PRISMgames: verification and strategy synthesis for stochastic multiplayer games with multiple objectives
 792 Downloads
 1 Citations
Abstract
PRISMgames is a tool for modelling, verification and strategy synthesis for stochastic multiplayer games. These allow models to incorporate both probability, to represent uncertainty, unreliability or randomisation, and gametheoretic aspects, for systems where different entities have opposing objectives. Applications include autonomous transport, security protocols, energy management systems and many more. We provide a detailed overview of the PRISMgames tool, including its modelling and property specification formalisms, and its underlying architecture and implementation. In particular, we discuss some of its key features, which include multiobjective and compositional approaches to verification and strategy synthesis. We also discuss the scalability and efficiency of the tool and give an overview of some of the case studies to which it has been applied.
Keywords
Formal verification Quantitative verification Stochastic games1 Introduction
Automatic verification and strategy synthesis are techniques for analysing probabilistic systems. They can be used to produce formal guarantees with respect to quantitative properties such as safety, reliability and efficiency. For example, they can be employed to synthesise controllers in applications such as autonomous vehicles, network protocols and robotic systems. These often operate in uncertain and adverse environments, models of which require both stochasticity, for example, to represent noise, failures or delays, and gametheoretic aspects, to model noncooperative agents or uncontrollable events.
PRISMgames is a tool for verification and strategy synthesis for turnbased stochastic multiplayer games, a model in which each state is controlled by one of a set of players. That player resolves nondeterminism in its states by selecting an action to perform. The resulting behaviour, i.e. to which state the model then evolves, is probabilistic. This allows the model to capture both gametheoretic aspects and stochasticity.
The crucial ingredient for reasoning about stochastic multiplayer games is strategies, which represent the choices made by a given player, based on the execution of the model so far. For a stochastic game comprising just one player (in other words, a Markov decision process), we may choose to consider the behaviour of the player to be adversarial (for example, representing the malicious environment of a security protocol). We can then verify that the model exhibits certain formally specified properties, regardless of the behaviour of the adversary.
Alternatively, we could assume that we are able to control the choices of the single player in this model (imagine, for example, it represents the navigation control system in an autonomous vehicle). In this setting, we can instead use strategy synthesis to generate a strategy (a controller) under which the behaviour of the game satisfies a formally specified property.
The general case, in which there are multiple players, allows us to model situations where there are entities with opposing objectives, for example a controller and a malicious environment. PRISMgames provides strategy synthesis techniques that can generate a strategy for one player of a stochastic game such that it is guaranteed to satisfy a property, regardless of the strategies employed by the other players. Returning to the autonomous vehicle above, we could generate a strategy for the vehicle controller which guarantees that the probability of successfully completing a journey is above a specified threshold, regardless of the behaviour of other, uncontrollable aspects of the system such as other road users.
This paper provides an overview of PRISMgames and the strategy synthesis techniques that it provides. These fall into two categories. The first, singleobjective case, is used to express zerosum properties in which two opposing sets of players aim to minimise and maximise a single objective: either the probability of an event or the expected reward accumulated before it occurs. The second, multiobjective case, enables the exploration of tradeoffs, such as between performance and resource requirements. The tool also performs computation and visualisation of the Pareto sets representing the optimal achievable tradeoffs.
We also discuss the support in PRISMgames for compositional system development. This is done through assumeguarantee strategy synthesis, based on contracts over component interfaces that ensure cooperation between the components to achieve a common goal. For example, if one component satisfies the goal B under an assumption A on its environment (i.e. \(A \rightarrow B\)), while the other component ensures that the assumption A is satisfied, we can compose strategies for the components into a strategy for the full system achieving B. Multiobjective strategy synthesis, e.g. for an implication \(A \rightarrow B\), can be conveniently employed to realise such assumeguarantee contracts. Again, Pareto set computation can be performed to visualise the relationship between properties and across interfaces.
The underlying verification and strategy synthesis techniques developed for PRISMgames have been published elsewhere, in [5, 7, 12, 14, 16, 44]. Existing short tool papers focusing on the functionality added in versions 1.0 and 2.0 of PRISMgames were presented in [13] and [34], respectively. This paper provides a comprehensive overview of the full tool, including detailed examples of the modelling and property specification and summaries of the key theory and algorithms. We also discuss implementation details, the scalability of the tool and the application domains to which it has been applied.
Structure of the paper Section 2 provides basic details of the underlying model of stochastic multiplayer games and explains how these can be described using the PRISMgames modelling language. Section 3 covers the property specification language, giving the formal syntax, semantics and examples of the various classes of quantitative properties that are supported. Section 4 gives an overview of the underlying algorithms used to perform verification and strategy synthesis, and Sect. 5 describes the architecture of the tool and some lowerlevel aspects of its implementation. Section 6 presents some experimental results and discusses the scalability and efficiency of PRISMgames. We conclude, in Sects. 7, 8 and 9, with a discussion of case studies to which the tool has been applied, a survey of related tools and some areas of current and future work.
2 Models and modelling
We begin by explaining the underlying models used by PRISMgames and the means by which they are specified to the tool. We will use \({{ Dist }}(S)\) to denote the set of discrete probability distributions over a set S.
2.1 Stochastic multiplayer games
The primary probabilistic model supported by PRISMgames is stochastic multiplayer games (SMGs). These model systems whose evolution is determined by the decisions of multiple players plus the presence of probabilistic behaviour. We restrict our attention here to turnbased (as opposed to concurrent) stochastic games, in which a single player controls each state of the model.
Definition 1

\(\varPi \) is a finite set of players,

S is a finite set of states,

\((S_i)_{i\in \varPi }\) is a partition of S,

\({\overline{s}}\in S\) is an initial state,

\(A\) is a finite set of actions,

\(\delta : S {\times } A\rightarrow {{ Dist }}(S)\) is a (partial) probabilistic transition function,

