Similar literature
20 similar documents found (search time: 796 ms)
1.
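To address the shortcomings that traditional intrusion detection systems show when defending against complex attacks, this paper proposes using data mining for collaborative analysis of network intrusion events. Association-rule and sequence-rule models are built and combined for global information reasoning to obtain complex attack patterns. The work focuses on defense decision techniques for complex intrusion events and a finite-automaton-based crisis analysis method, and analyzes in detail how defense decision vectors are formulated and how defense knowledge is represented. Experimental results show that the proposed model and method improve the timeliness and effectiveness of system defense by determining defense points in advance.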

2.
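Application of the fuzzy Petri net knowledge representation method in intrusion detection   Total citations: 8, self-citations: 1, citations by others: 7
Because network attacks are concurrent and the extraction of attack features is uncertain, this paper presents a reasoning model that uses fuzzy Petri nets to represent attack knowledge and perform intrusion detection. The model solves the problem that existing knowledge representation methods in misuse intrusion detection systems cannot reason in parallel, as well as the problem that traditional solving by search over the Petri net reachability graph makes the model description complex and leaves the reasoning lacking intelligence. Finally, an intrusion example verifies the correctness and effectiveness of the model.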

3.
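Zhang Baiyi (张白一), Cui Shangsen (崔尚森). Computer Engineering (《计算机工程》), 2006, 32(14): 119-121
In view of the fuzziness of network intrusion activity, a misuse intrusion detection method based on fuzzy reasoning with fuzzy Petri nets (FPN) is proposed. The method defines a six-tuple FPN and refines fuzzy production rules into two basic types. On this basis it gives the model by which an FPN represents fuzzy rules, the reasoning process, and an FPN-based reasoning algorithm. Finally, the correctness and effectiveness of the method are verified with an intrusion detection example. The results show that the reasoning process is simple, intuitive and easy to implement, has parallel reasoning capability, and is applicable to large-scale FPN models, making it a very effective solution for misuse intrusion detection.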

4.
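An adaptive intrusion detection system based on data mining and CIDF   Total citations: 1, self-citations: 1, citations by others: 1
The traditional approach, in which security experts construct intrusion detection rules by hand, increasingly shows its limitations of heavy workload and slow response now that new attacks appear frequently. To overcome these limitations, this paper proposes an adaptive intrusion detection system framework. The system is built on the Common Intrusion Detection Framework (CIDF). When a new attack appears, data mining is applied to massive data to derive an intrusion model, which the system automatically converts into detection rules so that the rule base is updated automatically. In addition, with appropriate authorization, other intrusion detection systems can request distribution of intrusion models from this system to obtain timely updates.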

5.
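Composite attacks are one of the main forms of network intrusion, and how to detect them is an important direction in current intrusion detection research. After extensive study of composite attack patterns, an alert correlation model based on automatic adjustment is proposed. To improve the efficiency of the intrusion detection system, data mining is introduced into the model in view of the characteristics of intrusion detection systems. The paper describes the design of an intrusion detection system model that uses an Apriori algorithm optimized for association rule extraction to perform feature analysis and knowledge discovery on log files.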

6.
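Liang Biyun (梁碧允). Modern Computer (《现代计算机》), 2007, (7): 96-98, 104
An object-oriented attack knowledge model (OOAK) is proposed to accurately describe potential complex attacks and multi-step combined attacks. The attack knowledge base of a network intrusion detection system (NIDS) is architected on the basis of OOAK, with a rule base and a method base at its core and incorporating the design idea of a hierarchical knowledge base; an event processing engine dispatches the rule base and method base in the knowledge base and coordinates communication between the knowledge base and the database.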

7.
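An intrusion detection model based on modular ontologies is built. The model can share, reuse and analyze knowledge, and is able to detect distributed complex attacks. Modularizing the ontology lowers storage requirements, speeds up reasoning and makes the system more robust. The modular ontology for intrusion detection is specified in OWL, and an application example is given.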

8.
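Research on intrusion detection based on an incremental GHSOM neural network model   Total citations: 3, self-citations: 0, citations by others: 3
Traditional network intrusion detection methods train the detection model offline on attack samples of known types. Although they achieve a high detection rate for known attack types, they cannot recognize attack types newly appearing on the network. Such intrusion detection systems are slow to build and costly to update; facing ever larger networks and an endless stream of attacks, they lack adaptability and scalability and have difficulty detecting newly emerging attack types. This paper extends the GHSOM (Growing Hierarchical Self-Organizing Maps) neural network model and proposes a network intrusion detection method based on an incremental GHSOM neural network model, which incrementally learns attack types that newly appear during online detection without destroying previously learned knowledge, and thereby dynamically extends the intrusion detection model. The authors developed a prototype online network intrusion detection system based on the incremental GHSOM model and carried out online intrusion detection experiments in a LAN environment. The experimental results show that the incremental GHSOM method is dynamically adaptive and can update the GHSOM model dynamically during online detection, and that for attack types newly appearing on the network, the detection rate of the incremental GHSOM algorithm is comparable to that of the traditional GHSOM algorithm.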

9.
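Design and implementation of the distributed network intrusion detection system NetNumen   Total citations: 27, self-citations: 1, citations by others: 27
Li Wang (李旺), Wu Lifa (吴礼发), Hu Guyu (胡谷雨). Journal of Software (《软件学报》), 2002, 13(8): 1723-1728
This paper describes in detail NetNumen, a rule-based distributed network intrusion detection system for Linux. Compared with existing network intrusion detection systems, NetNumen integrates anomaly detection (detecting anomalies in packet arrival frequency) with signature detection (detecting the inherent characteristics of specific attacks and attack tools), and its detection of DoS (denial of service) and DDoS (distributed denial of service) attacks is markedly better than that of existing methods.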

10.
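Research on CBR in rule-based IDS   Total citations: 2, self-citations: 0, citations by others: 2
This paper introduces case-based reasoning (CBR) into intrusion detection systems (IDS) to reduce the false negative rate caused by exact rule matching and to effectively detect attacks that are variants of known attacks. It describes the steps for implementing CBR, gives a heuristic method for designing and constructing the case base from rules, analyzes the algorithms involved in implementing CBR, and finally presents experimental results of extending the intrusion detection system Snort with CBR functionality.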

11.
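Agent-based adaptive reasoning control with hybrid knowledge   Total citations: 2, self-citations: 0, citations by others: 2
This paper generalizes the traditional hybrid knowledge representation and builds a structure that integrates general knowledge, case knowledge, model knowledge and neural network knowledge. This knowledge representation structure aids knowledge search, matching and reasoning control, and solves the knowledge representation of complex problems. To meet the needs of the reasoning methods, various reasoning methods are fused and integrated, and an agent-based adaptive reasoning control structure is proposed, which is of great significance for improving both the quality and the efficiency of solving complex problems.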

12.
A central task underlying many of the activities of attorneys is inferring the legal consequences of a given set of facts. GREBE (GeneratoR of Exemplar-Based Explanations) is a system that uses detailed knowledge of the facts and reasoning of specific past cases, together with legal rules and common-sense knowledge, to determine and justify the legal consequences of new cases. GREBE can apply either rule-based reasoning or case-based reasoning to goals at any level of its analysis. GREBE uses an approach to case-based reasoning in which new cases are compared with the smallest collections of precedent facts that justified an individual inference step in the explanation of a precedent case. This enables knowledge of the interactions among individual inference steps in a precedent to be used in case comparison. Case comparison is also assisted by an expressive semantic network representation of case facts. Techniques are presented for retrieving and comparing cases represented in this formalism. GREBE's output is a memorandum that justifies a legal conclusion in terms of the applicable precedents and legal rules.

13.
Case-based reasoning (CBR) is used when generalized knowledge is lacking. The method works on a set of cases formerly processed and stored in the case base. A new case is interpreted based on its similarity to cases in the case base. The closest case with its associated result is selected and presented as output of the system. Recently, dissimilarity-based classification (DSC) has been introduced due to the curse of dimensionality of feature spaces and the problem arising when trying to make image features explicitly. The approach classifies samples based on their dissimilarity value to all training samples. In this paper we are reviewing the basic properties of these two approaches. We show the similarity of dissimilarity-based classification to case-based reasoning. Finally, we conclude that dissimilarity-based classification is a variant of case-based reasoning and that most of the open problems in dissimilarity-based classification are research topics of case-based reasoning.

14.
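Design of a spatial knowledge base system model in SDSS   Total citations: 1, self-citations: 0, citations by others: 1
A spatial knowledge base system model suitable for intelligent spatial decision support systems (SDSS) is proposed and implemented. In this knowledge base system model, knowledge is represented by combining first-order predicate logic with cases; for the different knowledge representations, the corresponding reasoning mechanisms and the switching between them are implemented. On this basis, a method for learning and acquiring case knowledge is also designed and implemented.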

15.
Evaluation and selection of software packages is a complicated and time-consuming decision-making process. Selection of an inappropriate software package can turn out to be costly and adversely affect the business processes and functioning of the organization. In this paper we describe (i) a generic methodology for software selection, (ii) software evaluation criteria, and (iii) a hybrid knowledge based system (HKBS) approach to assist decision makers in the evaluation and selection of software packages. The proposed HKBS approach employs integrated rule based and case based reasoning techniques. Rule based reasoning is used to capture user needs of the software package and formulate a problem case. Case based reasoning is used to retrieve and compare candidate software packages with the user needs of the package. This paper also evaluates and compares the HKBS approach with widely used existing software evaluation techniques such as the analytic hierarchy process (AHP) and the weighted scoring method (WSM).

16.
An important goal of autonomic computing is the development of computing systems that are capable of self healing with a minimum of human intervention. Typically, recovery from even a simple fault will require knowledge of the environment in which a computing system operates. To meet this need, we present an approach to self healing and recovery informed by environment knowledge that combines case based reasoning (CBR) and rule based reasoning. Specifically, CBR is used for fault diagnosis and rule based reasoning for fault remediation, recovery, and referral. We also show how automated information gathering from available sources in a computing system’s environment can increase problem solving efficiency and help to reduce the occurrence of service failures. Finally, we demonstrate the approach in an intelligent system for fault management in a local printer network.

17.
In this paper we discuss reasoning about reasoning in a multiple agent scenario. We consider agents that are perfect reasoners, loyal, and that can take advantage of both the knowledge and ignorance of other agents. The knowledge representation formalism we use is (full) first order predicate calculus, where different agents are represented by different theories, and reasoning about reasoning is realized via a meta-level representation of knowledge and reasoning. The framework we provide is pretty general: we illustrate it by showing a machine checked solution to the three wisemen puzzle. The agents' knowledge is organized into units: the agent's own knowledge about the world and its knowledge about other agents are units containing object-level knowledge; a unit containing meta-level knowledge embodies the reasoning about reasoning and realizes the link among units. In the paper we illustrate the meta-level architecture we propose for problem solving in a multi-agent scenario; we discuss our approach in relation to the modal one and we compare it with other meta-level architectures based on logic. Finally, we look at a class of applications that can be effectively modeled by exploiting the meta-level approach to reasoning about knowledge and reasoning.

18.
Exception handling plays a key role in dynamic workflow management that enables streamlined business processes. Handling application-specific exceptions is a knowledge-intensive process involving different decision-making strategies and a variety of knowledge, especially much fuzzy knowledge. Current efforts in workflow exception management are not adequate to support the knowledge-based exception handling. This paper proposes a hybrid exception handling approach based on two extended knowledge models, i.e., generalized fuzzy event–condition–action (GFECA) rule and typed fuzzy Petri net extended by process knowledge (TFPN-PK). The approach realizes integrated representation and reasoning of fuzzy and non-fuzzy knowledge as well as specific application domain knowledge and workflow process knowledge. In addition, it supports two handling strategies, i.e., direct decision and analysis-based decision, during exception management. The approach fills in the gaps in existing related researches, i.e., only providing the capability of direct exception handling and neglecting fuzzy knowledge. Based on TFPN-PK, a weighted fuzzy reasoning algorithm is designed to address the reasoning problem of uncertain goal propositions and known goal concepts by combining forward reasoning with backward reasoning and therefore to facilitate cause analysis and handling of workflow exceptions. A prototype system is developed to implement the proposed approach.

19.
Architectural floor plan layout design is what architects and designers do when they conceptually combine design units, such as rooms or compartments. At the end of this activity, they deliver precise geometric schemas as solutions to particular problems. More research on this topic is needed to develop productive tools. The authors propose orthogonal compartment placement (OCP) as a new approach to this activity. OCP includes a problem formulation and a solution method in which qualitative and quantitative knowledge are combined. Topological knowledge underlies human spatial reasoning. Computers can adequately perform repetitive topological reasoning. We believe that OCP is the first approach in CAAD to incorporate a full relational algebra to generate floor plan layouts. Based on block algebra (BA) and constraint satisfaction (CS), OCP can generate candidate solutions that correspond to distinct topological options. The analysis of a case study using a prototype tool is included.

20.
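Aerospace products have few test samples, which makes life assessment difficult. Using failure data from multiple working environments during the product development stage, a new method for equipment life assessment based on evidential reasoning (ER) and a belief rule base (BRB) is proposed. First, the rationality of the model is analyzed, a multi-dimensional BRB model is used to convert life data from multiple environments into life data under the standard working environment, and the ER algorithm then fuses the converted data with data from the actual working environment. Second, the reasoning process of the BRB-ER model and the steps of life assessment are explained in detail. Finally, the method is validated with failure data from an aerospace product, and the BRB parameters are updated using existing fixed values of product life. The results show that, when expert knowledge is accurate and reasonable, the model can assess product life accurately and can be trained on existing fixed product life values to build a more accurate life prediction model.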
