Active Trust Management for Adaptive Survivable Systems

(ATM for ASS's)

M.I.T. Artificial Intelligence Laboratory

M.I.T. Laboratory for Computer Science

The goal of the ATM for ASS's project is to develop the technology and infrastructure necessary to enable applications to continue to deliver useful services even when the underlying computational resources have been successfully compromised.  There are four major components to this project:
  1. Perpetual Analytic Monitoring:  A monitoring infrastructure that collects evidence from a wide variety of sources including intrusion detection systems, fire-walls and self-monitoring applications.  It collates and analyses these reports, looking for temporal patterns suggestive of complex attacks and/or successful compromises.
  2. Trust Models: We are not interested in attacks per se, but rather in what they tell us about the health of our systems.  Fundamentally, we are interested in whether our computational resources can be trusted to deliver certain properties (e.g. privacy, integrity, quality of service).  To know this we must know whether there have been compromises to the computational resources involved in providing these properties.  Finally, the history of attacks and other unexpected behaviors allows us to make assessments about the state of compromise of the resources.  Thus, our trust model is structured in three levels: Trustability, Compromises, Attacks, each with its own ontology.
  3. Adaptive Survivable Systems: Survivable systems provide useful services even after successful attacks have compromised resources.  They do so by having several different methods available for performing each major sub-task.  Each method requires a different class of resources and guarantees a different quality of answer.  Adaptive Survivable Systems choose the method whose resource needs and quality of answer lead to the greatest expected net benefit, given the health status of the resources modeled in the Trust Model.  In addition, Adaptive Survivable Systems have a model of their own expected behavior: they know the conditions that each method is expected to achieve.  If these conditions do not hold, they diagnose the breakdown, inform the monitoring infrastructure, and attempt to achieve the failed goal through other means.
  4. Rational Resource Management:  Health monitoring uses the same computational resources as do the applications which deliver useful services.  Dedicating too many resources to health monitoring will starve the applications, causing a self-inflicted denial of service.  Dedicating too few resources to health monitoring will allow compromises to go unnoticed, allowing attackers easier access.  Rational resource management attempts to balance these competing needs by using a decision-theoretic analysis to allocate resources so as to achieve maximum expected net benefit.  This analysis is guided by the trust model.
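The following is an added illustration of components 2 and 3 above; it is not code from the ATM project.  It models the three trust-model levels in the simplest possible way (an attack report updates a per-property compromise probability, and trustability is that probability's complement) and then picks, among several methods for one sub-task, the one with the greatest expected net benefit.  The Bayesian update rule, the independence of resources, and every number in the scenario are assumptions chosen for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    """A computational resource with a per-property belief that it is compromised.

    Assumed model: the 'Compromises' level is a probability per property
    (integrity, privacy, ...); the 'Trustability' level is its complement.
    """
    name: str
    compromise_prob: dict = field(default_factory=dict)

    def trustability(self, prop):
        return 1.0 - self.compromise_prob.get(prop, 0.0)

    def observe_attack(self, prop, p_report_if_compromised, p_report_if_clean):
        """'Attacks' level: fold one monitoring report into the compromise belief.

        Plain Bayesian update: the report is evidence whose likelihood differs
        depending on whether the resource really is compromised.  Both
        likelihoods are assumed inputs (a calibrated monitor would supply them).
        """
        prior = self.compromise_prob.get(prop, 0.0)
        num = p_report_if_compromised * prior
        den = num + p_report_if_clean * (1.0 - prior)
        self.compromise_prob[prop] = num / den if den > 0 else prior
        return self.compromise_prob[prop]


@dataclass
class Method:
    """One way of performing a sub-task: the resources it needs, the properties
    those resources must deliver, the value of its answer, and its cost."""
    name: str
    resources: tuple
    required_properties: tuple
    quality: float
    cost: float


def expected_net_benefit(method, resources):
    """Answer value discounted by the probability that every resource the method
    relies on still delivers every required property, minus the method's cost.
    Resources are treated as independent (a simplifying assumption)."""
    p_ok = 1.0
    for rname in method.resources:
        for prop in method.required_properties:
            p_ok *= resources[rname].trustability(prop)
    return p_ok * method.quality - method.cost


def choose_method(methods, resources):
    """Adaptive choice: the method with the greatest expected net benefit."""
    return max(methods, key=lambda m: expected_net_benefit(m, resources))


def make_scenario():
    """Constructed scenario: one sub-task, two candidate methods, two resources."""
    resources = {
        "server-a": Resource("server-a", {"integrity": 0.05}),
        "local-cache": Resource("local-cache", {"integrity": 0.01}),
    }
    methods = [
        Method("fast-single", ("server-a",), ("integrity",), quality=10.0, cost=1.0),
        Method("local-cached", ("local-cache",), ("integrity",), quality=6.0, cost=0.5),
    ]
    return methods, resources


def run_scenario():
    """Chosen method before and after an integrity-related report against server-a
    (constructed likelihoods: 0.95 if compromised, 0.02 if clean)."""
    methods, resources = make_scenario()
    before = choose_method(methods, resources).name
    resources["server-a"].observe_attack("integrity", 0.95, 0.02)
    after = choose_method(methods, resources).name
    return before, after


if __name__ == "__main__":
    methods, resources = make_scenario()
    for m in methods:
        print(f"{m.name}: expected net benefit {expected_net_benefit(m, resources):.3f}")
    print(run_scenario())
```

With the constructed numbers the fast single-server method wins while server-a is believed healthy (8.5 versus 5.44); after one strong report its compromise belief rises to about 0.71, its expected net benefit drops below 2, and the lower-quality but more trustworthy local method is selected instead.  Because the method is chosen from the trust model rather than from the raw alerts, the same mechanism keeps delivering a (degraded) service instead of failing outright.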
Our Quad Chart




  • Howard E. Shrobe
  • Jon Doyle
  • Peter Szolovits

Related Projects

The Intelligent Room provides an interesting example of the type of system we would like to make survivable. It is a distributed agent system consisting of ~100 agents running on several machines.  Our testbed will be based on the structure of the Intelligent Room.

The MAITA Project provides the foundations for Perpetual Analytic Monitoring.


    Defense Advanced Research Projects Agency