基于不确定性知识发现的入侵报警关联方法

针对入侵检测系统报警信息量大、琐碎和分散的问题,提出了一种基于不确定性知识发现的入侵报警关联方法。该方法的知识发现部分采用提出的不确定性序列模式发现算法—CWINEPI对报警数据进行序列模式发现,并将经过筛选后获得的入侵报警序列模式转化成入侵报警精简规则;再对入侵报警序列模式进行关联以获取攻击模式,并转化为入侵场景重建规则。入侵报警关联部分利用获取的入侵报警精简规则和入侵场景重建规则,以模式匹配方法构造报警关联引擎,对多个入侵检测系统上报的入侵报警进行关联。美国国防部高级研究计划局2000年入侵评测数据（DARPA2000）的报警数据验证了知识发现部分的良好性能;测试环境中的入侵报警的关联结果表明了该方法是高效、可行的。     

入侵检测报警聚合与关联系统设计与实现

入侵检测系统的大部分报警事件之间都存在某种联系。通过对这些报警的聚合与关联能够消除或减少重复报警，降低误报率及发现高层多步攻击策略。论文设计并实现了一种报警聚合与关联系统，系统主要包括报警聚合、报警校验、多步攻击报警关联和报告分析与规则控制等部分。实验证明：该系统能够减少报警数量，并能识别攻击意图，达到预警的目的。     

网络入侵事件防御决策技术研究

针对传统入侵检测系统对付复杂攻击防御时暴露出的不足,提出利用数据挖掘技术进行网络入侵事件协同分析,建立关联规则与序列规则模型,并结合两者进行全局信息推理获取复杂攻击模式.重点研究了复杂入侵事件的防御决策技术和基于有限自动机的危机分析方法,详细分析了防御决策向量的制定过程以及防御知识的表示问题.实验结果表明,所提出的模型和方法能通过提前确定防御点增强系统防御的实时性与有效性.     

基于事件关联的电子取证实时入侵重构

针对目前电子取证入侵重构多用事后分析的方式导致分析信息不完整的问题，定义入侵事件的形式化描述和黑客攻击场景的表示，将事件关联方法引入电子取证入侵重构分析中，建立了事件关联的动态实时电子取证入侵重构系统，该系统预先了因果关联表，找出事件问的因果关联度，并消除它们的冗余关系，来获得入侵过程图。最后，通过一个实例来说明通过关联部分攻击片断来构建一个完整的攻击场景的过程。     

入侵检测系统报警信息聚合与关联技术研究综述

报警的聚合与关联是入侵检测领域一个很重要的发展方向·阐述了研发报警聚合与关联系统的必要性通过对报警的聚合与关联可以实现的各项目标;重点讨论了现有的各种报警聚合与关联算法,并分析了各算法的特点;介绍了在开发入侵报警管理系统(IDAMS)中如何根据算法特点选择算法的原则;总结了现有聚合与关联系统的体系结构;简要介绍了IDMEF标准数据格式以及它在报警关联中的作用;最后,介绍了现有聚合与关联系统的发展现状,并提出了研发入侵报警聚合与关联系统所面临的重要技术问题和发展方向·     

利用关联和风险评估方法减少误报和漏报 *

高误报和漏报率是入侵检测系统面临的主要问题。提出了一种利用关联和风险评估的方法 ,利用构建的安全关联模型 ,计算出每个安全事件 (如告警事件、系统安全日志记录等 )的实时风险值 ,对风险值较高的事件给出新的警告 ,并摈弃那些风险值较低的事件 ,从而降低漏报和误报率。实验结果表明 ,利用这种方法实现的事件关联系统能够显著降低检测系统的误报和漏报率。     

基于案例推理的入侵检测关联分析研究

针对基于规则和模型的入侵检测专家系统中难以建立和表达入侵检测规则的问题,利用基于案例推理(CBR)方法对知识要求的低依赖性,将它引入入侵检测(ID)领域,提出了基于案例推理的入侵检测关联分析(CBRIDRA)模型的框架,研究了系统各功能模块,并对其中攻击案例定义、攻击案例检索、攻击案例管理、专家知识系统等关键技术的解决思路和实现方法进行了讨论。     

