Self-Protection Agents (SPAs)

The researchers at AVIRTEK have developed and successfully implemented a general autonomic computing environment that is the basis for the autonomic management capabilities of AVIRTEK ACS. AVIRTEK is currently commercializing this architecture in its ACS-based cybersecurity products. By adopting the autonomic architecture shown in the figure below, we implement autonomic management using two software modules: the Observer and the Controller. The Observer module monitors and analyzes the current state of the managed cyber resources or services. The Controller module is delegated to manage their operations and enforce the operational policies. Together, the Observer and Controller pair provides a unified management interface that supports self-management services: it continuously monitors and analyzes the current conditions of the managed resources in order to dynamically select the appropriate response to correct or remove anomalous conditions once they are detected and/or predicted. The Observer monitors and gathers data about the logical and physical resources and analyzes it to build the knowledge the Controller needs in order to carry out the most effective responses to cyberattacks.

The self-protection agent is a software module that runs on any managed resource (computers, servers, etc.) to take the recommended actions once the self-recognition agents (SRAs) detect any “non-self” behavior in the monitored computers, applications or users. To reduce false alarms in “non-self” user behavior detection, we adopt a challenge-response approach that requires each user to provide the correct answers to a pre-selected set of questions, as shown in the figure below.

If the SRA detects any “non-self” user behavior at runtime, it asks the user to answer one or more random questions from the list, as shown in Figure 14. If the user does not answer the question correctly within a specified period of time, an alert is sent to the SPA to take the appropriate responses (lock the user account, lock the machine, shut down the computer, etc.). If the user answers the questions correctly, the adaptive learning module is triggered to adapt the self-recognition user model.
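As an added illustration of the SRA-to-SPA hand-off described above (example code, not AVIRTEK's own), the following Python model issues a random pre-selected question on a “non-self” verdict, enforces the answer deadline, and routes the outcome either to the SPA response policy or to the adaptive-learning hook. The question list, the timeout, the response policy and the user name are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a user's pre-selected challenge questions. Answers are kept
# as salted SHA-256 digests so the stored list does not reveal the answers.
def _digest(salt: bytes, answer: str) -> bytes:
    return hashlib.sha256(salt + answer.strip().casefold().encode()).digest()

SALT = b"constructed-salt"
QUESTIONS = {
    "q1": ("Name of your first pet?", _digest(SALT, "Rex")),
    "q2": ("City where you were born?", _digest(SALT, "Tucson")),
    "q3": ("Model of your first car?", _digest(SALT, "Civic")),
}

# Constructed SPA policy: what to do when the challenge is failed or times out.
SPA_RESPONSES = {"alert_spa": ["lock_user_account", "lock_machine"]}

class ChallengeGate:
    """Raised by the SRA on a 'non-self' verdict; decides whether the SPA must act."""

    def __init__(self, questions, timeout_s=60.0, clock=time.monotonic):
        self.questions, self.timeout_s, self.clock = questions, timeout_s, clock
        self.pending = {}  # user -> (question id, answer deadline)

    def challenge(self, user: str, rng=secrets.SystemRandom()) -> str:
        qid = rng.choice(sorted(self.questions))  # random question from the list
        self.pending[user] = (qid, self.clock() + self.timeout_s)
        return self.questions[qid][0]

    def verify(self, user: str, answer: str) -> str:
        if user not in self.pending:              # answer without an open challenge
            return "alert_spa"
        qid, deadline = self.pending.pop(user)
        if self.clock() > deadline:               # no correct answer within the window
            return "alert_spa"
        if hmac.compare_digest(self.questions[qid][1], _digest(SALT, answer)):
            return "adapt_model"                  # genuine user: refine the self model
        return "alert_spa"

def handle_non_self_event(gate: ChallengeGate, user: str, answer_fn) -> list[str]:
    """Full flow: SRA verdict -> challenge -> SPA responses or model adaptation."""
    question = gate.challenge(user)
    verdict = gate.verify(user, answer_fn(question))
    if verdict == "adapt_model":
        return ["update_self_model"]              # adaptive-learning hook (constructed)
    return SPA_RESPONSES[verdict]
```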