%
% GENERATED FROM http://acme.able.cs.cmu.edu
% by : anonymous
% IP : 216.73.216.80
% at : Wed, 16 Jul 2025 09:44:24 -0400 GMT
%
% Selection : Year = 2024
%
@InProceedings{ICSE2024:Duerschmid:ROSInfer,
AUTHOR = {D\"{u}rschmid, Tobias and Timperley, Christopher Steven and Garlan, David and Le Goues, Claire},
TITLE = {ROSInfer: Statically Inferring Behavioral Component Models for ROS-based Robotics Systems},
YEAR = {2024},
MONTH = {14-20 April},
BOOKTITLE = {Proceedings of the 46th International Conference on Software Engineering (ICSE 2024)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/icse2023-static-inference.pdf},
ABSTRACT = {Robotics systems are complex, safety-critical systems that can con- sist of hundreds of software components that interact with each other dynamically during run time. Software components of robot- ics systems often exhibit reactive, periodic, and state-dependent behavior. Incorrect component composition can lead to unexpected behavior, such as components passively waiting for initiation mes- sages that never arrive. Model-based software analysis is a common technique to identify incorrect behavioral composition by checking desired properties of given behavioral models that are based on component state machines. However, writing state machine models for hundreds of software components manually is a labor-intensive process. This motivates work on automated model inference. In this paper, we present an approach to infer behavioral models for systems based on the Robot Operating System (ROS) using static analysis by exploiting assumptions about the usage of the ROS API and ecosystem. Our approach is based on searching for common behavioral patterns that ROS developers use for implementing reac- tive, periodic, and state-dependent behavior using the ROS frame- work API. We evaluate our approach and our tool ROSInfer on five complex real-world ROS systems with a total of 534 components. For this purpose we manually created 155 models of components from the source code to be used as a ground truth and available data set for other researchers. ROSInfer can infer causal triggers for 87 % of component architectural behaviors in the 534 components.},
KEYWORDS = {Software Architecture}
}
@Article{Camara:Expl:IEEESoftware:2024,
AUTHOR = {C\'{a}mara, Javier and Wohlrab, Rebekka and Garlan, David and Schmerl, Bradley},
TITLE = {Focusing on What Matters: Explaining Quality Tradeoffs in Software-Intensive Systems via Dimensionality Reduction},
YEAR = {2024},
MONTH = {January},
JOURNAL = {IEEE Software},
VOLUME = {41},
PAGES = {64-73},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IEEE_Software__Tradeoff_Focused_ExplanationsCamara_Expl_IEEESoftware_2024.pdf},
ABSTRACT = {Building and operating software-intensive systems often involves exploring decision spaces made up of large numbers of variables and complex relations among them. Understanding such spaces is often overwhelming to human decision makers, who have limited capacity to digest large amounts of information, making it difficult to distinguish the forest through the trees. In this article, we report on our experience in which we used dimensionality reduction techniques to enable decision makers in different domains (software architecture, smart manufacturing, automated planning for service robots) to focus on the elements of the decision space that explain most of the quality variation, filtering out noise, and thus reducing cognitive complexity.},
NOTE = {DOI: https://doi.ieeecomputersociety.org/10.1109/MS.2023.3320689},
KEYWORDS = {Explainable Software, Planning, Self-adaptation, Software Architecture}
}
@InProceedings{Garlan:2024:Designing,
AUTHOR = {Garlan, David and Schmerl, Bradley and Wohlrab, Rebekka and C\'{a}mara, Javier},
TITLE = {Challenges in Creating Effective Automated Design Environments: An experience report from the domain of generative manufacturing},
YEAR = {2024},
MONTH = {15 April},
BOOKTITLE = {Proc. the 1st International Workshop on Designing Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/DesigningLMCO-2.pdf},
ABSTRACT = {The emergence of powerful automated design tools in many domains is changing the nature of design, as human-intensive activities can be increasingly off-loaded to those tools. Rather than having a human consider only handful of options, as has been done historically, such tools now enable the generation of a large space of potential designs, exhibiting different tradeoffs among competing qualities of merit, and supporting systematic exploration of the design space. At the same time, this paradigm raises new challenges centered on enabling humans to effectively navigate that generated space in order to select a design that best meets their requirements. In this paper we describe our experience in the domain of generative manufacturing, in which we developed a novel design environment for airplane parts manufacturing that incorporates a number of sophisticated design tools and attempts to tackle the emergent problems of design space exploration that are faced by designers of those parts. We use this experience to highlight the challenges that we faced and reflect on their applicability more generally to tool-assisted software design environments.},