安全事件关联分析引擎的研究与设计

入侵检测系统是动态安全防御里的重要环节，现有的入侵检测系统（IDS）存在一个致命的缺陷：误报率高居不下，IDS无法展现事件之间的逻辑关系，结果用户很难了解事件背后隐藏的攻击策略或逻辑步骤。为了解决IDS存在的上述问题，在深入分析入侵技术的基础上提出了基于入侵序列的启发式关联方法，设计并实现了一个事件关联分析引擎，最后验证了有效性。     

基于事件关联分析的入侵检测技术研究

事件关联分析是通过分析相关事件,发现隐藏在不同事件之后的整体事件和触发事件的真正原因的基本技术。文章首先分析了事件关联分析和处理技术在网络入侵检测中的作用,然后提出了基于事件关联分析的入侵检测系统实现方法和实现步骤,最后通过仿真验证,证明其有效性。     

攻击案例综合学习系统研究

随着入侵检测系统在安全领域的广泛应用，入侵报警学习和分析已经成为一个研究热点。针对目前入侵报警泛滥和知识贫乏等问题，设计了一个完整的攻击案例学习系统框架。该学习系统分为两个阶段：入侵报警精简和典型攻击案例挖掘。前者利用改进的密度聚类方法实现相似报警聚合以及报警聚类的自动精简表示，后者利用序列模式挖掘方法挖掘频繁入侵事件序列。进一步提出一种基于入侵执行顺序约束关系的攻击案例评估算法实现典型攻击案例的自动筛选。最后，利用真实入侵报警数据测试了该攻击案例学习系统，结果表明该系统能够实现高效报警精简和典型攻击案例的准确学习。     

Fuzzy rule-based reasoning approach for event detection and annotation of broadcast soccer video

This paper presents an approach for event detection and annotation of broadcast soccer video. It benefits from the fact that occurrence of some audiovisual features demonstrates remarkable patterns for detection of semantic events. However, the goal of this paper is to propose a flexible system that can be able to be used with minimum reliance on predefined sequences of features and domain knowledge derivative structures. To achieve this goal, we design a fuzzy rule-based reasoning system as a classifier which adopts statistical information from a set of audiovisual features as its crisp input values and produces semantic concepts corresponding to the occurred events. A set of tuples is created by discretization and fuzzification of continuous feature vectors derived from the training data. We extract the hidden knowledge among the tuples and correlation between the features and related events by constructing a decision tree (DT). A set of fuzzy rules is generated by traversing each path from root toward leaf nodes of constructed DT. These rules are inserted in fuzzy rule base of designed fuzzy system and employed by fuzzy inference engine to perform decision-making process and predict the occurred events in input video. Experimental results conducted on a large set of broadcast soccer videos demonstrate the effectiveness of the proposed approach.     

An intelligent simulation model to evaluate scheduling strategies in a steel company

An embedded structure is selected to construct an intelligent simulation model. A framework is proposed so that both the event generator and expert system are controlled by a simulation mechanism. The expert system includes an inference engine and a knowledge base. When the simulation mechanism starts the inference engine, the inference engine reasons based on the system states. Then the system will process the events according to the inference results. An ‘intelligent entity’ simulates an entity with intelligence such as a ‘real’ server, manager or pilot. The SIMSCRIPT II.5 simulation language is used to illustrate how the proposed framework can be implemented in an example situation of harbour unloading by a steel company which needs to import coal when the capacity of the harbour is limited. Finally, possible future research directions are presented.     

基于规则的联想网络

本文提出一种用于人工智能专家系统的知识表达方式--基于规则的联想网络(ANBR), ANBR把智能系统获取的知识表达分为内外两种形式.外部形式是基于规则的知识结构,用 于知识的获取和知识库管理;内部形式是分块联想网络,用于驱动推理控制.由于把产生式规 则的可理解性和模块性与网络的知识索引和联想推理功能结合于同一系统,使ANBR成为专 家系统知识表达的有效方式.     

