Illustration of the model checking technique

A DTMC of a gambler at a roulette game

The statistical model checking process

Examples of stochastic real-time BIP components

3.3 Computation of upper and lower bounds in the case of timed interactions

Shifting and normalizing a Normal density function in the case of stochastic interactions

Example of an SRT-BIP component with discrete probabilities

Code generation process for RT-BIP models

Functional view of the stochastic simulation engine

3.10 Rejection sampling from a normal distribution N(3, 1) truncated at time t = 2. Random points are generated in the non-dashed area. The green area represents the accepted points and the light gray one identifies the rejected ones

Sequence diagram of the simulation algorithm

Probabilistic strategy with uniform choice

Identifying empty intervals with time-split operation

The three APTA models for the sample S

Degrees of generalization of the learned language L(H ? ) with respect to the target language L(H)

Experimental setup to validate the improved learning procedure

CSMA/CD communication medium model for a 2-station network

Example of a model transformation

Screenshot of SBIP graphical user interface

5.10 Screenshots of the rare events workflow

Simplified package diagram of the SBIP tool

Considered FireWire topologies

Stochastic real-time BIP: Components of the FireWire Protocol

Probability of ? 1 (top) and ? 2 (bottom) for different FireWire topologies

Bluetooth model with two devices

Probability of properties ? 5 (left and middle) and ? 6 (right)

A concurrency model with three components sharing a single resource

Detailed processing times for different trace sizes

Design approach based on formal methods integrating quantitative risk assessment where: ? denotes model transformation, i is the index of the number of performed steps, j is the index for the number of explored models within a step bounded by n_i, and k is the number of iterative transformations performed on a model. Initially i is set to 0, and j and k to 1

The Bridget Rover (courtesy of Airbus Defense and Space UK)

Overview of the case study software architecture

Library of components and their behavior: triggers represented with triangle ( ) and queues represented with square ( ) in Fig

Faults, fault detection and standard recovery action are represented in red, more complex recovery strategy in blue, and deployment-specific actions in dark green

Probability and runtime of ? 9 for the model including fault2

Probability and runtime of ? 9 for the model including fault3

SBIP results for the deployed model including transmission delays

Parametric exploration of ? 11 (left) and ? 12 (right) on the deployed model with transmission delays

Parametric exploration of ? 13 on the deployed model with transmission delays

7.14 SMC results for the deployed model with command losses

SMC results for the deployed model with writing delays

Proposed workflow for risk assessment based on model learning and strategies exploration

Workflow of IEGA with a population of N individuals over M generations

Illustration of Pareto dominance ranking on a population of 10 individuals

Results obtained with IO-Def on different case studies

8.10 Scenario graph of the network intrusion obtained with IOALERGIA

Scenario graph of the network intrusion with uncertainty using explicit output encoding

ORGA case study description

Resetting a BGP session description

A Malicious Insider attack (MI) description

SCADA system description

2.2 Example of temporal logics and their distinguishing features

Distinguishing features of the state-of-the-art

Accuracy results for the synthetic benchmarks with the four APTAs

Experimental results for CSMA/CD using the four APTA models

Comparison table of the state-of-the-art

Parameters for the pacemaker and the heart models

Results of IP on the concurrency model

Summary of performance

Requirements of the planetary robotics case study at the different levels of granularity of system design

Results obtained with the SBIP framework on the system design with faults and with respect to requirements from Table 7.1. n * ? refers to the parameter value for which ?(n) is satisfied with probability 1

Proportion of non-deterministic stop commands when increasing MTD

8.2 IEGA results with various defense configurations on ORGA benchmark

IEGA results with various defense configurations on BGP

Strategy synthesis using Prism and IEGA with/without IDS penalty

ANTLR web page, pp.2019-2021

ESROCOS Planetary Exploration Demonstrator

ESROCOS project

R. E. Bryant, Graph-based algorithms for boolean function manipulation, IEEE Transactions on Computers, vol.C-35, issue.8, pp.677-691, 1986.

