Journal of Applied Mathematics

Volume 2013 (2013), Article ID 654059, 10 pages

http://dx.doi.org/10.1155/2013/654059

## Verification of Opacity and Diagnosability for Pushdown Systems

School of Information Science, Japan Advanced Institute of Science and Technology, Ishikawa 923-1292, Japan

Received 26 February 2013; Revised 28 April 2013; Accepted 30 April 2013

Academic Editor: Guiming Luo

Copyright © 2013 Koichi Kobayashi and Kunihiko Hiraishi. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

In control theory of discrete event systems (DESs), one of the challenging topics is the extension of theory of finite-state DESs to that of infinite-state DESs. In this paper, we discuss verification of opacity and diagnosability for infinite-state DESs modeled by pushdown automata (called here pushdown systems). First, we discuss opacity of pushdown systems and prove that opacity of pushdown systems is in general undecidable. In addition, a decidable class is clarified. Next, in diagnosability, we prove that under a certain assumption, which is different from the assumption in the existing result, diagnosability of pushdown systems is decidable. Furthermore, a necessary condition and a sufficient condition using finite-state approximations are derived. Finally, as one of the applications, we consider data integration using XML (Extensible Markup Language). The obtained result is useful for developing control theory of infinite-state DESs.

#### 1. Introduction

To extend control theory of discrete event systems (DESs) expressed by finite automata [1] to that of infinite-state DESs is one of the challenging topics. Infinite automata [2] and unbounded Petri nets [3, 4] are common models of infinite-state DESs. In this paper, we focus on a pushdown automaton (PDA) [5, 6], which is one of the standard classes of infinite automata. A PDA is a finite automaton having a stack with infinite length, and a state transition is decided by the input symbol (event) and the stack symbol in the top of the stack. The stack can be manipulated by the input symbol in which the empty symbol is included. Furthermore, a visibly pushdown automaton (VPA) has been proposed as a special class of PDAs [7, 8]. Input symbols in a VPA are composed of three kinds of symbols, that is, push manipulations, pop manipulations, and internal manipulations (see Section 2.1 for further details). It is easier to analyze a VPA than a PDA. Some examples are given as applications of PDAs and VPAs. In the modeling of a software system, a PDA is frequently used (see, e.g., [9]). Also in analysis of a cyber-physical system (CPS), which has recently attracted much attention, a PDA is used [10]. A CPS is a system featuring a combination between computer systems and physical systems [11]. To model the complicate behavior of such a CPS, it is important to use a PDA. In addition, as an application of a PDA, intrusion detection in the field of computer security has been studied so far [12]. As an application of a VPA, analysis of XML (Extensible Markup Language), which is one of the markup languages and is widely used in several fields [8, 13], has been studied so far [8, 13]. Thus a PDA and a VPA have many applications, and, developing theory of DESs using a PDA and a VPA is important.

For DESs modeled by PDAs and VPAs (called here pushdown systems), supervisory control [9, 14] and diagnosability verification [15] have been studied so far. Diagnosability verification is the problem of testing if the state reaches a given failure state under partial observations. In diagnosability verification, it has been proven in [15] that diagnosability of pushdown systems is in general undecidable and is decidable under the assumption that stack manipulations are completely observed. This assumption is very strong and is not practical. Furthermore, it is important to approximately verify diagnosability for pushdown systems without assumptions. On the other hand, in recent years, opacity in computer security has been studied in the framework of DESs [16–22]. Opacity aims to determine if a secret behavior in the system is kept opaque to outsiders. In [17], it has been shown that opacity verification of infinite-state systems is undecidable. Also in [19], opacity verification of infinite-state systems has been discussed using approximate models. However, to our knowledge, opacity verification of pushdown systems has not been studied so far.

In this paper, we discuss verification of opacity and diagnosability for pushdown systems based on basic results in formal language theory [5, 6]. In opacity verification, it is proven that opacity of pushdown systems is in general undecidable. Furthermore, we clarify a condition such that opacity is decidable. In diagnosability verification, first, it is proven that if a part of observations in the system can be expressed as a regular language, that is, a language accepted by some finite automaton, then diagnosability is decidable. Next, a necessary condition for the pushdown system not to be diagnosable is derived based on finite-state overapproximations. In a similar way, a sufficient condition is also derived based on finite-state underapproximations. The proposed conditions enable us to verify diagnosability of a wider class of pushdown systems. Also, the relation among opacity verification, diagnosability verification, and the sensor selection problem is discussed. Finally, as one of the applications, we consider data integration of XML documents. In the case that documents in databases are expressed by the XML, one of the important problems is data integration, which is called here XML data integration. In particular, we discuss XML data integration with security considerations and show the effectiveness of the proposed approach. The conference paper [23] is a preliminary version of this paper. In this paper, we provide improved formulations and explanations, discussion on the computational complexity, and application to XML data integration.

