Traffic systems are multi-agent cyber-physical systems whose performance is closely related to human welfare. They work in open environments and are subject to uncertainties from various sources, making their performance hard to verify by traditional model-based approaches. Alternatively, statistical model checking (SMC) can verify their performance by sequentially drawing sample data until the correctness of a performance specification can be inferred with the desired statistical accuracy. This work aims to verify traffic systems with privacy, motivated by the fact that the data used may include personal information (e.g., daily itinerary) that can be leaked unintentionally to anyone observing the execution of the SMC algorithm. To formally capture data privacy in SMC, we introduce the concept of expected differential privacy (EDP), which constrains how much the algorithm execution can change, in expectation, when the data change. Accordingly, we introduce an exponential randomization mechanism for the SMC algorithm to achieve EDP. Our case study on traffic intersections using Vissim simulation shows the high accuracy of SMC in traffic model verification without significantly sacrificing computing efficiency. The case study also shows that EDP successfully bounds the algorithm outputs to guarantee privacy.