R. Aarenstrup, Managing model-based design, 2015.

T. Abdellatif, S. Bensalem, J. Combaz, L. de Silva, and F. Ingrand, Rigorous design of robot software: A formal component-based approach, Robotics and Autonomous Systems, vol.60, issue.12, pp.1563-1578, 2012.
URL : https://hal.archives-ouvertes.fr/hal-01980036

T. Abdellatif, J. Combaz, and J. Sifakis, Rigorous implementation of real-time systems - from theory to application, Mathematical Structures in Computer Science, vol.23, issue.4, pp.882-914, 2013.

G. Agha and K. Palmskog, A survey of statistical model checking, ACM Transactions on Modeling and Computer Simulation (TOMACS), vol.28, issue.1, p.6, 2018.

B. K. Aichernig, P. Bauerstätter, E. Jöbstl, S. Kann, R. Korošec et al., Learning and statistical model checking of system response times, Software Quality Journal, 2019.

R. Alur, C. Courcoubetis, and D. Dill, Model-checking in dense real-time, vol.104, pp.2-34, 1993.

R. Alur and D. L. Dill, A theory of timed automata, Theor. Comput. Sci, vol.126, issue.2, pp.183-235, 1994.

R. Alur, T. Feder, and T. A. Henzinger, The benefits of relaxing punctuality, 1994.

D. Angluin, Learning regular sets from queries and counterexamples. Information and computation, vol.75, pp.87-106, 1987.

S. Arora, A. Legay, T. Richmond, and L. Traonouez, Statistical model checking of incomplete stochastic systems, International Symposium on Leveraging Applications of Formal Methods, pp.354-371, 2018.
URL : https://hal.archives-ouvertes.fr/hal-02011309

S. Arry and A. Kaur, Article: Formal verification of device discovery mechanism using uppaal, International Journal of Computer Applications, vol.58, issue.19, pp.32-37, 2012.

C. Baier, B. Haverkort, H. Hermanns, and J. Katoen, Model checking continuous-time markov chains by transient analysis, International Conference on Computer Aided Verification, pp.358-372, 2000.

C. Baier and J. Katoen, Principles of model checking, 2008.

G. H. Baker and A. Berg, Supervisory control and data acquisition (SCADA) systems, The Critical Infrastructure Protection Report, vol.1, issue.6, pp.5-6, 2002.

T. Ball and S. K. Rajamani, The SLAM toolkit, International Conference on Computer Aided Verification, pp.260-264, 2001.

P. Ballarini, B. Barbot, M. Duflot, S. Haddad, and N. Pekergin, Hasl: A new approach for performance evaluation and model checking from concepts to experimentation, Performance Evaluation, vol.90, pp.53-77, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01221815

B. W. Boehm, Software engineering economics, 1981.

D. Basile, M. H. Ter-beek, and V. Ciancia, Statistical model checking of a moving block railway signalling scenario with uppaal smc, Leveraging Applications of Formal Methods, Verification and Validation. Verification, pp.372-391, 2018.

A. Basu, S. Bensalem, M. Bozga, B. Caillaud, B. Delahaye, and A. Legay, Statistical abstraction and model-checking of large heterogeneous systems, Formal Techniques for Distributed Systems, pp.32-46, 2010.

A. Basu, M. Bozga, and J. Sifakis, Modeling heterogeneous real-time components in bip, Proceedings of the Fourth IEEE International Conference on Software Engineering and Formal Methods, SEFM'06, pp.3-12, 2006.
URL : https://hal.archives-ouvertes.fr/hal-00375298

M. Batteux, T. Prosvirnova, A. Rauzy, and L. Kloul, The AltaRica 3.0 project for model-based safety assessment, 11th IEEE International Conference on Industrial Informatics, INDIN 2013, pp.741-746, 2013.
URL : https://hal.archives-ouvertes.fr/hal-01239379

S. Bensalem, L. de Silva, A. Griesmayer, F. Ingrand, A. Legay et al., A Formal Approach for Incremental Construction with an Application to Autonomous Robotic Systems, Software Composition - 10th International Conference, pp.116-132, 2011.

S. Bensalem, B. Delahaye, and A. Legay, Statistical model checking: Present and future, 2010.

N. Bertrand, P. Bouyer, T. Brihaye, Q. Menet, C. Baier et al., Stochastic timed automata, 2014.
URL : https://hal.archives-ouvertes.fr/hal-01102368

A. Biere, A. Cimatti, E. M. Clarke, O. Strichman, and Y. Zhu, Bounded model checking, Advances in computers, vol.58, issue.11, pp.117-148, 2003.