\(L:S\rightarrow 2^{ AP }\) is a labelling function mapping states to sets of atomic propositions from a set \({ AP }\).
The state of an SMG \(\mathcal {G}\) is initially \({\overline{s}}\), and it then evolves as follows. In any state s, there is a nondeterministic choice between the set of enabled actions \(A(s)\subseteq A\), where Open image in new window . We assume that \(A(s)\) is nonempty for all states s, i.e. that there are no deadlock states in the model. (This is checked and enforced by the tool.) The choice of an action from \(A(s)\) is resolved by the player that controls the state s, i.e. the unique player \(i\in \varPi \) for which \(s\in S_i\). Once this player selects an action \(a\in A\), a transition to a successor state \(s'\) occurs randomly, according to the probability distribution \(\delta (s,a)\), i.e. the probability that a transition to \(s'\) occurs from the current state s is \(\delta (s,a)(s')\).
A path through \(\mathcal {G}\), representing one possible execution of the system that it models, is a (finite or infinite) sequence of states and actions \(\pi =s_0 a_0 s_1 a_1 s_2 \ldots \), where \(s_i\in S\), \(a_i\in A(s_i)\) and \(\delta (s_i,a_i)(s_{i+1}){>}0\) for all \(i \in \mathbb {N}\). We write \( FPath _{\mathcal {G},s}\) and \( IPath _{\mathcal {G},s}\), respectively, for the set of all finite and infinite paths of \(\mathcal {G}\) starting in state s and denote by \( FPath _\mathcal {G}\) and \( IPath _\mathcal {G}\) the sets of all such paths.
To reason about the various possible ways in which the game can behave, we use the notion of strategies, which define the choices of actions made by players in each state, based on the history of the game’s execution so far. Formally, these are defined as follows.
Definition 2
(Strategy) A strategy for player \(i\in \varPi \) in SMG \(\mathcal {G}\) is a function \({\sigma }_i: (SA)^*S_i \rightarrow {{ Dist }}(A)\) which, for each path \(\lambda {\cdot }s\in FPath _{\mathcal {G}}\) where \(s\in S_i\), selects a probability distribution \({\sigma }_i(\lambda {\cdot }s)\) over \(A(s)\). The set of all strategies for player i is denoted \({\varSigma }_i\).
Various important classes of strategies can be identified, by classifying the extent to which they use the history of the game’s execution so far and whether or not they use randomisation. For the latter, a strategy is called deterministic (or pure) if the distribution used to select actions is always a point distribution (i.e. selects a single action with probability 1), and randomised otherwise. Regarding the use of history (i.e. memory), we identify the following important classes.
Definition 3
(Memoryless strategy) A strategy \({\sigma }_i\) is called memoryless if it only considers the current state when resolving nondeterminism, i.e. if \({\sigma }_i(\lambda {\cdot }s)={\sigma }_i(\lambda '{\cdot }s)\) for all paths \(\lambda {\cdot }s,\lambda '{\cdot }s\in FPath _{\mathcal {G}}\).
A finitememory strategy has a mode, which is updated each time a transition is taken in the game and then used to select an action in each state.
Definition 4

a finite set of modes (or memory elements) Q;

an initial mode \(q_0\in Q\);

a mode update function \({\sigma }_i^u:Q {\times } S_i \rightarrow { Dist }(Q)\);

an action selection function \({\sigma }_i^s:Q {\times } S_i \rightarrow { Dist }(A)\)
In addition to the distinction mentioned above between randomised and deterministic strategies, finitememory strategies are classified as deterministic memory update strategies if the mode update function \({\sigma }_i^u\) always gives a point distribution over modes, and stochastic memory update strategies otherwise.
Given multiple strategies \({\sigma }_i\in {\varSigma }_i\) for several players \(i\in \varPi \), we can combine them into a single strategy that resolves choices in all the states controlled by those players. For example, for strategies \({\sigma }_1\) and \({\sigma }_2\) for players 1 and 2, we write \({\sigma }=({\sigma }_1,{\sigma }_2)\) to denote the combined strategy \(\sigma \). For a coalition of players \(C\subseteq \varPi \), we use \(\varSigma _C\) to denote the set of all (combined) strategies for players in C. If a strategy \(\sigma \) comprises strategies for all players of the game (sometimes called a strategy profile), we can construct a probability space \({ Pr _{{\mathcal {G}}}^{\sigma }}\) over the infinite paths of \({\mathcal {G}}\). This measure also allows us to define the expectation \(\mathbb {E}_{\mathcal {G}}^{\sigma }[\rho ]\) of a measurable function \(\rho \) over infinite paths. We use \({ Pr _{{\mathcal {G}}}^{\sigma }}\) and \(\mathbb {E}_{\mathcal {G}}^{\sigma }[\rho ]\) to formally define a variety of quantitative properties of a game’s behaviour under a particular strategy, notably the probability of some measurable event, or the expected value of a reward/cost measure, respectively.
As shown in Definition 1, states of SMGs are labelled with atomic propositions, from some set \({ AP }\). These are used to identify particular states of interest when writing temporal logic formulas to describe an event (see Sect. 3). We also augment SMGs with reward structures of the form \(r:S\rightarrow \mathbb {R}_{\geqslant 0}\), which assign nonnegative, realvalued rewards to the states of a game. These can have many different interpretations and are, in fact, often used to capture costs rather than rewards (for example, energy usage or elapsed time).
2.2 Subclasses of SMGs
Next, we identify some useful subclasses of stochastic multiplayer games, which may be simpler to analyse, or be amenable to verification against a wider range of properties than the general model.
Stochastic twoplayer games Firstly, we observe that, when the cardinality of the player set \(\varPi \) of an SMG is 2, the SMG is a (turnbased) stochastic twoplayer game [37], a widely studied class of models, sometimes also known as \(2\frac{1}{2}\)player games.
In practice, these suffice for modelling many reallife scenarios in which there is a natural separation into two competing entities (for example, defender vs. attacker in the context of a security protocol, or controller vs. environment in the context of a control problem). In fact, for the properties currently supported by PRISMgames, the verification of stochastic multiplayer games actually reduces to the problem of solving one or more stochastic twoplayer games.
Markov decision processes It is also worth noting that, when an SMG contains only one player (or, when all but one player has a singleton set of choices in all of their states), the SMG is in fact a Markov decision process (MDP), sometime also called a \(1\frac{1}{2}\)player game. The basic problem of strategy synthesis for MDPs has a lower time complexity than for SMGs (polynomial, rather than NP \(\cap \) coNP), and support for this model is already implemented in the regular version of PRISM.
Stopping games When we discuss multiobjective techniques for SMGs later in the paper, we will refer to two subclasses of models for which additional property classes are available. The first are stopping games. We call states in an SMG from which no other state can be reached under any strategy terminal states. A stopping game is an SMG in which terminal states are reached with probability 1 under any strategy.