This paper is organized as follows. In Section 2, first, the outline of pushdown systems is explained. Next, decidable problems and undecidable problems in PDAs and VPAs are explained. Finally, we introduce a finite-state overapproximation of PDAs. In Section 3, opacity verification is discussed. In Section 4, diagnosability verification is discussed, and some diagnosability conditions are derived. In Section 5, related topics are discussed. In Section 6, we consider an application of the proposed approach to XML data integration. In Section 7, we conclude this paper.

*Notation.* For a finite set , let denote a set of all finite strings, which consist of elements in , including the empty string . Let denote a set of all infinite strings. Let denote the number of elements in . The set is defined as .

#### 2. Preliminaries

In this section, first, we introduce pushdown automata and their subclass. Next, undecidable problems in pushdown automata are explained. Furthermore, we introduce assumptions that will enable the undecidable problems to become decidable. Finally, a finite-state overapproximation used in diagnosability verification is explained.

##### 2.1. Pushdown Systems

Consider the following pushdown automaton (PDA): where is the finite set of states, is the finite set of input symbols (events), are the finite set of stack symbols, : transition relations, are the initial state, and is the initial stack symbol. : the set of final states.

In theory of DESs, the empty string is regarded as an unobservable event. In the PDA to be studied here, transition relations are composed of , , and , which are called here a “push” manipulation, a “pop” manipulation, and an “internal” manipulation, respectively. In the push manipulation, a particular symbol is pushed to the top of the stack. In the pop manipulation, the top of the stack is popped off. In the internal manipulation, the stack is not changed, and only the state is changed. More precisely, three manipulations are given as respectively. Functional forms of , , and are given as , , and , respectively. If the state and the symbol sequence in the stack are uniquely determined for given initial state and input symbol, a given PDA is said to be deterministic.

In addition, if the state reaches some element of a subset by an execution , then it is said that an execution reaches . Furthermore, we can naturally extend these definitions to an infinite execution. If the state reaches some element of by one of the prefixes of an infinite execution , then it is said that the infinite execution reaches .

Let denote the set of observable events, and the set is the set of unobservable events. Let denote the set of languages accepted by . Then let denote the set of sequences of observable events; that is, the following two relations hold:

Since is satisfied for the two unobservable events , , two events , are indistinguishable.

Next, we introduce visibly PDAs [7, 8] as a subclass of PDAs.

*Definition 1. *A PDA (1) is said to be a visibly PDA (VPA) if comprises , where , , and are input symbols corresponding to , , and , respectively.

In VPAs, manipulations to the stack can be visualized from .

We illustrate this with a simple example.

*Example 2. *Consider the VPA in Figure 1, where

In Figure 1, and express push manipulations, and express pop manipulations, and expresses an internal manipulation. Since comprises
we see that this automaton is a VPA. In addition, we have
where corresponds to the set of event sequences such that the state reaches . corresponds to the set of event sequences such that the state reaches .

Hereafter, a discrete event system expressed by a PDA and a VPA is called a DES-PDA and a DES-VPA, respectively. If it is not necessary to distinguish a DES-PDA and a DES-VPA, then these discrete event systems are called here pushdown systems (PDSs).

##### 2.2. Decidable Problems and Undecidable Problems in Pushdown Automata

In this subsection, we explain decidable problems and undecidable problems in a language accepted by PDA or VPA , that is, a context-free language (CFL). See [5, 6] for further details.

Suppose that the two PDAs and are given. Then and are CFLs, and the following result is known.

Lemma 3. *The emptiness problem of an intersection of and , that is, the problem of deciding if holds, is undecidable.*

This lemma follows from the fact that is not a CFL in general. The emptiness problem of an intersection of two CFLs is decidable under a given assumption.