B. Bittner, M. Bozzano, R. Cavada, A. Cimatti, M. Gario et al., The xSAP Safety Analysis Platform, TACAS 2016, pp.533-539, 2016.

B. Bittner, M. Bozzano, A. Cimatti, R. De-ferluc, M. Gario et al., An Integrated Process for FDIR Design in Aerospace, IMBSA 2014, pp.82-95, 2014.

H. Bohnenkamp, P. R. D'Argenio, H. Hermanns, and J.-P. Katoen, Modest: A compositional modeling formalism for hard and softly timed systems, IEEE Transactions on Software Engineering, vol.32, issue.10, pp.812-830, 2006.

B. Bollig, P. Habermehl, C. Kern, and M. Leucker, Angluin-style learning of nfa, IJCAI, vol.9, pp.1004-1009, 2009.
URL : https://hal.archives-ouvertes.fr/hal-00772636

P. Bouyer, N. Markey, J. Ouaknine, and J. Worrell, On expressiveness and complexity in real-time model checking, Automata, Languages and Programming, pp.124-135, 2008.
URL : https://hal.archives-ouvertes.fr/hal-01194597

M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis et al., Kronos: A model-checking tool for real-time systems, International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems, pp.298-302, 1998.
URL : https://hal.archives-ouvertes.fr/hal-00374788

T. Brázdil, J. Krčál, J. Křetínský, and V. Řehák, Fixed-Delay Events in Generalized Semi-Markov Processes Revisited, pp.140-155, 2011.

L. Bu, D. Peled, D. Shen, and Y. Zhuang, Genetic synthesis of concurrent code using model checking and statistical model checking, International Symposium on Model Checking Software, pp.275-291, 2018.

P. E. Bulychev, A. David, K. G. Larsen et al., Rewrite-based statistical model checking of WMTL, RV, vol.7687, pp.260-275, 2012.

J. W. Butts, R. F. Mills, and R. O. Baldwin, Developing an insider threat model using functional decomposition, International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, pp.412-417, Springer, 2005.

R. C. Carrasco and J. Oncina, Learning stochastic regular grammars by means of a state merging method, International Colloquium on Grammatical Inference, pp.139-152, 1994.

E. Cavalcante, J. Quilbeuf, L. Traonouez, F. Oquendo, T. Batista et al., Statistical model checking of dynamic software architectures, European Conference on Software Architecture, pp.185-200, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01390707

F. Cérou and A. Guyader, Adaptive multilevel splitting for rare event analysis, Stochastic Analysis and Applications, vol.25, issue.2, pp.417-443, 2007.

Y. Chen and T. D. Nielsen, Active learning of Markov decision processes for system verification, Machine Learning and Applications (ICMLA), 2012 11th International Conference on, vol.2, pp.289-294, 2012.

E. M. Clarke and E. A. Emerson, Design and synthesis of synchronization skeletons using branching time temporal logic, Workshop on Logic of Programs, pp.52-71, 1981.

E. M. Clarke, E. A. Emerson, S. Jha, and A. P. Sistla, Symmetry reductions in model checking, International Conference on Computer Aided Verification, pp.147-158, 1998.

E. M. Clarke, A. Emerson, and A. Sistla, Automatic verification of finite-state concurrent systems using temporal logic specifications, vol.8, pp.244-263, 1986.

J. M. Cobleigh, D. Giannakopoulou, and C. S. Păsăreanu, Learning assumptions for compositional verification, International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp.331-346, 2003.

WASC: The Web Application Security Consortium. Web application security statistics, 2008.

S. Convery, D. Cook, and M. Franz, An attack tree for the border gateway protocol, 2002.

P. Cousot and R. Cousot, Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, Proceedings 4th ACM Symp. Principles Prog. Lang, pp.238-252, 1977.

P. D'Argenio, A. Legay, S. Sedwards, and L. Traonouez, Smart Sampling for Lightweight Verification of Markov Decision Processes, International Journal on Software Tools for Technology Transfer, vol.17, issue.4, pp.469-484, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01088633

A. David, K. Larsen, A. Legay, M. Mikučionis, and Z. Wang, Time for statistical model checking of real-time systems, Computer Aided Verification, pp.349-355, 2011.

