网络综合监控技术

网络综合监控系统是将入侵检测技术,旁路式网络审计相结合的一套综合系统,在不影响网络性能的前提下实现对网络主机的全面监测。提供多种报警手段,对违规事件进行实时报警和阻断,有效防止内部信息泄露与被窃行为。     

Windows下基于主机的安全日志服务器

越来越多的计算机犯罪需要进行电子取证,安全日志服务器在针对电子犯罪的监控、审计以及取证活动中发挥了重要作用。主机日志在电子取证以及入侵检测中有着不可替代的作用,通过深入分析主机日志可以发现系统的异常行为并记录下来作为日后的电子证据或进行实时的入侵检测分析。该文简要介绍了安全日志服务器系统的发展背景,分析了主机日志的构成,主机日志在计算机安全领域中的应用,详述了对主机日志信息的处理并给出了基于主机日志的安全系统的结构搭建。     

主机型异常检测的隐半马尔可夫模型方法

提出基于HSMM模型的主机型入侵检测系统框架。以BSM审计数据作为数据源,提取正常主机行为的特权流系统调用序列,利用HSMM模型对正常主机行为进行建模,然后将当前主机行为与之比较,判定当前主机行为是否异常。选取特权流变化事件作为研究对象以缩短建模时间,同时滤去了过多的无用信息,一定程度上提高了检测效率。实验结果表明,提出的HSMM方法比HMM优越,同时该方法建模的系统不仅节省训练时间,而且在提高检测率的同时可以降低误报率。     

开放接入点的安全可信接入

随着无线网络公众服务的推进,免费的开放接入点爆发式增长。针对开放接入点日益突出的安全问题,尤其是伪造接入点带来的个人隐私信息泄露,钓鱼攻击,漏洞攻击等,提出了一种基于接入点行为分析的安全可信接入方法。该方法参考了垃圾邮件判定的相关技术,采用D-S证据理论,建立一个推理规则库（包含SSID判别,Beacon密度,AP的物理层特性,数据转发行为特性等）,通过接入点行为证据的分析和合成,完成对接入点可信性的判定,从而避免无线客户端接入非法的接入点。通过典型实例验证了该方法。     

基于证据推理的程序恶意性判定方法

针对可执行程序恶意性难以判定的情况,提出一种基于证据推理的程序恶意性判定方法.首先,建立程序恶意性判定模型;然后,通过对程序进行反编译,抽取影响程序安全性的特征,建立程序行为集合;使用BP神经网络对模型进行训练得到各个行为的概率分配函数BPAF(basic probability assignment functions),并使用加权和形式的合成法则对程序行为进行合成;最后,实现对程序恶意性的判定.实验结果表明了该方法的有效性.     

软件组件组装行为兼容性检查研究

在开放环境下,仅包含了语法层信息的组件接口不足以刻画组件交互的行为信息,从而不能对组装后的系统进行兼容性验证。提出了既包含组件接口调用方法又包含内部逻辑行为的组件视图,采用LTS表示组件行为协议,将组件交互过程表示为多个LTS之间的同步变迁;借助LTS操作语义,通过LTS同步积模拟组合系统交互的动态行为,以此为基础,检查同步积中是否出现死锁状态来进行兼容性判定,并设计了判定算法以实现兼容性的自动判定,通过一个典型的电子商务应用检验该方法的有效性。     

多传感器网络信息数据融合技术研究

本文提出了多传感器网络信息数据融合技术。通过多传感器探测节点向目标主机发送探测信息,并将返回信息输入到经过大量产生式规则训练和学习的BP神经网络中,得到目标主机属性信息。然后,通过D-S证据推理对属性信息进行信任度融合处理,得到目标主机上可能存在的漏洞分布及漏洞存在的可能性,为进一步的主机安全性能评估打下基础。     

基于蜜罐的数字取证系统的研究与实现

数字取证已成为信息安全和司法领域的研究热点，文中在深入分析各种Web攻击行为的基础上，利用蜜罐搭建了当前流行的Web服务器系统，综合利用基于主机和网络的入侵检测技术，开发出一套高效实用可控的Web数字取证系统。该系统通过多个分布式取证代理不断监视和分析网络中对Web服务器的访问情况，在构建高度可控的Web服务器基础上，确定网络入侵者的行为是否已构成犯罪，然后提取和分析入侵犯罪信息，实现证据信息的完整性保护，同时通过对证据进行融合．生成入侵犯罪证据。     

基于改进Mask RCNN的电力检修违规操作检测

电力检修现场中施工行为的规范关系到工作人员的人身安全, 对电力行业的发展至关重要. 为了从计算机视觉的角度对电力检修工作人员的违规操作行为进行检测, 基于Mask RCNN算法设计了一种多任务多分支违规行为检测算法, 综合目标检测、关键点检测与实例分割任务, 并行对目标进行检测并获得目标的边框坐标、关键点与mask信息. 实验结果表明, 相对于原来的Mask RCNN, 该算法在实例分割和关键点检测方面都有了显著的提升, 具有更高的准确性和鲁棒性, 在电力检修违规检测方面满足实际部署的精度要求.     

