基于因果知识和时空关联的云平台攻击场景重构

云计算环境下的攻击行为逐步表现出隐蔽性强、攻击路径复杂多步等特点,即一次完整的攻击需要通过执行多个不同的攻击步骤来实现最终目的。而现有的入侵检测系统往往不具有必要的关联能力,仅能检测单步攻击或攻击片段,难以发现和识别多步攻击模式,无法还原攻击者完整的攻击渗透过程。针对这一问题,提出了基于因果知识和时空关联的攻击场景重构技术。首先,利用贝叶斯网络对因果知识进行建模,从具有IP地址相关性的告警序列中发掘出具有因果关系的攻击模式,为后续关联分析提供模板依据。然后,借助因果知识网络,从因果、时间和空间多维度上对告警进行关联分析,以发现潜在的隐藏关系,重构出高层次的攻击场景,为构建可监管、可追责的云环境提供依据和参考。     

一种基于多因素的告警关联方法

入侵检测系统作为保护网络安全的重要工具已被广泛使用,其通常产生大量冗余度高、误报率高的告警。告警关联分析通过对底层告警进行综合分析与处理,揭示出其中包含的多步攻击行为。许多告警关联方法通过在历史告警中挖掘频繁模式来构建攻击场景,方法容易受冗余告警、误报影响,挖掘出的多步攻击链在某些情况下不能反映出真实的多步攻击行为。为此,提出一种基于多因素的多步攻击关联方法。通过聚合原始告警以得到超级告警,降低冗余告警带来的影响;将超级告警构造成超级告警时间关系图,同时结合超级告警间的多因素关联度评价函数从时间关系图中挖掘出多步攻击场景。实验结果表明,该方法能克服冗余告警及大部分误报带来的负面影响、有效地挖掘出多步攻击链。     

一种新的在线攻击意图识别方法研究

现有的利用入侵检测告警来构建攻击场景、识别多步攻击意图的方法存在着需要定义复杂的关联规则、过于依赖专家知识和难以发现完整场景等不足,为此提出了一种基于攻击行为序列模式挖掘方法的攻击意图识别技术.通过分析入侵告警的攻击行为序列,挖掘出多步攻击的行为模式,再进行在线的告警模式匹配和告警关联度计算来发现攻击者的攻击意图,预测攻击者的下一步攻击行为.实验结果表明,该方法可以有效的挖掘出攻击者的多步攻击行为模式,并能有效的实现在线的攻击意图识别.     

一种新的基于统计的攻击场景挖掘算法研究

提出了一种新的攻击场景挖掘算法.该算法建立在对高级告警的进一步分析和处理之上,通过统计挖掘找出概率统计上的弱关联攻击链,再对这些攻击链进行进一步的关联分析,从而构建出真实攻击场景模型.该方法较之大多数需要定义复杂的关联规则的方法而言更容易实现,并具有一定的独创性.初步的实验结果证明该方法能有效地挖掘出攻击场景模型,并能用于发现新的攻击场景.     

基于攻击规划图的实时报警关联方法

针对报警因果关联分析方法存在无法及时处理大规模报警且攻击场景图分裂的不足,提出一种基于攻击规划图(APG)的实时报警关联方法。该方法首先给出APG和攻击规划树(APT)的定义;其次,根据先验知识构建APG模型,并提出基于APG的实时报警关联方法,重建攻击场景;最后,结合报警推断完善攻击场景和预测攻击。实验结果表明,该方法能够有效地处理大规模报警和重建攻击场景,具有较好的实时性,可应用于分析入侵攻击意图和指导入侵响应。     

一个用于IDS告警分析的验证-聚类-关联模型

多步骤攻击是当前占据主流的攻击模式,但当前的入侵检测系统在检测这种攻击时存在告警冗余、告警孤立等问题.为解决这些问题,提出了一个验证-聚类-关联告警分析模型.该模型将验证、聚类、关联这3个告警分析环节结合在一起,逐层地对告警信息进行分析,通过验证过滤掉原始告警信息中的误报及无关信息,验证后的有效告警信息通过聚类生成无冗余的单步告警,再通过关联生成能描述攻击者意图的全局告警.对相关的算法与规则进行了描述,并通过几个实际的攻击场景验证了该模型的有效性.     