A. David, K. G. Larsen, A. Legay, M. Mikučionis, and D. B. Poulsen, Uppaal SMC tutorial, International Journal on Software Tools for Technology Transfer, vol.17, issue.4, pp.397-415, 2015.

A. David, K. G. Larsen, A. Legay, M. Mikučionis, D. B. Poulsen et al., Statistical model checking for biological systems, International Journal on Software Tools for Technology Transfer, vol.17, issue.3, pp.351-367, 2015.

C. De-la-higuera, Grammatical inference: learning automata and grammars, 2010.
URL : https://hal.archives-ouvertes.fr/hal-00476128

A. de Matos Pedro, P. A. Crocker, and S. M. de Sousa, Learning Stochastic Timed Automata from Sample Executions, pp.508-523, 2012.

A. Desai, S. Qadeer, and S. A. Seshia, Programming Safe Robotics Systems: Challenges and Advances, International Symposium on Leveraging Applications of Formal Methods, pp.103-119, 2018.

I. Dragomir, ESROCOS Planetary Exploration Demonstrator: the Watchdog component in TASTE and BIP

I. Dragomir, S. Iosti, M. Bozga, and S. Bensalem, Designing Systems with Detection and Reconfiguration Capabilities: A Formal Approach, Leveraging Applications of Formal Methods, Verification and Validation -8th International Symposium, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01896605

Y. Duplouy, Applying Formal Methods to Autonomous Vehicle Control. Theses, 2018.
URL : https://hal.archives-ouvertes.fr/tel-01960966

P. R. D'Argenio, A. Hartmanns, and S. Sedwards, Lightweight statistical model checking in nondeterministic continuous time, International Symposium on Leveraging Applications of Formal Methods, pp.336-353, 2018.

K. S. Edge, G. C. Dalton, R. A. Raines et al., Using attack and protection trees to analyze threats and defenses to homeland security, Military Communications Conference, 2006. MILCOM 2006. IEEE, pp.1-7, 2006.

R. El Ballouli, S. Bensalem, M. Bozga, and J. Sifakis, Four exercises in programming dynamic reconfigurable systems: methodology and solution in DR-BIP, International Symposium on Leveraging Applications of Formal Methods, pp.304-320, Springer, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01888571

E. A. Emerson and K. S. Namjoshi, Verification of a parameterized bus arbitration protocol, International Conference on Computer Aided Verification, pp.452-463, Springer, 1998.

E. A. Feinberg and A. Shwartz, Handbook of Markov decision processes: methods and applications, vol.40, 2012.

B. Finkbeiner and H. Sipma, Checking finite traces using alternating automata, Formal Methods in System Design, vol.24, issue.2, pp.101-127, 2004.

M. Foughali, B. Berthomieu, S. D. Zilio, P. Hladik, F. Ingrand et al., Formal Verification of Complex Robotic Systems on Resource-Constrained Platforms, FormaliSE: 6th International Conference on Formal Methods in Software Engineering, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01778960

S. Fujiwara, F. Bochmann, M. Khendek, A. Amalou, and . Ghedamsi, Test selection based on finite state models, IEEE Transactions on software engineering, vol.17, issue.6, pp.591-603, 1991.

O. Gadyatskaya, R. R. Hansen, K. G. Larsen, A. Legay, M. C. Olesen, and D. B. Poulsen, Modelling attack-defense trees using timed automata, International Conference on Formal Modeling and Analysis of Timed Systems, pp.35-50, 2016.

A. Gallego, D. López, and J. Calera-rubio, Grammatical inference of directed acyclic graph languages with polynomial time complexity, Journal of Computer and System Sciences, vol.95, pp.19-34, 2018.

P. Garcia, E. Vidal, and J. Oncina, Learning locally testable languages in the strict sense, ALT, pp.325-338, 1990.

S. Gerwinn, E. Möhlmann, and A. Sieper, Statistical Model Checking for Scenario-Based Verification of ADAS, pp.67-87, 2019.

P. W. Glynn, A GSMP formalism for discrete event systems, Proceedings of the IEEE, vol.77, pp.14-23, 1989.

P. Godefroid, Using partial orders to improve automatic verification methods, International Conference on Computer Aided Verification, pp.176-185, 1990.

