Papers
Topics
Authors
Recent
Search
2000 character limit reached

RampoNN: Reachability-Guided Falsification for CPS

Updated 5 July 2026
  • RampoNN is a reachability-guided falsification framework for CPS that integrates static control-flow analysis, neural reachability via Deep Bernstein networks, and guided counterexample search to accelerate vulnerability discovery.
  • It employs SMT-based path-range abstraction, temporal abstraction trees, and quantitative STL robustness evaluation to efficiently prune vast execution spaces and isolate unsafe trajectories.
  • Empirical results demonstrate up to 98.27% acceleration in finding deep-nested cyber-kinetic vulnerabilities in systems such as PLC-controlled water tanks and switched PID automotive engines.

RampoNN is a reachability-guided falsification framework for cyber-physical systems (CPS) that targets cyber-kinetic vulnerabilities: faults in control software that can induce hazardous physical behavior through repeated interaction with plant dynamics. It takes as input a controller program gg, a neural surrogate of the plant NfN_f, and a Signal Temporal Logic (STL) specification φ\varphi, then combines control-flow abstraction, neural reachability, robustness analysis, and guided falsification to identify behaviors that may violate safety requirements. Its central contribution is to replace loose neural over-approximations with Deep Bernstein neural networks, enabling aggressive pruning of provably safe or unsafe abstract behaviors and accelerating vulnerability discovery by up to 98.27%98.27\% (Tsujio et al., 20 Nov 2025).

1. Problem setting and formalization

RampoNN addresses CPS settings in which periodic control execution creates long-horizon interactions between discrete software branches and continuous plant evolution. The difficulty is not merely that the controller is branching, but that each branch choice affects the physical state, which in turn affects future branch feasibility. This induces a combinatorial explosion of execution paths over horizon HH: if each control cycle admits kk branch outcomes, then there are kHk^H possible cyber trajectories (Tsujio et al., 20 Nov 2025).

The framework models the closed loop as a discrete-time CPS:

xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),

where xtRnx_t \in \mathbb{R}^n, utRmu_t \in \mathbb{R}^m, NfN_f0 is a neural plant surrogate, and the model error is bounded by NfN_f1. The controller is decomposed into disjoint path constraints and path functions,

NfN_f2

with each NfN_f3 and NfN_f4 (Tsujio et al., 20 Nov 2025).

A cyber trajectory is the branch sequence NfN_f5, where each NfN_f6 corresponds to the path taken by the controller at time NfN_f7. RampoNN seeks the set

NfN_f8

namely branch sequences for which there exists a physical trajectory violating the STL safety requirement (Tsujio et al., 20 Nov 2025).

This formulation makes explicit that the objective is not full verification of all closed-loop behavior. Instead, RampoNN is organized around efficient falsification: it attempts to exclude large sets of trajectories that are provably safe or unsafe, then directs an expensive counterexample search toward the residual uncertain cases.

2. Analysis pipeline and abstraction strategy

RampoNN proceeds in five stages. First, it performs a static one-cycle path-range analysis over the controller code using SMT with Z3. For each path NfN_f9, it computes an abstract control interval by solving

φ\varphi0

This yields per-branch abstract control ranges

φ\varphi1

Second, it builds a temporal abstraction tree of depth φ\varphi2, where each node branches into φ\varphi3 children labeled by these control intervals. Third, it represents both the plant and the STL robustness computation as Deep Bernstein networks: a DynamicsNN φ\varphi4 and an STL2NN φ\varphi5. Fourth, it propagates reachable state sets through the abstraction tree, computes robustness intervals for path prefixes, and classifies each prefix as SAFE, UNSAFE, or UNCERTAIN. Fifth, it uses the remaining uncertain prefixes to guide a falsification engine toward the most promising counterexamples (Tsujio et al., 20 Nov 2025).

The key scalability claim is that the framework maintains one abstract set per tree edge rather than enumerating all concrete branch sequences. As reported, the reachable set computation is linear in φ\varphi6 and polynomial in φ\varphi7 per level, rather than exponential in φ\varphi8, because it reuses the φ\varphi9 per-step abstract control ranges and propagates sets through 98.27%98.27\%0 and 98.27%98.27\%1 instead of exploring all 98.27%98.27\%2 runs explicitly (Tsujio et al., 20 Nov 2025).