Lemma 4. *Assume that either or is given as a regular language; that is, either or is given as a finite automaton. Then the emptiness problem of an intersection of and is decidable. In addition, this problem can be solved in PTIME.*

Under the assumption in Lemma 4, is a CFL, and the emptiness problem is decidable. This result in the emptiness problem of an intersection is used in diagnosability verification in Section 4.

Next, the following result on the inclusion problem has been obtained.

Lemma 5. *The inclusion problem of two PDAs, and , that is, the problem of deciding if holds, is undecidable.*

For VPAs, the following result has been obtained [7].

Lemma 6. *The inclusion problem of two VPAs and , that is, the problem of deciding if holds is decidable. In addition, this problem can be solved in EXPTIME.*

On the other hand, a class of deterministic PDAs such that the inclusion problem is decidable is called superdeterministic PDAs [24]. A deterministic VPA is a subclass of the superdeterministic PDAs. This fact is clear from the definitions in [7, 24]. As a result, the following result can be obtained.

Lemma 7. *Assume that and are given as a PDA and a deterministic VPA, respectively. Then the problem of deciding if is decidable. In addition, this problem can be solved in 2-EXPTIME.*

These results of the inclusion problem are used in opacity verification in Section 3.

##### 2.3. Finite-State Overapproximation of Pushdown Automata

In this section, we explain the finite-state overapproximations of PDAs. Several approximations have been proposed so far (see, e.g., [25] for further details). In this paper, the following finite-state overapproximation proposed in [9] is used.

*Definition 8. *For a given PDA of (1), the finite-state overapproximation of is defined by
where and are defined as follows:(i).(ii) is given as . holds if and only if one of the following three conditions holds:(1) holds for some ;(2) holds for some ;(3) holds.

Let denote the PDA obtained by replacing with . In the transitions of , the conditions on the stack are ignored. So holds.

A finite-state overapproximation will be used in the topic on diagnosability (see Section 4.4 for further details).

#### 3. Opacity Verification

This section looks at opacity verification of PDSs. First, the notion of opacity is defined. Next, after a condition for a PDS to be opaque is derived, a decidable class of PDSs is clarified.

##### 3.1. Definition of Opacity

First, secret states are defined. Let denote the set of secret states. Then we define the notion of opacity based on the definition in [20].

*Definition 9. *For the PDS of (1), suppose that the set of secret states and the set of observable events are given. Then the PDS is said to be opaque if for all there exists such that if reaches , then does not reach and .

Several definitions of opacity have been proposed so far (see, e.g., [17, 20–22]). In this paper, the simplest definition in [20] is used.

##### 3.2. Decidability of Opacity

Let denote the set of finite event sequences such that the state reaches . Let denote the set of finite event sequences such that the state reaches . Then the opacity condition of PDSs can be derived as follows.

Theorem 10. *A PDS is opaque if and only if holds.*

*Proof. *If a PDS is opaque, then is included in . Conversely, if holds, then for any , there exists such that . So the PDS is opaque.

From Lemma 5 and Theorem 10, we can obtain the following result immediately.

Theorem 11. *Opacity of a DES-PDA is in general undecidable.*

In addition, from Lemma 5 and Theorem 10, we can obtain the following result.

Theorem 12. *Opacity of a DES-VPA is in general undecidable.*

*Proof. *Even if and are languages accepted by VPAs, then and are in general given as languages accepted by PDAs [15]. Then, from Lemma 5 and Theorem 10, opacity of a DES-VPA is undecidable.

From Theorems 11 and 12, we see that opacity of a DES-PDA and a DES-VPA are in general undecidable. On the other hand, from Lemma 6 and Theorem 10, we see that if observations of a DES-PDA is expressed by some VPA, then opacity of a DES-PDA may be decidable. Then we can obtain the following result.

Theorem 13. *Assume that and are languages accepted by VPAs, respectively. Then the problem of deciding if holds is decidable; that is, opacity of a PDS is decidable. In addition, this problem can be solved in EXPTIME.*

In addition, from Lemma 7 and Theorem 10, we can obtain the following result.

