Data Mining the Memory Access Stream to detect Anomalous Behavior

The HPC4E researcher Francis B. Moreira (UFRGS) presented the talk "Data mining the memory access stream to detect anomalous application behavior" at the ACM International Conference on Computing Frontiers 2017, held in Siena (Italy) from 15 to 17 May 2017. The presentation took place during the session "Trusted Execution", chaired by Davide Ariu.

This conference focuses on a wide spectrum of advanced technologies and radically new solutions relevant to the development of computer systems, and aims to foster communication among scientists and engineers to that end.

Detecting anomalous application executions is a challenging problem, due to the diversity of anomalies that can occur, such as programming bugs, silent data corruption, or even malicious code corruption. Moreover, the similarity to a regular execution that can occur in these cases, especially in silent data corruption, makes distinction from normal executions difficult. In this paper, we develop a mechanism that can detect such anomalous executions based on changes in the memory access pattern of an application. We analyze memory patterns using a two-level machine learning approach. First, we classify the behavior of different memory access periods within applications using Gaussian mixtures. Then, based on these classifications, we construct matrix representations of Markov chains to obtain information regarding the temporal behavior of these memory accesses. Based on metrics of matrix similarity, we can classify whether the application behaves as expected or anomalously. Using gradient boosting on the metrics of matrix similarity, our technique correctly classifies more than 85% of all executions, identifying instances of the same application and different applications. We can also detect a range of faulty executions caused by benign or malicious permanent bit flips in the code section.
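The second stage described in the abstract, as an added example that is not code from the paper or from the HPC4E project: it assumes the Gaussian-mixture stage has already labelled each memory access period with a class index, and it substitutes a fixed distance threshold for the gradient-boosting classifier. The label sequences, the two similarity metrics and the threshold value are constructed for illustration.

```python
import math

def transition_matrix(labels, k):
    """Row-stochastic Markov transition matrix over k period classes."""
    counts = [[0] * k for _ in range(k)]
    for a, b in zip(labels, labels[1:]):
        counts[a][b] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        # A class that is never left keeps an all-zero row.
        matrix.append([c / total if total else 0.0 for c in row])
    return matrix

def similarity_features(p, q):
    """Matrix-similarity metrics that a classifier would take as features."""
    frobenius = math.sqrt(sum((x - y) ** 2
                              for rp, rq in zip(p, q)
                              for x, y in zip(rp, rq)))
    # Largest total-variation distance between corresponding rows.
    max_row_tv = max(0.5 * sum(abs(x - y) for x, y in zip(rp, rq))
                     for rp, rq in zip(p, q))
    return {"frobenius": frobenius, "max_row_tv": max_row_tv}

def is_anomalous(reference, observed, k, threshold=0.5):
    """Assumed stand-in for the trained classifier: threshold one metric."""
    p = transition_matrix(reference, k)
    q = transition_matrix(observed, k)
    return similarity_features(p, q)["frobenius"] > threshold

# Constructed period-class sequences (one label per memory access period).
REFERENCE = [0, 1, 2] * 20                             # profiled normal run
SAME_APP = [0, 1, 2] * 10 + [0, 1, 1, 2] + [0, 1, 2] * 9  # small timing jitter
CORRUPTED = [0, 2, 2, 1] * 15                          # changed phase order

if __name__ == "__main__":
    for name, run in (("same_app", SAME_APP), ("corrupted", CORRUPTED)):
        feats = similarity_features(transition_matrix(REFERENCE, 3),
                                    transition_matrix(run, 3))
        print(name, feats, "anomalous:", is_anomalous(REFERENCE, run, 3))
```
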

Download presentation (PDF).