Model-driven situational awareness in large-scale, complex systems
Saved in:
| Title: | Model-driven situational awareness in large-scale, complex systems |
|---|---|
| Authors: | Viswanathan, Arun A. (author) |
| Publisher information: | University of Southern California Digital Library (USC.DL), 2015. |
| Publication year: | 2015 |
| Keywords: | Viterbi School of Engineering (school), Doctor of Philosophy (degree), Computer Science (Computer Security) (degree program) |
| Description: | Situational awareness, or the knowledge of "what is going on" to figure out "what to do", has become a crucial driver of the decision-making necessary for effectively managing and operating large-scale, complex systems such as the smart grid. The awareness fundamentally depends on the ability of decision-making entities to convert the low-level operational data from systems into higher-level insights relevant for decision-making and response. Technological advances have enabled monitoring and collection of a wide variety of low-level operational event data from system monitors and sensors, along with several domain-independent tools (e.g. visualization, data mining) and domain-specific tools (e.g. knowledge-driven tools, custom scripts) to assist decision-makers in extracting relevant higher-level insights from the data. But, despite the availability of data and tools to make sense of the data, recent high-profile incidents involving large-scale systems such as the North American power blackouts, the disruption of train services in Sydney, Australia, and the malicious shutting down of nuclear centrifuges in Iran, have all been linked to a lack of situational awareness of the decision-makers, which prevented them from taking proactive actions to contain the scale and impact of the incident. A key reason for the lack of situational awareness in each circumstance was the inability of decision-making entities to integrate and interpret the heterogeneous low-level information in a way semantically relevant to their goals and objectives. Improving the situation awareness of a decision-making entity in such systems requires capabilities to assist decision-making entities to integrate and interpret the heterogeneous event data from the system, and extract insights relevant to their goals and objectives. Specification-driven methods are a popular choice for decision-makers in large-scale, complex systems to extract high-level insights from data. In the specification-driven approach, a decision-maker writes a specification (such as a rule) to process the low-level event data, which then drives analysis over the operational event data at runtime, and results in high-level insights relevant to the decision-maker. We observe that while such approaches are popular, a fundamental problem today is with the low-level nature of the languages used to build specifications, which increases the burden for high-level decision-makers to combine and interpret information in a way relevant to their goals and objectives. In this work, we propose a model-driven approach to enable decision-makers to write high-level specifications to drive analysis over the event data, and extract insights semantically relevant to their goals and objectives. Specifically, we introduce two abstractions: behavior models, and situation models. Behavior models provide effective high-level abstractions to specify complex behaviors (such as multi-step attacks, or process execution) over a sequence or group of related events. Situation models provide effective high-level abstractions to model the high-level cause-effect relationships of situations in large-scale, complex systems over isolated, independent low-level events. Decision-makers compose high-level models using the above abstractions to drive analysis over low-level data. The models capture relevant high-level knowledge at a level of abstraction relevant to a decision-making entity, and explicitly encode their high-level goals and objectives. When such a model is used as an input to the analysis process, the insights produced are semantically relevant to a decision-making entity's goals and objectives. The proposed modeling abstractions are expressive, simple, allow sharing and reuse of knowledge, and allow customization to suit a decision-maker's needs. We demonstrate the effectiveness of the above abstractions by applying them to a set of case studies relevant to large-scale, complex systems. First, we apply behavior models to model the complex multi-step attack behavior of a DNS cache poisoning attack, and demonstrate how such a model can be used to effectively extract insights in the form of attack instances from network events. Then, we demonstrate how behavior models can be used to rapidly compose a description of a distributed denial of service (DDoS) attack to extract DDoS attack instances from an ISP packet trace. We then demonstrate how situation models enable multiple decision-making entities involved in a demand response operation to make sense of heterogeneous, low-level facts and extract insights semantically relevant to their high-level decision-making goals. Overall, in this work, we fundamentally demonstrate that the introduction of simple, semantically relevant modeling constructs is effective in enabling decision-makers in complex environments to build specifications at a higher level of abstraction, and extract insights relevant to their goals and objectives. Our model-driven approach emphasizes reuse, composability and extensibility of specifications, and thus introduces a more systematic way to build specifications, and retain expert knowledge for sharing and reuse. |
| Publication type: | Doctoral thesis |
| Language: | English |
| DOI: | 10.25549/usctheses-c3-532211 |
| Document code: | edsair.doi...........13f4f7a9099ffd47ba79dba350c088ac |
| Database: | OpenAIRE |