E. Gold, Complexity of automaton identification from given data, Information and control, vol.37, issue.3, pp.302-320, 1978.

J. Y. Halpern and M. Y. Vardi, Model checking vs. theorem proving: a manifesto, Artificial intelligence and mathematical theory of computation, vol.212, pp.151-176, 1991.

M. Harchol-Balter and A. Downey, Exploiting process lifetime distributions for dynamic load balancing, ACM Transactions on Computer Systems (TOCS), vol.15, issue.3, pp.253-285, 1997.

T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre, Software verification with BLAST, International SPIN Workshop on Model Checking of Software, pp.235-239, 2003.

T. Hérault, R. Lassaigne, F. Magniette, and S. Peyronnet, Approximate Probabilistic Model Checking, International Conference on Verification, Model Checking, and Abstract Interpretation, VMCAI'04, pp.73-84, 2004.

G. J. Holzmann, The model checker spin, IEEE Transactions on software engineering, vol.23, issue.5, pp.279-295, 1997.

F. Howar and B. Steffen, Active automata learning in practice, Machine Learning for Dynamic Software Analysis: Potentials and Limits, pp.123-148, 2018.

SANS ICS, Analysis of the cyber attack on the Ukrainian power grid, p.25, 2016.

M. Isberner, F. Howar, and B. Steffen, The TTT algorithm: a redundancy-free approach to active automata learning, International Conference on Runtime Verification, pp.307-322, 2014.

Risk management - guidelines. Standard, International Organization for Standardization, 2018.

C. Jegourel, Rare event simulation for statistical model checking, 2014.
URL : https://hal.archives-ouvertes.fr/hal-01088479

C. Jegourel, K. G. Larsen, A. Legay, M. Mikučionis, D. B. Poulsen, and S. Sedwards, Importance Sampling for Stochastic Timed Automata, pp.163-178, 2016.

C. Jegourel, A. Legay, and S. Sedwards, Cross-entropy optimisation of importance sampling parameters for statistical model checking, International Conference on Computer Aided Verification, pp.327-342, 2012.
URL : https://hal.archives-ouvertes.fr/hal-01087341

C. Jegourel, A. Legay, and S. Sedwards, A platform for high performance statistical model checking -plasma, Proceedings of the 18th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS'12, pp.498-503, 2012.
URL : https://hal.archives-ouvertes.fr/hal-01087824

C. Jegourel, A. Legay, and S. Sedwards, Importance splitting for statistical model checking rare properties, CAV, vol.13, pp.576-591, 2013.
URL : https://hal.archives-ouvertes.fr/hal-01087826

C. Jegourel, J. Sun, and J. S. Dong, Sequential schemes for frequentist estimation of properties in statistical model checking, International Conference on Quantitative Evaluation of Systems, pp.333-350, 2017.

Z. Jiang, M. Pajic, S. Moarref, R. Alur, and R. Mangharam, Modeling and verification of a dual chamber implantable pacemaker. Tools and Algorithms for the Construction and Analysis of Systems, pp.188-203, 2012.

M. Kanovich, T. Ban Kirigin, V. Nigam, A. Scedrov, and C. Talcott, Discrete vs. dense times in the analysis of cyber-physical security protocols, Principles of Security and Trust, pp.259-279, 2015.

J.-P. Katoen, I. S. Zapreev, E. M. Hahn, H. Hermanns, and D. N. Jansen, The ins and outs of the probabilistic model checker MRMC, Performance Evaluation, vol.68, pp.90-104, 2011.

R. M. Keller, Formal verification of parallel programs, Communications of the ACM, vol.19, issue.7, pp.371-384, 1976.

B. Kordy, S. Mauw, S. Radomirović, and P. Schweitzer, Foundations of attack-defense trees, International Workshop on Formal Aspects in Security and Trust, pp.80-95, 2010.

R. Koymans, Specifying real-time properties with metric temporal logic. Real-Time Systems, vol.2, pp.255-299, 1990.

D. P. Kroese and R. Y. Rubinstein, Monte Carlo methods, Wiley Interdisciplinary Reviews: Computational Statistics, vol.4, issue.1, pp.48-58, 2012.

