Integrating semantic mechanisms like Description Logics (DLs), to describe static knowledge, and full-fledged mechanisms like transition systems, to describe dynamics is of great interest, especially in the context of a semantic view of data-aware and artifact-based processes [ 16,7,13 ]. The tight combination of these two aspects into a single logical formalism is notoriously difficult [ 20 ]. In particular, due to the nature of DL assertions we get one of the most difficult kinds of static constraints for reasoning about actions [ 18 ]. This combination gives rise to a semantics based on two-dimensional structures (DL domain + dynamics/time), which easily leads to undecidability [ 20,14 ]. To regain decidability, one has to restrict the combination only to concepts (vs. roles) [ 2 ]. This limitation is unsatisfactory in all those applications where we want to progress a full-fledged knowledge base (KB) representing a shared conceptualization of a domain of interest, such as an ontology, (a formalization of) a UML Class Diagram, or an Ontology Based Data Access System [ 9 ].

Recently, to overcome such difficulties, a looser coupling of the static and dynamic representation mechanisms has been proposed, giving rise to a rich body of research [ 3,10,5 ]. Virtually all such work is implicitly or explicitly based on Levesque’s functional approach [ 15 ], where a KB is seen as a system that provides the ability of querying its knowledge in terms of logical implication/certain answers (“ask” operation), and the ability of progressing it through forms of updates (“tell” operation). As a consequence, ? This paper is an abridged version of [ 11 ], best paper award at RR 2013. the knowledge description formalism becomes decoupled from the formalism that describes the progression: we can define the dynamics through a transition system, whose states are DL KBs, and transitions are labeled by the action (with object parameters) that causes the transition. The key issue in this context is that such transition systems are infinite in general, and hence some form of faithful abstraction is needed. Note that, if for any reason we learn that the number of states is finite, then verifying dynamic properties over such systems amounts to a form a finite-state model checking.

In this paper, we follow this approach and devise a general framework for DL Based Dynamic Systems, which is parametric w.r.t. the DL used for the knowledge base and the mechanism used for progressing the state of the system. We study verification and (adversarial) synthesis for specifications expressed in a variant of first-order calculus, with a controlled form of quantification across successive states. We recall that -calculus subsumes virtually all logics used in verification, including LTL, CTL and CTL . Adversarial synthesis for -calculus captures a wide variety of synthesis problems, including conditional planning with full-observability, behaviour composition, and several other sophisticated forms of synthesis and planning [ 12 ].

We provide key decidability results for verification under a “bounded-state” assumption. Such assumption states that while progressing, the system can change arbitrarily the stored individuals but their total number at each time point cannot exceed a certain bound. Notice that along an infinite run (and hence in the overall transition system), the total numer of individuals can still be infinite. We then turn to adversarial synthesis, where we consider the system engaged in a sort of game with an adversarial environment. The two agents (the system and the environment) move in alternation, and the problem is to synthesize a strategy for the system to force the evolution of the game so as to satisfy a given synthesis specification. Such a specification is expressed in the above first-order -calculus, using the temporal operators to express that the system is able to force a formula in the next state regardless of the environment moves, as in the strategy logic ATL [ 1 ]. We show again decidability under the “bounded-state” assumption.

This paper is an abridged version of [ 11 ], best paper award at the 7th International Conference on Web Reasoning and Rule Systems (RR 2013). Proofs are omitted and can be found in [ 11 ]. 2