KEYWORDS = {Explainable Software}
}
@Article{Sousa:2024:Security,
AUTHOR = {Sousa, Bruno and Dias, Duarte and Antunes, Nuno and C\'{a}mara, Javier and Wagner, Ryan and Schmerl, Bradley and Garlan, David and Fidalgo, Pedro},
TITLE = {MONDEO-Tactics5G: Multistage botnet detection and tactics for 5G/6G networks},
YEAR = {2024},
MONTH = {May},
JOURNAL = {Computers & Security},
VOLUME = {140},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MONDEO_AIDA.pdf},
ABSTRACT = {Mobile malware is a malicious code specifically designed to target mobile devices to perform multiple types of fraud. The number of attacks reported each day is increasing constantly and is causing an impact not only at the end-user level but also at the network operator level. Malware like FluBot contributes to identity theft and data loss but also enables remote Command & Control (C2) operations, which can instrument infected devices to conduct Distributed Denial of Service (DDoS) attacks. Current mobile device-installed solutions are not effective, as the end user can ignore security warnings or install malicious software. This article designs and evaluates MONDEO-Tactics5G - a multistage botnet detection mechanism that does not require software installation on end-user devices, together with tactics for 5G network operators to manage infected devices. We conducted an evaluation that demonstrates high accuracy in detecting FluBot malware, and in the different adaptation strategies to reduce the risk of DDoS while minimising the impact on the clients' satisfaction by avoiding disrupting established sessions.},
NOTE = {https://doi.org/10.1016/j.cose.2024.103768},
KEYWORDS = {Rainbow}
}
@InProceedings{Pace:2024:Design,
AUTHOR = {Diaz-Pace, Andres and Garlan, David},
TITLE = {The Architect in the Maze: On the Effective Usage of Automated Design Exploration},
YEAR = {2024},
MONTH = {15 April},
BOOKTITLE = {Proc. the 1st International Workshop on Designing Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Designing2024_updated1.pdf},
ABSTRACT = {
Designing a software architecture that satisfies a set of quality- attribute requirements has traditionally been a challenging activity for human architects, as it involves the exploration and assessment of alternative design decisions. The development of automated optimization tools for the architecture domain has opened new opportunities, because these tools are able to explore a large space of alternatives, and thus extend the architect’s capabilities. In this context, however, architects need to efficiently navigate through a large space and understand the main relations between design decisions and feasible quality-attribute tradeoffs in a maze of possi- ble alternatives. Although Machine Learning (ML) techniques can help to reduce the complexity of the task by sifting through the data generated by the tools, the standard techniques often fall short because they cannot offer architectural insights or relevant answers to the architect’s questions. In this paper, and based on previous experiences, we argue that ML techniques should be adapted to the architecture domain, and propose a conceptual framework towards that goal. Furthermore, we show how the framework can be instan- tiated by adapting clustering techniques to answer architectural questions regarding a client-server design space.},
KEYWORDS = {Explainable Software}
}
@InProceedings{Chu:SEAMS:2024,
AUTHOR = {Chu, Simon and Koe, Justin and Garlan, David and Kang, Eunsuk},
TITLE = {Integrating Graceful Degradation and Recovery through Requirement-driven Adaptation},
YEAR = {2024},
MONTH = {15-16 April},
BOOKTITLE = {Proc. the International Conference on Software Engineering for Adaptive and Self-managing Systems (SEAMS)},
ABSTRACT = {Cyber-physical systems (CPS) are subject to environmental uncer- tainties such as adverse operating conditions, malicious attacks, and hardware degradation. These uncertainties may lead to failures that put the system in a sub-optimal or unsafe state. Systems that are resilient to such uncertainties rely on two types of operations: (1) graceful degradation, for ensuring that the system maintains an acceptable level of safety during unexpected environmental condi- tions and (2) recovery, to facilitate the resumption of normal system functions. Typically, mechanisms for degradation and recovery are developed independently from each other, and later integrated into a system, requiring the designer to develop an additional, ad-hoc logic for activating and coordinating between the two operations.
