SRS Common Architecture

1
SRS Common Architecture

• Bob Balzer
• Neil Goldman
• Dave Wile
• Teknowledge Corp.

2
SRS Integration Architecture
Component Diagnosis, Attack Recognition,
Malicious Intent Determiner
Architecture Diffferencer, Harm Detector
Corruption Extent Determiner, Reconstitution
Planner
Software Dynamic Translation, Generated Network
Filter, Dynamic Method Dispatch
Memory Layout Diversity, Network Filter, Scalable
Redundant Storage, Robust Scalable Comm.
3
Technical Goals

• Include as many SRS program elements as possible
• Minimal intrusion into existing tools, primarily
• by announcing system status incrementally
• And dynamically responding to other tools
  results
• Integrate capabilities for seamless
  interoperation
• Stimulate the production of new capabilities to
  further integration goals

4
Project Abbreviations

• AWDRAT MIT Shrobe and TeknowledgeBalzer
• Cortex Honeywell Musliner
• Daikon MIT Ernst and Rinard
• Dawson Global Infotek Just
• JHU Johns Hopkins U. Amir and Purdue U.
  Nita-Rotaru
• MBE (model-based executive) MIT Williams and
  Sullivan
• PMOP Teknowledge Balzer and MIT Shrobe
• SensorNet Telcordia Van Den Berg and Rutgers
  Rajagopalan
• Strata (Genesis) UVA Knight, Davidson, Evans,
  Nguyen-Tuong and CMU Wang

5
Shared System Architecture
Announce and analyze system status
6
Technical Approach

• Parallel monitoring and analysis by SRS
  components of a single target system
• Components communicate via a global blackboard
• Blackboard organized by a shared ontology for
  describing system and heartbeat states
• Subscriptions provide access to others sensors,
  analysis, and response choice

7
SRS Organizational Architecture
8
Overview of Potential Scenarios
9
Scenarios Continued

10
Blackboard Organization

• Blackboard layers correspond to scenario layers
• S (setup)
• D (detect)
• A (analyze)
• PR (propose repair)
• CR (choose repair)
• MR (make repair

11
Messages Passed

• Setup and Status SRS Agents
• SEnvironment attribute or input A has value V
• SProgram mode for Sys is M
• SSystem components for Sys are ci
• SVariants for CID are ci
• SVariant generator for CID is SRSAgent ? mode,
  CID
• SCheckpoint Sys in D
• SGUI checkpoint E in D
• Detection SRS Agents
• DProgram Sys had fault F at L in ci where L is
  contained in Sys(Fault is supertype of
  DataError, OperatorInducedError, ProgramError)
• DMissed heartbeat Sys at time T fault F
• DAttack of Sys indicator I for CID at L in ci
• Analysis SRS Agents
• AProgram Sys has vulnerability V at L to risk
  R
• AProgram Sys has collateral damage V at L
• AComponent ci would incur risk R with certainty
  P
• AEnd of Positive or Negative learning example
  trial for Sys

12
Messages Passed

• Propose Repair, Choose Repair Make Repair SRS
  Agents Same messages used in each layer for
  different purposes
• Detectors and analyzers populate PR layer with
  these assertions (see following Messages).
• Choose Repair agent asserts these same facts into
  CR, triggering repair.
• Effectors assert these facts into MR to indicate
  repair completion.
• Messages
• layer Replay component ci from checkpoint D in
  history H
• layer Substitute ci in Sys at L used for
  Data repair, database substitution, and program
  regeneration
• layer Remove component ci in Sys at L
• layer Revert Sys to checkpoint D in history H

13
Ontology for Blackboard

• All blackboard objects part of ontologically
  described database
• Historical and Metadata facts as objects
• May need special assertions
• And special queries

14
OntologyDemo
15
(No Transcript)
16
Blackboard Design Issues

• System representation
• Identity
• Versions (especially with learning)
• Historical data
• Specific types
• Programs
• GUI actions
• States
• Environment
• Control Modes
• Conflict resolution
• Control resolution
• Metadata
• Layered blackboard
• Agent relationships
• Activities and Results to be communicated among
  SRS agents

17
Traditional Conflict Resolution Solutions

• First rule by some criterion
• Highest priority rule
• Most specific rule
• Rule that refers to the element most recently
  added
• New rule
• Arbitrary
• All rules in parallel
• Compartmentalized knowledge

18
Race Conditions

• Blackboards lose their elegance when agents
  cannot freely access them, e.g. when agents dont
  know whether to wait for more information to
  arrive.
• E.g. Good agents A and B both analyze message M
  and report their results independently
• E.g. Bad agents A, B, and C all analyze message
  M but B and C need A to have passed message M
  before they can work
• Bad solution B waits for A to bless M or fail
  M before proceeding
• Good solution when A can respond to M in a
  blackboard layer not examined by B and C,
  subsequently asserting M into a blackboard layer
  that both B and C look at.
• If theyre all in the same layer, a possible
  solution is lattice-based access within a layer
• Register B and C as higher in the layers lattice
  relating all agents access
• When a message M arrives that A is interested in,
  it is sent to A first.
• If A reasserts M, both B and C can act on it.
  Otherwise, it has been consumed and must be
  removed from the blackboard.
• Multiple, simultaneous messages prefer complex
  message groups to simpler ones.
• Use to introduce fault analyzers and
  repairchoice between layers.

B
C
A