Download presentation
Presentation is loading. Please wait.
Published byHelen Martin Modified over 9 years ago
1
SRS Common Architecture Bob Balzer Neil Goldman Dave Wile Teknowledge Corp.
2
Defense In Depth –Outer Prevention Layer: Block most attacks Prevention SRS Integration Architecture Proactive Prevention Reactive Prevention –Inner Regenerative Layer: Repair (and prevent) unblocked attacks Self-Regeneration Recovery Health Monitoring Diagnosis Memory Layout Diversity, Network Filter, Scalable Redundant Storage, Robust Scalable Comm. Software Dynamic Translation, Generated Network Filter, Dynamic Method Dispatch Component Diagnosis, Attack Recognition, Malicious Intent Determiner Corruption Extent Determiner, Reconstitution Planner Architecture Diffferencer, Harm Detector Sensor Repair
3
Technical Goals Include as many SRS program elements as possible Minimal intrusion into existing tools, primarily –by announcing system status incrementally –And dynamically responding to other tools’ results Integrate capabilities for seamless interoperation Stimulate the production of new capabilities to further integration goals
4
Project Abbreviations AWDRAT: MIT: Shrobe and Teknowledge:Balzer Cortex: Honeywell: Musliner Daikon: MIT: Ernst and Rinard Dawson: Global Infotek: Just JHU: Johns Hopkins U.: Amir and Purdue U.: Nita-Rotaru MBE (model-based executive): MIT: Williams and Sullivan PMOP: Teknowledge: Balzer and MIT: Shrobe SensorNet: Telcordia: Van Den Berg and Rutgers: Rajagopalan Strata (Genesis): UVA: Knight, Davidson, Evans, Nguyen-Tuong and CMU: Wang
5
SRS Component Shared System Architecture Announce and analyze system status Dawson PMOP JHU DaikonSensorNet Strata MBE Cortex AWDRAT Choose response Effect response
6
Technical Approach Parallel monitoring and analysis by SRS components of a single target system Components communicate via a global blackboard Blackboard organized by a shared ontology for describing system and heartbeat states Subscriptions provide access to others’ sensors, analysis, and response choice
7
SRS Organizational Architecture Cortex Pervasive Self-Regeneration Learning&Repair AWDRAT PMOPSensorNet GenesysDawson
8
Overview of Potential Scenarios Setup Install Learning Harness (Cortex, Daikon, MBE, PMOP) Determine Method / Class Equivalents (PMOP, Strata) Install Wrappers and Obfuscate DLLs (AWDRAT, Dawson, PMOP) Data Error (Daikon) Program Error (AWDRAT, Cortex, Dawson, JHU, MBE, Strata) Operator Induced Error (PMOP, SensorNet) Detect Heartbeat (Cortex) Attack Indicator (Dawson) Collateral Damage Assessment (AWDRAT, Daikon, JHU, MBE) Trust and Risk (AWDRAT, Cortex, MBE, PMOP, SensorNet) Analyze Assess Learning Data (Cortex, Daikon, MBE, PMOP) Data Error: Data Repair (Daikon) Restore Data / DB (Cortex) Operator Induced Error: Automated surrogate or backup operator Omit the affected component Propose Repair Program Error: Execute a component in the virtual machine (Strata) Select from method alternatives & regenerate from scratch (AWDRAT, Dawson, MBE) Select from method alternatives & backtrack (JHU)
9
Scenarios Continued Choose Repair (New Work to choose among additional proposed repairs) Data Error: Data Repair (Daikon) Restore Compromised DB (Cortex) Program Error: Execute a component in the virtual machine (Strata) Select from method alternatives & regenerate from scratch (AWDRAT, Dawson, MBE) Select from method alternatives & backtrack (JHU) Make Repair Operator Induced Error: Prevent bad effects (PMOP, SensorNet) Ignore or encapsulate the error (New Work)
10
Blackboard Organization Blackboard layers correspond to scenario layers S (setup) D (detect) A (analyze) PR (propose repair) CR (choose repair) MR (make repair
11
Messages Passed Setup and Status SRS Agents –S:Environment attribute or input A has value V –S:Program mode for Sys is M –S:System components for Sys are { c i } –S:Variants for CID are { c i } S:Variant generator for CID is SRSAgent [ mode, CID] –S:Checkpoint Sys in D –S:GUI checkpoint E in D Detection SRS Agents –D:Program Sys had fault F at L in c i [where L is contained in Sys] (Fault is supertype of DataError, OperatorInducedError, ProgramError) –D:Missed heartbeat Sys at time T fault F –D:Attack of Sys indicator I for CID at L in c i Analysis SRS Agents –A:Program Sys has vulnerability V at L { to risk R } –A:Program Sys has collateral damage V at L –A:Component c i would incur risk R with certainty P –A:End of Positive {or Negative} learning example trial for Sys
12
Propose Repair, Choose Repair & Make Repair SRS Agents – Same messages used in each layer for different purposes: –Detectors and analyzers populate PR layer with these assertions (see following Messages). –Choose Repair agent asserts these same facts into CR, triggering repair. –Effectors assert these facts into MR to indicate repair completion. Messages –[layer] :Replay component c i from checkpoint D in history H –[layer] :Substitute c i in Sys at L [used for Data repair, database substitution, and program regeneration] –[layer] :Remove component c i in Sys at L –[layer] :Revert Sys to checkpoint D in history H Messages Passed
13
Ontology for Blackboard All blackboard objects part of ontologically described database Historical and Metadata – facts as objects –May need special assertions –And special queries
14
Ontology Demo
16
Blackboard Design Issues System representation –Identity –Versions (especially with learning) –Historical data –Specific types Programs GUI actions States Environment Control Modes Conflict resolution Control resolution –Metadata –Layered blackboard –Agent relationships Activities and Results to be communicated among SRS agents
17
Traditional Conflict Resolution Solutions “First” rule by some criterion Highest “priority” rule Most “specific” rule Rule that refers to the element most “recently” added New rule Arbitrary All rules in parallel Compartmentalized knowledge
18
Race Conditions Blackboards lose their elegance when agents cannot freely access them, e.g. when agents don’t know whether to wait for more information to arrive. –E.g. Good: agents A and B both analyze message M and report their results independently –E.g. Bad: agents A, B, and C all analyze message M but B and C need A to have “passed” message M before they can work –Bad solution: B waits for A to “bless” M or “fail M” before proceeding Good solution: when A can respond to M in a blackboard layer not examined by B and C, subsequently asserting M into a blackboard layer that both B and C look at. If they’re all in the same layer, a possible solution is lattice-based access within a layer: –Register B and C as higher in the layer’s lattice relating all agents’ access –When a message M arrives that A is interested in, it is sent to A first. –If A reasserts M, both B and C can act on it. Otherwise, it has been “consumed” and must be removed from the blackboard. –Multiple, simultaneous messages: prefer complex message groups to simpler ones. Use to introduce fault analyzers and repair choice between layers. BC A
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.