Controllable multichain games The second subclass of SMGs relevant for multiobjective properties are controllable multichain games [7]. Intuitively, an SMG is controllable multichain if one player (or set of players) has the ability to control which subset of states the game eventually reaches and remains within. The formal definition relies on a generalisation of the notion of end components for MDPs [20] to irreducible components [7], which are strongly connected fragments of the SMG that, once reached, will never be left. Controllable multichain means that one player can, for each irreducible component H, and starting in any state s of the SMG, ensure that H is reached from s with probability 1. We refer the reader to [7] for a full definition.
2.3 Modelling SMGs in PRISMgames
PRISMgames extends the existing PRISM modelling language to provide a formalism for specifying SMGs to be analysed by the tool. In this section, we explain the language and illustrate it using an example.
Action labels serve several purposes. First, they are used to annotate the transitions in the SMG, i.e. they represent the actions in the set \(A(s)\) for each state s that are chosen by the players. Secondly, they provide a means for multiple modules to execute their updates synchronously. More formally, this is done using a multiway parallel composition of processes, which is based on the definition of parallel composition proposed by Segala for probabilistic automata [36]. Lastly, we also use action labels to specify which parts of the model belong to which player. This is explained below, using an example.
Example Figure 1 shows a PRISMgames model of an SMG representing three robots navigating a space that is divided into a \(3\times 2\) grid. The grid, and the movements that can be made around it, is shown in Fig. 2. A robot can select a direction of movement in each grid location (\( north \), \( east \), etc.) but, due to the possibility of obstacles, may with some probability end up remaining in the same location or moving to a different one.
The first module shown in Fig. 1 represents robot 1, whose variable r1 gives its current grid location (using the numbering from Fig. 2). The guarded commands represent the possible actions that can be taken and the resulting probabilistic updates to variable r1. The second and third modules, for robots 2 and 3, are identical to the one for robot 1, except that the states of those robots are represented by different variables (r2 and r3), and the action labels are different (e.g. north2 and north3, rather than north1). So, these modules are defined using PRISM’s module renaming feature.
The actions of the robots are mostly independent; however, no two can be in location 5 simultaneously. Hence, the update corresponding to a move into this location is written as (r1’=(r2=5r3=5)?r1:5), which means that r1 is updated to 5 only if r2 or r3 is not already equal to 5; otherwise it remains unchanged.
We also comment on the use of parallel composition in the model. PRISMgames currently only supports turnbased SMGs. As a simple way of ensuring this is respected for the example model, we make the robots move in sequence, one by one. To enforce this, we make the action labels for modules robot1, robot2 and robot3 disjoint and add a fourth module sched, with a variable t denoting the robot who is next to move and which synchronises with the appropriate module, depending on the current value of t. This is a relatively common approach in PRISMgames models where the concurrency between parallel components is controlled to allow it to be represented by a turnbased SMG.
The specification of the players in the SMG can be seen near the top of Fig. 1. This defines the set of players in the SMG, and their names, and then assigns to each one a set of action names. This effectively associates each transition in the SMG with a particular player. Currently, since PRISMgames only supports turnbased games, it checks each state to ensure that all actions from that state are associated with the same player and then assigns the state to that player. This approach (identifying player states via action names) is taken in order to provide compatibility with models such as concurrent SMGs, for which we plan to add support in future.
Finally, we note that the last part of the PRISMgames model contains some straightforward definitions of labels and rewards, which are done in the same way as for standard PRISM models. Labels are used to identify states of interest, for the purposes of property specification, and are defined by a predicate over state variables; for this example, they are used to identify when each robot is in a location marked as a \( goal \) (either A or B) or a \( hazard \) in Fig. 2. There is also a very simple reward structure \( time \), modelling the elapse of time, defined by assigning a fixed reward of 1 to every state.
Compositional modelling Version 2.0 of the PRISMgames tool added support for compositional strategy synthesis using assumeguarantee proof rules (see Sect. 4.3 for more details). In order to facilitate this, the modelling language also provides a specific compositional modelling approach designed for assumeguarantee strategy synthesis. This works for stochastic twoplayer games, specifically targeting controller synthesis problems modelled with games where player 1 represents a controller and player 2 its environment.
It allows a game to be defined as several subsystems, each of which comprises a set of modules, which are combined using the normal parallel composition of PRISMgames. Subsystems are combined using the game composition operator introduced in [6]; actions controlled by player 1 in subsystems are also controlled by player 1 in the composition, thus enabling composition of the synthesised player 1 strategies. This allows controller synthesis problems to be solved in a compositional fashion. For more details of this aspect of the language, we refer the reader to [44].
3 Property specification
In order to formally specify the desired behaviour of an SMG, we use properties. In PRISMgames, properties are specified as temporal logic formulas. As a basis for this, we use the core part of the existing property specification logic of PRISM [32], which is itself based on the probabilistic temporal logic PCTL [28], extended with operators to reason about rewards [25].
PRISMgames currently supports two main classes of properties: (i) singleobjective and (ii) multiobjective. Although these fit within the same unified property specification language, there are different syntactic restrictions imposed in each case, so we present the two classes separately. In the explanations that follow, we will assume that we are specifying properties for a fixed SMG \(\mathcal {G}= (\varPi ,S,(S_i)_{i\in \varPi },{\overline{s}},A,\delta ,L)\). When giving examples of such properties, we will continue to use the SMG illustrated in the previous section, which has 3 players, \( robot _1\), \( robot _2\) and \( robot _3\). Each label from Fig. 1 (e.g. “goal1A”) corresponds to an atomic proposition (e.g. \( goal_{1A} \)), which can be used in temporal logic properties.
3.1 Singleobjective properties
For singleobjective properties of SMGs, we use a fragment of the property specification language called rPATL (probabilistic alternatingtime temporal logic with rewards), originally proposed in [12]. This adopts the coalition operator \(\langle \!\langle \cdot \rangle \!\rangle \) from the logic ATL [2], used for reasoning about strategies in nonprobabilistic games, and adds the probabilistic operator \({\mathtt P}\) from PCTL and an extension of PRISM’s reward operator \({\mathtt R}\) [25]. The formal definition is as follows.
Definition 5