基于多源告警的攻击事件分析

为解决多源告警中的复杂攻击难以被发现的问题,提出一种攻击序列模式挖掘算法。利用正则表达式匹配告警,将多源告警规范化为统一格式。对冗余告警信息进行压缩,利用强关联规则训练得到的规则集聚合同一阶段的告警,有效去除冗余告警,精简告警数量。利用滑动窗口对聚合后的告警进行划分得到候选攻击事件数据集,通过改进的PrefixSpan算法挖掘得到多阶段攻击事件的攻击序列模式。实验结果表明,该算法在不依赖专家知识的前提下,能够准确并高效地分析告警相关性,还原攻击事件中的攻击步骤。相比传统PrefixSpan算法,提出的改进算法的攻击模式挖掘效率提升了48.05%。     

分布式入侵告警关联分析

为了精简分布式入侵检测系统中重复性的、不完善的或不完整的告警数据，降低误告警率，解决具有因果关系和非因果关系共存的告警关联问题，提出了一种分级关联算法．利用告警数据的检测时间属性的接近度将关联分析分为两类：概率关联和因果关联．给出了自调节增量贝叶斯分类器和实时因果关联算法，从而实现了多种特征混合的告警关联，提高了告警关联率．使用MIT Lincoln Lab提供的2000 DARPA入侵检测攻击场景数据集LLDOS1．0对该算法进行了性能测试，实验结果验证了算法的有效性．     

基于关联规则和情景规则的网络告警分析模型

网络告警关联中隐含着丰富的模式知识,通过研究告警信息间的因果相关性,能够显著的提高网络故障管理的智能度.文章通过研究网络告警中的知识发现问题,提出一种基于关联规则和情景规则的网络告警分析模型.     

通过关联报警重建攻击场景

论文提出一系列的技术来整合两种互补型的报警关联方法:基于报警属性之间的相似性(聚类关联),和基于攻击的因果关系(因果关联)。尤其是根据入侵报警间的因果关系和它们需要满足的等同约束关系来假设和推理可能被IDSs漏报的攻击,同时使用一定的方法来整理假设的攻击重建更简单更可信的攻击场景。     

European Community policy and the market

Abstract This paper starts with some reflections on the policy considerations and priorities which are shaping European Commission (EC) research programmes. Then it attempts to position the current projects which seek to capitalise on information and communications technologies for learning in relation to these priorities and the apparent realities of the marketplace. It concludes that while there are grounds to be optimistic about the contribution EC programmes can make to the efficiency and standard of education and training, they are still too technology driven.     

一种自适应子融合集成多分类器方法

融合集成方法已经广泛应用在模式识别领域,然而一些基分类器实时性能稳定性较差,导致多分类器融合性能差,针对上述问题本文提出了一种新的基于多分类器的子融合集成分类器系统。该方法考虑在度量层融合层次之上通过对各类基多分类器进行动态选择,票数最多的类别作为融合系统中对特征向量识别的类别,构成一种新的自适应子融合集成分类器方法。实验表明,该方法比传统的分类器以及分类融合方法识别准确率明显更高,具有更好的鲁棒性。     

Explanation and prediction: an architecture for default and abductive reasoning

Although there are many arguments that logic is an appropriate tool for artificial intelligence, there has been a perceived problem with the monotonicity of classical logic. This paper elaborates on the idea that reasoning should be viewed as theory formation where logic tells us the consequences of our assumptions. The two activities of predicting what is expected to be true and explaining observations are considered in a simple theory formation framework. Properties of each activity are discussed, along with a number of proposals as to what should be predicted or accepted as reasonable explanations. An architecture is proposed to combine explanation and prediction into one coherent framework. Algorithms used to implement the system as well as examples from a running implementation are given.     

