hypothesis for 1) iff N, s |= AXf(β) iff N, s |= f(AXβ) (by the definition of f). For (2), we obtain: M, s |=⁻ AXβ iff ∃s₁ ∈ S [(s, s₁) ∈ R and M, s₁ |=⁻ β] iff ∃s₁ ∈ S [(s, s₁) ∈ R and N, s₁ |= f(∼β)] (by induction hypothesis for 2) iff N, s |= EXf(∼β) iff N, s |= f(∼AXβ) (by the definition of f).
Case α ≡ P≤x β: For (1), we obtain: M, s |=⁺ P≤x β iff µ_s({w ∈ Π_s | M, w |=⁺ β}) ≤ x iff µ_s({w ∈ Π_s | N, w |= f(β)}) ≤ x (by induction hypothesis for 1) iff N, s |= P≤x f(β) iff N, s |= f(P≤x β) (by the definition of f). For (2), we obtain: M, s |=⁻ P≤x β iff µ_s({w ∈ Π_s | M, w |=⁻ β}) > x iff µ_s({w ∈ Π_s | N, w |= f(∼β)}) > x (by induction hypothesis for 2) iff N, s |= P>x f(∼β) iff N, s |= f(∼P≤x β) (by the definition of f).
Case α ≡ P<x β: For (1), we obtain: M, s |=⁺ P<x β iff µ_s({w ∈ Π_s | M, w |=⁺ β}) < x iff µ_s({w ∈ Π_s | N, w |= f(β)}) < x (by induction hypothesis for 1) iff N, s |= P<x f(β) iff N, s |= f(P<x β) (by the definition of f). For (2), we obtain: M, s |=⁻ P<x β iff µ_s({w ∈ Π_s | M, w |=⁻ β}) ≥ x iff µ_s({w ∈ Π_s | N, w |= f(∼β)}) ≥ x (by induction hypothesis for 2) iff N, s |= P≥x f(∼β) iff N, s |= f(∼P<x β) (by the definition of f). Q.E.D.
Lemma 3.3. Let f be the mapping defined in Definition 3.1. For any pk-structure N := ⟨S, S₀, R, µ_s, L⟩ for pCTL, and any satisfaction relation |= on N, we can construct a ppk-structure M := ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ for PpCTL and satisfaction relations |=⁺ and |=⁻ on M such that for any formula α in L∼ and any state s in S,
1. N, s |= f(α) iff M, s |=⁺ α,
2. N, s |= f(∼α) iff M, s |=⁻ α.
Proof. Similar to the proof of Lemma 3.2. Q.E.D.
Theorem 3.4 (Embeddability). Let f be the mapping defined in Definition 3.1. For any formula α, α is valid (satisfiable) in PpCTL iff f(α) is valid (satisfiable, resp.) in pCTL.
Proof. By Lemmas 3.2 and 3.3. Q.E.D.
Corollary 3.5 (Relative decidability). If the model-checking, validity and satisfiability problems for pCTL with a probability measure are decidable, then the model-checking, validity and satisfiability problems for PpCTL with the same probability measure as that of pCTL are also decidable.
Proof. Suppose that the probability measure µ_s in the underlying ppk-structure ⟨S, S₀, R, µ_s, L⁺, L⁻⟩ of PpCTL is the same as that in the underlying pk-structure ⟨S, S₀, R, µ_s, L⟩ of pCTL. Suppose also that pCTL with µ_s is decidable. Then, by the mapping f defined in Definition 3.1, a formula α of PpCTL can be transformed into the corresponding formula f(α) of pCTL. By Lemmas 3.2 and 3.3 and Theorem 3.4, the model checking, validity and satisfiability problems for PpCTL can be transformed into those of pCTL. Since the model checking, validity and satisfiability problems for pCTL with µ_s are decidable by the assumption, the problems for PpCTL with µ_s are also decidable. Q.E.D.
Some remarks on the decidability are given:
1. The logic pCTL with the two probability measures µ⁺_s and µ⁻_s by Bianco and de Alfaro is decidable (Bianco and de Alfaro, 1995). The logic pCTL with a probability measure µ_s by Aziz et al. is also decidable (Aziz et al., 1995). Thus, the extended PpCTLs based on the above pCTLs are also decidable by Corollary 3.5.
2. Since the mapping f from PpCTL into pCTL is a polynomial-time reduction, the complexity results for PpCTL become the same as those for pCTL, e.g., if the model-checking problem for pCTL is deterministic PTIME-complete, then so is that for PpCTL.
3. The model-checking, validity and satisfiability problems for both CTL and its paraconsistent extension PCTL (Kaneiwa and Kamide, 2011) are known to be EXPTIME-complete, deterministic EXPTIME-complete and deterministic PTIME-complete, respectively.
4 ILLUSTRATIVE EXAMPLES
4.1 SQL Injection Attack Detection
SQL injection (Clarke, 2009) is one of the numerous malicious attack methods used to exploit security vulnerabilities on SQL database servers. An attacker sends injection codes through a network to illegally obtain stored information from the SQL database servers. An automatic detection method for SQL injection attacks is explained here on the basis of the studies reported by (Sonoda et al., 2011; Matsuda et al., 2011; Koizumi et al., 2012). They utilized the contained rate of suspicious characters over the length of an input string. Consider that an automatic detection program attempts to determine if the ith input string l_i (i = 1, 2, ...) to an SQL database server is obtained as a result of an SQL injection attack. Then, the contained rate p_i can be defined as:
$$p_i = \frac{\#S}{|l_i|}, \quad (1)$$
where #S is the number of suspicious characters and |l_i| is the length of the ith input string. Automatic detection with p_i is executed on the basis of the following rule:
$$h(p_i) = \begin{cases} 1 & \text{if } p_i > \alpha; \\ 0 & \text{otherwise,} \end{cases} \quad (2)$$
where h(p_i) = 1 indicates that the detected result is an attack string, h(p_i) = 0 indicates that it is a normal string, and α is a predetermined threshold value. The set S contains some suspicious characters (e.g., a space, semi-colon, single quotation, etc.) found in the input strings of some SQL injection attacks.
Example 4.1. Suppose the unknown input string l₁ "DROP sampletable;--" is sent to the SQL server. Let the elements of S be a space, semi-colon, and right parenthesis, and let the threshold value α be 0.08. Then, this input l₁ is detected as an attack string because the length |l₁| is 19 and the number of suspicious characters contained in S is 2, so the contained rate p₁ = 2/19 = 0.105, and hence p₁ is greater than α.
In the experiment by (Sonoda et al., 2011), the attack detection rate µ_A and the normal detection rate µ_N for the underlying characters were calculated by changing the threshold α. An overall detection rate µ is defined as the weighted average of µ_A and µ_N:
$$\mu = (1 - \beta) \times \mu_A + \beta \times \mu_N, \quad (3)$$
where a real number β, which satisfies 0 ≤ β ≤ 1, is the weight of the normal strings over the input strings. The use of the SQL injection attack detection algorithm explained above is assumed in the following discussion.
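As an added worked example (our code, not the paper's or Sonoda et al.'s), the following Python implements equations (1)–(3) with the character set and threshold of Example 4.1 and evaluates them over a constructed, labelled sample set; the operational definition of µ_A and µ_N as the share of correctly classified attack and normal strings is our assumption, since the text only names the two rates.

```python
"""Contained-rate SQL injection detector of Section 4.1, equations (1)-(3)."""
from dataclasses import dataclass
from typing import Iterable

# Suspicious character set S of Example 4.1: space, semicolon, right parenthesis.
SUSPICIOUS = frozenset({" ", ";", ")"})


def contained_rate(line: str, suspicious: frozenset = SUSPICIOUS) -> float:
    """Equation (1): p_i = #S / |l_i|, the share of suspicious characters in l_i."""
    if not line:                 # |l_i| = 0 is undefined in (1); we treat it as 0 (our choice)
        return 0.0
    return sum(1 for ch in line if ch in suspicious) / len(line)


def h(p: float, alpha: float) -> int:
    """Equation (2): 1 (attack string) if p > alpha, otherwise 0 (normal string)."""
    return 1 if p > alpha else 0


def classify(line: str, alpha: float, suspicious: frozenset = SUSPICIOUS) -> int:
    """Apply rule (2) to the contained rate (1) of one input string."""
    return h(contained_rate(line, suspicious), alpha)


@dataclass(frozen=True)
class Sample:
    text: str
    is_attack: bool              # ground-truth label of the evaluation set


def detection_rates(samples: Iterable[Sample], alpha: float,
                    suspicious: frozenset = SUSPICIOUS):
    """Return (mu_A, mu_N) for a threshold alpha.

    mu_A = share of labelled attack strings with h = 1;
    mu_N = share of labelled normal strings with h = 0.
    The paper only names these rates; this operationalisation is our assumption.
    """
    attacks = [s for s in samples if s.is_attack]
    normals = [s for s in samples if not s.is_attack]
    if not attacks or not normals:
        raise ValueError("need at least one attack and one normal sample")
    mu_a = sum(classify(s.text, alpha, suspicious) for s in attacks) / len(attacks)
    mu_n = sum(1 - classify(s.text, alpha, suspicious) for s in normals) / len(normals)
    return mu_a, mu_n


def overall_rate(mu_a: float, mu_n: float, beta: float) -> float:
    """Equation (3): mu = (1 - beta) * mu_A + beta * mu_N with 0 <= beta <= 1."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    return (1 - beta) * mu_a + beta * mu_n


# Constructed evaluation set: the attack string of Example 4.1 plus three harmless
# inputs. "hello world" contains a space, so at alpha = 0.08 it is a false positive.
SAMPLES = (
    Sample("DROP sampletable;--", True),
    Sample("user01", False),
    Sample("hello world", False),
    Sample("Tochigi", False),
)


def sweep(alphas: Iterable[float], beta: float = 0.5):
    """Overall rate mu per threshold, as in the experiment that varied alpha."""
    return {a: overall_rate(*detection_rates(SAMPLES, a), beta) for a in alphas}
```

With α = 0.08 the harmless input "hello world" is flagged because of its single space, which is the threshold trade-off that the weighted rate µ in (3) is meant to expose.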
4.2 Representing Paraconsistency
Now, we consider some example formulas for SQL injection attacks. The paraconsistent negation connective ∼ in PpCTL is used to represent the negation of an uncertain or ambiguous concept "attack". If we cannot determine whether an input string is obtained by an SQL injection attack, then this concept is regarded as uncertain. The uncertain concept attack can be represented by asserting an inconsistent formula of the form attack ∧ ∼attack, where ∼attack represents the uncertain negative information that can be true at the same time as attack, which represents positive information. This is well-formalized because the formula of the form (attack ∧ ∼attack) → ⊥ is not valid in PpCTL.
We can also present the following formula: EF(attack ∧ ∼attack), which implies: "There exists a situation in which a string input is considered to be obtained as both an SQL injection attack and a non-SQL injection attack", i.e., we cannot determine by the algorithm whether a string was obtained from an attack. In addition, we can present the following formula: EF(crashed ∧ AG crashed), which implies: "There is a situation in which a crashed database caused by an SQL injection attack will not function again."
4.3 Representing Probability
We can express Example 4.1 as the following formula: AG(P_{≤0.08} α ∧ (p_i < α) → ∼attack), which implies: "If the threshold value α is at most 8 percent and the contained rate p_i is greater than α, then the string was probably not obtained by an SQL injection attack, i.e., it can be regarded as a normal string."

Let µ_A and µ_N be an attack detection rate and a normal detection rate, respectively. Then, we can present the following formula: AG(P_{≥0.08} µ_A ∧ P_{≥0.02} µ_N → attack), which implies: "If the attack detection rate µ_A and the normal detection rate µ_N with respect to some fixed characters in the underlying string are at least 8 percent and at least 2 percent, respectively, then the string is obtained by an SQL injection attack, i.e., it is regarded as a malicious attack string."

Similarly, we can present the following formula: AG(P_{≤0.08} µ_A ∧ P_{≤0.02} µ_N → ∼attack), which implies: "The string entered by someone is probably not obtained by an SQL injection attack." In addition, we present the following formula with the classical negation connective ¬: AG(P_{≤0.02} µ_A ∧ P_{≤0.01} µ_N → ¬attack), which implies: "The string entered by someone is clearly not obtained by an SQL injection attack, i.e., it is just a normal string."
4.4 Representing Experimental Facts
The single quotation mark ' forms a set with the previous single quotation mark. A pair of single quotation marks appears, for instance, as "uid='user01'", which implies: "the user ID is user01." We can present this situation as the following formula: AG(singleQuotation ∧ EF singleQuotation → ∼attack), which implies: "At any time, if a single quotation mark ' appears in the string described in a web form, and the corresponding (closing) single quotation mark eventually appears in the same string, then such an input string is probably not obtained as an SQL injection attack."

The statement OR 1=1 is sometimes used in an attack string. Then, we present this situation as the following formula: AG(EF or1=1 → attack), which implies: "At any time, if the statement OR 1=1 eventually appears, then such an input string was probably obtained as an SQL injection attack."
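The following Python program is an added example, not code from the paper, showing how the paraconsistent reading of Sections 4.2 and 4.4 behaves on concrete inputs: positive support for the atom attack (the contained rate of Example 4.1 exceeding α, or the fragment OR 1=1 occurring) and negative support (closed pairs of single quotation marks) are tracked separately, so a single input can satisfy attack ∧ ∼attack, and EF(attack ∧ ∼attack) is checked over a trace of inputs. The concrete evidence rules, the interpretation of a trace of inputs as one path whose states are the successive inputs, and all names in the code are assumptions made here; only S, α, "DROP sampletable;--", and OR 1=1 come from the page.

```python
from enum import Enum
from typing import Iterable, Tuple

SUSPICIOUS = frozenset({" ", ";", ")"})   # set S from Example 4.1 on the page
ALPHA = 0.08                               # threshold alpha from Example 4.1


class Verdict(Enum):
    """The four possible evidence states for the atom `attack` at one state."""
    ATTACK = "attack"                 # positive support only
    NOT_ATTACK = "~attack"            # negative (paraconsistent) support only
    BOTH = "attack and ~attack"       # inconsistent: both kinds of support
    NEITHER = "undetermined"          # no support either way


def contained_rate(s: str) -> float:
    """Contained rate p of Example 4.1: fraction of characters of s lying in S."""
    return 0.0 if not s else sum(ch in SUSPICIOUS for ch in s) / len(s)


def evidence(s: str) -> Tuple[bool, bool]:
    """Return (positive, negative) support for `attack` at the state where s is entered.

    Positive support (assumed rule): the contained rate exceeds alpha (Example 4.1),
    or the fragment OR 1=1 occurs (the formula AG(EF or1=1 -> attack)).
    Negative support (assumed rule): single quotation marks occur in closed pairs
    (the formula AG(singleQuotation and EF singleQuotation -> ~attack)).
    """
    positive = contained_rate(s) > ALPHA or "or 1=1" in s.lower()
    quotes = s.count("'")
    negative = quotes >= 2 and quotes % 2 == 0
    return positive, negative


def verdict(s: str) -> Verdict:
    """attack holds iff there is positive support; ~attack holds iff there is negative
    support. Both may hold at once, since (attack and ~attack) -> bottom is not valid."""
    positive, negative = evidence(s)
    if positive and negative:
        return Verdict.BOTH
    if positive:
        return Verdict.ATTACK
    if negative:
        return Verdict.NOT_ATTACK
    return Verdict.NEITHER


def classically_not_attack(s: str) -> bool:
    """Classical negation: ¬attack holds exactly when there is no positive support,
    regardless of any negative support."""
    return not evidence(s)[0]


def ef_inconsistent(trace: Iterable[str]) -> bool:
    """EF(attack and ~attack) over a linear trace of inputs (assumption: each input is
    one state on a single path): true iff some state carries both kinds of support."""
    return any(verdict(s) is Verdict.BOTH for s in trace)


# Constructed trace: "DROP sampletable;--" and OR 1=1 come from the page; the other
# strings are made up here. "uid='a b c'" is the interesting case: its spaces push
# the contained rate above alpha while its quotes are properly paired.
TRACE = ["user01", "uid='user01'", "' OR 1=1 --", "uid='a b c'", "DROP sampletable;--"]

if __name__ == "__main__":
    for s in TRACE:
        print(f"{s!r:24} -> {verdict(s).value}")
    print("EF(attack and ~attack):", ef_inconsistent(TRACE))
```

The point of keeping the two kinds of support apart is visible on "uid='a b c'": the character-rate rule and the quotation-pair rule disagree, and rather than forcing a decision the verdict records attack ∧ ∼attack, which is exactly the situation EF(attack ∧ ∼attack) asks about; the classical ¬attack, by contrast, is false for that input because positive support is present.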
5 CONCLUSIONS AND RELATED WORKS
In this paper, the paraconsistent probabilistic compu-
tation tree logic (PpCTL) was introduced and stud-
ied. PpCTL was constructed by combining two ex-
isting extended temporal logics: paraconsistent com-
putation tree logic (PCTL) and probabilistic compu-
tation tree logic (pCTL). Then, a theorem for em-
bedding PpCTL into pCTL was proven using transla-
tion, which is independent of the probability measure
setting. A relative decidability theorem for PpCTL,
which states that the decidability of pCTL implies that
of PpCTL, was also obtained as a corollary of this
embedding theorem. This relative decidability theo-
rem indicates that we can reuse some existing pCTL-
based verification algorithms. Some illustrative ex-
amples for describing an SQL injection attack detec-
tion algorithm, involving the use of PpCTL, were also
presented to highlight the virtues of combining para-
consistency (in PCTL) and probability (in pCTL).
Some remarks are given as follows. A translation from PpCTL into PCTL was not given in this paper, although a translation from PpCTL into pCTL was given. The issue of obtaining a translation from PpCTL (pCTL) into PCTL (CTL, resp.) has not been solved yet, because a formula with probabilistic operators, which carry probability measures, is difficult to translate into a non-probabilistic formula of PCTL or CTL. In the meantime, we would like to extend the proposed embedding-based method to an extended PpCTL with the sequence modal operator, which was introduced for expressing ontological or hierarchical information (see, e.g., (Kamide, 2013)). This issue remains as future work.
The rest of this paper addresses some closely re-
lated works. While the idea of combining paracon-
sistency and probability within a temporal logic is
new, the idea of introducing a paraconsistent compu-
tation tree logic is not. In this study, PCTL (Kamide
and Kaneiwa, 2010; Kaneiwa and Kamide, 2011)
was used as a base logic for constructing PpCTL.
However, there are some other paraconsistent vari-
ants of CTL. For example, a multi-valued computa-
tion tree logic, χCTL, was introduced by Easterbrook
and Chechik (Easterbrook and Chechik, 2001), and a
quasi-classical temporal logic, QCTL, was proposed
by Chen and Wu (Chen and Wu, 2006). PCTL was in-
troduced as an alternative to these logics. In addition, an extension of PCTL has also been studied from the viewpoint of bisimulations for paraconsistent Kripke structures in paraconsistent model checking (Kamide, 2006). Another extension of PCTL was also studied in (Kamide, 2013) for verifying student learning processes in learning support systems.
ICAART 2015 - International Conference on Agents and Artificial Intelligence
Compared with paraconsistent CTLs, several
studies have been reported on probabilistic temporal
logics, including probabilistic CTLs. The study in
(Hansson and Jonsson, 1994) is a typical example of
such a study. In (Hansson and Jonsson, 1994), a prob-
abilistic and real-time extension of CTL, also called
PCTL, was introduced and investigated on the basis
of an interpretation of discrete time Markov chains. In
contrast to the probabilistic frameworks of pCTL and
PpCTL, the notion of probability in PCTL is assigned
to all the temporal operators in PCTL. For example, a PCTL formula of the form G^{≤t}_{≥p} α implies "the formula α holds continuously for t time units with a probability of at least p."
REFERENCES
Almukdad, A. and Nelson, D. (1984). Constructible falsity and inexact predicates. Journal of Symbolic Logic, 49:231–233.
Aziz, A., Singhal, V., and Balarin, F. (1995). It usually works: The temporal logic of stochastic systems. In Proceedings of the 7th Int. Conf. on Computer Aided Verification (CAV 1995), Lecture Notes in Computer Science 939, pages 155–165.
Bianco, A. and de Alfaro, L. (1995). Model checking of probabilistic and nondeterministic systems. In Proceedings of the 15th Conf. on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 1995), Lecture Notes in Computer Science 1026, pages 499–513.
Carnielli, W., Coniglio, M., Gabbay, D., Gouveia, P., and Sernadas, C. (2008). Analysis and synthesis of logics: How to cut and paste reasoning systems, Applied Logic Series, Vol. 35. Springer.
Chen, D. and Wu, J. (2006). Reasoning about inconsistent concurrent systems: A non-classical temporal logic. In Lecture Notes in Computer Science, volume 3831, pages 207–217.
Clarke, E. and Emerson, E. (1981). Design and synthesis of synchronization skeletons using branching time temporal logic. In Lecture Notes in Computer Science, volume 131, pages 52–71.
Clarke, E., Grumberg, O., and Peled, D. (1999). Model checking. The MIT Press.
Clarke, J. (2009). SQL injection attacks and defense, 2nd Edition. Syngress Publishing.
Easterbrook, S. and Chechik, M. (2001). A framework for multi-valued reasoning over inconsistent viewpoints. In Proceedings of the 23rd International Conference on Software Engineering, pages 411–420.
Gurevich, Y. (1977). Intuitionistic logic with strong negation. Studia Logica, 36:49–59.
Hansson, H. and Jonsson, B. (1994). A logic for reasoning about time and reliability. Formal Aspects of Computing, 6 (5):512–535.
Kamide, N. (2006). Extended full computation tree logics for paraconsistent model checking. Logic and Logical Philosophy, 15 (3):251–276.
Kamide, N. (2013). Modeling and verifying inconsistency-tolerant temporal reasoning with hierarchical information: Dealing with students’ learning processes. In Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics (SMC 2013), pages 1859–1864.
Kamide, N. and Kaneiwa, K. (2010). Paraconsistent negation and classical negation in computation tree logic. In Proceedings of the 2nd International Conference on Agents and Artificial Intelligence (ICAART 2010), Vol.1, pages 464–469.
Kamide, N. and Wansing, H. (2012). Proof theory of Nelson’s paraconsistent logic: A uniform perspective. Theoretical Computer Science, 415:1–38.
Kaneiwa, K. and Kamide, N. (2011). Paraconsistent computation tree logic. New Generation Computing, 29 (4):391–408.
Koizumi, D., Matsuda, T., Sonoda, M., and Hirasawa, S. (2012). A learning algorithm of threshold value on the automatic detection of SQL injection attack. In Proceedings of the International Conference on Parallel and Distributed Processing Techniques and Applications (PDPTA 2012), Vol.II, pages 933–937.
Matsuda, T., Koizumi, D., Sonoda, M., and Hirasawa, S. (2011). On predictive errors of SQL injection attack detection by the feature of the single character. In Proceedings of the IEEE International Conference on Systems, Man and Cybernetics (SMC 2011), pages 1722–1727.
Nelson, D. (1949). Constructible falsity. Journal of Symbolic Logic, 14:16–26.
Pnueli, A. (1977). The temporal logic of programs. In Proceedings of the 18th IEEE Symposium on Foundations of Computer Science, pages 46–57.
Priest, G. and Routley, R. (1982). Introduction: paraconsistent logics. Studia Logica, 43:3–16.
Rautenberg, W. (1979). Klassische und nicht-klassische Aussagenlogik. Vieweg, Braunschweig.
Sonoda, M., Matsuda, T., Koizumi, D., and Hirasawa, S. (2011). On automatic detection of SQL injection attacks by the feature extraction of the single character. In Proceedings of the 4th International Conference on Security of Information and Networks (SIN 2011), pages 81–86.
Vorob’ev, N. (1952). A constructive propositional calculus with strong negation (in Russian). Doklady Akademii Nauk SSR, 85:465–468.
Wansing, H. (1993). The logic of information structures. In Lecture Notes in Computer Science, volume 681, pages 1–163.
CombiningParaconsistencyandProbabilityinCTL
293