Theorem 14. *Assume that and are languages accepted by a PDA and a deterministic VPA, respectively. Then the problem of deciding if holds is decidable; that is, opacity of a PDS is decidable. In addition, this problem can be solved in 2-EXPTIME.*

From Theorem 14, we see that if is given as a language accepted by a deterministic VPA, then the decidable condition is relaxed. Comparing Theorem 13 with Theorem 14, the inclusion problem in Theorem 14 is more difficult than that in Theorem 13. This is because in Theorem 14, may be given as a language accepted by a PDA. If an overapproximation of a PDA can be derived as a VPA, then we can obtain a sufficient condition of a PDS to be opaque. In future work we plan to consider how to approximate a PDA by a VPA. On the other hand, in recent years, VPAs have been applied to several applications (see, e.g., [7–9]). Therefore, Theorem 13 and Theorem 14 will be useful.

Finally, we show a simple example.

*Example 15. *Consider the DES-VPA in Figure 1. Assume . Suppose that , , and are given. Then we obtain

and are languages accepted by VPAs, respectively, and holds. Therefore, this system is opaque.

#### 4. Diagnosability Verification

In this section, first, diagnosability for the PDS (1) is defined according to the definition in [15, 26, 27]. Next, after the existing results in [15] are explained, two kinds of diagnosability conditions are proposed.

##### 4.1. Definition of Diagnosability

First, failure states are defined. Let denote the set of failure states. For , the following two assumptions are made: (i) and (ii) if the state reaches the set , then the state stays within . Since in this paper we focus on whether some failure has occurred in the past or not, these assumptions are imposed. These assumptions also imply that any failure is not restored automatically. Let denote the set of executions such that the state reaches some element in .

Next, the notion of diagnosability for the PDS (1) is defined according to [15, 26, 27].

*Definition 16. *For the PDS (1), suppose that the set of failure states and the set of observable events are given. Then the PDS (1) is diagnosable if the following condition holds:
where , and is the set of executions such that an observation is .

In this definition, implies that all executions such that an observation is are included in . So a failure can be detected from a finite observation. In other words, if there exists an unobservable infinite suffix, then the system is not diagnosable. Furthermore, deriving in this definition is important, but this topic is not discussed in this paper. In [15], under some assumptions, a method for deriving has been already discussed.

Hereafter, a construction method of a diagnoser is not focused on (see [15] for construction of a diagnoser), and a method to test diagnosability is considered.

##### 4.2. Existing Results

First, we introduce a necessary and sufficient condition of the PDS (1) not to be diagnosable [15, 28].

Lemma 17. *For the PDS (1), suppose that the set of failure states and the set of observable events are given. Then the PDS is not diagnosable if and only if there exist two indistinguishable infinite executions and such that reaches while does not.*

Next, the existing results [15] on diagnosability verification are introduced.

Lemma 18. *Diagnosability of a DES-PDA is in general undecidable.*

Lemma 19. *Diagnosability of a DES-VPA is in general undecidable.*

These results can be obtained immediately, because the emptiness problem for an intersection of observations of infinite executions and such that reaches while does not is undecidable from Lemma 3.

In [15], the following result has been derived.

Lemma 20. *Assume . Then diagnosability of a DES-VPA is decidable.*

In Lemma 20, it is assumed that events corresponding to push and pop manipulations of the stack are observable. In [15], the diagnosability verification problem is reduced to the emptiness problem of Büchi automata under . So the property of pushdown automata is not considered. In this paper, as another approach, we consider diagnosability verification under other assumptions. Furthermore, approximate methods for verifying diagnosability of PDSs without assumptions are proposed.

##### 4.3. Proposed Diagnosability Condition

First, based on Lemma 4, we propose a diagnosability condition of PDSs.

Let denote the set of finite event sequences such that the state reaches . Let denote the set of finite event sequences such that the state reaches .

Then we obtain the following result.

Theorem 21. *Assume that either or is given as a language accepted by some finite automaton, that is, a regular language. Then diagnosability of a PDS is decidable. Furthermore, a PDS is not diagnosable if and only if holds. In addition, this problem can be solved in PTIME.*

*Proof. *From Lemma 4 and Lemma 17, this theorem is obtained straightforwardly.

We show a simple example.

*Example 22. *Consider the DES-VPA in Figure 1 again. Suppose that , , and are given. Then we obtain

Since is a regular language, diagnosability of this DES-VPA is decidable. In fact, we see that does not hold, and the defect can be detected by observing the event . This example is very simple. However, we note that diagnosability of this system is undecidable in the case using the existing result in [15]. This is because this system does not satisfy the assumption in Lemma 20; that is, the unobservable event is not an internal manipulation and is a pop manipulation.