In this paper we follow Leveque’s functional approach [ 15 ]. We introduce Description Logic Based Dynamic Systems (DLDSs), which are systems constituted by a DL knowledge base, consisting of a fixed TBox and an ABox that changes as the system evolves, and a set of actions that step-wise progress the knowledge base by changing the ABox. We formalize such systems in a general form, referring neither to any specific DL nor to any specific action representation formalism, and making only minimal assumptions on the various components. In Section 6, we show concrete instantiations of the framework. Object universe. We fix a countably infinite (object) universe of individuals. These constants act as standard names and allow us to refer to individuals across time. DL knowledge bases. A (DL) knowledge base (KB) (T; A) is constituted by a TBox T representing the intensional knowledge about the domain of interest in terms of concepts and roles, and an ABox A representing extensional knowledge about individuals. The TBox T is a finite set of universal assertions (we don’t allow nominals, to avoid confusion between intensional and extensional levels). The ABox A is a finite set of assertions consisting of facts, i.e., atomic formulas of the form N (d) and P (d; d0), where N is a concept name, P is a role name (we use binary roles, but all our results can be extended to n-ary relations), and d, d0 are individual constants in . We use ADOM(A) to denote the set of constants actually appearing in A. We adopt the standard DL semantics based on first-order interpretations and on the notion of (first-order) model. Naturally, the only TBoxes of interest for us are those that are satisfiable, i.e., admit at least one model. We say that an ABox A is consistent w.r.t. a TBox T if (T; A) is satisfiable, and that (T; A) logically implies an ABox assertion , denoted (T; A) j= , if every model of (T; A) is also a model of . As usual in DLs, we assume that reasoning, i.e., checking KB satisfiability and logical implication are decidable tasks.

Description Logic based Dynamic Systems. A Description Logic based Dynamic System (DLDS) is a tuple S = (T; A0; ), where (T; A0) is a KB and is a finite set of actions. The set ADOM(A0) of constants in A0 are called distinguished and we denoted them by C, i.e., C = ADOM(A0). Such constants play a special role because they are the only ones that can be used in verification formulas (see Section 4). Actions are parametrized, and when an action is executed formal parameters are substituted with individual constants from . Formal parameters are taken from a countably infinite set P of parameter names. Interestingly, we do not assume that the number of formal parameters of an action is fixed a priory, but we allow it to depend on the KB (actually, the ABox, since the TBox is fixed) on which the action is executed.

Notice that this mechanism is more general than what typically found in procedures/functions of programming languages, where the number of parameters is fixed by the signature of the procedure/function. Our mechanism is directly inspired by web systems, in which input forms are dynamically constructed and customized depending on data already acquired. For example, when inserting author data in a conference submission system, the input fields that are presented to the user depend on the (previously specified) number of authors.

Once formal parameters are substituted by actual ones, executing the action has the effect of generating a new ABox. We use AT to denote the set of all ABoxes that can be constructed using concept and role names in T , and individuals in . Formally, each action in has the form ( ; ), where – : AT ! 2P is a parameter selection function that, given an ABox A, returns the finite set (A) P of parameters of interest for w.r.t. A (see below); – : AT P 7! AT , is a (partial) effect function that, given an ABox A and a parameter assignment m : (A) ! , returns (if defined) the ABox A0 = (A; m), which (i) is consistent wrt T , and (ii) contains only constants in ADOM(A)[ IM(m).3 Observe that since (A) is finite, so is IM(m), thus only finitely many new individuals, w.r.t. A, can be added to A0.

We focus our attention on DLDS’s that are generic, which intuitively means that the two functions constituting an action are invariant w.r.t. renaming of individuals4. 3 By IM( ) we denote the image of a function. 4 This name is due to the notion of genericity in databases, also called uniformity in [ 6 ].

Genericity is a natural assumption that essentially says that the properties of individuals are only those that can be inferred from the KB. To capture genericity, we first introduce the notion of equivalence of ABoxes modulo renaming. Specifically, given two ABoxes A1, A2, sets S1 ADOM(A1) [ C and S2 ADOM(A2) [ C, and a bijection h : S1 ! S2 that is the identity on C, we say that A1 and A2 are logically equivalent modulo renaming h w.r.t. a TBox T , written A1 =hT A2, if: (i) for each assertion 1 in A1, (T; A2) j= h( 1), (ii) for each assertion 2 in A2, (T; A1) j= h 1( 2), where h( 1) (resp. h 1( 2)) is a new assertion obtained from 1 (resp., 2), by replacing each occurrence of an individual d 2 with h(d) (resp., h 1(d)). We say that A1 and A2 are logically equivalent modulo renaming w.r.t. T , written A1 =T A2, if A1 =hT A2 for some h. We omit T when clear from the context.