V. G. Kulkarni, Introduction to Modeling and Analysis of Stochastic Systems, 2011.

V. G. Kulkarni, Modeling and analysis of stochastic systems, 2016.

N. Kumar, K. Sen, J. Meseguer, and G. Agha, A rewriting based model for probabilistic distributed object systems, FMOODS, pp.32-46, 2003.

M. Kwiatkowska, G. Norman, and D. Parker, Prism 4.0: verification of probabilistic real-time systems, Proceedings of the 23rd international conference on Computer aided verification, CAV'11, pp.585-591, 2011.
URL : https://hal.archives-ouvertes.fr/hal-00648035

M. Kwiatkowska, G. Norman, R. Segala, and J. Sproston, Automatic verification of real-time systems with discrete probability distributions, Theoretical Computer Science, vol.282, issue.1, pp.101-150, 2002.

M. Kwiatkowska, G. Norman, J. Sproston, and F. Wang, Symbolic model checking for probabilistic timed automata, Information and Computation, vol.205, issue.7, pp.1027-1077, 2007.

K. J. Lang, B. A. Pearlmutter, and R. A. Price, Results of the Abbadingo One DFA learning competition and a new evidence-driven state merging algorithm, International Colloquium on Grammatical Inference, pp.1-12, 1998.

A. Legay, B. Delahaye, and S. Bensalem, Statistical model checking: An overview, International conference on runtime verification, pp.122-135, 2010.
URL : https://hal.archives-ouvertes.fr/inria-00591593

A. Legay, D. Nowotka, D. B. Poulsen, and L. Traonouez, Statistical model checking of LLVM code, Formal Methods, pp.542-549, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01640097

M. Lindahl, P. Pettersson, and W. Yi, Formal design and analysis of a gear controller, International Journal on Software Tools for Technology Transfer (STTT), vol.3, issue.3, pp.353-368, 2001.

A. Maier, A. Vodencarevic, O. Niggemann, R. Just, and M. Jaeger, Anomaly detection in production plants using timed automata, 8th International Conference on Informatics in Control, Automation and Robotics (ICINCO), pp.363-369, 2011.

O. Maler and D. Nickovic, Monitoring temporal properties of continuous signals, Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems, pp.152-166, 2004.

H. Mao, Y. Chen, M. Jaeger, T. D. Nielsen et al., Learning probabilistic automata for model checking, Quantitative Evaluation of Systems (QEST), pp.111-120, 2011.

H. Mao, Y. Chen, M. Jaeger, T. D. Nielsen et al., Learning Markov decision processes for model checking, 2012.

S. Mauw and M. Oostdijk, Foundations of attack trees, International Conference on Information Security and Cryptology, pp.186-198, 2005.

F. Mayr and S. Yovine, Regular inference on artificial neural networks, Machine Learning and Knowledge Extraction, pp.350-369, 2018.
URL : https://hal.archives-ouvertes.fr/hal-02060043

K. L. McMillan, Symbolic model checking, Symbolic Model Checking, pp.25-60, 1993.

B. L. Mediouni, S. Niar, R. Benmansour, K. Benatchba, and M. Koudil, A bi-objective heuristic for heterogeneous MPSoC design space exploration, Design & Test Symposium (IDT), 2015 10th International, pp.90-95, 2015.

B. L. Mediouni, A. Nouri, M. Bozga, and S. Bensalem, Improved learning for stochastic timed models by state-merging algorithms, NASA Formal Methods Symposium, pp.178-193, 2017.

B. L. Mediouni, A. Nouri, M. Bozga, M. Dellabani, A. Legay, and S. Bensalem, SBIP 2.0: Statistical Model Checking Stochastic Real-Time Systems, Automated Technology for Verification and Analysis - 16th International Symposium, ATVA 2018, pp.536-542, 2018.

B. L. Mediouni, A. Nouri, M. Bozga, A. Legay, and S. Bensalem, Mitigating security risks through attack strategies exploration, International Symposium On Leveraging Applications of Formal Methods, Verification and Validation, 2018.