From this example, we can indicate that even if , are CFLs, then , are generally neither CFLs nor regular languages. In the above example, is a CFL, but is a regular language. So we may consider to directly approximate , by a regular language. From this viewpoint, we propose diagnosability conditions using the finite-state over/under-approximations.

##### 4.4. Proposed Diagnosability Conditions Using Finite-State Approximations

Now, we show a diagnosability condition using a finite-state overapproximation in Definition 8.

Theorem 23. *Suppose that either or is approximated by a finite-state overapproximation in Definition 8. Let and denote approximated and , respectively. Then a necessary condition for a PDS to be not diagnosable is that either or holds. In addition, this condition can be solved in PTIME.*

*Proof. *From Theorem 21, , and , we obtain the theorem immediately.

Theorem 23 provides a necessary condition.

On the other hand, it is also important to obtain a sufficient condition. Then a finite-state underapproximation must be considered. A simple method to derive a finite-state underapproximation is that the length of the stack in a PDS is limited to a given finite length. See Example 25 below for further details. So we assume that a finite-state under-approximation of either or is given.

Then we obtain the following result.

Theorem 24. *Suppose that either or is approximated by a finite-state under-approximation. Let and denote approximated and , respectively. Then a sufficient condition for a PDS to be not diagnosable is that either or holds. In addition, this condition can be solved in PTIME.*

*Proof. *From Theorem 21, , and , we obtain the theorem immediately.

From Theorems 23 and 24, we see that diagnosability of a PDS can be approximately verified in PTIME. So Theorems 23 and 24 are simple but can be applied to several systems such as software systems.

*Example 25. *Suppose that and are given as
respectively. Then is obtained, and we see that this system is not diagnosable. However, is not a CFL (see [6] for further details).

Next, we verify diagnosability using Theorem 23. In this example, we approximate by a regular language. The PDA accepting is given by

See also Figure 2. Consider to derive the finite-state overapproximation in Definition 8. Then is given as

Next, we derive . From , we obtain

From , we obtain

From , we obtain

So is obtained. Thus we can obtain the finite-state overapproximation of the PDA (see Figure 3). Using , the language accepted by is obtained by

From the obtained , we see that holds. Furthermore, since holds, the necessary condition in Theorem 23 is satisfied.

Next, we verify diagnosability using Theorem 24. By limiting the length of the stack in to , the finite-state under-approximation can be obtained as

is accepted by the finite automaton in Figure 4. Since holds, the sufficient condition in Theorem 24 is satisfied.

#### 5. Discussions

##### 5.1. Relationship between Opacity and Diagnosability Verifications

Opacity and diagnosability are closely related concepts. We can interpret that opacity is the converse notion of diagnosability. However, decidability conditions are different.

In opacity verification, if and are languages accepted by some VPA, respectively, then opacity is decidable (see also Theorem 13). That is, opacity can be discussed only in the framework of VPAs.

On the other hand, in diagnosability verification, if either or is a language accepted by some finite automaton, then diagnosability is decidable (see Section 4.3). Thus approximations such as finite-state approximations described in Section 2.3 are required.

From these results, the difference between opacity verification and diagnosability verification is clarified from the theoretical viewpoint. However, it is known that the computational complexity of the inclusion problem of VPAs is EXPTIME-complete and that of finite automata is PSPACE-complete [7]. Thus, from the computational viewpoint, it may be desirable to use finite-state approximations in opacity verification.

##### 5.2. Optimal Sensor Selection

The optimal sensor selection problem, that is, the problem of minimizing the number of sensors which observe events, such that the system is diagnosable has been discussed in [29, 30]. Further, in opacity, the sensor selection problem has been discussed in [18]. One of the trivial solutions to the sensor selection problem in opacity is that the number of sensors should be zero, but this is not practical. So it is important to consider the optimal sensor selection problem such that the system is opaque and diagnosable simultaneously under . Then we can derive an optimal solution of this problem according to the results in Sections 4 and 3. This is one of the challenges to be undertaken in the future, that is, to develop an efficient algorithm.

##### 5.3. Extension to Higher-Order Pushdown Systems

Higher-order pushdown automata (HPAs) [31, 32] have been proposed as one of the extensions of PDAs. HPAs are defined by using higher-order stacks, that is, a nested “stack of stacks” structures. HPAs are closely related to infinite graph theory and higher-order logic programming. Decidable problems and undecidable problems in HPAs are basically similar to those in PDAs. Thus our proposed approach will be applied to HPAs. In fact, the conditions that diagnosability of discrete event systems modeled by HPAs is decidable have been obtained in [15]. Since one of the conditions is , the conditions obtained can be regarded as a natural extension of Lemma 20.

