Rahmira Rufus et al. MAICS 2016 pp. 105–108

An Autonomic Computing System based on a Rule-based Policy Engine and Artificial Immune Systems

Rahmira Rufus, William Nick, Joseph Shelton and Albert Esterline
Department of Computer Science, North Carolina A&T State University, Greensboro, NC 27411
{rsrufus, wmnick, jashelt1}@aggies.ncat.edu, esterlin@ncat.edu

Abstract

Autonomic computing systems arose from the notion that complex computing systems should have properties like those of the autonomic nervous system, which coordinates bodily functions and allows attention to be directed to more pressing needs. An autonomic system allows the system administrator to specify high-level policies, which the system maintains without administrator assistance. Policy enforcement can be done with a rule-based system such as Jess (a Java expert system shell). An autonomic system must be able to monitor itself, and this is often a limiting factor. We are developing an autonomic system that has a policy engine and uses Artificial Immune Systems (AISs) to sense its environment and to monitor its components and performance. AISs emulate the natural immune system, which defends the body against external malicious entities. The proposed system monitors itself without human intervention and thus addresses the problem of systems complexity.

Introduction

With more systems and devices networked together, more system administrators are required to monitor and maintain these networks, and maintenance becomes costly and time consuming. Yet it may not be clear how a complex system may manage itself in the absence of a human. We here report on an autonomic system we are developing for a network-connected computer system that self-manages by using mechanisms similar to the autonomic nervous system of the body to achieve the so-called self-CHOP properties: self-configuring, self-healing, self-optimizing, and self-protecting. A rule-based policy enforcement engine is used (like the body's hypothalamus) to regulate the autonomic system, and the system has artificial immune systems (AISs) that mimic the functions of the sensory and motor subsystems.

The remaining sections of this paper are organized as follows. The next section provides background on autonomic computing, AISs, and rule-based systems. We then discuss the motivation for implementing an AIS. There follows a section that presents the architecture of our autonomic system. This is followed by the AIS sensoring agent section, where we describe how the AIS aids the autonomic system with its self-CHOP capabilities via anomaly detection. The context monitor is then described, followed by a section describing how the self-CHOP properties are realized by our system. The final section presents the conclusion and future work.

Background

Autonomic Computing

IBM, in a 2001 manifesto, compared complex computing systems to the human body, which has an autonomic nervous system that removes the task of consciously coordinating bodily functions (Huebscher and McCann 2008). Complex computing systems should have autonomic properties that independently take care of regular maintenance and optimization tasks, thus reducing the workload on the system administrator.

IBM also articulated the four self-CHOP properties. Self-configuration is defined as components and systems being configured as per high-level policies (Kephart and Chess 2003). When a component is introduced into a system, it is incorporated seamlessly, and the rest of the system adapts to the presence of the new component. With self-optimization, components and systems continually seek to improve their performance and efficiency. Self-healing is defined as a system automatically detecting, diagnosing, and repairing problems in software and hardware. Finally, self-protection is defined as a system being able to automatically defend against malicious attacks or cascading failures. Kephart et al. (Kephart and Walsh 2004) came up with three types of policies for autonomic computing: 1) action policies, 2) goal policies, and 3) utility function policies. Action policies specify what actions should be taken based on the current state of the system. A goal policy specifies either a desired state or a set of criteria for a desired state. Utility function policies are objective functions that provide a utility value for each possible state.

Artificial Immune Systems

The natural immune system is a defense mechanism that can learn about foreign entities that enter the body and respond to them by creating defensive antibodies. This concept has been artificially simulated for intrusion detection, resulting in an approach known as an artificial immune system (AIS) (Hofmeyr and Forrest 2000). Similar to the biological immune system, the goal of an AIS is to distinguish between self and non-self entities. The natural immune system that this approach imitates depicts self as a cell that is innate or safe for the body, while non-self is not. One can associate this mapping with detecting or sensing what is as opposed to what is not; this mapping is also known as a detector. AISs have also been applied to the problems of fault diagnostics, fraud detection and detecting viruses (DasGupta 1993). There are a few methods for using an AIS. One is the negative selection algorithm (Forrest et al. 1994). This technique randomly generates a set of detectors that are trained to match any non-self entities for any system and not match any self entities. More specifically, the detectors are first applied to a set of self entities, and the ones that detect the self entities are discarded. The idea is that, if a detector does not match self, it has a better chance of detecting non-self, which would be any anomaly in the system. The surviving detectors can then be applied to non-self to observe how much of the set can be detected.

Rule-Based Systems

The classical application of rule-based systems is in expert systems, which typically use a human expert's knowledge for solving real-world problems (Abraham 2005). This expert knowledge is often expressed in terms of rules. These rules and data constitute a rule-based expert system. Such systems have played a role in modern artificial intelligence and other applications such as fault monitoring. The Ponder rule-based policy language (Bradshaw, Uszok, and Montanari 2014) is the broadest and most widely used policy language. Its policies are rules that define system behavior choices that reflect the objectives set by system managers. Other rule-based policy enforcement systems use the event-condition-action rule paradigm. An example of this is Bell Labs' policy description language, in which a policy is a function that maps a series of events into a set of actions. Carey et al. created a composite service execution engine for composing web services (Carey, Lewis, and Wade 2004). The policy engine for this execution engine uses the Jess rule engine (Friedman-Hill 2013). The rules are executed to refine goals into service policies. Before the policy engine can execute, additional information is required, such as the name of the service and the finite state machine (FSM) models for each of the constituent services. Goals are refined by Jess rules triggered when the state used in a high-level policy matches the state in the FSM of the composite service.

Requirements

We aim for a system capable of adapting to unforeseen occurrences in the operating environment. This includes adjusting to situations in a proactive manner as well as reactively supporting system recovery. Here pro-action amounts to perceiving danger and then preempting harm or any compromised system state. Fault tolerance in the operating environment permits system execution to continue without interruption, while preempting failure from a system-wide perspective presupposes the occurrence of a compromised system component or operation.

Anomaly detection can be a key component in properly assessing whether events are uncharacteristic of a system's configuration (De Castro and Von Zuben 2000). Furthermore, accompanying this detection method with a response procedure that reduces the damage of the compromised component is crucial, but also crucial is simultaneously permitting uncompromised system components to continue. One goal of this research is to provide a sensoring component that promotes the self-CHOP requirements for an autonomic system.

One immunity-inspired algorithm of interest focuses on danger theory, which extends the role of the innate immune system for discriminating between 'self' and 'non-self' but employs the acquired immune system to react to danger (Brownlee 2011). Sensing danger lets a system protect, recover or heal, optimize, and determine whether a reconfiguration assessment is necessary. Unlike Fail2ban, our system will learn new malicious and unwanted traffic so as to protect itself from such traffic in the future.

Figure 1: AIS & Autonomic System with Rule Based System

System Architecture

Figure 1 shows our proposed system, which realizes the self-CHOP properties. The external world feeds information into the system through a series of sensors. AISs are used as detectors that identify anomalies from the outside world. The input from the external world also feeds into a rule-based policy engine. The rule-based policy engine connects to a rule base of policies. This engine accepts as input sensor data from the AISs as well as from the context monitor, which is the component collecting information about the state of the system's context by monitoring network connections and system resources. In addition to providing status information to the context monitor, the system resources also provide status information to the AISs to help inform the detectors. The system is maintained in a proper state by the rule-based policy engine.

AIS Sensor Agents

We here discuss how the AISs contribute to the self-CHOP properties. Note that sometimes we refer to a single AIS while other times we partition the functionality among several AISs. Although we refer to sensing, note that the AISs detect both external and internal state. The AIS sensoring apparatus will consist of detector populations that monitor system activity as does a network sniffer or intercepting proxy. The AIS component will deploy detectors that compare system activity against normal system behavior. The detection methods behave as intrusion detection systems (IDSs) that detect system irregularities not stated in the innate system configuration. The detection method can also adapt to changes in the system.

The detector set will become a new feature vector for detecting danger in the system. The new vector will allow the system to recognize system behavior that has previously been labeled as dangerous. The new danger vector is then propagated throughout the system to scan for stress levels that are approaching this danger state.

Each round, the AIS will acquire more knowledge about the operating environment via the detector populations. The cloning process allows one generation to be more adept than the previous. The acquired immunity that aids the AIS in determining the health of the system is expressed via the number of danger vectors that have been detected and mitigated properly, with more emphasis on the mitigation process.

Following the detection of a stress level threshold being met, the policy engine will determine whether the system is in danger based upon the signal that the AIS found to indicate danger. If danger is confirmed, then the policy engine will determine what the system needs to repair or heal itself. For each consecutive detection round, the AIS will monitor the healing process by executing a subset of detectors for repair monitoring.

The system will adapt to the configuration expected of systems and components as per high-level policies during self-configuration (Kephart and Chess 2003). Conversely, within the configuration assessment module, the AIS will initially transmit a response to the policy engine that the need for repair or healing is not foreseeable. During the healing or repair process, the repair subset monitors the healing of the system via the change in affinity from a danger vector to the self set. Excessive danger is the signal for the policy engine to determine whether the system should limit the usage of the system component, because the component might cause other components to be compromised. To increase the fault-tolerant capabilities of the autonomic system, the AIS will monitor the affinity to danger or self for all system components involved in or related to this configuration assessment.

Context Monitor

The environment of a computer system can undergo changes for any number of reasons. To deal with this, one exploits context awareness, a computer sensing and reacting to changes in its environment (Abowd et al. 1999). The environment that is monitored by some context-aware device is generally external; however, there is no reason that the environment cannot be the internal workings of a system. There are several workings of any system that are consistent, such as CPU usage, amount of memory available, and network traffic, to name a few.

Rule-based Policy Engine

For our rule-based policy engine, we used Jess (Java Expert System Shell) (Friedman-Hill 2013). The policies use if-then rules, as is standard with Jess. The variables in the rules are values provided by the AIS and the context monitor. The rule-based system will control switches and various resources. The sensor data from the AIS and the context monitor will be fused using the Dempster-Shafer theory of evidence (Shafer 1976). Based on the fused data, the policies that are appropriate will be executed.

One of the purposes of our proposed system is intrusion detection. With this in mind, there are policies that are focused on this activity. For one thing, if packets from the network come in and the timestamp of these packets is a certain time away from the system's current time, a flag will be raised. If continuous traffic is coming from one specific IP address, it could be indicative of a Denial-of-Service attack. In this case, the system may block packets from that particular IP address. For any input coming into the system, it is assumed that the input is in a standard format. However, if the input appears to be irregular, such as a password having many symbols that are not numerical or alphabetical, then a warning flag may be raised. There are also policies related to internally monitoring the system. The system should run fairly consistently, where the CPU usage may spike or idle depending on certain actions occurring on the system. If there are times when the CPU spikes or peaks and none of the activities that normally cause this are occurring, then the system may take action to run a diagnostics check on it. If enough memory is consumed, the system may run a heuristic to delete items that it considers to no longer be necessary. The AISs in the machine are developing detectors to detect anomalies externally and internally. The policies can have additional steps stating that if the policy engine catches anything the detectors from the AISs do not, it will prompt the AISs to adjust their detector creation strategy.

Within any automated system, faults can occur. Faults can be described as unexpected changes from the normal system condition. The area of research dedicated to detecting faults is referred to as Abnormal Event Management (AEM) in research done by Laurentys et al. (Laurentys et al. 2010). More specifically, AEM deals with detecting, diagnosing and correcting abnormal conditions in real time. An AIS can develop detectors that have great information processing capability, pattern recognition and learning ability. These abilities can be applied towards creating detectors that can detect faults and take appropriate action. In the scope of our problem, the faults would be internal, such as something going wrong with disk mirroring or with memory swapping from the disk. The self set of a detector would be the "normal" state of the system, and non-self would be anything that is different enough from the baseline of the system.

Realization of the Self-CHOP Properties

A major aspect of protection is sensing attempted intrusion, which is a standard task for AISs, detecting "self" and "non-self." We can generalize this function to perceiving danger (in the environment) in general and perhaps even to recognizing a need to adapt to a change in the environment. The general notion is that of monitoring the environment to protect self. The intent is that an AIS will identify a threat and characterize it sufficiently so that the policy engine may activate resources as per the applicable policies. The expert system may consult with AISs in the course of enforcing a policy.

In a similar vein, we can have the AISs detect when the system is not "itself" and in need of repair; this is the heal CHOP attribute, and what is monitored is self. The role of the AIS here is to identify faulty behavior and to characterize it so that the expert system may activate resources as per the applicable policies. Again, the policy engine may consult with AISs in the course of enforcing a policy.

This vigilance regarding the system's own behavior may extend to self-optimization if we have a baseline reading of system behavior. An AIS would help us distinguish acceptable patterns that deviate from this baseline (as when some resource is accessed) from unacceptable patterns. Something similar could address self-configuration. The most obvious occasions for self-configuration, however, are where a new device is attached. In such cases, a simple signal from a context monitor would suffice to provide the policy engine all the information needed to apply policies.

Conclusion & Future Work

We have sketched the autonomic system we are developing that uses artificial immune systems (AISs) augmented with a context monitor to provide data to a rule-based policy engine. The architecture is conceptualized as the AISs and context monitor providing sense data to the policy engine, but note that the data also comes from the internal state of the system. We discussed how the system supports the self-CHOP properties: self-configuring, self-healing, self-optimizing, and self-protecting.

We are implementing our autonomic architecture on a stock workstation that is attached to the Internet (inviting intruders) and to which we can attach multiple accessories (requiring self-configuration). In the future, we plan to investigate autonomic cyber-physical systems. We shall also look into other biological metaphors and implement some of them in our system.

References

Abowd, G. D.; Dey, A. K.; Brown, P. J.; Davies, N.; Smith, M.; and Steggles, P. 1999. Towards a better understanding of context and context-awareness. In Handheld and Ubiquitous Computing, 304–307. Springer.

Abraham, A. 2005. Rule-based expert systems. Handbook of Measuring System Design.

Bradshaw, J. M.; Uszok, A.; and Montanari, R. 2014. Policy-based governance of complex distributed systems: What past trends can teach us about future requirements. Agile Computing.

Brownlee, J. 2011. Clever Algorithms: Nature-Inspired Programming Recipes. Jason Brownlee.

Carey, V. K.; Lewis, D.; and Wade, V. 2004. Automated policy-refinement for managing composite services. M-Zones White Paper June 4:114–130.

DasGupta, D. 1993. An Overview of Artificial Immune Systems and Their Applications. Springer.

De Castro, L. N., and Von Zuben, F. J. 2000. Artificial immune systems: Part I: basic theory and applications. Universidade Estadual de Campinas, Dezembro de, Tech. Rep. 210.

Forrest, S.; Perelson, A. S.; Allen, L.; and Cherukuri, R. 1994. Self-nonself discrimination in a computer. In Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, 202. IEEE.

Friedman-Hill, E. 2013. Jess, the rule engine for the Java platform. Java Expert System Shell, http://jessrules.com, United States.

Hofmeyr, S. A., and Forrest, S. 2000. Architecture for an artificial immune system. Evolutionary Computation 8(4):443–473.

Huebscher, M. C., and McCann, J. A. 2008. A survey of autonomic computing: degrees, models, and applications. ACM Computing Surveys (CSUR) 40(3):7.

Kephart, J. O., and Chess, D. M. 2003. The vision of autonomic computing. Computer 36(1):41–50.

Kephart, J. O., and Walsh, W. E. 2004. An artificial intelligence perspective on autonomic computing policies. In Policies for Distributed Systems and Networks, 2004. POLICY 2004. Proceedings. Fifth IEEE International Workshop on, 3–12. IEEE.

Laurentys, C.; Ronacher, G.; Palhares, R. M.; and Caminhas, W. M. 2010. Design of an artificial immune system for fault detection: a negative selection approach. Expert Systems with Applications 37(7):5507–5513.

Shafer, G. 1976. A Mathematical Theory of Evidence, volume 1. Princeton University Press, Princeton.
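The negative selection algorithm described in the Artificial Immune Systems section (random candidate detectors, censored against a self set, then applied to non-self), worked through as an added example that is not part of the paper. The 12-bit state encoding, the r-contiguous-bits matching rule, and the self and non-self samples are constructed here for illustration.

```python
"""Negative selection over binary system-state vectors (added example)."""
import random
from typing import List

# Constructed encoding: 4 bits CPU band | 4 bits free-memory band | 4 bits net-traffic band.
N_BITS = 12
R = 6  # r-contiguous-bits matching threshold (assumed value)

# Constructed "self" set: normal states (low CPU, ample memory, modest traffic).
SELF_SET: List[str] = [
    "000111100010",
    "001011010001",
    "000011110011",
    "001111000000",
]
# Constructed "non-self" observations: high CPU, memory pressure, heavy traffic.
NONSELF_SET: List[str] = [
    "111100001111",
    "110100011110",
    "111000101100",
]


def matches(detector: str, sample: str, r: int = R) -> bool:
    """r-contiguous-bits rule: a detector matches a sample when the two
    strings agree on at least r consecutive positions."""
    run = 0
    for d, s in zip(detector, sample):
        run = run + 1 if d == s else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set: List[str], n_detectors: int, seed: int = 2016,
                       n_bits: int = N_BITS, r: int = R) -> List[str]:
    """Censoring phase: draw random candidate detectors and keep only those
    that match no member of the self set."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    detectors: List[str] = []
    attempts, max_attempts = 0, 1000 * n_detectors
    while len(detectors) < n_detectors and attempts < max_attempts:
        attempts += 1
        candidate = "".join(rng.choice("01") for _ in range(n_bits))
        if not any(matches(candidate, s, r) for s in self_set):
            detectors.append(candidate)
    return detectors


def detect(detectors: List[str], sample: str, r: int = R) -> bool:
    """Monitoring phase: a sample is flagged as non-self if any detector matches it."""
    return any(matches(d, sample, r) for d in detectors)


def coverage(detectors: List[str], samples: List[str], r: int = R) -> float:
    """Fraction of the given samples that the detector set flags."""
    return sum(detect(detectors, s, r) for s in samples) / len(samples)


if __name__ == "__main__":
    dets = generate_detectors(SELF_SET, n_detectors=40)
    print(f"{len(dets)} detectors survived censoring")
    print("false positives on self:", coverage(dets, SELF_SET))  # 0.0 by construction
    print("non-self detected:", coverage(dets, NONSELF_SET))
```

Because censoring discards every candidate that matches self, the surviving set can never flag a member of the training self set; the open question for a real deployment is how much of non-self it covers, which is what the last line measures.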
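The Rule-based Policy Engine section says AIS and context-monitor readings are fused with Dempster-Shafer evidence theory and then drive if-then policies (stale timestamps, traffic concentrated on one source, unexplained CPU spikes). The following is an added example, not the paper's Jess code: Dempster's rule over the two-hypothesis frame {danger, safe}, with constructed mass assignments, constructed fact names, and Python closures standing in for Jess rules.

```python
"""Dempster-Shafer fusion of two sensor sources feeding if-then policies (added example)."""
from typing import Any, Callable, Dict, FrozenSet, List, NamedTuple, Tuple

# Frame of discernment: is the system in danger or not?
DANGER = frozenset({"danger"})
SAFE = frozenset({"safe"})
THETA = DANGER | SAFE  # "don't know": mass left on the whole frame

Mass = Dict[FrozenSet[str], float]
Facts = Dict[str, Any]


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: intersect focal elements, accumulate products,
    discard conflicting (empty-intersection) mass and renormalise."""
    fused: Mass = {}
    conflict = 0.0
    for a, wa in m1.items():
        for b, wb in m2.items():
            inter = a & b
            if inter:
                fused[inter] = fused.get(inter, 0.0) + wa * wb
            else:
                conflict += wa * wb
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict; cannot combine")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}


def belief(m: Mass, hypothesis: FrozenSet[str]) -> float:
    """Bel(A): total mass on subsets of A."""
    return sum(v for k, v in m.items() if k <= hypothesis)


def plausibility(m: Mass, hypothesis: FrozenSet[str]) -> float:
    """Pl(A): total mass on sets that intersect A."""
    return sum(v for k, v in m.items() if k & hypothesis)


class Rule(NamedTuple):
    name: str
    condition: Callable[[Facts], bool]
    action: str


# Constructed stand-ins for the Jess if-then policies the paper sketches; thresholds are assumed.
POLICIES: List[Rule] = [
    Rule("danger-confirmed", lambda f: f["bel_danger"] >= 0.7,
         "limit the component and run the repair detector subset"),
    Rule("stale-timestamp", lambda f: abs(f["clock_skew_s"]) > 300,
         "raise flag on packets with implausible timestamps"),
    Rule("single-source-flood", lambda f: f["pkts_top_src"] / f["window_s"] > 500,
         "block packets from that source address"),
    Rule("cpu-spike-diagnostics", lambda f: f["cpu_load"] > 0.9 and not f["known_heavy_job"],
         "run a diagnostics check"),
]


def evaluate_policies(facts: Facts) -> List[Tuple[str, str]]:
    """Fire every rule whose condition holds; returns (rule name, action) pairs."""
    return [(r.name, r.action) for r in POLICIES if r.condition(facts)]


def assess(ais: Mass, ctx: Mass, facts: Facts) -> List[Tuple[str, str]]:
    """Fuse the AIS and context-monitor evidence, add Bel/Pl of danger to the facts, run policies."""
    fused = combine(ais, ctx)
    facts = dict(facts, bel_danger=belief(fused, DANGER), pl_danger=plausibility(fused, DANGER))
    return evaluate_policies(facts)
```

With constructed evidence ais = {DANGER: 0.6, SAFE: 0.1, THETA: 0.3} and ctx = {DANGER: 0.5, SAFE: 0.2, THETA: 0.3}, the conflict mass is 0.17 and the fused belief in danger is 0.63/0.83, about 0.76, which clears the assumed 0.7 threshold.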