S. Mitsch, K. Ghorbal, D. Vogelbacher, and A. Platzer, Formal verification of obstacle avoidance and navigation of ground robots, The International Journal of Robotics Research, vol.36, issue.12, pp.1312-1340, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01658197

J. Moerman, M. Sammartino, A. Silva, B. Klin, and M. Szynwelski, Learning nominal automata, 2016.

M. Munoz, G. Montano, M. Wirkus, K. Hoeflinger, D. Silveira et al., ESROCOS: a Robotic Operating System for Space and Terrestrial Applications, Symposium on Advanced Space Technologies in Robotics and Automation (ASTRA) 2017, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01709676

A. Nouri, S. Bensalem, M. Bozga, B. Delahaye, C. Jegourel et al., Statistical model checking QoS properties of systems with SBIP, Int. J. Softw. Tools Technol. Transf. (STTT), vol.17, issue.2, pp.171-185, 2015.
URL : https://hal.archives-ouvertes.fr/hal-00847827

A. Nouri, M. Bozga, A. Molnos, A. Legay, and S. Bensalem, Astrolabe: A rigorous approach for system-level performance modeling and analysis, vol.15, p.31, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01406474

A. Nouri, B. L. Mediouni, M. Bozga, J. Combaz, S. Bensalem et al., Performance evaluation of stochastic real-time systems with the SBIP framework, International Journal of Critical Computer-Based Systems, vol.8, issue.3-4, pp.340-370, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01898426

J. Ocon, F. Colemenero, J. Estremera, K. Buckley, M. Alonso et al., The ERGO framework and its use in planetary/orbital scenarios, International Astronautical Congress (IAC), 2018.

M. Okamoto, Some inequalities relating to the partial sum of binomial probabilities, Annals of the institute of Statistical Mathematics, vol.10, issue.1, pp.29-35, 1959.

J. Oncina and P. Garcia, Identifying regular languages in polynomial time, Advances in Structural and Syntactic Pattern Recognition, pp.99-108, 1992.

J. Ouaknine and J. Worrell, Safety metric temporal logic is fully decidable, Tools and Algorithms for the Construction and Analysis of Systems, pp.411-425, 2006.

J. Ouaknine and J. Worrell, Some recent results in metric temporal logic, Formal Modeling and Analysis of Timed Systems, pp.1-13, 2008.

D. Peled, M. Y. Vardi, and M. Yannakakis, Black box checking, Formal Methods for Protocol Engineering and Distributed Systems, pp.225-240, 1999.

A. Pnueli, The temporal logic of programs, 18th Annual Symposium on Foundations of Computer Science (sfcs 1977), pp.46-57, 1977.

J.-P. Queille and J. Sifakis, Specification and verification of concurrent systems in CESAR, International Symposium on Programming, pp.337-351, 1982.

J. Quilbeuf, M. Barbier, L. Rummelhard, C. Laugier, A. Legay et al., Statistical model checking applied on perception and decision-making systems for autonomous driving, 10th Workshop on Planning, Perception and Navigation for Intelligent Vehicles at the IEEE International Conference on Intelligent Robots and Systems, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01888556

J. Quilbeuf, E. Cavalcante, L. Traonouez, F. Oquendo, T. Batista et al., A Logic for the Statistical Model Checking of Dynamic Software Architectures, ISoLA, volume 9952 of Leveraging Applications of Formal Methods, Verification and Validation: Foundational Techniques, pp.806-820, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01387429

A. Roy, D. S. Kim, and K. Trivedi, Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees, vol.5, pp.929-943, 2012.

E. Ruijters, D. Guck, P. Drolenga, and M. Stoelinga, Fault maintenance trees: reliability centered maintenance via statistical model checking, 2016 Annual Reliability and Maintainability Symposium (RAMS), pp.1-6, 2016.

K. Sen, M. Viswanathan, and G. Agha, Learning continuous time markov chains from sample executions, Proceedings of the The Quantitative Evaluation of Systems, First International Conference, QEST '04, pp.146-155, 2004.

K. Sen, M. Viswanathan, and G. A. Agha, Vesta: A statistical model-checker and analyzer for probabilistic systems, International Conference on the Quantitative Evaluation of Systems, QEST'05, pp.251-252, 2005.

B. Steffen, F. Howar, and M. Merten, Introduction to active automata learning from a practical perspective, International School on Formal Methods for the Design of Computer, Communication and Software Systems, pp.256-296, 2011.
URL : https://hal.archives-ouvertes.fr/hal-00647729

F. Thollard, P. Dupont, and C. De-la-higuera, Probabilistic dfa inference using kullback-leibler divergence and minimality, ICML, pp.975-982, 2000.