\(\langle \!\langle \{ robot _1, robot _2\} \rangle \!\rangle {\mathtt P}_{\geqslant 0.9}[\,{{{{\mathtt {F}}}\ }( goal _{1B}{\wedge } goal _{2B})}\,]\) —robots 1 and 2 have strategies which ensure that, with probability at least 0.9, they are eventually both in a goal B state simultaneously, regardless of the actions taken by robot 3.

\(\langle \!\langle \{ robot _1\} \rangle \!\rangle {\mathtt R}^{ time }_{\,\leqslant 10}[\,{{{{\mathtt {F}}}\ }\!\!^{\infty } goal _{1A}}\,]\) —it is possible for robot 1 to ensure that the expected time taken to reach goal A is at most 10.

\(\langle \!\langle \{ robot _1\} \rangle \!\rangle {\mathtt P}_{\geqslant 1}[\,{{{{\mathtt {F}}}\ } goal_{1B} }\,] \vee \langle \!\langle \{ robot _2\} \rangle \!\rangle {\mathtt P}_{\geqslant 1}[\,{{{{\mathtt {F}}}\ } goal_{2B} }\,]\) —at least one of robot 1 and robot 2 has a strategy to ensure it reaches goal B with probability 1;

\(\langle \!\langle \{ robot _1\} \rangle \!\rangle {\mathtt P}_{<0.01}[\,{{{{\mathtt {F}}}\ }\lnot \langle \!\langle \{ robot _3\} \rangle \!\rangle {\mathtt P}_{\geqslant 0.95}[\,{{{{\mathtt G}}\ }\lnot hazard_{3} }\,]}\,]\) —it is possible for robot 1 to ensure that, with probability less than 0.01, a state is reached from which robot 3 is unable to guarantee that it avoids hazard states with probability at least 0.95.

\(\langle \!\langle \{ robot _1\} \rangle \!\rangle {\mathtt P}_{\max =?}[\,{{{{\mathtt G}}\ }\lnot hazard_1 }\,]\) —what is the maximum probability with which robot 1 can guarantee that it avoids \( hazard \) states?

