RampoNN: Reachability-Guided Falsification for CPS
- RampoNN is a reachability-guided falsification framework for CPS that integrates static control-flow analysis, neural reachability via Deep Bernstein networks, and guided counterexample search to accelerate vulnerability discovery.
- It employs SMT-based path-range abstraction, temporal abstraction trees, and quantitative STL robustness evaluation to efficiently prune vast execution spaces and isolate unsafe trajectories.
- Empirical results demonstrate up to 98.27% acceleration in finding deep-nested cyber-kinetic vulnerabilities in systems such as PLC-controlled water tanks and switched PID automotive engines.
RampoNN is a reachability-guided falsification framework for cyber-physical systems (CPS) that targets cyber-kinetic vulnerabilities: faults in control software that can induce hazardous physical behavior through repeated interaction with plant dynamics. It takes as input a controller program , a neural surrogate of the plant , and a Signal Temporal Logic (STL) specification , then combines control-flow abstraction, neural reachability, robustness analysis, and guided falsification to identify behaviors that may violate safety requirements. Its central contribution is to replace loose neural over-approximations with Deep Bernstein neural networks, enabling aggressive pruning of provably safe or unsafe abstract behaviors and accelerating vulnerability discovery by up to (Tsujio et al., 20 Nov 2025).
1. Problem setting and formalization
RampoNN addresses CPS settings in which periodic control execution creates long-horizon interactions between discrete software branches and continuous plant evolution. The difficulty is not merely that the controller is branching, but that each branch choice affects the physical state, which in turn affects future branch feasibility. This induces a combinatorial explosion of execution paths over horizon : if each control cycle admits branch outcomes, then there are possible cyber trajectories (Tsujio et al., 20 Nov 2025).
The framework models the closed loop as a discrete-time CPS:
where , , 0 is a neural plant surrogate, and the model error is bounded by 1. The controller is decomposed into disjoint path constraints and path functions,
2
with each 3 and 4 (Tsujio et al., 20 Nov 2025).
A cyber trajectory is the branch sequence 5, where each 6 corresponds to the path taken by the controller at time 7. RampoNN seeks the set
8
namely branch sequences for which there exists a physical trajectory violating the STL safety requirement (Tsujio et al., 20 Nov 2025).
This formulation makes explicit that the objective is not full verification of all closed-loop behavior. Instead, RampoNN is organized around efficient falsification: it attempts to exclude large sets of trajectories that are provably safe or unsafe, then directs an expensive counterexample search toward the residual uncertain cases.
2. Analysis pipeline and abstraction strategy
RampoNN proceeds in five stages. First, it performs a static one-cycle path-range analysis over the controller code using SMT with Z3. For each path 9, it computes an abstract control interval by solving
0
This yields per-branch abstract control ranges
1
Second, it builds a temporal abstraction tree of depth 2, where each node branches into 3 children labeled by these control intervals. Third, it represents both the plant and the STL robustness computation as Deep Bernstein networks: a DynamicsNN 4 and an STL2NN 5. Fourth, it propagates reachable state sets through the abstraction tree, computes robustness intervals for path prefixes, and classifies each prefix as SAFE, UNSAFE, or UNCERTAIN. Fifth, it uses the remaining uncertain prefixes to guide a falsification engine toward the most promising counterexamples (Tsujio et al., 20 Nov 2025).
The key scalability claim is that the framework maintains one abstract set per tree edge rather than enumerating all concrete branch sequences. As reported, the reachable set computation is linear in 6 and polynomial in 7 per level, rather than exponential in 8, because it reuses the 9 per-step abstract control ranges and propagates sets through 0 and 1 instead of exploring all 2 runs explicitly (Tsujio et al., 20 Nov 2025).
This abstraction is structurally important. Traditional falsifiers repeatedly sample initial conditions and disturbances against the full simulator; RampoNN instead constrains the search space before falsification begins. A plausible implication is that its performance depends less on stochastic luck in the falsifier and more on the quality of the reachability bounds.
3. Deep Bernstein neural networks and reachability
RampoNN’s distinctive mechanism is its use of Deep Bernstein neural networks for both plant approximation and robustness evaluation. A Bernstein polynomial of degree 3 on 4 is written as
5
with basis
6
In a DeepBern-Net, the activation itself is a Bernstein polynomial,
7
Two properties are operationally central. The first is the convex-hull range enclosure: on 8, the output range is bounded by the minimum and maximum Bernstein coefficients. The second is subdivision: intervals can be split with exact coefficient transformations for refinement. Because the activation is a single global polynomial rather than a piecewise-linear map, reachability does not suffer the region explosion characteristic of ReLU analyses (Tsujio et al., 20 Nov 2025).
For an input set 9, reachability is posed as
0
and RampoNN computes a conservative enclosure 1 such that
2
Affine layers are handled exactly, while Bernstein activations are bounded by propagating coefficient boxes and reading off extremal coefficients (Tsujio et al., 20 Nov 2025).
The paper positions this as an alternative to interval bound propagation, zonotopes, star sets, DeepPoly, and 3-CROWN-style linear relaxations. Its claim is not merely lower runtime, but substantially tighter enclosures. This tightness is what makes safe-subtree pruning effective; when bounds are loose, nearly all prefixes remain UNCERTAIN and the pruning strategy collapses.