一种基于用电规律的污染企业违规生产监控方法

在雾霾严重时期,部分地方政府会要求污染企业采取关停措施,以减少污染物的排放。但某些污染企业为追求经济利益,在被要求关停期间仍然违规生产,由于其生产行为具有较高的隐蔽性,环保部门难以判定其是否在存在违规生产行为,同时也无法准确掌握违规生产企业的生产时段,这严重阻碍了环保督查工作的开展。本文针对上述问题,给出了一种污染企业违规生产监控方法。该方法基于污染企业的日用电量与日用电最大负荷,实现了对污染企业违规生产行为的研判。另外,该方法还基于污染企业的用电负荷数据,实现了对污染企业生产时段的分类。该方法为相关部门准确的掌握污染企业的生产规律提供了有效的技术手段。本文利用污染企业的用电负荷历史数据对该方法进行了验证,结果表明该方法有效可行。     

Checking several requirements at once by CEGAR

Currently, static verifiers based on counterexample-guided abstraction refinement (CEGAR) can prove correctness of a program against a specified requirement, find its violation in a program, and stop analysis or exhaust the given resources without producing any useful result. Theoretically, we could use this approach for checking several requirements at once; however, finding of the first violation of some requirement or exhausting resources for some requirement will prevent from checking the program against other requirements. Moreover, if the program contains more than one violation of the requirement, CEGAR will find only the very first violation and may miss potential errors in the program. At the same time, static verifiers perform similar actions during checking of the same program against different requirements, which results in waste of a lot of resources. This paper presents a new CEGAR-based method for software static verification, which is aimed at checking programs against several requirements at once and getting the same result as basic CEGAR checking requirements one by one. To achieve this goal, the suggested method distributes resources over requirements and continues analysis after finding a violation of a requirement. We used Linux kernel modules to conduct experiments, in which implementation of the suggested method reduced total verification time by five times. The total number of divergent results in comparison with the base CEGAR was about 2%. Having continued the analysis after finding the first violation, this method guarantees that all violations of given requirements are found in 40% of cases, with the number of violations found being 1.5 times greater than in that in the base CEGAR approach.     

烟草行业主机系统采集与监控平台的研究

从烟草行业基础平台动态监管系统的核心组成部分——主机系统出发,深入分析主机系统信息采集与监控的内在需求,提出信息采集和监控的方法。以HP UNIX主机系统为例,实现了从手工检查到系统自动监控报警的跨越。实验结果表明,该方法能有效促进烟草行业信息系统长期稳定运行,具有广阔的应用前景。     

基于三值语义的软件运行时验证方法

运行时验证技术是对传统的程序正确性保证技术如模型检验和测试的有效补充。模型检验和测试都试图验证系统的所有可能执行路径的正确性,而运行时验证关注的是系统的当前执行路径。本文提出一种基于三值语义的软件运行时验证方法,一方面该方法提供了从代码插装、系统底层信息提取到监控器生成、验证系统运行轨迹是否满足性质规约的完整的解决方案;另一方面基于三值语义的监控器有发现一条无穷运行轨迹的最小好(坏)前缀的能力,从而使得监控器能尽可能早的发现性质违背。同时,我们开发了基于三值语义的软件运行时验证原型工具并针对案例进行了分析。     

Keeping secure to the end: a long-term perspective to understand employees’ consequence-delayed information security violation

Employees’ violation of information security policies is a major threat to an organisation. Some violations such as using an easy-to-guess password or storing confidential data on personal unencrypted flash drives usually do not cause immediate harm; instead, these actions create security flaws that can be attacked in the future and cause delayed consequences. We call such behaviour consequence-delayed information security violation (CDISV). The ignorance or denial of the possible delayed consequences is the main reason employees engage in such insecure behaviour. Due to the delay between the action and the consequence, a long-term mindset could play an important role in employees’ current decision-making. Specifically, in this study, we propose that long-term orientation is an influential factor in decreasing CDISV. The long-term orientation includes three dimensions: continuity, futurity, and perseverance. In addition, based on the stewardship theory and the needs theory, we further propose that value identification and the fulfilment of higher-order needs (trusted relationship and growth) are important drivers for employees to have a long-term orientation. We collected survey data using the 170 responses we received from a global company’s employees. The empirical results support our arguments. Our findings provide implications to organisations to encourage employees’ information security behaviours.     