A DLDS S = (T; A0; ) is generic, if for every ( ; ) 2 and every A1; A2 2 AT s.t. A1 =T A2, we have that (i) (A1) = (A2), and (ii) for every two parameter assignments m1 : (A1) ! and m2 : (A2) ! , if there exists a bijection h : ADOM(A1) [ C [ IM(m1) ! ADOM(A2) [ C [ IM(m2) s.t. A1 =hT A2, then, whenever A01 = (A1; m1) is defined then also A02 = (A2; m2) is defined and viceversa, and moreover A01 =hT A02.

DLDS Transition System. The dynamics of a DLDS S is characterized by the transition system S it generates. The kind of transition systems we consider here have the general form = (U; T; ; s0; abox ; )), where: (i) U is the universe of individual constants, which includes the distinguished constants C; (ii) T is a TBox; (iii) is a set of states; (iv) s0 2 is the initial state; (v) abox is a function that, given s 2 , returns an ABox that has terms of as individuals, and conforms to T ; (vi) ) L is a labeled transition relation between states, where L is the set of labels. We also introduce an unlabeled transition relation ) obtained from the labeled transition relation by projecting out the labels (we use this notion when dealing with verification properties). Given a DLDS S = (T; A0; ), its (generated) transition system

S = (U; T; ; s0; abox ; )) is defined as: (i) U = ; (ii) abox is the identity function (thus AT ); (iii) s0 = A0; (iv) ) L is a labeled transition relation where L = M, with M the domain of action parameter assignments, is a set of labels containing one pair (a; m) for every action a 2 and corresponding parameter assignment m 2 M; (v) and ) are defined by mutual induction as the smallest sets satisfying the following property: if A 2 then for every ( ; ) 2 , m : (A) ! , and A )` A0, s.t. ` = (( ; ); m). and A0 2 AT , s.t. A0 = (A; m), we have A0 2 3

DLp To specify dynamic properties over DLDSs, we use a first-order variant of -calculus [ 19 ]. -calculus is virtually the most powerful temporal logic used for model checking of finite-state transition systems, and is able to express both linear time logics such as LTL and PSL, and branching time logics such as CTL and CTL*. Technically, -calculus separates local properties, asserted on the current state or on states that are immediate successors of the current one, from properties talking about states that are arbitrarily far away from the current one [ 19 ]. The latter are expressed through the use of fixpoints.

In our variant of -calculus, we allow local properties to be expressed as queries in any language for which query entailment for DL KBs is decidable [ 8 ]. Specifically, given a KB (T; A), a query Q, and an assignment v for the free variables of Q, we say that Qv is entailed by (T; A), if (T; A) j= Qv, i.e., (T; A) logically implies the formula Qv obtained from Q by substituting its free variables according to v. Notice that the set of v such that (T; A) j= Qv are the so-called certain answers.

Following [ 4 ], we allow for a controlled form of first-order quantification across states: it ranges over individual objects across time only as long as they persist in the active domain. Formally, we define the logic DLp as: ::= Q j : j 1 ^ 2 j 9x:LIVE(x) ^

j LIVE(x) ^ h i j LIVE(x) ^ [ ] j Z j Z: where Q is a (possibly open) query as described above, in which the only constants that may appear are those in C, Z is a second order predicate variable (of arity 0), and, with a slight abuse of notation, we write LIVE(x1; : : : ; xn) = Vi2f1;:::;ng LIVE(xi). For DLp, the following assumption holds: in LIVE(x) ^ h i and LIVE(x) ^ [ ] , the variables x are exactly the free variables of , once we substitute to each bounded predicate variable Z in its bounding formula Z: 0. We use the usual abbreviations, including: LIVE(x) ! h i = :(LIVE(x) ^ [ ]: ) and LIVE(x) ! [ ] = :(LIVE(x) ^ h i: ). Intuitively, the use of LIVE( ) in DLp ensures that individuals are only considered if they persist along the system evolution, while the evaluation of a formula with individuals that are not present in the current database trivially leads to false or true.

The formula Z: denotes the least fixpoint of the formula (seen as the predicate transformer Z: ). As usual in -calculus, formulae of the form Z: must obey to the syntactic monotonicity of w.r.t. Z, which states that every occurrence of the variable Z in must be within the scope of an even number of negation symbols. This ensures that the least fixpoint Z: always exists.