#### 6. Application to XML Data Integration

In this section, we consider XML data integration as an application. The XML (Extensible Markup Language) is a markup language that defines a set of rules for encoding data and documents and is widely used in several fields such as data and documents on the Web and medical databases. In cases where documents in databases are expressed by the XML, one of the important problems is data integration, which is called here XML data integration. In XML data integration, first, XML documents are extracted from multiple databases. Next, the extracted XML documents are integrated as one XML document. Here, we assume the existence of a database where the integrated XML document is indistinguishable from its extracted components. The XML document in such a database is called here the target XML document. Then we consider the following problems:

*Problem 1. *Suppose that an integrated XML document and a target XML document are given. Then(i)can the integrated XML document be indistinguishable from the target XML document?(ii)by masking particular data in the integrated XML document, can the integrated XML document be indistinguishable from the target XML document?

These problems are important from the viewpoint of security. In addition, this problem is closely related to opacity verification of PDSs in Section 3. This is because in recent years, a method for expressing XML documents as a VPA has been studied in, for example, [8, 13].

Hereafter, the relation between VPAs and XML documents will be explained. Next, by using a simple example, we explain how to solve the above problems.

##### 6.1. Relation between Pushdown Systems and XML Documents

First, an example of XML documents expressing information about books is shown as follows: C. G. Cassandras S. Lafortune 978-0-387-33332-8

The XML scheme in the above example is based on the example in [13]. In addition, the above example implies information about the book of [1]. <book>, <title>, <author>, and <ISBN> are open tags. </book>, </title>, </author>, and </ISBN> are close tags. Actual data such as “978-0-387-33332-8” is called a local symbol. Since in this paper we focus on XML schemas, we omit local symbols. The above XML document can then be expressed as the VPA , where

Close tags are expressed by . See also Figure 5. Thus a given XML document can be expressed by a VPA.

##### 6.2. XML Data Integration with Security Considerations

Next, suppose that a VPA expressing information about publishers is given as in Figure 6, where pub, pname, and addr imply “publisher,” “publisher name,” and “address,” respectively. Consider how to integrate the VPA with the VPA . One of the simple methods is to connect with in series. Then we can obtain the VPA in Figure 7.

Here, suppose that a target XML document is given as the VPA in Figure 8, where “#” implies a wild-card event or a wild-card stack symbol. We consider Problem 1 (i). That is, we must check if is satisfied. This is the same as opacity verification. In this example, is not satisfied, because by observing “country,” the VPA is distinguishable from the VPA . Therefore, a solution of Problem 1 (i) is “no.” In other words, the integrated XML document is not opaque. From Theorem 13, it is assumed that this problem is decidable in general cases. We remark that in this case, holds.

Next, consider Problem 1 (ii). Suppose that the set of unobservable events is given as . Then the VPA is indistinguishable from the VPA . Therefore, a solution of Problem 1 (i) is “yes.” In other words, we can say that the integrated XML document becomes opaque by masking “country.” Also in general cases, this problem is decidable. On the other hand, it is one part of the future work, that is, to develop an efficient algorithm for finding masked events. Since this problem is the converse notion of the optimal sensor selection problem for diagnosability, there is a possibility that the existing result on sensor selection can be applied.

#### 7. Conclusion and Future Work

In this paper, opacity and diagnosability of discrete event systems expressed by pushdown automata (called here pushdown systems, PDSs) have been discussed based on formal language theory. In opacity verification, we have not only proven that opacity of a PDS is in general undecidable, but also characterized the condition such that opacity is decidable. We have also clarified that depending on a class of observations, the computational complexity is different. In diagnosability verification, we have proposed a new diagnosability condition, based on the fact that an intersection of a context-free language and a regular language is derived as a context-free language. In addition, we have derived diagnosability conditions using finite-state over/under-approximations of observations. Also we have clarified that the proposed diagnosability conditions can be solved in PTIME. In particular, since diagnosability conditions using approximations can be applied to a general class of PDSs and can be efficiently solved, several applications will be able to be considered. Finally, as an application, we have considered XML data integration. The obtained result is valuable as the basis of verification of PDSs and will be the first step toward development of control theory for infinite-state discrete event systems.