\(\langle \!\langle \{ robot _2\} \rangle \!\rangle {\mathtt R}^{ time }_{\,\min =?}[\,{{{{\mathtt {F}}}\ } goal _{2A}}\,]\) —what is the minimum expected time with which robot 2 can reach goal A?
3.2 Multiobjective properties
An important class of properties, added in version 2.0 of PRISMgames, are those which characterise the goals of a player (or players) using multiple objectives. We continue to use the coalition operator \(\langle \!\langle C \rangle \!\rangle \theta \) discussed above, but now allow \(\theta \) to be, for example, a conjunction of different objectives all of which need to be satisfied. More generally, we allow \(\theta \) to be a Boolean combination of different objectives. For this class of properties, we focus purely on rewardbased properties and consider a different range of reward objectives, which we explain in more detail below. The full syntax is as follows.
Definition 6
As can be seen from the rule for \(\theta \), multiobjective properties can incorporate three different types of reward objective in the \({\mathtt R}\) operator and an alternative form of the \({\mathtt P}\) operator. We can reason about total reward (indefinitely cumulated rewards; \( {\mathtt R}^{r}_{\,\bowtie x}[\,{\mathtt {C}}\,]\)), mean payoff (longrun average reward; \({\mathtt R}^{r}_{\,\bowtie x}[\,{{\mathtt S}}\,]\)), or the longrun ratio of two rewards (\(\smash {{\mathtt R}^{r_1/r_2}_{\,\bowtie x}[\,{{\mathtt S}}\,]}\)). The \({\mathtt P}\) operator is used to specify almostsure (i.e. probability 1) satisfaction objectives for mean payoff and ratio rewards.

\(\langle \!\langle \{ robot _1\} \rangle \!\rangle ({\mathtt R}^{ energy _1}_{\,\leqslant e_1}[\,{\mathtt {C}}\,] \; \wedge \; {\mathtt R}^{ tasks _1}_{\,\geqslant t_1}[\,{\mathtt {C}}\,])\) —robot 1 has a strategy which ensures that both the expected total energy consumed is at most \(e_1\) and the expected total number of tasks completed is at least \(t_1\), regardless of the behaviour of robots 2 and 3.

\(\langle \!\langle \{ robot _1, robot _2\} \rangle \!\rangle ( {\mathtt R}^{ energy_1 / time }_{\,\leqslant e_1}[\,{{\mathtt S}}\,] \; {\vee } \; {\mathtt R}^{ energy_2 / time }_{\,\leqslant e_2}[\,{{\mathtt S}}\,] )\) — robots 1 and 2 have a combined strategy which ensures that either the expected longrun energy consumption rate of robot 1 is at most \(e_1\) or it is at most \(e_2\) for robot 2, whatever robot 3 does.
In the same way that singleobjective properties can be written in a numerical form (\(\min =?\) or \(\max =?\)) to obtain optimal values directly, PRISMgames allows the extraction of Pareto sets to visualise the tradeoffs between objectives in a multiobjective query (see Sects. 4, 5 for details).
3.3 Property semantics
We conclude our discussion of the PRISMgames property specification language with a presentation of its formal semantics. A property \(\phi \) of an SMG \(\mathcal {G}\) (for either of the two grammars presented above) is interpreted for a state s of \(\mathcal {G}\). We write \(s {\,\models \,}\phi \) to denote that \(\phi \) is satisfied (i.e. is true) in state s. The formal definition of the relation \({\,\models \,}\) is shown in Fig. 3. As can be seen, the definition also uses several auxiliary satisfaction relations. In particular, \(s,{\sigma }{\,\models \,}\theta \) means that, when the game is under the control of strategy \({\sigma }\), \(\theta \) is satisfied in state s. This is used for the definition of the semantics of the coalition operator \(\langle \!\langle C \rangle \!\rangle \theta \), which requires the existence of a (combined) strategy \({\sigma }_1\) for all players in C such that, for all possible strategies \({\sigma }_2\) of the other players, \(s,({\sigma }_1,{\sigma }_2) {\,\models \,}\theta \) holds, where \(({\sigma }_1,{\sigma }_2)\) is the strategy combining the individual strategies for all players in the game.
4 Algorithms
We now describe the implementation of PRISMgames in more detail. In this section, we summarise the key algorithms required for model checking and give pointers to further information. In the next section, we will describe the overall architecture of the tool and explain some of the lowlevel implementation details.
The key algorithmic task performed by PRISMgames is model checking of a property expressed in the logic of Sect. 3 against an SMG constructed from a description in the PRISM modelling language. Since the property specification language is based on a branchingtime logic (it extends PCTL, which in turn extends CTL), the basic model checking algorithm performs a recursive traversal of the parse tree of the logical formula to be checked and, for each subformula, determines the set of states of the model that satisfy it.
The key operator for model checking is the coalition operator \(\langle \!\langle C \rangle \!\rangle \theta \), where \(\theta \) is either a single (probabilistic or reward) objective or a Boolean combination of such objectives. In either case, model checking essentially reduces to a strategy synthesis problem: determining whether the set of players C has a combined strategy that achieves the objective (or objectives), irrespective of the strategies of the other players.
This problem always reduces to a strategy synthesis problem on a (turnbased) stochastic twoplayer game, in which the first player represents the players in C and the second player represents the others (a socalled coalition game). Thus, the main component of the SMG model checking algorithm is strategy synthesis for either single or multiobjective queries on a stochastic twoplayer game.
4.1 Singleobjective strategy synthesis
For singleobjective strategy synthesis, determining if a suitable strategy exists in this game reduces to computing optimal strategies for player 1, i.e. strategies that minimise or maximise the value of the objective. The problems of computing optimal probabilities of reaching a set of states or expected cumulative rewards in stochastic twoplayer games are known to be in the complexity class NP \(\cap \) coNP [18]. However, in practice, we can use value iteration algorithms, which iteratively approximate the optimal values for all states of the model, until some specified convergence criterion is met. This approach can be adapted to handle each of the variants of the \({{{\mathtt {F}}}\ }^{\!\!\star }\) reward operators described in Sect. 3.1. This relies on the use of graphbased precomputation algorithms (e.g. to identify states from which the expected reward is infinite) and, for the case \(\star =0\), the use of two successive instances of value iteration which compute an upper and lower bound on the required values, respectively. The process is described in more detail in [12].
For the cases of probabilistic reachability or until formulas (\({\mathtt P}_{\bowtie \,p}[\,{{{{\mathtt {F}}}\ }\phi }\,]\) or \({\mathtt P}_{\bowtie \,p}[\,{\phi _1{\ {\mathtt {U}}\ }\phi _2}\,]\)) and cumulative expected reward (\({\mathtt R}^{r}_{\,\bowtie \,x}[\,{{{{\mathtt {F}}}\ }\!\!^{\star }\phi }\,]\)), PRISMgames synthesises optimal strategies that are both memoryless and deterministic. For the bounded variants of reachability/until, a finitememory strategy is generated. In each case, the optimal strategy can be inspected in the tool, or exported to a file for further analysis.
4.2 Multiobjective strategy synthesis
For multiobjective properties (which, again, only need to be considered on a stochastic twoplayer game), PRISMgames implements the techniques presented in [5, 7, 14, 16]. The syntax described in Sect. 3.2 allows a variety of different reward objectives to be used: expected total reward, expected longrun average reward (mean payoff), expected longrun reward ratio and almostsure (probability 1) variants of the latter two.
At the heart of the strategy, synthesis algorithm is a unified fixpoint computation, used for all classes of properties after appropriate transformations have been applied. In particular, Boolean combinations of expectation objectives are converted to conjunctions by selecting appropriate weights for the individual objectives (see [14, Theorem 6] for details).
The core task is then to compute the set of achievable values for a conjunction of expected reward objectives. Assuming a conjunction of n reward objectives, with thresholds \(x_1,\dots ,x_n\), a vector of n values is said to be achievable if a single (player 1) strategy of the game can simultaneously satisfy the threshold \(x_i\) for each of the n reward objectives.
Strategy synthesis is again performed using a value iteration style algorithm, but now computing, for each state s of the model, a polytope \(P_S\subseteq \mathbb {R}^n\) of achievable values for that state, rather than a single value as in the singleobjective case. In fact, the value iteration algorithm computes and stores the Pareto set of optimal values for the polytope, i.e. the frontier set containing achievable values that cannot be improved in any direction without degrading another. The full polytope is represented by its downward closure.
Since value iteration performs an approximate computation, up to a specified accuracy, the algorithm in fact constructs an \(\varepsilon \)approximation of the Pareto set. Improvements in performance can be achieved by computing successive polytopes using inplace (i.e. Gauss–Seidel) updates, as well as rounding the corners of the polytopes at every iteration (where the latter comes at the cost of precision) [16].
From the results of the value iteration computation, a succinct stochastic memory update strategy (see Sect. 2.1 for the definition) can be constructed, which achieves the required values. Intuitively, the vertices of the polytope for each state form the memory elements of the constructed strategy and are used to track the values that need to be achieved for each objective. As for multiobjective strategy synthesis on the simpler model of MDPs [23], randomisation is needed in the strategy to capture tradeoffs between objectives. See [16, 44] for more information and some detailed examples.
In a similar fashion to the handling of numerical queries for singleobjective properties, PRISMgames can also provide direct access to the Pareto set for a multiobjective property. In practice, these are visualised by selecting twodimensional slices of the full set (see Sect. 5 and Fig. 5 for an example).
4.3 Compositional strategy synthesis
Finally, we discuss the functionality in PRISMgames for compositional strategy synthesis techniques. Building upon assumeguarantee verification rules for probabilistic automata (i.e. games with only a single player), proposed in [33], support is provided for assumeguarantee strategy synthesis in stochastic twoplayer games [6, 7].
The tool compositionally computes a Pareto set for the property \(\varphi \) of the toplevel system, which is an underapproximation of the Pareto set computed directly on the monolithic system. For a target in the compositional Pareto set, the targets for the local property specifications \(\varphi _i\) can be derived, so that the local strategies can be synthesised. Figure 4 shows an example, with the property specifications given beneath each of the generated Pareto sets, using ratio reward objectives and 4 reward structures \(r_1\), \(r_2\), \(r_3\) and c. The rightmost image shows the compositional Pareto set \(P'\). The global target is \(({\texttt {v}}_2,{\texttt {v}}_3) = (\frac{3}{4},\frac{9}{8})\), and the local targets can be seen to be consistent with \({\texttt {v}}_1 = \frac{1}{4}\).
5 Architecture and implementation
which also includes documentation, examples and related publications, as well as links to resources shared with PRISM, such as the support and discussion forums. The source code can also be accessed and browsed from the PRISM project’s GitHub page:
This site also hosts resources such as the benchmark and regression test suites, which are currently being extended with SMG model checking examples.
5.1 Architecture