The semantics of DLp formulae is defined over possibly infinite transition systems of the form (U; T; ; s0; abox ; )) seen above. Since DLp also contains formulae with both individual and predicate free variables, given a transition system , we introduce an individual variable valuation v, i.e., a mapping from individual variables x to U , and a predicate variable valuation V , i.e., a mapping from the predicate variables Z to subsets of . With these three notions in place, we assign meaning to formulae by associating to , v, and V an extension function ( )v;V , which maps formulae to subsets of . Formally, the extension function ( )v;V is defined inductively as: (Q)v;V = fs 2 j (T; abox (s)) j= Qvg (: )v;V = n ( )v;V ( 1 ^ 2)v;V = ( 1)v;V \ ( 2)v;V (9x:LIVE(x) ^ )v;V = fs 2 j 9d 2 ADOM(abox (s)):s 2 ( )v[x=d];V g (LIVE(x) ^ h i )v;V = fs 2 j x=d 2 v implies d ADOM(abox (s)) and 9s0:s ) s0 and s0 2 ( )v;V g (LIVE(x) ^ [ ] )v;V = fs 2 j x=d 2 v implies d ADOM(abox (s)) and 8s0:s ) s0 implies s0 2 ( )v;V g (Z)v;V = V (Z) ( Z: )v;V = TfE j ( )v;V [Z=E] Eg Intuitively, ( )v;V assigns to such constructs the following meaning. (i) The boolean connectives have the expected meaning. (ii) The quantification of individuals is done over the individuals of the “current” ABox, using the special LIVE( ) predicate (active domain quantification). Notice that such individuals can be referred in a later state, provided that they persist in between (see below). (iii) The extension of h i consists of the states s s.t.: for some successor state s0 of s, holds in s0 under v. (iv) The extension of Z: is the smallest subset E of s.t., assigning to Z the extension E , the resulting extension of (under v) is contained in E . That is, the extension of Z: is the least fixpoint of the operator ( )v;V [Z=E], where V [Z=E ] denotes the predicate valuation obtained from V by forcing the valuation of Z to be E . When is a closed formula, ( )v;V does not depend on v or V , and we denote the extension of simply by ( ) . A closed formula holds in a state s 2 if s 2 ( ) . In this case, we write ; s j= . A closed formula holds in , denoted by j= , if ; s0 j= . Given a DLDS S, we say that S j= if S j= . We call model checking the problem of verifying whether j= holds. 4

Next we focus on checking a DLp formula against a DLDS. It is easy to show, by reduction from the halting problem, that this is in general undecidable, even under the assumption of genericity (see, e.g., [ 5 ]). On the other hand, it can be shown that for finite , the problem is decidable: only finitely many ABoxes exist, thus, by quantifier elimination, one can can reduce the problem to model checking of propositional calculus. Undecidability calls for the identification of decidable classes of the problem. To this end, we focus our attention on a particular class of DLDS, which we call statebounded. Under the assumption of genericity, we are able to prove decidability of verification for state-bounded DLDS. A state-bounded DLDS K is one for which there exists a finite bound b s.t., for each state s of K, jADOM(abox (s))j < b. Observe that state-bounded DLDS contain in general infinitely many states, and that a DLDS K can be state-unbounded even if, for every state s of K, jADOM(abox (s))j is finite (but not bounded). W.l.o.g., for state-bounded DLDS, we assume that the maximum number n of parameters that actions may request is known (nevertheless, it can be obtained can be obtained in PSPACE.) We are able to show the following result.

Theorem 1. Model checking of DLp over a state-bounded, generic DLDS K is decidable, and can be reduced to model checking of propositional -calculus over a finite-state transition system, whose number of state is at most exponential in the size of K. 5

We turn now to the problem of adversarial synthesis, i.e., we consider a setting in which two agents act in turn as adversaries. The first agent, called environment, acts autonomously, whereas we control the second agent, called system. The joint behavior of the two agents gives rise to a so-called two-player game structure (2GS) [ 12 ], which can be seen as the arena of a game. On top of the 2GS we can formulate, using variants of -calculus, what the system should obtain in spite of the adversarial moves of the environment. This specification can be considered the goal of the game for the system. The synthesis problem amounts to synthesizing a strategy, i.e., a suitable refined behavior for the system that guarantees to the system the fulfillment of the specification. Many synthesis problems can be rephrased using 2GS. An example is conditional planning in nondeterministic fully observable domains, where the system is the action executor, and the environment is the domain that nondeterministically chooses the (fully observable) effect of the action among those possible. Another example is behavior composition, which aims at synthesizing an orchestrator that realizes a given target behavior by delegating the execution of actions to available behaviors. Here the system is the orchestrator, and the environment is formed by the target and the available behaviors. The goal of the system is to maintain over time the ability of delegating requested actions. Several other sophisticated forms of synthesis and planning can be captured through 2GS [ 12 ].

