Data mining the memory access stream to detect anomalous application behavior

Francis B. Moreira, Matthias Diener, Philippe O.A. Navaux, Israel Koren

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Detecting anomalous application executions is a challenging problem, due to the diversity of anomalies that can occur, such as programming bugs, silent data corruption, or even malicious code corruption. Moreover, the similarity to a regular execution that can occur in these cases, especially in silent data corruption, makes distinction from normal executions difficult. In this paper, we develop a mechanism that can detect such anomalous executions based on changes in the memory access pattern of an application. We analyze memory patterns using a two-level machine learning approach. First, we classify the behavior of different memory access periods within applications using Gaussian mixtures. Then, based on these classifications, we construct matrix representations of Markov chains to obtain information regarding the temporal behavior of these memory accesses. Based on metrics of matrix similarity, we can classify whether the application behaves as expected or anomalously. Using gradient boosting on the metrics of matrix similarity, our technique correctly classifies more than 85% of all executions, identifying instances of the same application and different applications. We can also detect a range of faulty executions caused by benign or malicious permanent bit flips in the code section.

Original languageEnglish (US)
Title of host publicationACM International Conference on Computing Frontiers 2017, CF 2017
PublisherAssociation for Computing Machinery
Pages45-52
Number of pages8
ISBN (Electronic)9781450344876
DOIs
StatePublished - May 15 2017
Externally publishedYes
Event14th ACM International Conference on Computing Frontiers, CF 2017 - Siena, Italy
Duration: May 15 2017May 17 2017

Publication series

NameACM International Conference on Computing Frontiers 2017, CF 2017

Conference

Conference14th ACM International Conference on Computing Frontiers, CF 2017
Country/TerritoryItaly
CitySiena
Period5/15/175/17/17

Keywords

  • Machine learning
  • Memory access patterns
  • Single bit flips

ASJC Scopus subject areas

  • General Computer Science

Fingerprint

Dive into the research topics of 'Data mining the memory access stream to detect anomalous application behavior'. Together they form a unique fingerprint.

Cite this