嵌入式实时系统的软件需求检测

以需求描述模型HRFSM(hierarchical finite state machines based on rules)为基础,提出了一个嵌入式实时系统软件的动态执行模型(dynamic execution model,简称DEM)和基于该模型的检测方法.由于DEM能将控制流、数据流和时间有效地集成为一体,故提出的检测方法能检测嵌入式实时系统的软件需求的一致性和完全性.该检测方法由3种侧重点不同的检测形式组成,并能在检测过程中提供一些重要的检测信息.分析员可以利用基于该检测方法的工具灵活地对嵌入式实时系统的软件需求进行检测,以提高分析和检测软件需求的效率.     

Scientific Theories of Computational Systems in Model Checking

Model checking, a prominent formal method used to predict and explain the behaviour of software and hardware systems, is examined on the basis of reflective work in the philosophy of science concerning the ontology of scientific theories and model-based reasoning. The empirical theories of computational systems that model checking techniques enable one to build are identified, in the light of the semantic conception of scientific theories, with families of models that are interconnected by simulation relations. And the mappings between these scientific theories and computational systems in their scope are analyzed in terms of suitable specializations of the notions of model of experiment and model of data. Furthermore, the extensively mechanized character of model-based reasoning in model checking is highlighted by a comparison with proof procedures adopted by other formal methods in computer science. Finally, potential epistemic benefits flowing from the application of model checking in other areas of scientific inquiry are emphasized in the context of computer simulation studies of biological information processing.     

基于 BIM 和本体的建筑不规则类型审查

建筑不规则类型审查是建筑抗震审查的重要组成部分,对建筑抗震安全有重要意义。为提高审查 效率和准确性,提出一套基于建筑信息模型(BIM)和本体的建筑不规则类型审查方法。首先解析梳理建筑不规则 类型审查规范条文,然后将规范条文转译成计算机可识别的语义审查规则,并根据审查逻辑构建建筑不规则类型 审查本体;其次从待审查建筑的 BIM 文件中抽取审查信息,如楼层开洞面积,基于模板匹配算法从结构计算书 自动抽取审查所需计算结果参数,如扭转位移比;接着基于建筑不规则类型审查本体组织审查信息,利用审查规 则推理获得审查结果,进而生成审查报告。最后以某建筑为例验证了该方法的可行性和较强地扩展能力,为进一 步实现建筑抗震审查的自动化奠定了技术基础。     

Fuzzy-stochastic-based violation analysis method for planning water resources management systems with uncertain information

In this study, a fuzzy-stochastic-based violation analysis (FSVA) approach is developed for the planning of water resources management systems with uncertain information, based on a multistage fuzzy-stochastic integer programming (FSIP) model. In FSVA, a number of violation variables for the objective and constraints are allowed, such that in-depth analyses of tradeoffs among economic objective, satisfaction degree, and constraint-violation risk can be facilitated. Besides, the developed method can deal with uncertainties expressed as probability distributions and fuzzy sets; it can also reflect the dynamics in terms of decisions for water-allocation and surplus-flow diversion, through transactions at discrete points of a complete scenario set over a multistage context. The developed FSVA method is applied to a case study of water resources management within a multi-stream, multi-reservoir and multi-period context. The results indicate that the satisfaction degrees and system benefits would be different under varied violation levels; moreover, different violation levels can also lead to changed water-allocation and surplus-flow diversion plans. Violation analyses are also conducted to demonstrate that violating different constraints have different effects on system benefit and satisfaction degree.     

基于知识管理的 BIM 模型建筑设计合规性自动检查系统研究

建筑设计合规性自动检查对保证建筑信息模型(BIM)符合设计规范要求,增加规范 检查自动化程度具有重要意义。结合合规性检查理论与专家系统方法,提出了以BIM 模型为检 查对象的合规性自动检查系统框架,以规则知识与推理机制分开的方式实现合规性检查过程。 以《住宅设计规范》为例,对规范中的条文进行知识分析,总结出规范知识表达式,构建规则 库和规则库访问机制;建立了逻辑策略下推理机制,将规则库中的规则信息与BIM 信息进行推 理,输出检查结果;最后构建了合规性检查系统验证平台,通过BIM 模型实例完成模型数据提 取及规则推理的过程,实现了合规性检查的功能,验证了合规性检查方法框架。该方法在一定 程度上能够指导后续的合规性检查相关研究,有效提高BIM 模型的建筑设计合规性检查效率, 保证检查质量,促进建筑工程领域信息化的发展。