CORTEX: Mission-Aware Closed-Loop Cyber Assessment and Response
Honeywell Laboratories, 1/27/05 PI Meeting
David Musliner, Christopher Geib, Mike Pelican

DESCRIPTION

Honeywell Laboratories. CORTEX: Mission-Aware Closed-Loop Cyber Assessment and Response. 1/27/05 PI Meeting, David Musliner, Christopher Geib, Mike Pelican. Outline: Project overview. Thin-slice initial demo. Proactive response planning. Planner evaluation tools. Quadchart. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: CORTEX: Mission-Aware Closed-Loop Cyber Assessment and Response

Honeywell Laboratories

1/27/05 PI Meeting

David Musliner, Christopher Geib, Mike Pelican

Page 2: Outline

• Project overview.

• Thin-slice initial demo.

• Proactive response planning.

• Planner evaluation tools.

• Quadchart.

Page 3: Project Overview

• Technical Objectives – Automated defense systems that:

– Model and understand their changing mission needs.

– Automatically develop defensive plans to recognize and stop attacks.

– Automatically regenerate and rebuild system infrastructure.

– Learn to prevent attacks.

– Resulting in a highly reliable self-regenerative system.

• Existing Practice – Very limited condition-action rules within some IDS systems.

– Not mission aware, not self-aware.

– No lookahead, no proactive resource testing.

– No dynamic replanning or performance tradeoffs.

Page 4: Project Overview

• Technical Approach – Integrate, extend & improve:

– Scyllarus’ state of the art intrusion detection/correlation technology.

– CIRCADIA’s automated planning and controller synthesis.

– Learning methods to:

- Refine models of attacks.

- Improve recognition of new attacks.

• Truly New –

– Mission-aware, context-sensitive response and self-regeneration.

– Planned preemptive self-testing to detect faults in mission-critical assets before they are required.

– Focused learning to improve the system’s performance on its specific mission.

Page 5: The CORTEX Vision

[Architecture diagram. Components: Controller Synthesis Module; Mission Aware Meta Planner; Active Security Controller (Executive); System Reference Model (mission, behaviors, faults, threats); Dynamic Evidence Aggregator; Learning. Labelled flows: mission/phase specific planning problem; custom reactive plan (proactive protection, reactive defense, and healing); unexpected states, unhandled contingencies; system, security, and mission application actions; sensor inputs; Likely Security Situation.]

Page 6: Overview (cont’d)

• Major Risks and Mitigations –

– Planning domain complexity:

- System demonstrations on limited-scope domain.

- Scalable synthetic evaluation domains for planning.

- Alternative planning approaches.

– Learning:

- Focused learning techniques for knowledge-rich parts of the problem (e.g., learning size limits on buffer overflow vulnerability).

– Aggressive schedule:

- Thin-slice first demonstration emphasizing infrastructure.

- Cyclic development plan focusing on incremental improvement in each sub-area.

Page 7: Overview (cont’d)

• Quantitative Metrics –

– Measures of attack learning and detection rates.

– Respond to 100% of detected attacks.

• Expected Major Achievements –

– High confidence intrusion assessment and diagnosis.

– Pre-planned responses to contain/recover from faults and attacks.

– Automatic tradeoffs of security vs. service level & accessibility.

– Learning to recognize and defeat novel attacks.

Page 8: Overview

• Task Schedule:

– Develop thin-slice demonstration (first version complete).

– Extend scenario (in progress).

– Develop learning capability & experiments (in progress).

– Model mission phases (in progress).

– Proactive response planning (in progress).

• Milestones (demos):

– JUL 04: Thin slice demo.

– DEC 04 / APR 05: Learning Demo.

– DEC 05: Mission Aware Demo.

Page 9: Thin Slice Demo: Self-Regenerative MySQL

Page 10: Demo Objectives

• Implement “taste-tester” architecture to form a redundant, high-reliability MySQL server system.

• Illustrate detection and self-regenerative response to successful attack.

• Illustrate (simple) learning to improve immunity.

• Provide basis for future demonstrations of multi-phase mission-awareness and learning.

Page 11: Demo Scenario

• N (8) MySQL servers are available as redundant, replicable assets.

• Queries arrive and are processed by the designated “Lead Taster”.

• If the Lead Taster has no problem with the query, it is replicated to each of the servers.

• If the Lead Taster fails:

– Bad query is not sent to other servers.

– A backup server becomes Lead Taster.

– Bad query is sent to learning module for generalization.

– Dead server is restarted.

• Future occurrences of the same or similar exploits are ineffective.
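The taste-tester loop of this scenario, as an added, self-contained Python simulation that is not part of the deck or of the Honeywell demo code. The mock server, its hidden token-length trigger, the size-limit learner and the query strings are all constructed for illustration: no real MySQL defect is modelled, and the learner stands in for the Snort-rule writer of the demo.

```python
from typing import List, Optional

# Constructed demo of the "taste-tester" loop. No real MySQL defect is modelled:
# the mock server simply "dies" when any token in a query is longer than a
# hidden limit, standing in for an unspecified input-length bug of the kind the
# deck's size-limit learning targets.


class MockMySQLServer:
    def __init__(self, name: str, hidden_limit: int = 64) -> None:
        self.name = name
        self.hidden_limit = hidden_limit   # unknown to the defender
        self.alive = True
        self.applied: List[str] = []       # queries this replica has applied

    def execute(self, query: str) -> Optional[str]:
        """Return "ok", or None if the query took this server offline."""
        if not self.alive:
            raise RuntimeError(f"{self.name} is down")
        if max(len(tok) for tok in query.split()) > self.hidden_limit:
            self.alive = False
            return None
        self.applied.append(query)
        return "ok"

    def rebuild_from(self, healthy: "MockMySQLServer") -> None:
        """Restart the dead server and resync its state from a healthy replica."""
        self.alive = True
        self.applied = list(healthy.applied)


class SizeLimitLearner:
    """Generalises killer queries into one rule: block any query carrying a
    token at least as long as the shortest killer token seen so far (the
    analogue of the tailored Snort rule the learner writes in the demo)."""

    def __init__(self) -> None:
        self.limit: Optional[int] = None

    def learn(self, bad_query: str) -> None:
        killer = max(len(tok) for tok in bad_query.split())
        self.limit = killer if self.limit is None else min(self.limit, killer)

    def blocks(self, query: str) -> bool:
        return self.limit is not None and max(len(t) for t in query.split()) >= self.limit


class TasteTesterReplicator:
    def __init__(self, servers: List[MockMySQLServer], learner: SizeLimitLearner) -> None:
        self.servers = servers
        self.learner = learner
        self.lead = 0                      # index of the current Lead Taster
        self.events: List[str] = []

    def handle(self, query: str) -> str:
        if self.learner.blocks(query):     # learned rule fires before any taster sees it
            self.events.append("blocked")
            return "blocked"
        lead = self.servers[self.lead]
        if lead.execute(query) == "ok":    # hb_sync good: replicate to every other taster
            for i, s in enumerate(self.servers):
                if i != self.lead and s.alive:
                    s.execute(query)
            self.events.append("replicated")
            return "replicated"
        # hb_sync bad: the query is NOT replicated; learn from it, promote a
        # backup to Lead Taster, and rebuild the dead server from the new lead
        self.learner.learn(query)
        dead_idx = self.lead
        self.lead = next(i for i, s in enumerate(self.servers) if s.alive)
        lead.rebuild_from(self.servers[self.lead])
        self.events.append(f"failover:{dead_idx}->{self.lead}")
        return "failover"


def run_demo(n_servers: int = 8) -> TasteTesterReplicator:
    """Constructed scenario: a good query, a killer query, the same killer
    again (now blocked), then another good query handled by the new lead."""
    servers = [MockMySQLServer(f"taster{i}") for i in range(n_servers)]
    rep = TasteTesterReplicator(servers, SizeLimitLearner())
    good = "SELECT name FROM users WHERE id = 42"
    killer = "SELECT name FROM users WHERE id = '" + "A" * 200 + "'"
    for q in (good, killer, killer, good):
        rep.handle(q)
    return rep


if __name__ == "__main__":
    print(run_demo().events)   # ['replicated', 'failover:0->1', 'blocked', 'replicated']
```

The learner only generalises down to the shortest killer token it has observed, so a "similar" exploit with a shorter payload still reaches the lead taster once; each such observation tightens the rule, which is the incremental immunity the slide describes rather than a guarantee.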

Page 12: Demo Development Process

• Design architecture for integrating sensor data aggregation, reaction planning, plan execution, and learning.

• Design reduced-scope architecture for Demo 1.

• Survey MySQL vulnerabilities to identify suitable host versions and exploits.

• Build infrastructure and simple visualization machinery.

• Execute demonstration with hand-generated plan.

• Build planning input model of domain.

• Evaluate planner performance on domain model.

Page 13: Demo System Architecture

[Architecture diagram; no text extracted.]

Page 14: Demo 1 Architecture

[Diagram. Components: SQL Query → Verter (Push Cache, RTS); Lead Taster; Tasters; Replicator; Snort and Snort rules (“Append new rule”; “After rule update kill -HUP”); Learning (“Write new snort rules via CIRCADIA proto”); Alert Distributor (“Tail alerts”, “Tail xml”, “High Events”). Labelled flows: Good Query; Good | Bad Query Result; HB_sync, good/bad, Query; “Are we dead after this ‘good’ query?”]

Executive logic annotated on the diagram:

HB_sync:
  if (alert) Q = Qb else Q = Qg
  if (hb_sync_good) { replicate to all tasters }
  if (hb_sync_bad)  { send bad query to learning }
  if (hb_sync_bad)  { switch to next taster }

Page 15: Survey of MySQL Vulnerabilities

BUGTRAQ vulns for MySQL (columns 3.20 … 5.0 give the vulnerable versions within each release series; ? = not known/tested, all = all versions, - = not applicable):

Vulnerability                     | BID   | Rem/Loc | 3.20 | 3.21 | 3.22  | 3.23  | 4.0  | 4.1     | 5.0 | Impact   | Exploit | Notes
global password changing          | 926   | R/L     | ?    | ?    | 27-29 | 8     | ?    | ?       | ?   | Access   | Y       |
unauth remote access vuln         | 975   | R       | ?    | ?    | 26-30 | 8-10  | ?    | ?       | ?   | Access   | F       |
weak authentication algorithm     | 1826  | R       | all  | all  | all   | all   | ?    | ?       | ?   | Access   | F       |
SELECT local buffer overflow      | 2262  | L       | ?    | ?    | 26-32 | 8-31  | ?    | ?       | ?   | Exec     | Y       |
show grants password disclosure   | 2380  | L       | ?    | ?    | ?     | 3-30  | ?    | ?       | ?   | Access   | F       |
root op symbolic link overwriting | 2522  | L       | 32   | ?    | ?     | 34    | ?    | ?       | ?   | Access   | Y       |
null root password                | 5503  | R       | 32   | ?    | 26-32 | 2-52  | ?    | ?       | ?   | Access   | Y       | w
datadir parameter bov             | 5853  | L       | ?    | ?    | ?     | 49    | 0-1  | ?       | ?   | DoS/Exec | F/N     | w
COM_TABLE_DUMP corrupt            | 6368  | R       | ?    | ?    | 26-32 | 2-53  | 0-5  | ?       | ?   | DoS      | F       |
client read_rows bov              | 6370  | R       | 32   | ?    | 26-32 | 2-53  | 0-5  | ?       | ?   | DoS/Exec | F/N     | c
COM_CHANGE_USER passwd            | 6373  | R       | ?    | ?    | 26-32 | 3-53  | 0-5  | ?       | ?   | Access   | Y       |
client read_one_row bov           | 6374  | R       | 32a  | ?    | 26-32 | <54   | 0-5  | ?       | ?   | DoS      | F       | c
COM_CHANGE_USER corrupt           | 6375  | R       | ?    | ?    | 26-32 | <54   | 0-5  | ?       | ?   | DoS/Exec | F/N     |
double free heap corruption       | 6718  | R       | ?    | ?    | ?     | <55   | ?    | ?       | ?   | DoS      | F       |
root privilege escalation vuln    | 7052  | R       | ?    | ?    | ?     | 36-55 | ?    | ?       | ?   | Access   | Y       |
weak password encryption          | 7500  | L       | all  | all  | all   | all   | 0-11 | 0       | ?   | Access   | Y       |
client mysql_real_connect bov     | 7887  | R/L     | ?    | ?    | ?     | all   | 0-13 | ?       | ?   | DoS/Exec | Y/N     | c
odbc driver plain text password   | 8245  | L       | -    | -    | -     | -     | -    | -       | -   | Access   | Y       | w
password handler bov              | 8590  | R       | ?    | ?    | ?     | all   | <15  | 0       | ?   | Access   | Y       |
multiple vulnerabilities          | 8796  | -       | ?    | ?    | ?     | <54   | ?    | ?       | ?   | DoS/Exec | Y       |
aborted bug report tmp file       | 9976  | L       | 32   | ?    | 26-32 | 2-58  | 0-18 | 0       | ?   | DoS      | Y       |
mysql_multi insecure tmp file     | 10142 | L       | 32   | ?    | 26-32 | 2-58  | 0-18 | 0       | ?   | DoS      | F       |
authentication bypass vuln        | 10654 | R       | ?    | ?    | ?     | ?     | ?    | <3      | 0   | Access   | Y       |
password length remote bov        | 10655 | R       | ?    | ?    | ?     | ?     | ?    | 0, 2, 3 | 0   | DoS/Exec | F/N     |
mysql_real_connect bov            | 10981 | R       | all  | all  | 26-32 | all   | <19  | 0-3     | 0   | DoS/Exec | F/N     |
bounded param statement bov       | 11261 | R/L     | ?    | ?    | ?     | ?     | ?    | <5      | ?   | DoS/Exec | F/N     |
insecure tmp file creation        | 11291 | L       | ?    | ?    | ?     | ?     | 18   | ?       | ?   | DoS      | F       |
multiple local vulnerabilities    | 11357 | L       | ?    | ?    | ?     | <59   | <21  | ?       | ?   | DoS      | Y       |
FULLTEXT search DoS               | 11432 | R       | ?    | ?    | ?     | ?     | <21  | none    | ?   | DoS      | F       |
unauthorized GRANT privilege      | 11435 | R       | all  | all  | all   | all   | <21  | ?       | ?   | Access   | Y       |

Exploit column (how easy is this to exploit?): N = exploit would not be easy; F = exploit feasible with some work; Y = exploit code readily available.

Notes column: w = demonstrated in MS Windows; c = vulnerability in MySQL client; x = exploit worked in our lab.

* Bold face (not preserved in this transcript) marked vulnerability descriptions for remotely exploitable issues with an available exploit.

* Not all versions/platforms have been tested against all vulnerabilities, so some may have broader coverage.

* Exploits are Linux or cross-platform unless otherwise noted.

[Callouts on the table mark versions 3.23.8 and 4.0.0.] The sweet spot seems to be an early 3.23 version of MySQL, although 4.0.0/1 are also ripe.

Page 16: Assumptions

• Attacks take the Lead Taster off line.

– We are now beginning to look at other forms of attacks.

• The query just processed is responsible for failures.

– Queries must be transactional in effect.

- Required adding synchronous commits for non-transactional administrative commands that did, in fact, contain a vulnerability.

– For “binary poisons,” we assume that preventing the final step of the attack is sufficient.

Page 17: Before the Attack

[Diagram labels: Bad Guy; Good Guy; Replicator; Verter RTS (Executive); Tasters; Snort.]

Page 18: Before the Attack

Bad Guy enters exploit…

Page 19: After the Attack

Lead Taster died.

RTS detects failure and switches Lead, sends bad query to learning.

New Lead Taster.

Page 20: Before the 2nd Attack

Learner builds new tailored Snort rule.

Dead Taster is restarted.

Page 21: After the 2nd Attack

Bad Guy enters exploit again…

To no avail; system has learned to block bad query.

Page 22: Show Movie

Page 23: Proactive Response Planning

Page 24: Simple Planner Model for Demo 1

(def-temporal query-arrives
  :preconds ((query F))
  :postconds ((query T))
  :delay-distribution (uniform-distribution 10 20)
  :min-delay 10)

(def-temporal query-stale
  :preconds ((query T))
  :postconds ((failure T))
  :delay-distribution (uniform-distribution 20 50)
  :min-delay 20)

Page 25: Planner Model (cont’d)

(def-reliable process
  :preconds ((taster T) (query T))
  :postconds ((.5 (taster F) (query F) (hb-sync F))
              (.5 (current F) (query F) (hb-sync T)))
  :delay-distribution (uniform-distribution 1 1)
  :cost 1)

(def-action replicate-to-tasters
  :preconds ((current F) (taster T) (backup T))
  :postconds ((current T))
  :wcet 1
  :cost 1)

Page 26: Planner Model

• Goal: maximize Expected Utility (EU).

• Rewards: maintain “(current T)” for 10 utils/tick.

• Arbitrary duration: 200 ticks.

• Maximum possible EU < 2000 (200 duration * 10 utils/tick).

– Less than 2000 because some queries will arrive, incurring cost.

• Planner uses goal-driven heuristic to derive plan.

• Evaluates safety and EU performance of plan using simulation (sampling).

• Backtracks/jumps to create new plans, directed by failures.

– Not yet well-directed in search after non-failure plan found.

Page 27: Plan EU vs. Elapsed Planning Time

[Plot: Expected Utility (y axis, 1870 to 1950) vs. Time (ms) (x axis, log scale 100 to 1e+07).]

Page 28: First Safe Plan Found

Blue states satisfy goal.

Two non-goal states.

EU = 1880.

Elapsed planning time: 800 milliseconds.

If query kills taster, wait until next query arrives to switch tasters and rebuild the dead one.

Page 29: 12th Safe Plan Found

• Only one non-goal state.

• EU = 1940.

• Elapsed planning time: 30 minutes.

• Key: Switch tasters and restart backup server immediately, even though you are in the goal state.

• Pre-positions for the eventuality of being pushed out of the goal state, pre-arranging to speed restoration of the goal state.
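An added Python sketch (not the CIRCADIA planner or its code) of the sampling-based EU evaluation described on the planner model slide, applied to the two plans just compared. Features, transitions, delays, costs and the 10 utils/tick reward follow the cortex-taster domain reproduced later in the deck; the tick-based simulator, the names `plan_reactive` and `plan_eager` and their decision rules are this example's own simplification, so the utilities it prints differ from the planner's 1880 and 1940.

```python
import random
from statistics import mean
from typing import Callable, Dict, Optional, Tuple

# Constructed simulator for the Demo 1 planner domain. Feature names, the
# 50/50 process outcome, delays, costs and the reward follow the domain file;
# the tick mechanics and the two policies are this example's simplification.

TICKS = 200
REWARD_PER_TICK = 10
State = Dict[str, bool]

# action name -> (preconditions, postconditions, wcet), from the domain file
ACTIONS = {
    "switch":    ({"taster": False, "backup": True},
                  {"taster": True, "backup": False}, 1),   # send-to-learning-switch-tasterdb
    "replicate": ({"current": False, "taster": True, "backup": True},
                  {"current": True}, 1),                    # replicate-to-tasters
    "rebuild":   ({"backup": False}, {"backup": True}, 5),  # rebuild-taster
}


def applicable(s: State, name: str) -> bool:
    return all(s[f] == v for f, v in ACTIONS[name][0].items())


def plan_eager(s: State) -> Optional[str]:
    """Analogue of the 12th safe plan: repair taster and backup immediately,
    even while the maintenance goal (current T) still holds."""
    for name in ("switch", "rebuild", "replicate"):
        if applicable(s, name):
            return name
    return None


def plan_reactive(s: State) -> Optional[str]:
    """Analogue of the first safe plan: while the goal holds and no query is
    pending, do nothing; repairs start only once a query arrives or replicas lag."""
    if s["current"] and not s["query"]:
        return None
    return plan_eager(s)


def simulate(policy: Callable[[State], Optional[str]], rng: random.Random) -> Tuple[int, bool]:
    """One 200-tick trajectory. Returns (utility, safe); safe is False when a
    pending query went stale, i.e. the failure feature became true."""
    s: State = {"query": False, "current": True, "taster": True, "backup": True}
    arrive_at = rng.randint(10, 20)   # query-arrives: uniform 10..20 after query F
    stale_at = 0                      # query-stale: uniform 20..50 after query T
    process_at: Optional[int] = None  # process: fires 1 tick after being enabled
    action, done_at, utility = None, 0, 0
    for t in range(TICKS):
        if not s["query"] and t >= arrive_at:
            s["query"] = True
            stale_at = t + rng.randint(20, 50)
        if s["query"] and t >= stale_at:
            return utility, False          # failure T: this run was not safe
        if s["query"] and s["taster"]:
            if process_at is None:
                process_at = t + 1
            elif t >= process_at:          # process postconds, cost 1
                s["query"], process_at, utility = False, None, utility - 1
                if rng.random() < 0.5:
                    s["taster"] = False    # bad query killed the Lead Taster
                else:
                    s["current"] = False   # good query; replicas are now behind
                arrive_at = t + rng.randint(10, 20)
        else:
            process_at = None
        if action is not None and t >= done_at:   # running action completes
            s.update(ACTIONS[action][1])
            action = None
        if action is None:
            action = policy(s)
            if action is not None:
                done_at, utility = t + ACTIONS[action][2], utility - 1   # :cost 1
        if s["current"]:
            utility += REWARD_PER_TICK     # maintenance-goal reward
    return utility, True


def evaluate(policy: Callable[[State], Optional[str]], runs: int = 500,
             seed: int = 1) -> Tuple[float, float]:
    """Sampling-based plan evaluation: (mean utility, fraction of safe runs)."""
    rng = random.Random(seed)
    results = [simulate(policy, rng) for _ in range(runs)]
    return mean([u for u, _ in results]), mean([1.0 if ok else 0.0 for _, ok in results])


if __name__ == "__main__":
    for name, pol in (("reactive", plan_reactive), ("eager", plan_eager)):
        eu, safe = evaluate(pol)
        print(f"{name:9s} mean EU {eu:7.1f}  safe runs {safe:.1%}")
```

The eager policy scores higher for the reason the slide gives: after a bad query it switches and rebuilds while the goal still holds, so the next good query only costs the one-tick replicate instead of a five-tick rebuild plus replicate with replicas lagging. The safe-run fraction is the simulator's stand-in for the planner's safety check; a run counts as unsafe when a query goes stale before being processed.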

Page 30: Improving the Planner

• Local search (plan patching) based on heuristic guidance.

– E.g.: If the current plan includes a multi-step chain to re-establish a maintenance goal, try to move one or more of the steps earlier, before the goal is violated.

– Random restarts probably required to escape local maxima.

• Investigate alternative solution method: map to MDPs.

– Younes (CMU): Tempastic-DTP planner maps GSMDP problems to MDPs using phase-type distributions.

– Exponential state space growth, but solution method is non-iterative.

Page 31: Scalable Planner Evaluation Domains

• In addition to demo-specific domains, we have built scalable test domain generators to provide rigorous evaluation metrics.

• Expands test coverage to domains where utilities and probabilities determine success.

– Include abstractions for important SRS domain characteristics.

– Goal: help drive Cortex planner development by identifying relevant weaknesses.

Page 32: Basic Abstractions

• Each test consists of "games", revolving around a single "goal".

• Dwell goals: per-tick reward for maintaining a feature in face of clobbering threats, e.g., providing a network service, while under attack.

• Achievement goals: one-time reward for completing multi-step process, e.g., configuring a network.

• Goals and threats can be combined to test scalability or the ability to make trade-offs.

Page 33: Example Scalability Baseline

• Domain: single dwell goal subject to N threats.

• Threat delay: uniform distribution from 1 to 100.

• Time-to-failure: 20 ticks.

• Response time: 1 tick.

[Plot: Time to best plan (msecs) (y axis, log scale 100 to 1e+006) vs. Num Threats (x axis, 0 to 8); data series "new-scaling-num-threats-fixed.data" using 1:2.]

Page 34: Quadchart

CORTEX – Mission-Aware Closed-Loop Cyber Assessment and Response

NEW IDEAS

• System Reference Model including mission models drives intrusion assessment, diagnosis, and response.

• Automatically search for response policies that optimize tradeoff of security against mission ops.

• “Taste-tester” server redundancy supports robustness and learning from new attacks.

IMPACT

• High confidence intrusion assessment and diagnosis.

• Pre-planned automatic responses to contain and recover from faults and attacks.

• Automatic tradeoffs of security vs. service level & accessibility.

• Learns to recognize and defeat novel attacks.

[Diagram labels: Computing services; Active Security Controller (Executive); Controller Synthesis Module; Security Tradeoff Planner; Scyllarus Intrusion Assessment; Networks, Computers; Attacks, intrusions.]

SCHEDULE (demos)

JUL 04: Thin slice demo.

DEC 04 / APR 05: Learning Demo.

DEC 05: Mission Aware Demo.

Page 35: The End

Page 36: How Scyllarus Intrusion Detection Works

[Diagram. Audit Reports (audit report of network probe; audit report of communication attempt; audit report of unauthorized user) feed the Dynamic Evidence Aggregator, which draws on the Intrusion Reference Model (Network Model, Security Model, Attack Models). Hypotheses (possible situations), e.g. H1 “Intrusion in progress” and H2 “Accidentally mis-configured application”, are weighed to produce the Likely Security Situation (intrusions, attacks).]

Page 37: Sifting Key Events from Raw Reports

• Daily Traffic Example

[Funnel diagram: 16,000 raw reports from IDS-1, IDS-2 and IDS-3 → clustering reports into events (figures shown: 1000 and 4000, labelled uninteresting events and interesting events) → evidence analysis → 10 believable interesting events.]

Page 38: Example of How Scyllarus Reduces Workload

[Plot: count (y axis, log scale 1 to 100000) vs. Days in November, 2001. Series: IDS Reports; Events; All Plausible Events; Med/High Plausibility & Med/High Severity; High Plausibility & High Severity.]

Page 39: Controller Synthesis Module

[Diagram labels: Active Security Controller (Executive); Controller Synthesis Module; Security Tradeoff Planner; Threat Model; Dynamics Model; Action Model; Projection/Synthesis Algorithm; Scheduler/Verifier.]

Controller Synthesis Module reasons about models of goals, threats, cyberspace dynamics and actions to derive new sets of control rules online.

– Timed automata models capture temporal constraints, probabilities.

– Game theoretic view plus time: search for controller automaton while projecting adversary’s moves.

– Temporal reasoning derives requirements on sensing/monitoring.

– Formal methods verify controller behavior against policy requirements.

Page 40: Controlled State Space Graph

• Considers different orders of attacker actions, consistent with preconditions.

– Factored, transition-based attacker model allows CIRCADIA to generalize beyond single-path characterization of a given attack script.

• Includes sequences of CIRCADIA actions to prevent further damage and recover from current (non-goal) situations.

Page 41: Motivation

• Current computational mission (resources, tasks) affects:

– Detection of attacks and failures.

– Appropriate responses.

• Existing intrusion detection and response does not incorporate knowledge of mission.

• Thesis: mission awareness will enable Self-Regenerative System behavior.

Page 42: Scyllarus

A management and analysis system for network security monitoring:

• Correlates reports from many disparate intrusion detectors to provide information useful to operating personnel or administrators.

– Weighs evidence for/against intrusions to reduce false alarms.

– Assesses intrusion events for plausibility and severity.

– Discounts attacks against non-susceptible targets.

• Consolidates and retains all report data for forensic investigation.

• Maintains detector and system configuration information.

Page 43: Scyllarus Capability Summary

• Process reports from a variety of intrusion detection sensors:

– Network, host, and hybrid.

– Commercial, open-source, research.

• Process substantial report volume: thousands of reports/hour.

• Provide significant reductions in report volume: thousands -> tens.

• Monitor sizeable networks

– Up to 1000 nodes with one system.

• Cluster and correlate reports from multiple sensors:

– More effective detection of stealthy attacks.

– Vast reduction in false alarms and noise.

• Categorize events for efficient review

– Plausibility, severity, utility of events.

• Discount attacks on unsusceptible targets.

• Retain events and reports in database for forensic analysis.
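An added, self-contained Python illustration of the correlation steps listed on these two Scyllarus slides: clustering reports into events, weighing evidence from several sensors, discounting attacks on targets that cannot be affected, and categorising events by plausibility and severity. It is not Scyllarus code; the signature catalogue, asset inventory, report lines and scoring rules are all constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed sample data and scoring rules; not Scyllarus's own algorithm.

# Signature catalogue: severity 1..3 plus what a target must look like for the
# attack to have any effect (used to discount attacks on unsusceptible targets).
SIGNATURES = {
    "web-exploit-win": {"severity": 3, "requires": {"os": "windows", "service": "http"}},
    "ssh-brute-force": {"severity": 2, "requires": {"service": "ssh"}},
    "ping-sweep":      {"severity": 1, "requires": {}},
}

# Asset inventory: the network/security-model side of the reference model.
ASSETS = {
    "10.0.1.10": {"os": "windows", "service": "http"},
    "10.0.1.20": {"os": "linux",   "service": "http"},
    "10.0.1.30": {"os": "linux",   "service": "ssh"},
}

Report = Tuple[str, int, str, str, str]   # (sensor, time, src, dst, signature)

# Constructed raw reports from three detectors.
REPORTS: List[Report] = [
    ("IDS-3",   50, "10.0.0.9", "10.0.1.10", "ping-sweep"),
    ("IDS-1",  100, "10.0.0.5", "10.0.1.10", "web-exploit-win"),
    ("IDS-2",  103, "10.0.0.5", "10.0.1.10", "web-exploit-win"),
    ("IDS-3",  105, "10.0.0.5", "10.0.1.10", "web-exploit-win"),
    ("IDS-1",  140, "10.0.0.5", "10.0.1.20", "web-exploit-win"),  # Linux target
    ("IDS-2",  141, "10.0.0.5", "10.0.1.20", "web-exploit-win"),
    ("IDS-1",  900, "10.0.0.7", "10.0.1.30", "ssh-brute-force"),
    ("IDS-1",  905, "10.0.0.7", "10.0.1.30", "ssh-brute-force"),
    ("IDS-1", 2000, "10.0.0.7", "10.0.1.30", "ssh-brute-force"),  # beyond window: new event
]


def cluster_reports(reports: List[Report], window: int = 60) -> List[dict]:
    """Cluster reports into events: same (src, dst, signature) and within
    `window` seconds of the event's latest report."""
    events: List[dict] = []
    latest: Dict[tuple, dict] = {}
    for sensor, t, src, dst, sig in sorted(reports, key=lambda r: r[1]):
        key = (src, dst, sig)
        ev = latest.get(key)
        if ev is None or t - ev["last"] > window:
            ev = {"src": src, "dst": dst, "sig": sig, "first": t, "last": t,
                  "sensors": set(), "reports": 0}
            events.append(ev)
            latest[key] = ev
        ev["last"] = t
        ev["sensors"].add(sensor)
        ev["reports"] += 1
    return events


def susceptible(dst: str, sig: str) -> bool:
    """True when the target matches everything the signature's attack requires."""
    asset = ASSETS.get(dst, {})
    return all(asset.get(k) == v for k, v in SIGNATURES[sig]["requires"].items())


def assess(ev: dict, sensor_fp: float = 0.5, discount: float = 0.1) -> dict:
    """Plausibility = P(at least one corroborating sensor is not a false
    positive), treating sensors as independent; multiplied by `discount` when
    the target cannot be affected. Severity comes from the catalogue."""
    p = 1.0 - sensor_fp ** len(ev["sensors"])
    if not susceptible(ev["dst"], ev["sig"]):
        p *= discount
    return {**ev, "plausibility": round(p, 3),
            "severity": SIGNATURES[ev["sig"]]["severity"]}


def triage(reports: List[Report], min_plausibility: float = 0.6,
           min_severity: int = 2) -> List[dict]:
    """Thousands -> tens: keep only believable, interesting events."""
    return [e for e in (assess(ev) for ev in cluster_reports(reports))
            if e["plausibility"] >= min_plausibility and e["severity"] >= min_severity]


if __name__ == "__main__":
    for e in triage(REPORTS):
        print(e["dst"], e["sig"], e["plausibility"], sorted(e["sensors"]))
```

On the constructed input the nine reports collapse to five events, and only the three-sensor web exploit against the Windows host survives triage: the identical-looking reports against the Linux host keep their corroboration but are discounted to near zero because the target is not susceptible.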

Page 44: CIRCADIA

Cooperative Intelligent Real-time Control Architecture for Dynamic Information Assurance

• Autonomic defense for computing resources.

• Adaptive monitoring.

• Real-time reactive control responses.

• Uses control-theoretic methods to automatically synthesize its control strategies, rather than relying on hand-built rules or other knowledge.

Page 45: Automatically Synthesizing Security Control Systems

NEW IDEAS

• Use control theory to derive appropriate response actions automatically.

• Automatically tailor monitoring and responses according to mission, available resources, varying threats, and policies.

• Reason explicitly about response time requirements to provide performance guarantees.

IMPACT

• Automatic responses guaranteed to defeat intruders in real-time.

• System derives appropriate responses for novel attack combinations.

• Automatic tradeoffs of security and monitoring vs. service and accessibility.

• Easier to deploy & maintain than manual rule bases.

[Diagram labels: Active Security Controller (Executive); Controller Synthesis Module; Security Tradeoff Planner; Intrusion Assessment; Networks, computers; Computational mission services.]

Page 46: CORTEX Advances (Beyond Scyllarus)

• Add mission modeling capability to form System Reference Model.

• Incorporate propagation models to represent information flow and filtering components.

• Enhance state assessment for mission awareness:

– Mission affects expected sensor behavior.

– Mission affects criticality of failures and attacks.

• Bring state assessment fully online for soft real-time performance.

• Stretch Goal: Retrospective revision of alerts based on new information.

Page 47: CORTEX Advances (Beyond CIRCADIA)

• Automatically map System Reference Model elements to planning problem for controller synthesis.

• Develop new controller synthesis algorithms for qualitative probabilistic models, based on local search.

• Develop meta-level control to focus and adjust response planning algorithms based on mission phasing and urgency of self-reconfiguration.

• Interface to state assessment for real-time response.

Page 48: CORTEX Advances (Learning)

• Adapt existing concept drift algorithms to update surprise levels (qualitative probabilities) within the threat models.

• Adapt performance profiles within the Mission models and Self (meta-level) models.

• Develop strategies for preemptively testing resource capacities based on mission, self, and threat models.

– Predict and test for failures and adapt before they are critical.

Page 49: [untitled slide: tail of the planner domain file]

(def-action rebuild-taster
  :preconds ((backup F))
  :postconds ((backup T))
  :wcet 5
  :cost 1)

;;; ************ problem def ***********

(def-machine system-ops
  (query-arrives
   query-stale
   process))

(def-machine manage-system
  (send-to-learning-switch-tasterdb   ; must match the def-action name (hyphens, not underscores)
   replicate-to-tasters
   rebuild-taster))

(def-maintenance-goal dbcurrent
  ;;:features ((current T) (taster T) (backup T))
  :features ((current T))
  :reward 10)

(def-problem cortex-taster
  :version "$Revision: 1.2 $"
  :machines (system-ops manage-system)
  :initial-states (scenario1-initial-state)
  :transitions ()
  :goals (dbcurrent))

(solve-problem cortex-taster)

Page 50: cortex-taster.lisp

;;; cortex-taster.lisp

#|
;; Interactive driver and debugging settings, kept in a block comment.
(defun t1 () (load "domains/taster/cortex-taster"))

(set-verifier-mode :meu)
(set-search-mode :forward)
(setf *sim-maxtime* 200)
(setf *max-utility* 2000)

(setf *debug-list* NIL)
(pushnew :top *debug-list*)
(pushnew :csm *debug-list*)
(pushnew :meu *debug-list*)

(setf *max-number-of-intermediate-plans-considered* 10000)
(setf *TEMPSWITCH-FIX-MC-SIM-CULPRIT-NO-OP-BUG* T)
(setf *store-all-improved-plans* T)
;;(setf *check-all-plans-diff* T)
;;(setf *backjump-if-inferior* T)
;;(setf *cautious-culprit-match* T)

(reset-randoms)

;; testing results stuff....
(setf *omit-no-ops* nil)

;; a = first plan produced...
(setf a (first (last *stored-plan-list*)))
(setf b (first *stored-plan-list*))
(diff a b)
(mapcar #'eu *stored-plan-list*)
(mapcar #'elapsed-time *stored-plan-list*)
(restore-stored-plan a)
(davinci-draw-sim-reachable-states)
(restore-stored-plan b)
(davinci-draw-sim-reachable-states)
|#

(def-state scenario1-initial-state
  :features ((failure F)
             (query F)
             (current T)    ; backups are current
             (taster T)     ; taster is up
             (hb-sync T)    ; last query was good
             (backup T)))   ; backup is up

;;; ************ system dynamics **************

(def-temporal query-arrives
  :preconds ((query F))
  :postconds ((query T))
  :delay-distribution (uniform-distribution 10 20)
  :min-delay 10)

(def-temporal query-stale
  :preconds ((query T))
  :postconds ((failure T))
  :delay-distribution (uniform-distribution 20 50)
  :min-delay 20)

(def-reliable process
  :preconds ((taster T) (query T))
  :postconds ((.5 (taster F) (query F) (hb-sync F))   ; bad query kills the taster
              (.5 (query F) (hb-sync T) (current F))) ; good query; replicas now behind
  :delay-distribution (uniform-distribution 1 1)
  :delay (make-range 1 1)
  :cost 1)

;;; ************ manage tasters **************

(def-action send-to-learning-switch-tasterdb
  :preconds ((taster F) (backup T))
  :postconds ((taster T) (backup F))
  :wcet 1
  :cost 1)

(def-action replicate-to-tasters
  :preconds ((current F) (taster T) (backup T))
  :postconds ((current T))
  :wcet 1
  :cost 1)

(def-action rebuild-taster
  :preconds ((backup F))
  :postconds ((backup T))
  :wcet 5
  :cost 1)

;;; ************ problem def ***********

(def-machine system-ops
  (query-arrives query-stale process))

(def-machine manage-system
  (send-to-learning-switch-tasterdb   ; must match the def-action name above (hyphens, not underscores)
   replicate-to-tasters
   rebuild-taster))

(def-maintenance-goal dbcurrent
  ;;:features ((current T) (taster T) (backup T))
  :features ((current T))
  :reward 10)

(def-problem cortex-taster
  :version "$Revision: 1.2 $"
  :machines (system-ops manage-system)
  :initial-states (scenario1-initial-state)
  :transitions ()
  :goals (dbcurrent))

(solve-problem cortex-taster)

Page 51: GSMDP Solution Method

[Diagram: GSMDP → Continuous-time MDP (via phase-type distributions, an approximation) → Discrete-time MDP (via uniformization, optional [Jensen 1953; Lippman 1975]) → MDP policy → GSMDP policy (executed by simulating phase transitions).]

Page 52: Continuous Phase-Type Distributions [Neuts 1981]

• Time to absorption in a continuous-time Markov chain with n transient states.

[Diagram of three phase-type structures: Exponential (a single phase 1, then absorption); Two-phase Coxian (phase 1 → phase 2 with probability p, phase 1 → absorption with probability 1 – p); n-phase generalized Erlang (phases 1 → 2 → … → n in sequence, with the same p / (1 – p) branch out of the first phase).]

Page 53: Approximating GSMDP with Continuous-time MDP

• Approximate each distribution G_e with a continuous phase-type distribution.

– Phases become part of state description

– Phases represent discretization into random-length intervals of the time events have been enabled

Page 54: Policy Execution

• The policy we obtain is a mapping from modified state space to actions

• To execute a policy we need to simulate phase transitions

• Times when action choice may change:

– Triggering of actual event or action

– Simulated phase transition
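A worked, added Python example (not Tempastic-DTP or any Honeywell code) for the three phase-type slides above: fitting an n-phase Erlang to the uniform delays of the Demo 1 domain by moment matching, simulating the phase chain so the phase becomes part of the state description, and re-consulting a policy at every simulated phase transition as well as at the real event. The moment-matching recipe, the `prepare_late` toy policy and the sample sizes are this example's own assumptions.

```python
import random
from typing import Callable, List, Tuple

# Added example: moment-matched phase-type approximation of the domain's
# uniform delays, plus policy execution driven by simulated phase transitions.
# The fitting recipe and the toy policy are this example's choices.


def uniform_moments(a: float, b: float) -> Tuple[float, float]:
    """Mean and variance of (uniform-distribution a b), the domain's delay form."""
    return (a + b) / 2.0, (b - a) ** 2 / 12.0


def fit_erlang(mean: float, var: float) -> Tuple[int, float]:
    """An n-phase Erlang with rate lam has mean n/lam and variance n/lam^2, so
    n = mean^2/var (rounded to a whole number of phases) and lam = n/mean."""
    n = max(1, round(mean * mean / var))
    return n, n / mean


def phase_trajectory(n: int, lam: float, rng: random.Random) -> List[Tuple[float, int]]:
    """Simulate the chain: phases 0..n-1 each hold an exponential(lam) time;
    reaching phase n is absorption, i.e. the real event fires. Returns the
    (time, phase) pairs, starting at (0.0, 0) and ending at absorption."""
    traj, t = [(0.0, 0)], 0.0
    for k in range(1, n + 1):
        t += rng.expovariate(lam)
        traj.append((t, k))
    return traj


def absorption_time(n: int, lam: float, rng: random.Random) -> float:
    return phase_trajectory(n, lam, rng)[-1][0]


def sample_moments(n: int, lam: float, rng: random.Random, samples: int = 5000) -> Tuple[float, float]:
    """Sample mean and variance of the approximated delay, to compare with the target."""
    xs = [absorption_time(n, lam, rng) for _ in range(samples)]
    m = sum(xs) / samples
    v = sum((x - m) ** 2 for x in xs) / (samples - 1)
    return m, v


def prepare_late(phase: int, n: int) -> str:
    """Toy policy over the phase-augmented state: start pre-positioning once the
    approximated delay is likely in its last third (phase index past 2n/3)."""
    if phase >= n:
        return "event-fired"
    return "prepare" if phase >= (2 * n) // 3 else "wait"


def execute_policy(policy: Callable[[int, int], str], n: int, lam: float,
                   rng: random.Random) -> List[Tuple[float, int, str]]:
    """Policy execution: the action choice is re-evaluated at each simulated
    phase transition and at the actual event (the two epochs listed above)."""
    return [(t, k, policy(k, n)) for t, k in phase_trajectory(n, lam, rng)]


if __name__ == "__main__":
    rng = random.Random(3)
    for a, b in ((10, 20), (20, 50)):           # query-arrives, query-stale delays
        n, lam = fit_erlang(*uniform_moments(a, b))
        print(f"uniform({a},{b}) -> {n}-phase Erlang, rate {lam:.4f}; "
              f"sample mean/var {sample_moments(n, lam, rng)}")
    for t, k, act in execute_policy(prepare_late, 6, 0.4, rng):
        print(f"t={t:6.2f} phase={k} action={act}")
```

The uniform(10, 20) delay of query-arrives matches a 27-phase Erlang with rate 1.8 exactly in its first two moments; the state space grows by a factor of 27 for that one event, which is the exponential growth the "Improving the Planner" slide warns about, in exchange for a solution method that is not iterative.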