In future work, there are many open problems, for example, implementation using a model checker and decentralized diagnosis [33]. In addition, the result on diagnosability analysis of unbounded Petri nets has been obtained in [4]. Also, for recursive tile systems, which are a class of infinite discrete event systems, the result on opacity and diagnosability has been obtained in [34]. It is important to clarify the relation between our result and these results. Finally, in order to show the effectiveness of our proposed method, it is important to consider several applications.

#### Acknowledgment

This work was partially supported by Grant-in-Aid for Young Scientists (B) 23760387.

#### References

- C. G. Cassandras and S. Lafortune,
*Introduction to Discrete Event Systems*, Springer, 2nd edition, 2008. View at Publisher · View at Google Scholar · View at MathSciNet - W. Thomas, “A short introduction to infinite automata,” in
*Developments in Language Theory*, vol. 2295 of*Lecture Notes in Computer Science*, pp. 130–144, 2002. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - M. P. Cabasino, A. Giua, S. Lafortune, and C. Seatzu, “Diagnosability analysis of unbounded Petri nets,” in
*Proceedings of the Joint 48th IEEE Conference on Decision and Control and 28th Chinese Control Conference*, pp. 1267–1272, 2009. - M. P. Cabasino, A. Giua, S. Lafortune, and C. Seatzu, “A new approach for diagnosability analysis of Petri nets using verifier nets,”
*IEEE Transactions on Automatic Control*, vol. 57, no. 12, pp. 3104–3117, 2012. View at Publisher · View at Google Scholar · View at MathSciNet - J.-M. Autebert, J. Berstel, and L. Boasson, “Context-free languages and pushdown automata,” in
*Handbook of Formal Languages*, vol. 1, pp. 111–174, Springer, 1997. View at Google Scholar · View at MathSciNet - J. E. Hopcroft and J. D. Ullman,
*Introduction to Automata Theory, Languages, and Computation*, Addison-Wesley, 3rd edition, 1979. View at MathSciNet - R. Alur and P. Madhusudan, “Visibly pushdown languages,” in
*Proceedings of the 36th Annual ACM Symposium on Theory of Computing*, pp. 202–211, ACM, 2004. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - V. Kumar, P. Madhusudan, and M. Viswanathan, “Visibly pushdown automata for streaming XML,” in
*Proceedings of the 16th International Conference on World Wide Web*, pp. 1053–1062, 2007. - K. Hiraishi and P. Kucera, “Applications of DES theory to verification of software components,”
*IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, vol. 92, no. 2, pp. 604–610, 2009. View at Google Scholar - N. Saeedloei and G. Gupta, “Verifying complex continuous real-time systems with coinductive CLP(R),” in
*Proceedings of the 4th International Conference on Language and Automata Theory and Applications*, vol. 6031 of*Lecture Notes in Computer Science*, pp. 536–548, 2010. - E. Lee, “Cyber physical systems: design challenges,” in
*Proceedings of the 11th International Symposium on Object Oriented Real-Time Distributed Computing*, pp. 363–369, 2008. - D. Wagner and D. Dean, “Intrusion detection via static analysis,” in
*Proceedings of the IEEE Symposium on Security and Privacy*, pp. 156–168, 2001. - A. Thomo and S. Venkatesh, “Rewriting of visibly pushdown languages for XML data integration,”
*Theoretical Computer Science*, vol. 412, no. 39, pp. 5285–5297, 2011. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - C. Griffin, “A note on the properties of the supremal controllable sublanguage in pushdown systems,”
*IEEE Transactions on Automatic Control*, vol. 53, no. 3, pp. 826–829, 2008. View at Publisher · View at Google Scholar · View at MathSciNet - C. Morvan and S. Pinchinat, “Diagnosability of pushdown systems,” in
*Proceedings of the Haifa Verification Conference 2009*, vol. 6405 of*Lecture Notes in Computer Science*, pp. 21–33, 2011. - E. Badouel, M. Bednarczyk, A. Borzyszkowski, B. Caillaud, and P. Darondeau, “Concurrent secrets,”
*Discrete Event Dynamic Systems: Theory and Applications*, vol. 17, no. 4, pp. 425–446, 2007. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - J. W. Bryans, M. Koutny, L. Mazare, and P. Y. A. Ryan, “Opacity generalised to transition systems,”
