Artificial Intelligence Methods for Detection and Handling of Software Behavior Anomalies. Chris Simpkins, Georgia Tech Research Institute, http://www.cc.gatech.edu/~simpkins/

GTRI_B-1

Artificial Intelligence Methods for Detection and Handling of

Software Behavior Anomalies

Chris Simpkins

Georgia Tech Research Institute

http://www.cc.gatech.edu/~simpkins/

GTRI_B-2

Key Problem #1: Self-Aware Software

• For the Application Communities vision to work, software must “know” when something is wrong

• Formally, software systems (or wrappers/monitors) must implement the function

• F({features}+, g(t)) -> normal/abnormal operation

• Features can be disk I/O, system calls, etc.

• g(t) is some characterization of the features with respect to some time-slicing

• {features}+, g, and t are optimizable model parameters

• F is a learnable (approximable) function.
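As an added illustration of the F({features}+, g(t)) formulation on this slide (example code, not from the talk): g(t) buckets a system-call trace into fixed time windows, a baseline of per-window call frequencies is learned from a known-good trace, and F flags any window whose profile drifts beyond a z-score threshold, including calls the baseline never produced. The traces, window size, threshold and min_std floor are constructed assumptions.

```python
from collections import Counter
from math import sqrt

WINDOW = 1.0          # seconds per time slice: the "t" in g(t) (assumed)
UNSEEN = "<unseen>"   # bucket for syscalls the baseline never produced

def synth_window(k, counts, window=WINDOW):
    """Constructed test data: spread `counts` syscalls evenly over window k."""
    calls = [c for c, n in counts.items() for _ in range(n)]
    return [(k * window + i * window / len(calls), c) for i, c in enumerate(calls)]

def time_slice(trace, window=WINDOW):
    """g(t): bucket (timestamp, syscall) events into per-window call counters."""
    buckets = {}
    for t, call in trace:
        buckets.setdefault(int(t // window), Counter())[call] += 1
    return [buckets[k] for k in sorted(buckets)]

def featurize(counter, names):
    """Relative frequency of each known syscall; unknown ones fold into UNSEEN."""
    total = sum(counter.values()) or 1
    vec = [counter[n] / total for n in names]
    vec.append(sum(v for c, v in counter.items() if c not in names) / total)
    return vec

def fit_baseline(normal_trace, window=WINDOW):
    """Learn per-feature mean and std of frequencies from known-good windows."""
    slices = time_slice(normal_trace, window)
    names = sorted({c for s in slices for c in s})
    vecs = [featurize(s, names) for s in slices]
    dim, n = len(vecs[0]), len(vecs)
    mean = [sum(v[i] for v in vecs) / n for i in range(dim)]
    std = [sqrt(sum((v[i] - mean[i]) ** 2 for v in vecs) / n) for i in range(dim)]
    return {"names": names, "mean": mean, "std": std}

def F(counter, model, threshold=3.0, min_std=0.02):
    """F({features}+, g(t)) for one window: max z-score against the baseline.
    min_std keeps a near-constant feature from being infinitely sensitive while
    still flagging syscalls the baseline never made (mean 0, std 0)."""
    vec = featurize(counter, model["names"])
    score = max(abs(v - m) / max(s, min_std)
                for v, m, s in zip(vec, model["mean"], model["std"]))
    return ("abnormal" if score > threshold else "normal"), score

def classify_trace(trace, model, window=WINDOW):
    return [F(s, model) for s in time_slice(trace, window)]

# Constructed traces: a read/write service, then a window with a burst of
# execve/connect calls that never appeared in training.
NORMAL_TRACE = (synth_window(0, {"read": 4, "write": 2, "open": 1})
                + synth_window(1, {"read": 5, "write": 2, "open": 1})
                + synth_window(2, {"read": 4, "write": 3, "open": 1}))
TEST_TRACE = (synth_window(0, {"read": 4, "write": 2, "open": 1})
              + synth_window(1, {"read": 2, "write": 1, "execve": 3, "connect": 2}))

if __name__ == "__main__":
    model = fit_baseline(NORMAL_TRACE)
    for k, (verdict, score) in enumerate(classify_trace(TEST_TRACE, model)):
        print(f"window {k}: {verdict} (score {score:.2f})")
```

Window 0 scores below 1 and is reported normal; window 1 is reported abnormal because its unseen-syscall share alone is far beyond the threshold.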

GTRI_B-3

Solving the Self-Aware Software Problem

• Solution: Create intelligent agents that can monitor software behavior, learn patterns in behavior, and use this knowledge to diagnose and solve problems

• Georgia Tech researchers solve similar problems in other domains:

• Mutual Information Maximizing Input Clustering (MIMIC) and genetic algorithms for antenna design, neural network optimization (Isbell, Simpkins, Maloney, Kemper, Markle, Bueno)

• Continuous case-based reasoning for robotic navigation, equipment condition monitoring (Ram)

• Machine learning techniques to identify software execution phases in time-series data (Ozakin)

GTRI_B-4

Key Problem #2: Multiple Instances of Vulnerable Software

• There are many instances of the same software running on multiple computers

• They can fail or be attacked individually, collectively, or in any combination

• Recognizing an attack may require collective knowledge of many/all software instances

GTRI_B-5

Solving the Multiple Instances Problem

• Solution: Create multi-agent systems of intelligent, self-aware software agents which collaborate to create shared situation awareness and offer more options for dealing with problems.

• Georgia Tech researchers solve similar problems in other domains:

• Adaptive network intrusion detection using distributed data mining (Lee)

• Social intelligence in large scale multi-agent systems: ant and bee behavior modeling (Balch, Dellaert)

• RoboCup robotic soccer dogs (Balch)

GTRI_B-6

AI Needed to Make Application Communities Work

• Key Problem #1: Making Software Self-Aware

• Solution: Intelligent agents employing machine learning to detect anomalies

• Key Problem #2: Multiple Copies

• Solution: Compose self-aware software into collaborative multi-agent systems

• Georgia Tech has solved these AI problems in other domains and can solve them for Application Communities (AC)

GTRI_B-7

More Information

• Georgia Tech College of Computing

• http://www.cc.gatech.edu/

• Georgia Tech Information Security Center

• http://www.gtisc.gatech.edu/

• Cognitive Computing Lab

• http://www.ccl.cc.gatech.edu/

• BORG Lab

• http://borg.cc.gatech.edu/