Parsers for the modelling language and property specification languages, which are extended to support games and the new strategy synthesis properties.

The discreteevent simulator, used for manual or automatic model exploration, which now supports SMGs, as well as the new notions of twoplayer parallel composition for assumeguarantee strategy synthesis.

The commandline interface, which is well suited for automated verification runs, longrunning tasks or remote invocation.

The graphical user interface (GUI), which provides editors for models and properties, graph plotting functionality and a simulator. Notable new features in the GUI include the ability to explore synthesised game strategies in the simulator, the possibility to apply a generated strategy to a game model and then perform further model checking, and the ability to visualise Pareto sets from multiobjective strategy synthesis. Screenshots illustrating the first and third of these can be found in Fig. 5.

The application programming interface (API), which provides direct programmatic access (in Java) to the underlying model checking engine used by both the commandline and graphical user interfaces.
5.2 Data structures
We now give some details of the key data structures needed to implement model checking of SMGs and the operations needed to manipulate them. Further details can be found in [44].
Games and strategies The current implementation of model checking within PRISMgames uses explicitstate data structures, building upon PRISM’s existing “explicit” engine which is written in Java.
Stochastic multiplayer games are represented using sparse matrix data structures. For the purposes of performing strategy synthesis (which is primarily based on value iteration), the sparse matrices are equipped with various matrixvector multiplication algorithms, which form the most expensive part of the solution process.
In order to support compositional modelling and verification, PRISMgames adds support to the data structures for combining SMGs using the notion of parallel composition from [6], described in Sect. 2.3. This includes various auxiliary steps, including an (optional) compatibility check and normal form transformation.
Strategies are also implemented in an explicitstate fashion. Memoryless strategies are represented as vectors and stochastic memory update strategies as maps encoding the next choice and memory update functions. For compositional verification within the assumeguarantee framework, the synthesised strategies are not explicitly composed, but the individual strategies are stored separately. When simulating a composed game under a composed strategy, the memory update is performed at each step only for the strategies corresponding to the involved components.
Polytopes For singleobjective SMG model checking, the core numerical computation techniques compute a single value (e.g. a probability or expected reward value) for each state of the SMG. These are mostly performed using fixpoint approximations over stateindexed vectors of floating point numbers. However, for multiobjective model checking, we need to compute sets of achievable objective values for each state, which can be done by associating each state with a convex, closed polytope.
Polytope representation and manipulation is done using the Parma Polyhedra Library (PPL) [4]. In particular, this provides support for performing the settheoretic operations of convex union and intersection. The PPL library represents each polytope by both its vertices and the set of bounding hyperplanes, called the Motzkin double description method [4]. The vertex representation also allows for rays, which we use for downward closure operations: a ray is a vector \(\mathbf {y}\) such that, for any point \(\mathbf {x}\) in a polytope X, any point \(\mathbf {x} + \alpha \cdot \mathbf {y}\) is also in X, for any \(\alpha > 0\).
Weighted Minkowski sum One operation required by PRISMgames for manipulating polytopes, but not directly supported by the PPL library, is the weighted Minkowski sum. This is one of the core operations used during the iterative approximation of Pareto sets for multiobjective strategy synthesis, with the weights corresponding to the probabilities attached to outgoing transitions from each state of the SMG. Given sets \(X, Y \subseteq \mathbb {R}^n\), their Minkowski sum is the set Open image in new window ; given also a weight \(\alpha \in [0,1]\) their weighted Minkowski sum is the set Open image in new window .
Note that the weighted Minkowski sum is the most computationally expensive operation that we have to implement, as the number of vertices of the polytope \(\alpha P_1 + (1\alpha ) P_2\) is \(\mathcal {O}(P_1 \cdot P_2)\); see Theorem 4.1.1 of [43]. In contrast, the number of vertices of the polytopes \(P_1 \cap P_2\) and \(\textsf {conv}(P_1 \cup P_2)\) is \(\mathcal {O}(P_1 + P_2)\) in both cases. The performance of our synthesis algorithms is therefore dependent on the outgoing branching degree of the states.
6 Experimental results
Next, we present some experimental results for a selection of models analysed with PRISMgames, in order to give an illustration of the scalability of the tool. Although the property specification language presented in Sect. 3 allows multiple coalition operators \(\langle \!\langle C \rangle \!\rangle \theta \) to be combined, either using Boolean combinations or nesting of subformulas, in practice, most queries are single instances of the operator so we restrict our attention to such properties. We discuss the cases of singleobjective and multiobjective queries separately, since the techniques used to check them are quite different.
First, Table 1 shows statistics for a selection of models and the time taken to check various singleobjective properties. The models are taken from three case studies: teamform (team formation protocols) [15], mdsm (microgrid demandside management) [12, 38] and investor (future markets investor) [35]. Each case study has a parameter that can be varied to yield increasingly large models. (Details can be found in the references cited above.) The table shows the number of players and model size (number of states) for each one.
Again, we focus our attention on the kinds of objectives used most frequently in practice, which refer to either the probability of reaching a set of target states, or the expected reward accumulated before reaching it. For the latter, we show two of the three possible variants. Times are presented for performing strategy synthesis in each case using a 2.80GHz PC with 32GB RAM. Since this process reduces to the analysis of a stochastic twoplayer game, the number of players in the original SMG has no impact on the solution time. Instead, the model size is the key factor. We observe that, for a given example, the time for strategy synthesis increases roughly linearly with the increase in state space size. This is as expected since these properties are checked using an iterative numerical method, each iteration of which performs an operation for each state of the model.
A selection of experimental results for singleobjective strategy synthesis queries
Case study [parameters]  SMG statistics  Strategy synthesis  