We can deal with adversarial synthesis in our framework by building a 2GS in which we encode explicitly in the DL KB the alternation of the moves of the two players. Specifically, we introduce a fresh concept name Turn and two fresh distinguished constants te and ts, whose (mutual exclusive) presence in Turn indicates which of the two players will move next. We denote with AeT the set of ABoxes in AT that contain Turn(e) (and not Turn(s)). Similarly, for AsT .

A DL based 2GS (DL2GS) is a DLDS K = (T; A0; ), where Turn(e) 2 A0 and the set of actions is partitioned into a set e of environment actions and a set s of system actions. The effect function of each environment action is defined only for ABoxes in e and brings about an ABox in s. Symmetrically, the effect function of each system action is defined only for ABoxes in s and brings about an ABox in e. In this way we achieve the desired alternation of environment and system moves: starting from the initial state, the environment moves arbitrarily and the system suitably responds to the environment move, and this is repeated (possibly forever).

Logics of interest for 2GSs are temporal logics in the style of ATL [ 1 ], in which “next ” has the meaning of “system can force ” to hold in the next state, by suitably responding to every move done by the environment. Here, we introduce a specialization of the logic DLp, called ADLp, defined as follows: ::= Q j :Q j 1 ^ 2 j 1 _ 2 j Z j Z: j Z: j 9x:LIVE(x) ^ j 8x:LIVE(x) ! j

LIVE(x) ^ [h i]s j LIVE(x) ! [h i]s j LIVE(x) ^ [h i]w j LIVE(x) ! [h i]w where [h i]s stands for [ ](LIVE(x) ^ h i ), and [h i]w stands for [ ](LIVE(x) ! h i ). Technically, ADLp is a fragment of DLp, where negation normal form is enforced, i.e., negation is pushed inwards so that it appears only in front of atoms (in our case, queries Q). Intuitively, both [h i]s and [h i]w mean that the system can force to hold, i.e., for every (environment) move there is a (system) move leading to . The difference between the two is that [h i]s precludes the environment from dropping objects existing before its move, while [h i]w does not.

As an immediate consequence of Theorem 1, we get that checking ADLp formulas over state-bounded, generic DL2GS’s is decidable. However, we are not only interested in verifying ADLp formulas, but also in synthesizing strategies to actually fulfill them. A strategy is a partial function f : (AeT AsT ) AeT 7! s M where M is the domain of action parameter assignments, such that for every history = Ae0; As0 Aen; Asn; Aen+1, it is the case that Ais = f( [i])(Aie; mf( [i])) where [i] is prefix of of length i, and mf( [i]) : f( [i])(Aie) ! , and symmetrically Aie+1 = (Ais; m) for some m : (Ais) ! . We say that a strategy f is winning if by resolving the existential choice in evaluating the formulas of the form [h i]s and [h i]w according to f , the goal formula is satisfied. Notably, model checking algorithms provide a witness of the checked property [ 17 ], which, in our case, consists of a labeling produced during the model checking process of the abstract DL2GS’s. From labelled game states, one can read how the controller is meant to react to the environment in order to fulfill the formulas that label the state itself, and from this, define a strategy to fulfill the goal formula. It remains to lift such abstract strategy on the finite abstract DL2GS to the actual DL2GS. The abstract strategy f models a family of concrete strategies. Thus, in principle, in order to obtain an actual strategy, it would be sufficient concretizing f by replacing the abstract individuals and parameter assignments with concrete individuals and assignments that satisfy, step-by-step, the same equality commitments. While theoretically correct, this procedure cannot be realized in practice, as the resulting family of strategies is in general infinite. However, we adopt a lazy approach that allows us to generate and follow a concrete strategy, as the game progresses. Formally we have: Theorem 2. There exists an algorithm that, given a state-bounded, generic DL2G K and a ADLp formula , realizes a concrete strategy to force .