In this paper, we propose a self-adaptation approach for improv- ing system resiliency through automated triggering and coordina- tion of graceful degradation and recovery. The key idea behind our approach is to treat degradation and recovery as requirement-driven adaptation tasks: Degradation can be thought of as temporarily weakening original (i.e., ideal) system requirements to be achieved by the system, and recovery as strengthening the weakened require- ments when the environment returns within an expected operating boundary. Furthermore, by treating weakening and strengthen- ing as dual operations, we argue that a single requirement-based adaptation method is sufficient to enable coordination between degradation and recovery. Given system requirements specified in signal temporal logic (STL), we propose a run-time adaptation framework that performs degradation and recovery in response to environmental changes. We describe a prototype implementation of our framework and demonstrate the feasibility of the proposed approach using a case study in unmanned underwater vehicles.},
KEYWORDS = {Self-adaptation}
}
@InProceedings{Zhang:FM24,
AUTHOR = {Zhang, Changjian and Kapoor, Parv and Meira Goes, Romulo and Garlan, David and Kang, Eunsuk and Ganlath, Akila and Mishra, Shatadal and Ammar, Nejib},
TITLE = {Tolerance of Reinforcement Learning Controllers against Deviations in Cyber Physical Systems},
YEAR = {2024},
MONTH = {11-13 September},
BOOKTITLE = {26th International Symposium on Formal Methods (FM24)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/FM 2024.pdf},
ABSTRACT = {Cyber-physical systems (CPS) with reinforcement learning (RL)-based controllers are increasingly being deployed in complex phys- ical environments such as autonomous vehicles, the Internet-of-Things (IoT), and smart cities. An important property of a CPS is tolerance; i.e., its ability to function safely under possible disturbances and un- certainties in the actual operation. In this paper, we introduce a new, expressive notion of tolerance that describes how well a controller is ca- pable of satisfying a desired system requirement, specified using Signal Temporal Logic (STL), under possible deviations in the system. Based on this definition, we propose a novel analysis problem, called the tol- erance falsification problem, which involves finding small deviations that result in a violation of the given requirement. We present a novel, two- layer simulation-based analysis framework and a novel search heuristic for finding small tolerance violations. To evaluate our approach, we con- struct a set of benchmark problems where system parameters can be configured to represent different types of uncertainties and disturbances in the system. Our evaluation shows that our falsification approach and heuristic can effectively find small tolerance violations.
},
KEYWORDS = {Cyberphysical Systems, Formal Methods, Machine Learning}
}
@Article{Casimira:TAAS:2024,
AUTHOR = {Casimiro, Maria and Soares, Diogo and Garlan, David and Rodrigues, Luis and Romano, Paolo},
TITLE = {Self-Adapting Machine Learning-based Systems via a Probabilistic Model Checking Framework},
YEAR = {2024},
MONTH = {March},
JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS_TAAS_journal_extension_CR.pdf},
ABSTRACT = {This paper focuses on the problem of optimizing system utility of Machine-Learning (ML) based systems in the presence of ML mispredictions. This is achieved via the use of self-adaptive systems and through the execution of adaptation tactics, such as model retraining, which operate at the level of individual ML components.
To address this problem, we propose a probabilistic modeling framework that reasons about the cost/benefit trade-offs associated with adapting ML components. The key idea of the proposed approach is to decouple the problems of estimating (i) the expected performance improvement after adaptation and (ii) the impact of ML adaptation on overall system utility.