Players  States  Property type  Time (s)  
teamform [N]  3  3  12,475  \(\langle \!\langle C \rangle \!\rangle {\mathtt P}_{\max =?}[\,{{{{\mathtt {F}}}\ }\phi }\,]\)  0.2 
4  4  96,665  0.9  
5  5  907,993  11  
mdsm [N]  5  5  743,904  \(\langle \!\langle C \rangle \!\rangle {\mathtt R}^{\max =?}_{\,r}[\,{{{{\mathtt {F}}}\ }\!\!^{\infty } \phi }\,]\)  62 
6  6  2,384,369  222  
7  7  6,241,312  1055  
investor [vmax]  10  2  10,868  \(\langle \!\langle C \rangle \!\rangle {\mathtt R}^{\max =?}_{\,r}[\,{{{{\mathtt {F}}}\ }\!\!^{c} \phi }\,]\)  0.7 
100  2  750,893  122  
200  2  2,931,643  821 
A selection of experimental results for multiobjective/compositional strategy synthesis queries
Case study  SMG statistics  Strategy synthesis  

Components  States  Num. obj.s  Objective types  Accuracy  Time (s)  
uav  1  6,251  2  Exp. total, Pareto  0.1  652 
uav  1  6,251  2  Exp. total, Pareto  0.01  871 
driving [charlton]  1  501  3  Exp. total  0.001  2603 
driving [islip]  1  1,527  3  Exp. total  0.001  1968 
power [d=0]  2  7,296/7,296  3/3  Almostsure ratio  0.01  586/484 
power [d=1]  2  24,744/24,744  3/3  Almostsure ratio  0.01  3325/2377 
temp  3  1,478/1,740/1,478  3/2/3  Exp. ratio  0.05  829/69/734 
temp  3  1,478/1,740/1,478  3/2/3  Exp. ratio  0.01  860/92/2480 
Table 2 shows statistics for multiobjective strategy synthesis. The models are taken from four case studies: uav (humanintheloop UAV mission planning) [24], driving (autonomous urban driving) [16], power (aircraft power distribution) [5] and temp (temperature control) [44]; the first three are discussed in the next section.
The case studies do not all have parameters to scale the models, as in Table 1, but we show two variants of driving (using maps for two villages), and for power, we vary the switch delays d. The last two case studies are used for compositional (assumeguarantee) strategy synthesis. We do not focus on that aspect here, but simply use it as a source of multiobjective queries. The table shows the number of components (subsystems), and sizes/times are given for each one, separated by slashes in the table entries. We omit the number of players since this is 2 in all cases.
The final column shows the time required for strategy synthesis, using the same hardware as above. In addition to considering different models, we also vary the accuracy with which Pareto curves are approximated. For multiobjective strategy synthesis, we observe that performance depends on multiple factors. Again, model size affects the time (see, e.g. the power example), but the number of objectives also has a significant impact (see, e.g. the temp example) and increasing the solution accuracy also results in longer runtimes.
7 Case studies
PRISMgames has been under development since 2012 and has since then been successfully deployed to model and analyse systems across a wide range of application domains. In this section, we survey some representative examples. Further details of several of the examples can be found in [38, 40, 42, 44], and an uptodate list of case studies is maintained at the tool web site [45].
Microgrid demandside management [38] The example models a decentralised energy management protocol for smart grids that draw energy from a variety of sources. The system consists of a set of households, where each household follows a simple probabilistic protocol to execute a load if the current energy cost is below a preagreed limit, and otherwise it only executes the load with a preagreed probability. The energy cost to execute a load for a single time unit is the number of loads currently being executed in the grid. The analysis of the protocol with respect to the expected load per cost unit for a household, formulated as a singleobjective total reward property, exposed a protocol weakness. The weakness was then corrected by disincentivising noncooperative behaviour.
Humanintheloop UAV mission planning [24] This case study concerns autonomous unmanned aerial vehicles (UAV) performing road network surveillance and reacting to inputs from a human operator. The UAV performs most of the piloting functions, such as selecting the waypoints and flying the route. The human operator performs tasks such as steering the onboard sensor to capture imagery of targets, but may also pick a road for the UAV at waypoints. The optimal UAV piloting strategy depends on mission objectives, e.g. safety, reachability, coverage and operator characteristics, i.e. workload, proficiency and fatigue. The main focus of the case study is on studying a multiobjective property to analyse the tradeoff between the mission completion time and the number of visits to restricted operating zones, which have been investigated by computing Pareto sets.
Autonomous urban driving [16] An SMG model of an autonomous car is developed, which considers the car driving through an urban environment and reacting to hazards such as pedestrians, obstacles and traffic jams. The car not only decides on the reactions to hazards, which are adversarial, but also chooses the roads to take in order to reach a target location. The presence and probability of hazards are based on statistical information for the road. Through multiobjective strategy synthesis, strategies with optimal tradeoff between the probability of reaching the target location, the probability of avoiding accidents and the overall quality of roads on the route are identified.
Aircraft power distribution [5] An aircraft electrical power network is considered, where power is to be routed from generators to buses through controllable switches. The generators can exhibit failures and switches have delays. The system consists of several components, each containing buses and generators, and the components can deliver power to each other. The network is modelled as a composition of stochastic games, one for each component. These components are physically separated for reliability and hence allow limited interaction and communication. Compositional strategy synthesis is applied to find strategies with good tradeoff between uptime of buses and failure rate. By employing stochasticity, we can faithfully encode the reliability specifications in quantitative fashion, thus improving over previous results. The property is modelled as a conjunction of ratio reward properties.
Selfadaptive software architectures [10, 26] Selfadaptive software automatically adapts its structure and behaviour according to changing requirements and quantitative goals. Several selfadaptive software architectures, such as adaptive industrial middleware used to monitor and manage sensor networks in renewable energy production plants, have been modelled as stochastic games and analysed. Both single and multiobjective verification of multiplayer stochastic games has been applied to evaluate their resilience properties and synthesise proactive adaptation policies.
DNS bandwidth amplification attack [22] The Domain Name System (DNS) is an Internetwide hierarchical naming system for assigning IP addresses to domain names, and any disruption of the service can lead to serious consequences. A notable threat to DNS, namely the bandwidth amplification attack, where an attacker attempts to flood a victim DNS server with malicious traffic, is modelled as a stochastic game. Verification and strategy synthesis is used to analyse and generate countermeasures to defend against the attack.
Attack–defence scenarios in RFID goods management system [3] This case study considers complex attack–defence scenarios, such as an RFID goods management system, translating attack–defence trees to twoplayer stochastic games. Probabilistic verification is then employed to check security properties of the attack–defence scenarios and to synthesise strategies for attackers or defenders which guarantee or optimise some quantitative property. The properties considered include singleobjective properties such as the probability of a successful attack or the incurred cost, as well as their multiobjective combinations.
8 Related tools
There are a variety of probabilistic model checking tools currently available. PRISMgames builds upon components of the PRISM [32] tool, as discussed in Sect. 5. Other generalpurpose probabilistic model checkers include MRMC [31], STORM [21], the Modest Toolset [29], iscasMc [27] and PAT [39]. However, none of these provide support for stochastic games.
Other tools exist for the analysis of game models, but have a different focus to PRISMgames. For stochastic games, there is support for qualitative verification in GIST [11] and partial support in the generalpurpose game solver GAVS+ [17], but there are no tools for multiobjective or compositional analysis.
Analysis of Nash equilibria can be performed with EAGLE [41] or PRALINE [9], but only for nonstochastic games. Lastly, Uppaal Stratego [19] performs strategy synthesis against quantitative properties, but with a focus on realtime systems.
We also mention that multiobjective probabilistic verification, one of the key features of PRISMgames, is also available elsewhere for simpler models, notably Markov decision processes. This is supported by generalpurpose model checkers, such as PRISM [32] and STORM [21], and the more specialised tool MultiGain [8].
9 Conclusions and future work
PRISMgames is a tool for verification and strategy synthesis of stochastic multiplayer games. It incorporates an array of techniques to support the generation of strategies specified by a wide range of formally specified quantitative properties, including singleobjective and multiobjective variants. In this paper, we have provided an overview of the tool, from both a user perspective and in terms of the underlying implementation.
Various extensions are under development or planned for the future. Firstly, support for a wider range of temporal properties, specified in linear temporal logic (LTL), is in progress. Secondly, symbolic implementations of model checking are being added, to complement the current explicitstate version. Initially, this builds upon the existing symbolic techniques implemented in PRISM for other probabilistic models using binary decision diagrams (BDDs) and multiterminal BDDs.
