DocumentCode :
237205
Title :
Online Behavior Classification for Anomaly Detection in Self-X Real-Time Systems
Author :
Rammig, Franz ; Stahl, Konrad
Author_Institution :
Design of Distrib. Embedded Syst. Res. Group, Univ. of Paderborn, Paderborn, Germany
fYear :
2014
fDate :
10-12 June 2014
Firstpage :
334
Lastpage :
341
Abstract :
Autonomous adaptation in self-adapting embedded real-time systems introduces novel risks as it may lead to unforeseen system behavior. An anomaly detection framework integrated in a real-time operating system can ease the identification of such suspicious novel behavior and, thereby, offers the potential to enhance the reliability of the considered self-x system. However, anomaly detection is based on knowledge about normal behavior. When dealing with self-reconfiguring applications, normal behavior changes so that the knowledge base requires adaptation or even (re-)construction at runtime. The stringent restrictions of real-time systems in terms of runtime and memory consumption assign this task to be a really challenging problem. In this paper, we present our idea for online construction of application behavior knowledge that does not rely on any training phase. The applications' behavior is defined by the application's system call invocations. For the knowledge base, we exploit Suffix Trees as they offer potentials to represent application behavior patterns and their associated information in a compact manner. We apply the online algorithm provided by Suffix Trees as a basis to construct the knowledge base with low computational effort. However, we integrate anomaly detection and classification into the online construction method. We ensure thereby that new behavioral patterns do not unconditionally update the behavior knowledge base, but beforehand, have been evaluated in a context-related manner inspired by Danger Theory, a special discipline of Artificial Immune Systems.
Keywords :
real-time systems; security of data; trees (mathematics); anomaly detection; online behavior classification; self-x real-time systems; suffix trees; Context; Knowledge based systems; Memory management; Operating systems; Real-time systems; Runtime; Training; anomaly detection; artificial immune systems; danger theory; real-time operating systems; suffix trees;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Object/Component/Service-Oriented Real-Time Distributed Computing (ISORC), 2014 IEEE 17th International Symposium on
Conference_Location :
Reno, NV
ISSN :
1555-0885
Type :
conf
DOI :
10.1109/ISORC.2014.24
Filename :
6899168