GTRI_B-1

ArtificiaI Intelligence Methods for Detection and Handling of

Software Behavior Anomalies

Chris Simpkins

Georgia Tech Research Institute

http://www.cc.gatech.edu/~simpkins/

GTRI_B-2

Key Problem #1: Self-Aware Software

• For Applications Community vision to work, software must “know” when something is wrong

• Formally, software systems (or wrappers/monitors) must implement the function

• F({features}+,g(t)) -> normal/abnormal operation

• Features can be disk I/O, system calls, etc

• g(t) is some characterization of the features with respect to some time-slicing

• {features}+, g, and t are optimizable model parameters

• F is a learnable (approximatable) function.

GTRI_B-3

Solving the Self-Aware Software Problem

• Solution: Create intelligent agents that can monitor software behavior, learn patterns in behavior, and use this knowledge to diagnose and solve problems

• Georgia Tech researchers solve similar problems in other domains:

• Mutual Information Maximizing Input Clustering (MIMIC) and genetic algorithms for antenna design, neural network optimization (Isbell, Simpkins, Maloney, Kemper, Markle, Bueno)

• Continuous case-based reasoning for robotic navigation, equipment condition monitoring (Ram)

• Machine learning techniques to identify software execution phases in time-series data (Ozakin)

GTRI_B-4

Key Problem #2: Multiple Instances of Vulnerable Software

• There are many instances of the same software running on multiple computers

• They can fail or be attacked individually, collectively, or in any combination

• Recognizing an attack may require collective knowledge of many/all software instances

GTRI_B-5

Solving the Multiple Instances Problem

• Solution: Create multi-agent systems of intelligent, self-aware software agents which collaborate to create shared situation awareness and offer more options for dealing with problems.

• Georgia Tech researchers solve similar problems in other domains:

• Adaptive network intrusion detection using distributed data mining (Lee)

• Social intelligence in large scale multi-agent systems: ant and bee behavior modeling (Balch, Dellaert)

• RoboCup robotic soccer dogs (Balch)

GTRI_B-6

AI Needed to Make Application Communities Work

• Key Problem #1: Making Software Self-Aware

• Solution: Intelligent agents employing machine learning to detect anomalies

• Key Problem #2: Multiple Copies

• Solution: Compose self-aware software into collaborative multi-agent systems

• Georgia Tech has solved these AI problems in other domains, can solve them for AC

GTRI_B-7

More Information

• Georgia Tech College of Computing

• http://www.cc.gatech.edu/

• Georgia Tech Information Security Center

• http://www.gtisc.gatech.edu/

• Cognitive Computing Lab

• http://www.ccl.cc.gatech.edu/

• BORG Lab

• http://borg.cc.gatech.edu/