TY - GEN
T1 - Data mining the memory access stream to detect anomalous application behavior
AU - Moreira, Francis B.
AU - Diener, Matthias
AU - Navaux, Philippe O.A.
AU - Koren, Israel
N1 - Funding Information:
This work received partial funding from CAPES/PVE, the EU H2020 Programme and from MCTI/RNP-Brazil under the HPC4E project, grant agreement no. 689772.
Publisher Copyright:
© 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2017/5/15
Y1 - 2017/5/15
N2 - Detecting anomalous application executions is a challenging problem, due to the diversity of anomalies that can occur, such as programming bugs, silent data corruption, or even malicious code corruption. Moreover, the similarity to a regular execution that can occur in these cases, especially in silent data corruption, makes distinction from normal executions difficult. In this paper, we develop a mechanism that can detect such anomalous executions based on changes in the memory access pattern of an application. We analyze memory patterns using a two-level machine learning approach. First, we classify the behavior of different memory access periods within applications using Gaussian mixtures. Then, based on these classifications, we construct matrix representations of Markov chains to obtain information regarding the temporal behavior of these memory accesses. Based on metrics of matrix similarity, we can classify whether the application behaves as expected or anomalously. Using gradient boosting on the metrics of matrix similarity, our technique correctly classifies more than 85% of all executions, identifying instances of the same application and different applications. We can also detect a range of faulty executions caused by benign or malicious permanent bit flips in the code section.
AB - Detecting anomalous application executions is a challenging problem, due to the diversity of anomalies that can occur, such as programming bugs, silent data corruption, or even malicious code corruption. Moreover, the similarity to a regular execution that can occur in these cases, especially in silent data corruption, makes distinction from normal executions difficult. In this paper, we develop a mechanism that can detect such anomalous executions based on changes in the memory access pattern of an application. We analyze memory patterns using a two-level machine learning approach. First, we classify the behavior of different memory access periods within applications using Gaussian mixtures. Then, based on these classifications, we construct matrix representations of Markov chains to obtain information regarding the temporal behavior of these memory accesses. Based on metrics of matrix similarity, we can classify whether the application behaves as expected or anomalously. Using gradient boosting on the metrics of matrix similarity, our technique correctly classifies more than 85% of all executions, identifying instances of the same application and different applications. We can also detect a range of faulty executions caused by benign or malicious permanent bit flips in the code section.
KW - Machine learning
KW - Memory access patterns
KW - Single bit flips
UR - http://www.scopus.com/inward/record.url?scp=85027049402&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85027049402&partnerID=8YFLogxK
U2 - 10.1145/3075564.3075578
DO - 10.1145/3075564.3075578
M3 - Conference contribution
AN - SCOPUS:85027049402
T3 - ACM International Conference on Computing Frontiers 2017, CF 2017
SP - 45
EP - 52
BT - ACM International Conference on Computing Frontiers 2017, CF 2017
PB - Association for Computing Machinery
T2 - 14th ACM International Conference on Computing Frontiers, CF 2017
Y2 - 15 May 2017 through 17 May 2017
ER -