This abstraction is structurally important. Traditional falsifiers repeatedly sample initial conditions and disturbances against the full simulator; RampoNN instead constrains the search space before falsification begins. A plausible implication is that its performance depends less on stochastic luck in the falsifier and more on the quality of the reachability bounds.

3. Deep Bernstein neural networks and reachability

RampoNN’s distinctive mechanism is its use of Deep Bernstein neural networks for both plant approximation and robustness evaluation. A Bernstein polynomial of degree 98.27%98.27\%3 on 98.27%98.27\%4 is written as

98.27%98.27\%5

with basis

98.27%98.27\%6

In a DeepBern-Net, the activation itself is a Bernstein polynomial,

98.27%98.27\%7

Two properties are operationally central. The first is the convex-hull range enclosure: on 98.27%98.27\%8, the output range is bounded by the minimum and maximum Bernstein coefficients. The second is subdivision: intervals can be split with exact coefficient transformations for refinement. Because the activation is a single global polynomial rather than a piecewise-linear map, reachability does not suffer the region explosion characteristic of ReLU analyses (Tsujio et al., 20 Nov 2025).

For an input set 98.27%98.27\%9, reachability is posed as

HH0

and RampoNN computes a conservative enclosure HH1 such that

HH2

Affine layers are handled exactly, while Bernstein activations are bounded by propagating coefficient boxes and reading off extremal coefficients (Tsujio et al., 20 Nov 2025).

The paper positions this as an alternative to interval bound propagation, zonotopes, star sets, DeepPoly, and HH3-CROWN-style linear relaxations. Its claim is not merely lower runtime, but substantially tighter enclosures. This tightness is what makes safe-subtree pruning effective; when bounds are loose, nearly all prefixes remain UNCERTAIN and the pruning strategy collapses.

4. STL robustness, pruning, and guided falsification

RampoNN uses quantitative STL robustness to determine whether a whole abstract set of trajectories can be discarded or prioritized. Standard STL semantics are expressed through nested HH4 and HH5:

HH6

HH7

HH8

For until,

HH9

To encode these operators inside a DeepBern network, RampoNN replaces the nondifferentiable absolute value with its Bernstein approximation on kk0,

kk1

and defines

kk2

These layers form STL2NN, whose output is a robustness interval over a reachable state sequence (Tsujio et al., 20 Nov 2025).

For each prefix kk3, RampoNN computes a robustness interval and inflates it by the plant-model error:

kk4

The classification rule is simple: SAFE if kk5, UNSAFE if kk6, and UNCERTAIN if kk7. SAFE and UNSAFE subtrees are pruned entirely, while UNCERTAIN prefixes are ranked by violation potential and passed to the falsifier (Tsujio et al., 20 Nov 2025).

The falsification stage then solves a constrained search problem over initial states and perturbations consistent with a chosen cyber trajectory. The paper emphasizes that pruning is sound but the overall method is not complete: if the falsifier fails to find a counterexample within an uncertain region, safety is not thereby proved (Tsujio et al., 20 Nov 2025).

5. Empirical evaluation and comparative results

The framework was evaluated on two systems: a PLC-controlled water tank and a switched PID controller for an automotive engine. The water tank has a one-state plant and a branching controller with four regions; its safety requirement is kk8. The engine benchmark is higher-dimensional, with a four-branch switched PID-like controller over RPM, Speed, and Throttle; its safety requirement is kk9 (Tsujio et al., 20 Nov 2025).

Before the end-to-end falsification results, the paper reports a direct reachability comparison between DeepBern and ReLU surrogates. For the water tank, a DeepBern-Net kHk^H0 of degree kHk^H1 achieved MSE kHk^H2, reachable-set volume kHk^H3, and kHk^H4 tightness, whereas a ReLU network kHk^H5 had MSE kHk^H6, volume kHk^H7, and kHk^H8 tightness. For the engine, a DeepBern-Net kHk^H9 of degree xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),0 achieved volume xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),1 with xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),2 tightness, while a ReLU xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),3 reached volume xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),4 with xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),5 tightness; larger ReLU models inflated to xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),6–xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),7 in volume with tightness up to xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),8 (Tsujio et al., 20 Nov 2025).