基于CLIPS的卫星任务规划专家系统设计

本文提出了基于CLIPS的卫星任务规划专家系统的设计方法,详细分析了系统的结构和功能,重点讨论了中文产生式系统的BNF范式、基于上下文的推理机制和集合运算符。中文产生式系统的BNF范式基于CLIPS标准BNF范式定义,并依据BNF范式进行规则表示和规则自定义获取;推理机采用上下文限制的规则控制策略,依据不同的上下文加载相关的事实和规则,提高推理机的运行效率;利用规则中的对象逻辑子式进行了集合运算符的设计,并对极值运算符、属性差值运算符和均值运算符等三类集合运算符进行了探讨。该系统解决了卫星任务规划中知识表示和知识获取问题,提高了卫星任务规划推理效率,为卫星任务规划人员提供有效的辅助决策功能。     

Defending against XML-related attacks in e-commerce applications with predictive fuzzy associative rules

Security administrators need to prioritise which feature to focus on amidst the various possibilities and avenues of attack, especially via Web Service in e-commerce applications. This study addresses the feature selection problem by proposing a predictive fuzzy associative rule model (FARM). FARM validates inputs by segregating the anomalies based fuzzy associative patterns discovered from five attributes in the intrusion datasets. These associative patterns leads to the discovery of a set of 18 interesting rules at 99% confidence and subsequently, categorisation into not only certainly allow/deny but also probably deny access decision class. FARM's classification provides 99% classification accuracy and less than 1% false alarm rate. Our findings indicate two benefits to using fuzzy datasets. First, fuzzy enables the discovery of fuzzy association patterns, fuzzy association rules and more sensitive classification. In addition, the root mean squared error (RMSE) and classification accuracy for fuzzy and crisp datasets do not differ much when using the Random Forest classifier. However, when other classifiers are used with increasing number of instances on the fuzzy and crisp datasets, the fuzzy datasets perform much better. Future research will involve experimentation on bigger data sets on different data types.     

基于数据挖掘的Snort系统改进模型

针对Snort系统对新的入侵行为无能为力的缺点,设计了一种基于数据挖掘理论的Snort网络入侵检测系统的改进模型。该模型在Snort入侵检测系统的基础上增加了正常行为模式挖掘模块、异常检测引擎模块和新规则生成模块,使得系统具有从新的入侵行为中学习新规则和从正常数据中学习正常行为模式的双重能力。实验结果表明,新模型不仅能够有效地检测到新的入侵行为,降低了Snort系统的漏报率,而且提高了系统的检测效率。     

Interactive exploration of interesting findings in the Telecommunication Network Alarm Sequence Analyzer (TASA)

In this paper we describe the final version of a knowledge discovery system, Telecommunication Network Alarm Sequence Analyzer (TASA), for telecommunication networks alarm data analysis. The system is based on the discovery of recurrent, temporal patterns of alarms in databases; these patterns, episode rules, can be used in the construction of real-time alarm correlation systems. Also association rules are used for identifying relationships between alarm properties. TASA uses a methodology for knowledge discovery in databases (KDD) where one first discovers large collections of patterns at once, and then performs interactive retrievals from the collection of patterns. The proposed methodology suits very well such KDD formalisms as association and episode rules, where large collections of potentially interesting rules can be found efficiently. When searching for the most interesting rules, simple threshold-like restrictions, such as rule frequency and confidence may satisfy a large number of rules. In TASA, this problem can be alleviated by templates and pattern expressions that describe the form of rules that are to be selected or rejected. Using templates the user can flexibly specify the focus of interest, and also iteratively refine it. Different versions of TASA have been in prototype use in four telecommunication companies since the beginning of 1995. TASA has been found useful in, e.g. finding long-term, rather frequently occurring dependencies, creating an overview of a short-term alarm sequence, and evaluating the alarm data base consistency and correctness.     

基于网络安全知识库的入侵检测模型

在网络安全知识库系统的基础上,提出一个基于网络安全基础知识库系统的入侵检测模型,包括数据过滤、攻击企图分析和态势评估引擎。该模型采用进化型自组织映射发现同源的多目标攻击;采用时间序列分析法获取的关联规则来进行在线的报警事件的关联,以识别时间上分散的复杂攻击;最后对主机级和局域网系统级威胁分别给出相应的评估指标以及对应的量化评估方法。相比现有的IDS,该模型的结构更加完整,可利用的知识更为丰富,能够更容易地发现协同攻击并有效降低误报率。