Online behavior classification for anomaly detection in self-x real-time systems

Autonomous adaptation in self-adapting embedded real-time systems introduces novel risks as it may lead to unforeseen system behavior. An anomaly detection framework integrated in a real-time operating system can ease the identification of such suspicious novel behavior and, thereby, offers the potential to enhance the reliability of the considered self-x system. However, anomaly detection is based on knowledge about normal behavior. When dealing with self-reconfiguring applications, normal behavior changes. Hence, knowledge base requires adaptation or even re-construction at runtime. The stringent restrictions of real-time systems considering runtime and memory consumption make this task to a really challenging problem. We present our idea for online construction of application behavior knowledge that does not rely on training phase. The applications' behavior is defined by the application's system call invocations. For the knowledge base, we exploit suffix trees as they offer potentials to represent application behavior patterns and associated information in a compact manner. The online algorithm provided by suffix trees is a basis to construct the knowledge base with low computational effort. Anomaly detection and classification is integrated into the online construction method. New behavioral patterns do not unconditionally update the behavior knowledge base. They are evaluated in a context-related manner inspired by Danger Theory, a special discipline of artificial immune systems. Copyright © 2015 John Wiley & Sons, Ltd.