System Safety specification Reported outcome
PLC-controlled water tank xt+1=Nf(xt,ut)+ϵt,ut=g(xt),x_{t+1} = N_f(x_t, u_t) + \epsilon_t, \qquad u_t = g(x_t),9 Used to evaluate tightness and falsification acceleration
Switched PID automotive engine xtRnx_t \in \mathbb{R}^n0 Used to evaluate deep-nested vulnerability discovery

End to end, RampoNN accelerated vulnerability discovery by up to xtRnx_t \in \mathbb{R}^n1 relative to the reported baselines, scaled to horizon xtRnx_t \in \mathbb{R}^n2 where unguided falsifiers timed out, and uniquely found deep-nested vulnerabilities in the engine at xtRnx_t \in \mathbb{R}^n3 (Tsujio et al., 20 Nov 2025). In an iterative remediation study on the engine, it found a critical violation in a simple PID version in xtRnx_t \in \mathbb{R}^n4 minutes, found a subtler transition-logic violation in a revised version in xtRnx_t \in \mathbb{R}^n5 minutes, and on the final version analyzed the entire abstract cyber tree, pruned everything as SAFE via reachability, after which the falsifier confirmed no remaining violations (Tsujio et al., 20 Nov 2025).

The reported implementation used Python with angr for code-path extraction, Z3 for path-range optimization, DeepBern-Nets for DynamicsNN and STL2NN, and S-TaLiRo as the falsifier, running on Ubuntu 20.04.6 with dual Intel Xeon E5-2650 v4 CPUs, 256 GB RAM, and xtRnx_t \in \mathbb{R}^n6 NVIDIA RTX 2080 Ti GPUs (Tsujio et al., 20 Nov 2025).

6. Assumptions, limitations, and terminological ambiguity

RampoNN assumes a discrete-time plant model with a known uniform error bound xtRnx_t \in \mathbb{R}^n7, a controller program that can be decomposed into disjoint SMT-solvable paths, bounded-horizon STL specifications, and box-shaped input sets. Its pruning effectiveness depends on the tightness of the DeepBern reachability bounds. If these become conservative, many prefixes remain UNCERTAIN and the search degenerates toward ordinary falsification. The paper also notes that model mismatch beyond xtRnx_t \in \mathbb{R}^n8 risks unsound SAFE classifications, so robustness intervals are explicitly inflated by xtRnx_t \in \mathbb{R}^n9; low polynomial degree can likewise degrade tightness, with adaptive subdivision and higher degree offered as mitigations (Tsujio et al., 20 Nov 2025).

A common source of confusion is the name itself. In the arXiv record, “RampoNN” officially denotes the CPS falsification framework described above (Tsujio et al., 20 Nov 2025). Other nearby names refer to different topics. “Machine learning-based Raman amplifier design” uses a multi-layer neural network to predict pump powers and wavelengths from target Raman gain profiles, but the supplied source does not confirm an official method named “RampoNN” (Zibar et al., 2018). The analog in-memory computing paper on ramp-ADC-based nonlinear activation names its mechanism “NL-ADC” rather than RampoNN, even though it is described as conceptually aligned with a ramp-based nonlinear neuron (Yang et al., 2024). “RAMP-CNN” is an automotive radar recognition model operating on range-velocity-angle heatmap sequences (Gao et al., 2020), and “Neuro-RAM” is a spiking-network indexing module for similarity testing and compression (Lynch et al., 2017).

Within CPS research, the significance of RampoNN lies in its synthesis of program analysis, set-based neural reachability, STL robustness, and falsification guidance. This suggests a methodological niche between pure falsification and full formal verification: it does not attempt exhaustive proof of safety for arbitrary code and dynamics, yet it uses formal over-approximation aggressively enough to discard large parts of the search space before optimization-based counterexample generation begins.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to RampoNN.