The algorithm iterates over three steps: (i) matching of the current concrete history with an abstract history over which f is defined; (ii) extraction of the action and abstract parameter assignment; (iii) concretization of the obtained parameter assignment.

As a concrete instantiation of the abstract framework introduced in Section 2, we consider a variant of Knowledge and Action Bases (KABs) [ 5 ], instantiated on the lightweight DL DL-Lite and the expressive DL ALCQI. A KAB is a tuple K = (T; A0; Act ) where T and A0 form the knowledge base, and Act is the action base. In practice, K is a stateful device that stores the information of interest into a KB, formed by a fixed TBox T and an initial ABox A0, which evolves by executing actions in Act .

An action 2 Act modifies the current ABox A by adding or deleting assertions, thus generating a new ABox A0. consists of a set fe1; : : : ; eng of effects, that take place simultaneously. An effect ei has the form Qi A0i, where – Qi is an ECQ, i.e., a domain independent first-order query whose atoms represent certain answers of unions of conjunctive queries (UCQs) [ 8 ]. – A0i is a set of ABox assertions that include as terms: individuals in A0, free variables of Qi, and Skolem terms f (x) having as arguments such free variables. Given 2 Act , we can capture its execution by defining an action ( ; ) as follows: – (A) returns the ground Skolem terms obtained by executing the queries Qi of the effects over (T; A), instantiating the facts A0i using the returned answers, and extracting the (ground) Skolem terms occurring therein. – (A; m) returns the ABox obtained by executing over (T; A) the queries Qi of the effects, instantiating the facts A0i using the returned answers, and assigning to the (ground) Skolem terms occurring therein values according to a freely chosen parameter assignment m, as long as such an ABox is consistent with T . If the ABox is not consistent with T , then (A; m) is undefined. In this way, we can define from Act , and hence the DLDS S = (T; A0; ) corresponding to the KAB K = (T; A0; Act ). Notice that, being the parameter assignment freely chosen, the resulting DLDS is actually generic.

In this context, we use ECQs also as the query language for the local properties in the verification and synthesis formalism. Now observe that if the TBox is expressed in a lightweight DL of the DL-Lite family, answering ECQ queries is PSPACE-complete in combined complexity (and in AC0 in data complexity, i.e., the complexity measured in the size of the ABox only). The same complexity bounds hold for the construction of (A) and (A; m), and hence, under the assumption of state-boundedness, the abstract transition system generated by S can be constructed in EXPTIME. It follows that both verification and synthesis can be done in EXPTIME. Instead, if the TBox is expressed in an expressive DL such as ALCQI, the cost that dominates the construction of the abstract transition system is the 2EXPTIME cost of answering over (T; A) the UCQs that are the atoms of the EQL queries in the actions. If instead of UCQs we use atomic concepts and roles (i.e., we do instance checking), the cost of query evaluation drops to EXPTIME, and so does the cost of building the abstract transition system.

These results can be extended to other DLs as long as they do not include nominals, given that the presence of nominals blurs the distinction between the extensional and the intensional knowledge, and hence requires more careful handling. 7

This work complements and generalizes two previous papers focussing on forms of verification on DL-based dynamics. One is [ 5 ] from which we took the formalism for the instantiations. The crucial difference is that in their framework they use Skolem terms to denote new values, which as a consequence remain unknown during the construction of the transition system, while we substitute these Skolem terms with actual values. Decidability of weakly acyclic systems is shown. The other one is [ 10 ], where a sort of light-weight DL-based dynamic was proposed. There, a semantic layer in DL-Lite is built on top of a data-aware process. The DL-Lite ontology plus mapping is our knowledge component, while the dynamic component (the actions) are induced by the process working directly on the data-layer. Exploiting DL-Lite first-order rewritability properties of conjunctive queries, the verification can be done directly on the data-aware process. Decidability of checking properties in -calculus without quantification across is shown for state-bounded data-aware process. In both, synthesis is not considered.