
RSRS Architecture Study Doug Blough and Calton Pu CERCS/Georgia Tech.

Date post: 31-Dec-2015
RSRS Architecture Study

Doug Blough and Calton Pu

CERCS/Georgia Tech


Study Outline

Part 1: Architectural Analysis and SRS Evaluation

1. Develop high-level architecture concept

2. Study existing projects and evaluate how they fit with architecture

3. Evaluate program strengths/weaknesses vis-a-vis architecture

Part 2: Moving Forward

4. Develop more concrete architecture

5. Apply architecture to system examples and an application scenario


Part 1: Architectural Analysis and Evaluation of SRS Projects


RSRS Architecture

[Figure: RSRS architecture diagram. Labels: Biologically-Inspired Diversity Tools (BID); Cognitive Immunity and Regeneration Environment (Monitor, Learning, Actuator); Reasoning About Insider Threats; Applications; Granular, Scalable, Redundant Data and Communication (GSR); Attacks]


RSRS Architecture applied to Cognitive Area

[Figure: RSRS architecture diagram with the cognitive area highlighted. Labels: Biologically-Inspired Diversity Tools (BID); Cognitive Immunity and Regeneration Environment (Monitor, Learning, Actuator); Applications; Granular, Scalable, Redundant Data and Communications (GSR); Attacks]

Comparison of Cognitive Projects

[Figure: side-by-side diagrams of the cognitive projects AWDRAT, Model-based Executive, Cortex and Learn/Repair. Recoverable labels: variable observ.; data repair; constraints; differencer; restoration; model-based; observe; react; compare; State estimate; Mission-aware response; statistical learning; System models; Learning model; Taster DBs; Master DB; query]


Summary of Cognitive Projects

• 3 of 4 projects employ model-based approaches (Model-Based, AWDRAT, Cortex)

• Model-based approaches are well-suited for embedded systems, e.g. autonomous vehicles, or single applications, e.g. SQL

• Cognitive approaches still need to be developed and proven for large complex systems

• Learn/Repair is developing self-regenerative techniques that can be applied inside a program


RSRS Architecture applied to Diversity Area

[Figure: Biologically-Inspired Diversity Tools diagram. Labels: Attack description; Create Variants; Test Variants; Feedback; Attack-resistant variants; Cognitive Immunity and Self-Healing]

• Monitoring: After the variants are created, their resistance to attacks is evaluated

• Learning-Based Diagnosis: The winning variants are stored in a KED, while the losing variants are marked as such or discarded

• Regenerative Actuation: The winning variants are used to increase system robustness by replacing vulnerable components, possibly by a Cognitive component or system


Comparison of Diversity Projects

Genesis creates variants at multiple levels: compilation, linking, loading, run-time

[Figure labels: Attack description; Create Variants; Test Variants; Attack-resistant variants; Cognitive Immunity and Self-Healing]

Dawson creates variants from binary for Windows platforms

[Figure labels: Attack description; Create Variants; Test Variants; Attack-resistant variants; Cognitive Immunity and Self-Healing]


Summary of Diversity Projects

• Genesis generates program variants from source using techniques such as Calling Sequence Diversity and Instruction Set Randomization

• DAWSON generates program variants from binary for the Windows environment using techniques such as variable location (stack/heap) randomization and address (DLL/IAT) randomization


RSRS Architecture applied to Redundancy Area

[Figure: RSRS architecture diagram with the redundancy (GSR) area highlighted. Labels: Sensors, Monitors & Sources; Biologically-Inspired Diversity Tools; Reasoning About Insider Threats; Applications; Cognitive Immunity and Self-Healing; Event Dissemination and Processing: QuickSilver/Cayuga; GSR Communications: QuickSilver/Ricochet; GSR Object/Data Mgmt: SAIIA, IITSR]


Summary of Redundancy Area

• Steward (SAIIA) provides intrusion-tolerant objects over wide-area networks

• IITSR focuses on Byzantine-tolerant data/object replication

• QuickSilver considers scalable and reliable mechanisms, e.g. group multicast and event dissemination

• Projects are primarily focused on performance (as called for in BAA) but do not investigate internal self-regeneration or reconfiguration (static fault tolerance is provided, in general)

• Opportunities exist to extend existing projects to provide self-regenerative redundant components, which could provide building blocks for larger self-regenerative systems, e.g. a self-regenerative replicated data store or self-regenerative objects

• Scalable event dissemination and processing is critical for RSRS architecture


RSRS Architecture applied to Insider Area

[Figure: Reasoning About Insider Threats diagram. Labels: Monitor activities; Control operator scope; Learn/refine model; Cognitive Immunity and Self-Healing]


Comparison of Insider Projects

[Figure, PMOP panel. Labels: Potential action; behavior monitor; operating model; assess harm/intent; Normal/error; Danger/Malicious; Send harmful action for remediation; Cognitive Immunity and Self-Healing]

[Figure, High Dimensional Search/Monitoring panel. Labels: sensor net; HD search engine; repository; Response engine; Restrict privileges; Refine Model; Cognitive Immunity and Self-Healing]


Summary of Insider Area

• PMOP uses a model-based approach

• HDSM uses a model-based approach to represent insider knowledge acquisition and high-dimensional search techniques for identifying suspicious activity from large sensor network output

• High-dimensional search is a candidate for learning-based diagnosis for large complex systems


Summary of Findings

• All SRS program areas fit well within RSRS architecture concept

• More work is needed on cognitive approaches for large complex systems

• Examples of critical technologies for RSRS: scalable and reliable event dissemination/processing, high-dimensional search, biodiversity generators

• Opportunities exist to develop self-regenerative building-block components from some of the SRS technologies


Part 2: Moving Forward


RSRS Structural Architecture for Complex System

[Figure: structural architecture diagram. Labels: Event Disseminator; Cognitive/Reflective System Manager; Control Plane; System Status Info; SRS Commands; Application Group; Software Components; M, L, A blocks; D (Detectors, e.g. IDS and Failure Detectors); Network of Virtual Sensors; Multicast; Self-regenerative Data Store (optional); High-dimensional search]


RSRS Structural Architecture for System of Systems

[Figure: system-of-systems diagram. Labels: Global Event Disseminator; Centralized Event Analyzer (optional); M, L, A blocks]


Military Data/Operations/Command Center


DCGS Global C4ISR Enterprise


Time-Critical Targeting (TCT)

• Executed within Air Operations Centers

• Time-sensitive target with limited window of opportunity

• Tasks: find, fix, track, target, engage, and assess

• Applications: intelligence preparation, terrain analysis, target development/nomination, weapon-target pairing


RSRS Scenario with TCT and DCGS

1. TCT tasks are underway when a non-critical display application reports a data structure corruption event; the data structure is automatically repaired and the application continues; a few minutes later, another corruption is reported and repaired, although the application is forced to display at a lower resolution

2. The RSRS cognitive/reflective component queries DCGS event streams for recent reports and notes that a larger-than-expected number of workstation crashes have occurred over the last 15-minute period

3. The cognitive/reflective component then receives a report of errors from a replica, which is running a critical TCT task and is hosted on the same workstation as the display application


RSRS Scenario, continued

4. A short time later, the workstation hosting the replica and display application crashes

5. Critical applications use reconfigurable objects, so the system automatically starts a new replica on another workstation

6. The RSRS high-dimensional search module is activated to analyze recent log and other event data within the Operations Center

7. The search reveals unusual activity on the Operations Center gateway and a connection from the gateway to the crashed machine via a rarely-used port shortly before data corruption began


RSRS Scenario, continued

7. The cognitive/reflective component also notes that the application using the port is on the list of applications that interact with the display application

8. The RSRS actuator takes the following actions:

• It disseminates its analysis results (suspected application and port) to all other data/command/operations centers via DCGS

• It temporarily disconnects the Operations Center from DCGS and shuts down the gateway

• It reboots the failed workstation and disables the suspected application and port on all workstations


RSRS Scenario, continued

9. Another data center, after seeing the Operations Center report, is able to capture and analyze the attack

10. The attack info is then used by a bio-diversity generator to create a resistant variant of the targeted application, which it distributes to other centers via DCGS

11. Once the TCT operation is completed, RSRS reconnects the Operations Center to DCGS, receives and installs the new variant on all machines, and reopens the closed ports
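
The monitoring and correlation in scenario steps 2 and 7, as an added example that is not from the slides or from any SRS project: a simple frequency-based correlation stands in for the high-dimensional search module. The event schema, host names, port number and all thresholds are assumptions, and the events are constructed.

```python
from collections import Counter

WINDOW = 15 * 60        # step 2: crashes over the last 15-minute period
EXPECTED_CRASHES = 1    # assumed baseline number of crashes per window
LOOKBACK = 10 * 60      # assumed meaning of "shortly before" corruption began
RARE_MAX = 1            # assumed: a port seen at most once counts as rarely used

# Constructed events (t = seconds since the operation started); not real data.
EVENTS = [
    {"t": 100,  "type": "conn", "src": "ws-03", "dst": "ws-07", "port": 443},
    {"t": 160,  "type": "conn", "src": "ws-05", "dst": "ws-07", "port": 443},
    {"t": 400,  "type": "conn", "src": "gateway", "dst": "ws-02", "port": 443},
    {"t": 1000, "type": "conn", "src": "gateway", "dst": "ws-07", "port": 6112},
    {"t": 1200, "type": "corruption", "host": "ws-07", "app": "display"},
    {"t": 1500, "type": "corruption", "host": "ws-07", "app": "display"},
    {"t": 1700, "type": "crash", "host": "ws-11"},
    {"t": 1800, "type": "replica_error", "host": "ws-07", "app": "tct-task"},
    {"t": 1900, "type": "crash", "host": "ws-07"},
]

def crash_anomaly(events, now):
    """Step 2: are there more crashes in the last window than expected?"""
    recent = [e for e in events if e["type"] == "crash" and now - WINDOW <= e["t"] <= now]
    return len(recent) > EXPECTED_CRASHES, [e["host"] for e in recent]

def rare_port_leads(events, host):
    """Step 7: connections to host on rarely used ports shortly before its first corruption."""
    onset = min((e["t"] for e in events if e["type"] == "corruption" and e["host"] == host),
                default=None)
    if onset is None:
        return []       # no corruption reported, so there is no onset to search before
    port_use = Counter(e["port"] for e in events if e["type"] == "conn")
    return [(e["src"], e["port"]) for e in events
            if e["type"] == "conn" and e["dst"] == host
            and onset - LOOKBACK <= e["t"] < onset and port_use[e["port"]] <= RARE_MAX]

def triage(events, now):
    """Run the rare-port search only for hosts that crashed during a crash spike."""
    anomalous, crashed = crash_anomaly(events, now)
    if not anomalous:
        return {}
    return {h: rare_port_leads(events, h) for h in crashed}

if __name__ == "__main__":
    print(triage(EVENTS, now=2000))
```

The lead returned for the crashed workstation (source and port) is the kind of result the actuator in step 8 would disseminate and act on.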


Use of SRS Technologies in RSRS

• Learn/Repair: self-regeneration within software components, monitoring and event generation

• Cognitive model-based approaches: self-regeneration within embedded systems, e.g. UAVs, or single applications

• Cortex: self-regenerating databases

• Dawson, Genesis: generation of resistant software variants


Use of SRS Technologies in RSRS

• HDSM: Analysis of event streams containing diverse event types and widely varying granularities and time scales

• SAIIA: object replication, reconfigurable and/or self-regenerating objects?

• IITSR: data replication, reconfigurable and/or self-regenerating data stores?

• QuickSilver: robust communication within the data center; event dissemination and filtering within the data center and across enterprise


RSRS Architecture - Next Steps

• Integrate SRS technologies

• Architect cognitive reflective component

• Study how existing systems can be integrated with RSRS architecture, e.g. using wrappers and external monitors

• Apply RSRS to complex system and demonstrate successful self-regeneration in scenario like TCT or alternative

