Christoph C. Michael

Generating software test data by evolution

This paper discusses the use of genetic algorithms (GAs) for automatic software test data generation. This research extends previous work on dynamic test data generation where the problem of test data generation is reduced to one of minimizing a function. In our work, the function is minimized by using one of two genetic algorithms in place of the local minimization techniques used in earlier research. We describe the implementation of our GA-based system and examine the effectiveness of this approach on a number of programs, one of which is significantly larger than those for which results have previously been reported in the literature. We also examine the effect of program complexity on the test data generation problem by executing our system on a number of synthetic programs that have varying complexities.

Simple, state-based approaches to program-based anomaly detection

This article describes variants of two state-based intrusion detection algorithms from Michael and Ghosh [2000] and Ghosh et al. [2000], and gives experimental results on their performance. The algorithms detect anomalies in execution audit data. One is a simply constructed finite-state machine, and the other two monitor statistical deviations from normal program behavior. The performance of these algorithms is evaluated as a function of the amount of available training data, and they are compared to the well-known intrusion detection technique of looking for novel n-grams in computer audit data.

Genetic algorithms for dynamic test data generation

In software testing, it is often desirable to find test inputs that exercise specific program features. To find these inputs by hand is extremely time-consuming, especially when the software is complex. Therefore, numerous attempts have been made to automate the process. Random test data generation consists of generating test inputs at random, in the hope that they will exercise the desired software features. Often, the desired inputs must satisfy complex constraints, and this makes a random approach seem unlikely to succeed. In contrast, combinatorial optimization techniques, such as those using genetic algorithms, are meant to solve difficult problems involving the simultaneous satisfaction of many constraints. In this paper, we discuss experiments with a test generation problem that is harder than the ones discussed in earlier literature-we use a larger program and more complex test adequacy criteria. We find a widening gap between a technique based on genetic algorithms and those based on random test generation.

Automated software test data generation for complex programs

We report on GADGET, a new software test generation system that uses combinatorial optimization to obtain condition/decision coverage of C/C++ programs. The GADGET system is fully automatic and supports all C/C++ language constructs. This allows us to generate tests for programs more complex than those previously reported in the literature. We address a number of issues that are encountered when automatically generating tests for complex software systems. These issues have not been discussed in earlier work on test-data generation, which concentrates on small programs (most often single functions) written in restricted programming languages.

A Real-Time Intrusion Detection System Based on Learning Program Behavior

In practice, most computer intrusions begin by misusing programs in clever ways to obtain unauthorized higher levels of privilege. One effective way to detect intrusive activity before system damage is perpetrated is to detect misuse of privileged programs in real-time. In this paper, we describe three machine learning algorithms that learn the normal behavior of programs running on the Solaris platform in order to detect unusual uses or misuses of these programs. The performance of the three algorithms has been evaluated by an independent laboratory in an off-line controlled evaluation against a set of computer intrusions and normal usage to determine rates of correct detection and false alarms. A real-time system has since been developed that will enable deployment of a program-based intrusion detection system in a real installation.

Two state-based approaches to program-based anomaly detection

This paper describes two intrusion detection algorithms, and gives experimental results on their performance. The algorithms detect anomalies in execution audit data. One is a simply constructed finite-state machine, and the other monitors statistical deviations from normal program behavior. The performance of these algorithms is evaluated as a function of the amount of available training data, and they are compared to the well-known intrusion detection technique of looking for novel n-grams in computer audit data.

Regularization in the synthesis of host-based anomaly detectors

The goal of host-based intrusion detection is to detect attacks against a single information system. Many host-based intrusion detector systems - especially those that use anomaly detection - use training data to synthesize detectors automatically, that is, the detectors are classifiers created by machine learning. Regularization, which often improves the performance of machine learning algorithms, has not previously been applied to intrusion detector synthesis. This paper discusses regularization for machine learning-based intrusion detectors, showing how regularization can be accomplished for such systems and providing the results of an empirical evaluation.