4. STL robustness, pruning, and guided falsification
RampoNN uses quantitative STL robustness to determine whether a whole abstract set of trajectories can be discarded or prioritized. Standard STL semantics are expressed through nested 4 and 5:
6
7
8
For until,
9
To encode these operators inside a DeepBern network, RampoNN replaces the nondifferentiable absolute value with its Bernstein approximation on 0,
1
and defines
2
These layers form STL2NN, whose output is a robustness interval over a reachable state sequence (Tsujio et al., 20 Nov 2025).
For each prefix 3, RampoNN computes a robustness interval and inflates it by the plant-model error:
4
The classification rule is simple: SAFE if 5, UNSAFE if 6, and UNCERTAIN if 7. SAFE and UNSAFE subtrees are pruned entirely, while UNCERTAIN prefixes are ranked by violation potential and passed to the falsifier (Tsujio et al., 20 Nov 2025).
The falsification stage then solves a constrained search problem over initial states and perturbations consistent with a chosen cyber trajectory. The paper emphasizes that pruning is sound but the overall method is not complete: if the falsifier fails to find a counterexample within an uncertain region, safety is not thereby proved (Tsujio et al., 20 Nov 2025).
5. Empirical evaluation and comparative results
The framework was evaluated on two systems: a PLC-controlled water tank and a switched PID controller for an automotive engine. The water tank has a one-state plant and a branching controller with four regions; its safety requirement is 8. The engine benchmark is higher-dimensional, with a four-branch switched PID-like controller over RPM, Speed, and Throttle; its safety requirement is 9 (Tsujio et al., 20 Nov 2025).
Before the end-to-end falsification results, the paper reports a direct reachability comparison between DeepBern and ReLU surrogates. For the water tank, a DeepBern-Net 0 of degree 1 achieved MSE 2, reachable-set volume 3, and 4 tightness, whereas a ReLU network 5 had MSE 6, volume 7, and 8 tightness. For the engine, a DeepBern-Net 9 of degree 0 achieved volume 1 with 2 tightness, while a ReLU 3 reached volume 4 with 5 tightness; larger ReLU models inflated to 6–7 in volume with tightness up to 8 (Tsujio et al., 20 Nov 2025).
| System | Safety specification | Reported outcome |
|---|---|---|
| PLC-controlled water tank | 9 | Used to evaluate tightness and falsification acceleration |
| Switched PID automotive engine | 0 | Used to evaluate deep-nested vulnerability discovery |
End to end, RampoNN accelerated vulnerability discovery by up to 1 relative to the reported baselines, scaled to horizon 2 where unguided falsifiers timed out, and uniquely found deep-nested vulnerabilities in the engine at 3 (Tsujio et al., 20 Nov 2025). In an iterative remediation study on the engine, it found a critical violation in a simple PID version in 4 minutes, found a subtler transition-logic violation in a revised version in 5 minutes, and on the final version analyzed the entire abstract cyber tree, pruned everything as SAFE via reachability, after which the falsifier confirmed no remaining violations (Tsujio et al., 20 Nov 2025).
The reported implementation used Python with angr for code-path extraction, Z3 for path-range optimization, DeepBern-Nets for DynamicsNN and STL2NN, and S-TaLiRo as the falsifier, running on Ubuntu 20.04.6 with dual Intel Xeon E5-2650 v4 CPUs, 256 GB RAM, and 6 NVIDIA RTX 2080 Ti GPUs (Tsujio et al., 20 Nov 2025).
6. Assumptions, limitations, and terminological ambiguity
RampoNN assumes a discrete-time plant model with a known uniform error bound 7, a controller program that can be decomposed into disjoint SMT-solvable paths, bounded-horizon STL specifications, and box-shaped input sets. Its pruning effectiveness depends on the tightness of the DeepBern reachability bounds. If these become conservative, many prefixes remain UNCERTAIN and the search degenerates toward ordinary falsification. The paper also notes that model mismatch beyond 8 risks unsound SAFE classifications, so robustness intervals are explicitly inflated by 9; low polynomial degree can likewise degrade tightness, with adaptive subdivision and higher degree offered as mitigations (Tsujio et al., 20 Nov 2025).
A common source of confusion is the name itself. In the arXiv record, “RampoNN” officially denotes the CPS falsification framework described above (Tsujio et al., 20 Nov 2025). Other nearby names refer to different topics. “Machine learning-based Raman amplifier design” uses a multi-layer neural network to predict pump powers and wavelengths from target Raman gain profiles, but the supplied source does not confirm an official method named “RampoNN” (Zibar et al., 2018). The analog in-memory computing paper on ramp-ADC-based nonlinear activation names its mechanism “NL-ADC” rather than RampoNN, even though it is described as conceptually aligned with a ramp-based nonlinear neuron (Yang et al., 2024). “RAMP-CNN” is an automotive radar recognition model operating on range-velocity-angle heatmap sequences (Gao et al., 2020), and “Neuro-RAM” is a spiking-network indexing module for similarity testing and compression (Lynch et al., 2017).
Within CPS research, the significance of RampoNN lies in its synthesis of program analysis, set-based neural reachability, STL robustness, and falsification guidance. This suggests a methodological niche between pure falsification and full formal verification: it does not attempt exhaustive proof of safety for arbitrary code and dynamics, yet it uses formal over-approximation aggressively enough to discard large parts of the search space before optimization-based counterexample generation begins.