基于可疑行为识别的PE病毒检测方法

针对当前PE病毒难以防范及查杀的现象，对PE病毒关键技术进行分析，提取病毒典型特征的可疑行为，在此基础上提出一种Windows平台下的静态检测方法。该方法在对程序反编译处理的基础上，以指令序列与控制流图的分析为行为识别依据，完成基于可疑行为识别的病毒检测方法的设计。实验结果证明，该检测方法能有效检测混淆变换病毒。  

STBAC:一种新的操作系统访问控制模型

现代操作系统的主要威胁来自网络,传统访问控制机制在这方面尚有不足.提出一种应用于操作系统的访问控制模型--STBAC,可以有效防御网络攻击,并保持较好的兼容性和易用性.即使系统被攻破,STBAC模型仍然能保护关键资源,使入侵者无法达到真正的破坏目的.STBAC模型以进行过不可信远程通信的进程为可疑感染的起点,依据感染规则追踪可疑感染进程及其子进程在内核中的活动,依据保护规则禁止可疑感染进程非法访问关键资源,以防止系统关键资源遭到破坏.对原型系统的测试表明,STBAC模型在不明显影响系统兼容性和性能的前提下,可以有效地保护系统安全.  

A family of code coverage-based heuristics for effective fault localization

Locating faults in a program can be very time-consuming and arduous, and therefore, there is an increased demand for automated techniques that can assist in the fault localization process. In this paper a code coverage-based method with a family of heuristics is proposed in order to prioritize suspicious code according to its likelihood of containing program bugs. Highly suspicious code (i.e., code that is more likely to contain a bug) should be examined before code that is relatively less suspicious; and in this manner programmers can identify and repair faulty code more efficiently and effectively. We also address two important issues: first, how can each additional failed test case aid in locating program faults; and second, how can each additional successful test case help in locating program faults. We propose that with respect to a piece of code, the contribution of the first failed test case that executes it in computing its likelihood of containing a bug is larger than or equal to that of the second failed test case that executes it, which in turn is larger than or equal to that of the third failed test case that executes it, and so on. This principle is also applied to the contribution provided by successful test cases that execute the piece of code. A tool, χDebug, was implemented to automate the computation of the suspiciousness of the code and the subsequent prioritization of suspicious code for locating program faults. To validate our method case studies were performed on six sets of programs: Siemens suite, Unix suite, space, grep, gzip, and make. Data collected from the studies are supportive of the above claim and also suggest Heuristics III(a), (b) and (c) of our method can effectively reduce the effort spent on fault localization.  

基于两阶段聚类的洗钱行为识别

通过改进层次聚类和k-means聚类，建立两阶段聚类方法。采用两阶段聚类识别出异常点并得到高质量的聚类结果。结合证券公司客户真实交易数据和人工数据，使用Clementine进行建模从而实现聚类过程，识别出异常值并计算可疑记录的可疑程度，为金融情报部门提供了高质量的调查数据。  

利用链接分析技术监测可疑外汇资金流动

金融犯罪一般和账户的资金流动有着紧密的关系。本文利用聚类技术和链接分析技术,对外汇资金交易数据库进行分析。首先以账户间资金流动的频繁度为标准,对账户进行聚类;然后应用链接分析技术,从中发现可疑账户类,为发现外汇金融犯罪提供决策依据。  

基于执行轨迹的软件缺陷定位方法研究

软件中隐含的缺陷数目与可靠性直接相关,软件缺陷定位是移除软件缺陷的关键,缺陷定位的及时性和有效性直接影响软件的可用性。基于执行轨迹的软件缺陷定位能够很好地与自动化测试相结合,有较强的现实意义。讨论了基于执行轨迹的软件缺陷定位方法通用框架FLOC,详细介绍了该框架的各个阶段,包括执行轨迹的组织、执行轨迹的选择、怀疑率的计算、定位报告的评价。分析了现有的基于执行轨迹的软件缺陷定位方法,并按照框架的结构比较了这些方法的特点,提出了改进的思路。最后对缺陷定位的发展提出展望。  

Detecting Irregularities in Images and in Video

We address the problem of detecting irregularities in visual data, e.g., detecting suspicious behaviors in video sequences, or identifying salient patterns in images. The term “irregular” depends on the context in which the “regular” or “valid” are defined. Yet, it is not realistic to expect explicit definition of all possible valid configurations for a given context. We pose the problem of determining the validity of visual data as a process of constructing a puzzle: We try to compose a new observed image region or a new video segment (“the query”) using chunks of data (“pieces of puzzle”) extracted from previous visual examples (“the database”). Regions in the observed data which can be composed using large contiguous chunks of data from the database are considered very likely, whereas regions in the observed data which cannot be composed from the database (or can be composed, but only using small fragmented pieces) are regarded as unlikely/suspicious. The problem is posed as an inference process in a probabilistic graphical model. We show applications of this approach to identifying saliency in images and video, for detecting suspicious behaviors and for automatic visual inspection for quality assurance. Patent Pending  

检查存储变动的入侵检测技术研究

大部分的入侵行为都会引起被入侵主机的存储变动，因此检查存储变动是一种有效的入侵检测方法。校验和方法与基于存储的入侵检测技术是两种重要的检查存储变动的入侵检测技术。综述和比较了这两种技术。  

分布式网络主动防御系统研究

针对DDOS和蠕虫的特点,提出了一种NeTraMet和QOS相结合的主动防御机制,实现对DDOS和蠕虫经济高效的防治.在蠕虫检测上考虑了无特征蠕虫和有特征蠕虫两种情况;一般基于流量的DDOS检测方法预警时,网络实际已经受到一定程度的攻击而且发生阻塞,为了能够更早预警DDOS攻击,提高网络生存性,在DDOS检测中提出了可疑流量线,当流量达到可疑流量和攻击流量之间时,就启动防御机制,利用路由器的QOS功能,尽量减少攻击流的消耗带宽,维持网络正常服务.最后在NS2中进行模拟验证.  

一种基于嫌疑事件链的变种入侵检测技术

滥用检测(misuse detection)是两大主要的入侵检测方法之一，它虽然对已知入侵的检测成效显著，但对其变种攻击，就无能为力。鉴于此，该论文提出了一个新的滥用检测方案，它不但能对已知入侵本身准确识别，而且对其变种，也能尽可能地予以识别，并确认出变种与原种入侵之间的差异。