Future work will investigate verification and strategy synthesis techniques for alternative gametheoretic solution concepts such as Nash equilibria and wider classes of stochastic games, such as concurrent variants and games operating under partial observability.
Notes
Acknowledgements
This work has been supported by the ERC Advanced Grant VERIWARE and the EPSRC Mobile Autonomy Programme Grant. The authors also gratefully acknowledge helpful feedback from the anonymous reviewers.
References
 1.Alur, R., Henzinger, T.: Reactive modules. In: Proceedings of 11th Annual IEEE Symposium on Logic in Computer Science (LICS’96), pp. 207–218. IEEE Computer Society Press, July 1996Google Scholar
 2.Alur, R., Henzinger, T., Kupferman, O.: Alternatingtime temporal logic. J. ACM 49(5), 672–713 (2002)MathSciNetCrossRefMATHGoogle Scholar
 3.Aslanyan, Z., Nielson, F., Parker, D.: Quantitative verification and synthesis of attack–defence scenarios. In: Proceedings of 29th IEEE Computer Security Foundations Symposium (CSF’16), pp. 105–119. IEEE (2016)Google Scholar
 4.Bagnara, R., Hill, P., Zaffanella, E.: The parma polyhedra library. Sci. Comput. Program. 72(1–2), 3–21 (2008)CrossRefMATHGoogle Scholar
 5.Basset, N., Kwiatkowska, M., Topcu, U., Wiltsche, C.: Strategy synthesis for stochastic games with multiple longrun objectives. In: Proceedings of 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’15), volume 9035 of LNCS, pp. 256–271. Springer (2015)Google Scholar
 6.Basset, N., Kwiatkowska, M., Wiltsche, C.: Compositional controller synthesis for stochastic games. In: Proceedings of 25th International Conference on Concurrency Theory (CONCUR’14), volume 8704 of LNCS, pp. 173–187. Springer (2014)Google Scholar
 7.Basset, N., Kwiatkowska, M., Wiltsche, C.: Compositional strategy synthesis for stochastic games with multiple objectives. Inf. Comput. (2017). https://doi.org/10.1016/j.ic.2017.09.010
 8.Brázdil, T., Chatterjee, K., Forejt, V., Kučera, A.: MultiGain: a controller synthesis tool for MDPs with multiple meanpayoff objectives. In: Proceedings of 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’15), volume 9035 of LNCS, pp. 181–187. Springer (2015)Google Scholar
 9.Brenguier, R.: PRALINE: a tool for computing Nash equilibria in concurrent games. In: Proceedings of 25th International Conference on Computer Aided Verification (CAV’13), volume 8044 of LNCS, pp. 890–895. Springer (2013)Google Scholar
 10.Cámara, J., Moreno, G.A. Garlan, D.: Stochastic game analysis and latency awareness for proactive selfadaptation. In: Proceedings of Software Engineering for Adaptive and SelfManaging Systems (SEAMS’14), pp. 155–164 (2014)Google Scholar
 11.Chatterjee, K., Henzinger, T. Jobstmann, B., Radhakrishna, A.: Gist: a solver for probabilistic games. In: Proceedings of 22nd International Conference on Computer Aided Verification (CAV’10), LNCS, pp. 665–669. Springer (2010)Google Scholar
 12.Chen, T., Forejt, V., Kwiatkowska, M., Parker, D., Simaitis, A.: Automatic verification of competitive stochastic systems. Form. Methods Syst. Des. 43(1), 61–92 (2013)CrossRefMATHGoogle Scholar
 13.Chen, T., Forejt, V., Kwiatkowska, M., Parker, D., Simaitis, A.: PRISMgames: a model checker for stochastic multiplayer games. In: Proc. 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’13), volume 7795 of LNCS, pp. 185–191. Springer (2013)Google Scholar
 14.Chen, T., Forejt, V., Kwiatkowska, M., Simaitis, A., Wiltsche, C.: On stochastic games with multiple objectives. In: Proceedings of 38th International Symposium on Mathematical Foundations of Computer Science (MFCS’13), volume 8087 of LNCS, pp. 266–277. Springer (2013)Google Scholar
 15.Chen, T., Kwiatkowska, M., Parker, D., Simaitis, A.: Verifying team formation protocols with probabilistic model checking. In: Proceedings of 12th International Workshop on Computational Logic in MultiAgent Systems (CLIMA XII 2011), volume 6814 of LNCS, pp. 190–297. Springer (2011)Google Scholar
 16.Chen, T., Kwiatkowska, M., Simaitis, A., Wiltsche, C.: Synthesis for multiobjective stochastic games: an application to autonomous urban driving. In: Proceedings of 10th International Conference on Quantitative Evaluation of Systems (QEST’13), volume 8054 of LNCS, pp. 322–337. Springer (2013)Google Scholar
 17.Cheng, C., Knoll, A., Luttenberger, M., Buckl, C.: GAVS+: an open platform for the research of algorithmic game solving. In: Proceedings of 17th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’11), pp. 258–261. Springer (2011)Google Scholar
 18.Condon, A.: On algorithms for simple stochastic games. Adv. Comput. Complex. Theory DIMACS Ser. Discrete Math. Theor. Comput. Sci. 13, 51–73 (1993)MathSciNetMATHGoogle Scholar
 19.David, A., Jensen, P.G., Larsen, K.G., Mikucionis, M., Taankvist, J.H.: Uppaal stratego. In: Proceedings of 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’15), volume 9035 of LNCS, pp. 206–211. Springer (2015)Google Scholar
 20.de Alfaro, L.: Formal verification of probabilistic systems. Ph.D. thesis, Stanford University (1997)Google Scholar
 21.Dehnert, C., Junges, S., Katoen, J.P., Volk, M.: A Storm is coming: a modern probabilistic model checker. In: Proceedings of 29th International Conference on Computer Aided Verification (CAV’17) (2017)Google Scholar
 22.Deshpande, T., Katsaros, P., Smolka, S., Stoller, S.: Stochastic gamebased analysis of the DNS bandwidth amplification attack using probabilistic model checking. In: Proceedings of European Dependable Computing Conference (EDCC’14), pp. 226–237 (2014)Google Scholar
 23.Etessami, K., Kwiatkowska, M., Vardi, M., Yannakakis, M.: Multiobjective model checking of Markov decision processes. Logical Methods Comput. Sci. 4(4), 1–21 (2008)MathSciNetMATHGoogle Scholar
 24.Feng, L., Wiltsche, C., Humphrey, L., Topcu, U.: Controller synthesis for autonomous systems interacting with human operators. In: Proceedings of IEEE/ACM International Conference on CyberPhysical Systems (ICCPS’15), pp. 70–79 (2015)Google Scholar
 25.Forejt, V., Kwiatkowska, M., Norman, G., Parker, D.: Automated verification techniques for probabilistic systems. In: Bernardo, M., Issarny, V. (eds.) Formal Methods for Eternal Networked Software Systems (SFM’11), Volume 6659 of LNCS, pp. 53–113. Springer, Berlin (2011)CrossRefGoogle Scholar
 26.Glazier, T., Camara, J., Schmerl, B., Garlan, D.: Analyzing resilience properties of different topologies of collective adaptive systems. In: Proceedings of SelfAdaptive and SelfOrganizing Systems Workshops (SASOW’15), pp. 55–60 (2015)Google Scholar
 27.Hahn, E.M., Li, Y., Schewe, S., Turrini, A., Zhang, L.: iscasMc: a webbased probabilistic model checker. In: Proceedings of 19th International Symposium on Formal Methods (FM’14), pp. 312–317 (2014)Google Scholar
 28.Hansson, H., Jonsson, B.: A logic for reasoning about time and reliability. Form. Asp. Comput. 6(5), 512–535 (1994)CrossRefMATHGoogle Scholar
 29.Hartmanns, A., Hermanns, H.: The modest toolset: an integrated environment for quantitative modelling and verification. In: Proceedings of 20th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’14), volume 8413 of LNCS, pp. 593–598. Springer (2014)Google Scholar
 30.Huber, B., Rambau, J., Santos, F.: The Cayley trick, lifting subdivisions and the BohneDress theorem on zonotopal tilings. JEMS 2, 179–198 (1999)MathSciNetCrossRefMATHGoogle Scholar
 31.Katoen, J.P., Zapreev, I., Hahn, E.M., Hermanns, H., Jansen, D.: The ins and outs of the probabilistic model checker MRMC. Perform. Eval. 68(2), 90–104 (2011)CrossRefGoogle Scholar
 32.Kwiatkowska, M., Norman, G., Parker, D.: PRISM 4.0: verification of probabilistic realtime systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) Proceedings of 23rd International Conference on Computer Aided Verification (CAV’11), volume 6806 of LNCS, pp, 585–591. Springer (2011)Google Scholar
 33.Kwiatkowska, M., Norman, G., Parker, D., Qu, H.: Compositional probabilistic verification through multiobjective model checking. Inf. Comput. 232, 38–65 (2013)MathSciNetCrossRefMATHGoogle Scholar
 34.Kwiatkowska, M., Parker, D., Wiltsche, C.: PRISMgames 2.0: a tool for multiobjective strategy synthesis for stochastic games. In: Proceedings of 22nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’16), LNCS. Springer (2016)Google Scholar
 35.McIver, A., Morgan, C.: Results on the quantitative mucalculus qMu. ACM Trans. Comput. Logic 8(1), 3 (2007)CrossRefMATHGoogle Scholar
 36.Segala, R.: Modelling and verification of randomized distributed real time systems. Ph.D. thesis, Massachusetts Institute of Technology (1995)Google Scholar
 37.Shapley, L.S.: Stochastic games. PNAS 39(10), 1095 (1953)MathSciNetCrossRefMATHGoogle Scholar
 38.Simaitis, A.: Automatic verification of competitive stochastic systems. Ph.D. thesis, Department of Computer Science, University of Oxford (2014)Google Scholar
 39.Sun, J., Liu, Y., Dong, J.S., Pang. J.: PAT: towards flexible verification under fairness. In: Proceedings of 21st International Conference on Computer Aided Verification (CAV’09), volume 5643 of LNCS, pp. 709–714. Springer (2009)Google Scholar
 40.Svorenova, M., Kwiatkowska, M.: Quantitative verification and strategy synthesis for stochastic games. Eur. J. Control 30, 15–30 (2016)MathSciNetCrossRefMATHGoogle Scholar
 41.Toumi, A., Gutierrez, J., Wooldridge, M.: A tool for the automated verification of Nash equilibria in concurrent games. In: Proceedings of 12th International Colloquium on Theoretical Aspects of Computing (ICTAC’15), volume 9399 of LNCS, pp. 583–594. Springer (2015)Google Scholar
 42.Ujma, M.: On verification and controller synthesis for probabilistic systems at runtime. Ph.D. thesis, University of Oxford (2015)Google Scholar
 43.Weibel, C.: Minkowski sums of polytopes: combinatorics and computation. Ph.D. thesis, École Polytechnique Fédérale de Lausanne (2007)Google Scholar
 44.Wiltsche, C.: Assumeguarantee strategy synthesis for stochastic games. Ph.D. thesis, University of Oxford (2015)Google Scholar
 45.PRISMgames website. www.prismmodelchecker.org/games/
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.