We apply the proposed framework to engineer a self-adaptive ML-based fraud-detection system, which we evaluate using a publicly-available, real fraud detection data-set. We initially consider a scenario in which information on model’s quality is immediately available. Next we relax this assumption by integrating (and extending) state-of-the-art techniques for estimating model’s quality in the proposed framework. We show that by predicting the system utility stemming from retraining a ML component, the probabilistic model checker can generate adaptation strategies that are significantly closer to the optimal, as compared against baselines such as periodic or reactive retraining.},
KEYWORDS = {Machine Learning, Model Checking, Self-adaptation}
}
@InProceedings{Mendes:ECAI:2024,
AUTHOR = {Mendes, Pedro and Romano, Paolo and Garlan, David},
TITLE = {Error-Driven Uncertainty Aware Training},
YEAR = {2024},
MONTH = {19-24 October},
BOOKTITLE = {27th European Conference on Artificial Intelligence},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/EUAT_ECAI.pdf},
ABSTRACT = {Neural networks are often overconfident about their pre- dictions, which undermines their reliability and trustworthiness. In this work, we present a novel technique, named Error-Driven Un- certainty Aware Training (EUAT), which aims to enhance the ability of neural models to estimate their uncertainty correctly, namely to be highly uncertain when they output inaccurate predictions and low uncertain when their output is accurate. The EUAT approach oper- ates during the model’s training phase by selectively employing two loss functions depending on whether the training examples are cor- rectly or incorrectly predicted by the model. This allows for pursu- ing the twofold goal of i) minimizing model uncertainty for correctly predicted inputs and ii) maximizing uncertainty for mispredicted in- puts, while preserving the model’s misprediction rate. We evaluate EUAT using diverse neural models and datasets in the image recog- nition domains considering both non-adversarial and adversarial set- tings. The results show that EUAT outperforms existing approaches for uncertainty estimation (including other uncertainty-aware train- ing techniques, calibration, ensembles, and DEUP) by providing un- certainty estimates that not only have higher quality when evaluated via statistical metrics (e.g., correlation with residuals) but also when employed to build binary classifiers that decide whether the model’s output can be trusted or not and under distributional data shifts.},
KEYWORDS = {Machine Learning, uncertainty}
}
@InProceedings{Mendes:AISafety:2024,
AUTHOR = {Mendes, Pedro and Romano, Paolo and Garlan, David},
TITLE = {Hyper-parameter Tuning for Adversarially Robust Models},
YEAR = {2024},
MONTH = {4 August},
BOOKTITLE = {AISafety 2024},
ADDRESS = {Jeju, South Korea},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/HTP_Robust_Models_AIsafetyMendes_AISafety_2024.pdf},
ABSTRACT = {This work focuses on the problem of hyper-parameter tuning (HPT) for robust (i.e., adversarially trained) models, shedding light on the new challenges and opportunities arising during the HPT process for robust models. To this end, we conduct an extensive experimental study based on three popular deep models and explore exhaustively nine (discretized) hyper-parameters (HPs), two fidelity dimensions, and two attack bounds, for a total of 19208 configurations (corresponding to 50 thousand GPU hours).
Through this study, we show that the complexity of the HPT problem is further exacerbated in adversarial settings due to the need to independently tune the HPs used during standard and adversarial training: succeeding in doing so (i.e., adopting different HP settings in both phases) can lead to a reduction of up to 80% and 43% of the error for clean and adversarial inputs, respectively. We also identify new opportunities to reduce the cost of HPT for robust models. Specifically, we propose to leverage cheap adversarial training methods to obtain inexpensive, yet highly correlated, estimations of the quality achievable using more robust/expensive state-of-the-art methods. We show that, by exploiting this novel idea in conjunction with a recent multi-fidelity optimizer (taKG), the efficiency of the HPT process can be enhanced by up to 2.1x.},
NOTE = {Best Paper Award},
KEYWORDS = {Machine Learning}
}
@InProceedings{Canelas:ISSTA:2024,
AUTHOR = {Canelas, Paulo and Schmerl, Bradley and Fonesca, Alcides and Timperley, Christopher Steven},
TITLE = {Understanding Misconfigurations in ROS: An Empirical Study
and Current Approaches},
YEAR = {2024},
MONTH = {16-20 September},
BOOKTITLE = {The ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)},
ADDRESS = {Vienna, Austria},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/study_misconfigurations_paper.pdf},
ABSTRACT = {The Robot Operating System (ROS) is a highly popular framework and ecosystem that allows developers to build robot software sys- tems from reusable, off-the-shelf components. Systems are often built by customizing and connecting components into a working ensemble via configuration files. While reusable components allow developers to quickly prototype working robots in theory, in prac- tice, ensuring that those components are configured and connected appropriately is fundamentally challenging, as evidenced by the large number of questions asked on developer forums. Developers must be careful to abide by the assumptions of individual compo- nents, which are often unchecked and unstated when building their systems. Failure to do so can result in misconfigurations that are only discovered once the robot is deployed in the field, at which point errors may lead to unpredictable and dangerous behavior. De- spite misconfigurations having been studied in the broader context of software engineering, robotics software (and ROS in particular) poses domain-specific challenges with potentially disastrous conse- quences. To understand and improve the reliability of ROS projects, it is critical to identify the types of misconfigurations developers face. To that end, we study ROS Answers, a Q&A platform, to iden- tify and categorize misconfigurations during ROS development. We then conduct a literature review to assess the coverage of these misconfigurations using existing detection techniques. In total, we find 12 high-level categories and 50 sub-categories of misconfigura- tions. Of these categories, 27 are not covered by existing techniques. To conclude, we discuss how to tackle those misconfigurations in future work.},
