Using AI to Detect Software Behavior Anomalies and Deal With Them

Artificial Intelligence Methods for Detection and Handling of Software Behavior Anomalies
Chris Simpkins
Georgia Tech Research Institute
http://www.cc.gatech.edu/~simpkins/
GTRI_B-‹#›
Key Problem #1: Self-Aware Software
• For the Applications Community vision to work, software must "know" when something is wrong
• Formally, software systems (or wrappers/monitors) must implement the function F({features}+, g(t)) -> normal/abnormal operation
  • Features can be disk I/O, system calls, etc.
  • g(t) is some characterization of the features with respect to some time-slicing
  • {features}+, g, and t are optimizable model parameters
  • F is a learnable (approximatable) function.
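As an added illustration (not from the slides), here is a minimal realization of F({features}+, g(t)): g aggregates per-second feature counts into fixed windows, F is learned as a per-feature mean and spread from normal-operation observations, and a window is flagged abnormal when any feature drifts beyond a z-score threshold. The feature names, sample counts and threshold are constructed for the example.

```python
"""Added example: F({features}+, g(t)) -> normal/abnormal as a per-window
statistical model. All values below are constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed per-second observations of two features from one process.
FEATURES = ("syscalls", "disk_io_kb")
BASELINE = [
    (120, 40), (118, 42), (125, 38), (122, 45), (119, 41),
    (121, 39), (124, 44), (117, 40), (123, 43), (120, 42),
]


def g(samples, window):
    """Time-slicing characterization: average each feature over fixed windows.
    Trailing samples that do not fill a whole window are dropped."""
    out = []
    for i in range(0, len(samples) - window + 1, window):
        chunk = samples[i:i + window]
        out.append(tuple(mean(c[j] for c in chunk) for j in range(len(FEATURES))))
    return out


@dataclass
class Model:
    mu: tuple        # per-feature mean under normal operation
    sigma: tuple     # per-feature population std-dev (floored to avoid /0)
    threshold: float  # z-score above which a window is flagged


def learn(samples, window=2, threshold=3.0):
    """Fit F's parameters from observations known to be normal operation."""
    cols = list(zip(*g(samples, window)))
    return Model(tuple(mean(c) for c in cols),
                 tuple(max(pstdev(c), 1e-9) for c in cols), threshold)


def F(model, window_vec):
    """Classify one characterized window; any feature past threshold is abnormal."""
    zs = [abs(x - m) / s for x, m, s in zip(window_vec, model.mu, model.sigma)]
    return "abnormal" if max(zs) > model.threshold else "normal"


def classify(model, samples, window=2):
    """Apply g then F to a stream of new observations."""
    return [F(model, w) for w in g(samples, window)]


if __name__ == "__main__":
    m = learn(BASELINE)
    print(classify(m, [(121, 41), (119, 42), (900, 40), (950, 41)]))
```

A per-process monitor would refit the model periodically and treat a run of "abnormal" windows, rather than a single one, as the trigger for diagnosis.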
Solving the Self-Aware Software Problem
• Solution: Create intelligent agents that can monitor software behavior, learn patterns in behavior, and use this knowledge to diagnose and solve problems
• Georgia Tech researchers solve similar problems in other domains:
  • Mutual Information Maximizing Input Clustering (MIMIC) and genetic algorithms for antenna design, neural network optimization (Isbell, Simpkins, Maloney, Kemper, Markle, Bueno)
  • Continuous case-based reasoning for robotic navigation, equipment condition monitoring (Ram)
  • Machine learning techniques to identify software execution phases in time-series data (Ozakin)
Key Problem #2: Multiple Instances of Vulnerable Software
• There are many instances of the same software running on multiple computers
• They can fail or be attacked individually, collectively, or in any combination
• Recognizing an attack may require collective knowledge of many/all software instances
Solving the Multiple Instances Problem
• Solution: Create multi-agent systems of intelligent, self-aware software agents which collaborate to create shared situation awareness and offer more options for dealing with problems.
• Georgia Tech researchers solve similar problems in other domains:
  • Adaptive network intrusion detection using distributed data mining (Lee)
  • Social intelligence in large scale multi-agent systems: ant and bee behavior modeling (Balch, Dellaert)
  • RoboCup robotic soccer dogs (Balch)
AI Needed to Make Application Communities Work
• Key Problem #1: Making Software Self-Aware
  • Solution: Intelligent agents employing machine learning to detect anomalies
• Key Problem #2: Multiple Copies
  • Solution: Compose self-aware software into collaborative multi-agent systems
• Georgia Tech has solved these AI problems in other domains and can solve them for Application Communities (AC)
More Information
• Georgia Tech College of Computing: http://www.cc.gatech.edu/
• Georgia Tech Information Security Center: http://www.gtisc.gatech.edu/
• Cognitive Computing Lab: http://www.ccl.cc.gatech.edu/
• BORG Lab: http://borg.cc.gatech.edu/