T. Tosun, G. Jing, H. Kress-gazit, and M. Yim, Computer-aided compositional design and verification for modular robots, Robotics Research, pp.237-252, 2018.

S. E. Verwer, Efficient identification of timed automata: Theory and practice, 2010.

A. Wald, Sequential tests of statistical hypotheses, Annals of Mathematical Statistics, vol.16, issue.2, pp.117-186, 1945.

A. Wald, Statistical decision functions, 1950.

N. Walkinshaw, R. Taylor, and J. Derrick, Inferring extended finite state machine models from software executions, Empirical Software Engineering, vol.21, issue.3, pp.811-853, 2016.

A. Wander and R. Förstner, Innovative Fault Detection, Isolation and Recovery Strategies On-board Spacecraft: State of the Art and Research Challenges, 2012.

P. Wang, W. Lin, P. Kuo, H. Lin, and T. Wang, Threat risk analysis for cloud security based on attack-defense trees, Computing Technology and Information Management (ICCM), 2012 8th International Conference on, vol.1, pp.106-111, 2012.

Y. Wang, S. Nalluri, B. Bonakdarpour, and M. Pajic, Statistical model checking for probabilistic hyperproperties, 2019.

J. M. Wing, Scenario graphs applied to network security, Information assurance: survivability and security in networked systems, pp.247-277, 2008.

N. Yang, K. Aslam, R. Schiffelers, L. Lensink, D. Hendriks et al., Improving model inference in industry by combining active and passive learning, IEEE International Conference on Software Analysis, Evolution, and Reengineering, 2018.

H. L. S. Younes, Verification and Planning for Stochastic Processes with Asynchronous Events, 2005.

H. L. S. Younes, M. Kwiatkowska, G. Norman, and D. Parker, Numerical vs. statistical probabilistic model checking, International Journal on Software Tools for Technology Transfer, vol.8, issue.3, pp.216-228, 2006.

H. L. S. Younes, Ymer: A statistical model checker, Computer Aided Verification, CAV'05, pp.429-433, 2005.

E. Zio, The future of risk assessment, Reliability Engineering & System Safety, vol.177, pp.176-190, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01988966

P. Zuliani, A. Platzer, and E. M. Clarke, Bayesian statistical model checking with application to stateflow/simulink verification. Formal Methods in System Design, vol.43, pp.338-367, 2013.

Note that some requirements are expressed as several MTL properties. For instance, requirement P 13 induces 6 MTL properties. We also point out the fact that requirements P 9

The gear can be set to gear 5 and the reverse gear

The switch gear can be performed in 1000 ms

The engine is guaranteed to find synchronous speed in the case where no error occurs in it

If the gear is N, the engine is either in initial or going to initial (i.e. ToGear = 0 and engine in zero)

Torque is always indicated in the engine when the gear controller has a gear set

The controller is in predefined locations depending on the clutch state

Open ? gc.ClutchOpen ? gc.ClutchOpenTwo ? gc.CheckGearSetTwo ? gc.ReqSetGearTwo ? gc.ClutchClose ? gc.CheckClutchClosed ? gc.CheckClutchClosedTwo ? gc

If clutch is closed ? [0,10000] (¬c.Closed ? gc.ReqTorqueC ? gc.GearChanged ? gc.Gear ? gc.Initiate ? gc.CheckTorque ? gc.ReqNeuGear ? gc.CheckGearNeu ? gc, ReqSyncSpeed ? gc.CheckSyncSpeed ? gc.ReqSetGear ? gc.CheckGearSet)

Open ? gc.ClutchOpen ? gc.ClutchOpenTwo ? gc.CheckGearSetTwo ? gc.ReqSetGearTwo ? gc.ClutchClose ? gc.CheckClutchClosed ? gc.CheckClutchClosedTwo ? gc

Neutral ? gc.ReqSetGear ? gc.CheckClutchClosedTwo ? gc.ReqTorqueC ? gc.GearChanged ? gc.Gear ? gc.Initiate ? gc.ReqSyncSpeed ? gc.CheckSyncSpeed ? gc.ReqSetGear ? gc.CheckClutch ? gc.ClutchOpen ? gc

If engine regulates on torque, then the clutch must be closed