KEYWORDS = {Robot Adaptation}
}
@Article{SPE:2024:Mendonca,
AUTHOR = {Aderaldo, Carlos and Costa, Thiago M. and Vasconcelos, Davi M. and Mendon\c{c}a, Nabor C. and C\'{a}mara, Javier and Garlan, David},
TITLE = {A Declarative Approach and Benchmark Tool for Controlled Evaluation of Microservice Resiliency Patterns},
YEAR = {2024},
MONTH = {August},
JOURNAL = {Software Practice and Experience},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/spe2023-resilence-bench-accepted.pdf},
ABSTRACT = {Microservice developers increasingly use resiliency patterns such as Retry and Circuit Breaker to cope with remote services that are likely to fail. However, there is still little research on how the invocation delays typically introduced by those resiliency patterns may impact application performance under varying workloads and failure scenarios. This paper presents a novel approach and benchmark tool for experimentally evaluating the performance impact of existing resiliency patterns in a controlled setting. The main novelty of this approach resides in the ability to declaratively specify and automatically generate multiple testing scenarios involving different resiliency patterns, which one can implement using any programming language and resilience library. The paper illustrates the benefits of the proposed approach and tool by reporting on an experimental study of the performance impact of the Retry and Circuit Breaker resiliency patterns in two mainstream programming languages (C# and Java) using two popular resilience libraries (Polly and Resilience4j), under multiple service workloads and failure rates. Our results show that, under low to moderate failure rates, both resiliency patterns effectively reduce the load over the application’s target service with barely any impact on the application’s performance. However, as the failure rate increases, both patterns significantly degrade the application’s performance, with their effect varying depending on the service’s workload and the patterns’ programming language and resilience library.},
KEYWORDS = {Resilience}
}
@PhdThesis{2024:PhD:Zhang,
AUTHOR = {Zhang, Changjian},
TITLE = {Behavioral Robustness of Software System Designs},
YEAR = {2024},
MONTH = {December},
SCHOOL = {Software and Societal Systems Department, School of Computer Science, Carnegie Mellon University},
HOWPUBLISHED = {Technical Report CMU-S3D-24-111},
ABSTRACT = {Abstract Software systems are designed and implemented with assumptions about the environment. However, once a system is deployed, the actual environment may deviate from its expected behavior, potentially leading to violations of desired properties. Ideally, a system should be robust to continue establishing its most critical requirements even in the presence of possible deviations in the environment. To enable systematic design of robust systems against environmental deviations, this work proposes a rigorous behavioral notion of robustness for software systems. Then, it presents a technique called behavioral robustification, which involves two tactics to systematically and rigorously improve the robustness of a system design against potential deviations.
Specifically, the robustness of a system is defined as the largest set of deviating environmental behaviors under which the system is capable of guaranteeing a desired property. Then, we present an approach to compute robustness based on this definition. On the other hand, the system is not robust against an environment when the environment exhibits deviations causing a violation of the desired property. The robustification method finds a redesign that is capable of satisfying the property under such a deviated environment. In particular, two tactics, namely robustification-by-control and robustification-by-specification-weakening, are introduced. The robustification-by-control tactic formulates the robustification problem as a multi-objective optimization problem with the goal of guaranteeing the desired property while maximally preserving the existing functionality and minimizing the cost of changes to the original design. Then, the specification-weakening tactic is used alongside the control tactic, which allows weakening the property to generate more feasible redesigns that retain more functionality or have a lower cost.
The proposed robustness computation and robustification method are implemented in a tool named Fortis. The applicability and efficiency of these approaches are evaluated through experimental results across five case studies, including a radiation therapy machine, an electronic voting machine, network protocols, a transportation fare system, and an infusion pump machine.},
KEYWORDS = {Formal Methods, Software Architecture, Software Engineering}
}
@PhdThesis{Casimiro:PhD:2024,
AUTHOR = {Casimiro, Maria},
TITLE = {Self-Adaptive Machine Learning-based Systems},
YEAR = {2024},
MONTH = {December},
SCHOOL = {Software and Societal Systems Department, School of Computer Science, Carnegie Mellon University},
HOWPUBLISHED = {Technical Report CMU-S3D-24-112}
}