*International Journal of Information Security*, vol. 7, no. 6, pp. 421–435, 2008. View at Google Scholar - F. Cassez, J. Dubreil, and H. Marchand, “Synthesis of opaque systems with static and dynamic masks,”
*Formal Methods in System Design*, vol. 40, no. 1, pp. 88–115, 2012. View at Google Scholar - J. Dubreil, “Opacity and abstractions,” in
*Proceedings of the 1st International Workshop on Abstractions for Petri Nets and Other Models of Concurrency*, 2009. - A. Saboori and C. N. Hadjicostis, “Notions of security and opacity in discrete event systems,” in
*Proceedings of the 46th IEEE Conference on Decision and Control*, pp. 5056–5061, 2007. - A. Saboori and C. N. Hadjicostis, “Verification of infinite-step opacity and complexity considerations,”
*IEEE Transactions on Automatic Control*, vol. 57, no. 5, pp. 1265–1269, 2012. View at Publisher · View at Google Scholar · View at MathSciNet - A. Saboori and C. N. Hadjicostis, “Verification of K-step opacity and analysis of its complexity,”
*IEEE Transactions on Automation Science and Engineering*, vol. 8, no. 3, pp. 549–559, 2011. View at Google Scholar - K. Kobayashi and K. Hiraishi, “On opacity and diagnosability in discrete event systems modeled by pushdown automata,” in
*Proceedings of the 8th IEEE International Conference on Automation Science and Engineering*, pp. 658–663, 2012. - S. A. Greibach and E. P. Friedman, “Superdeterministic PDAs: a subcase with a decidable inclusion problem,”
*Journal of the Association for Computing Machinery*, vol. 27, no. 4, pp. 675–700, 1980. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - M. Mohri and M. J. Nederhof, “Regular approximation of context-free grammars through transformation,” in
*Robustness in Language and Speech Technology*, J.-C. Junqua and G. van Noord, Eds., chapter 6, pp. 153–163, 2000. View at Google Scholar - M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. C. Teneketzis, “Diagnosability of discrete-event systems,”
*IEEE Transactions on Automatic Control*, vol. 40, no. 9, pp. 1555–1575, 1995. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. C. Teneketzis, “Failure diagnosis using discrete-event models,”
*IEEE Transactions on Control Systems Technology*, vol. 40, no. 2, pp. 105–124, 1996. View at Google Scholar - T. Jeron, H. Marchand, S. Pinchinat, and M.-O. Cordier, “Supervision patterns in discrete event systems diagnosis,” in
*Proceedings of the 8th Workshop on Discrete Event Systems*, 2006. - S. Jiang, R. Kumar, and H. E. Garcia, “Optimal sensor selection for discrete-event systems with partial observation,”
*IEEE Transactions on Automatic Control*, vol. 48, no. 3, pp. 369–381, 2003. View at Publisher · View at Google Scholar · View at MathSciNet - T.-S. Yoo and S. Lafortune, “NP-completeness of sensor selection problems arising in partially observed discrete-event systems,”
*IEEE Transactions on Automatic Control*, vol. 47, no. 9, pp. 1495–1499, 2002. View at Publisher · View at Google Scholar · View at MathSciNet - A. Carayol and S. Wöhrle, “The Caucal hierarchy of infinite graphs in terms of logic and higher-order pushdown automata,” in
*Proceedings of the Foundations of Software Technology and Theoretical Computer Science*, vol. 2914 of*Lecture Notes in Computer Science*, pp. 112–123, 2003. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - T. Knapik, D. Niwinski, and P. Urzyczyn, “Higher-order pushdown trees are easy,” in
*Proceedings of the 5th International Conference on Foundations of Software Science and Computation Structures*, vol. 2303 of*Lecture Notes in Computer Science*, pp. 205–222, 2002. - W. Qiu and R. Kumar, “Decentralized failure diagnosis of discrete event systems,”
*IEEE Transactions on Systems, Man and Cybernetics A*, vol. 36, no. 2, pp. 384–395, 2006. View at Google Scholar - S. Chédor, C. Morvan, S. Pinchinat, and H. Marchand, “Analysis of partially observed recursive tile systems,” in
*Proceedings of the 11th International Workshop on Discrete Event Systems*, pp. 265–271, 2012.