Three Process Perspectives: Organizations, Teams, and People

This paper provides the author's personal views and perspectives on software process improvement. Starting with his first work on technology assessment in IBM over 20 years ago, Watts Humphrey describes the process improvement work he has been directly involved in. This includes the development of the early process assessment methods, the original design of the CMM, and the introduction of the Personal Software Process (PSP)^SM and Team Software Process (TSP){^SM}. In addition to describing the original motivation for this work, the author also reviews many of the problems he and his associates encountered and why they solved them the way they did. He also comments on the outstanding issues and likely directions for future work. Finally, this work has built on the experiences and contributions of many people. Mr. Humphrey only describes work that he was personally involved in and he names many of the key contributors. However, so many people have been involved in this work that a full list of the important participants would be impractical.     

基于复小波噪声方差显著修正的SAR图像去噪

提出了一种基于复小波域统计建模与噪声方差估计显著性修正相结合的合成孔径雷达(Synthetic Aperture Radar,SAR)图像斑点噪声滤波方法。该方法首先通过对数变换将乘性噪声模型转化为加性噪声模型,然后对变换后的图像进行双树复小波变换(Dualtree Complex Wavelet Transform,DCWT),并对复数小波系数的统计分布进行建模。在此先验分布的基础上,通过运用贝叶斯估计方法从含噪系数中恢复原始系数,达到滤除噪声的目的。实验结果表明该方法在去除噪声的同时保留了图像的细节信息,取得了很好的降噪效果。     

How do children do mathematics with LOGO?

Abstract  This paper considers some results of a study designed to investigate the kinds of mathematical activity undertaken by children (aged between 8 and 11) as they learned to program in LOGO. A model of learning modes is proposed, which attempts to describe the ways in which children used and acquired understanding of the programming/mathematical concepts involved. The remainder of the paper is concerned with discussing the validity and limitations of the model, and its implications for further research and curriculum development.     

Editorial: Special issue on recent advances in hybrid control theory and applications

正The demands of a rapidly advancing technology for faster and more accurate controllers have always had a strong influence on the progress of automatic control theory.In recent years control problems have been arising with increasing frequency in widely different areas,which cannot be addressed using conventional control techniques.The principal reason for this is the fact that a highly competitive economy is forcing systems to operate in regimes where     

Information for Authors

正Aim The Journals of Zhejiang University-SCIENCE(A/B/C)areedited by the international board of distinguished Chinese andforeign scientists,and are aimed to present the latest devel-opments and achievements in scientific research in China andoverseas to the world’s scientific circles,especially to stimulateand promote academic exchange between Chinese and for-eign scientists everywhere.     

Enhancing a leaf radiative transfer model to estimate concentrations and in vivo specific absorption coefficients of total carotenoids and chlorophylls a and b from single-needle reflectance and transmittance

The relative concentrations of different pigments within a leaf have significant physiological and spectral consequences. Photosynthesis, light use efficiency, mass and energy exchange, and stress response are dependent on relationships among an ensemble of pigments. This ensemble also determines the visible characteristics of a leaf, which can be measured remotely and used to quantify leaf biochemistry and structure. But current remote sensing approaches are limited in their ability to resolve individual pigments. This paper focuses on the incorporation of three pigments—chlorophyll a, chlorophyll b, and total carotenoids—into the LIBERTY leaf radiative transfer model to better understand relationships between leaf biochemical, biophysical, and spectral properties.Pinus ponderosa and Pinus jeffreyi needles were collected from three sites in the California Sierra Nevada. Hemispheric single-leaf visible reflectance and transmittance and concentrations of chlorophylls a and b and total carotenoids of fresh needles were measured. These data were input to the enhanced LIBERTY model to estimate optical and biochemical properties of pine needles. The enhanced model successfully estimated reflectance (RMSE = 0.0255, BIAS = 0.00477, RMS%E = 16.7%), had variable success estimating transmittance (RMSE = 0.0442, BIAS = 0.0294, RMS%E = 181%), and generated very good estimates of carotenoid concentrations (RMSE = 2.48 µg/cm², BIAS = 0.143 µg/cm², RMS%E = 20.4%), good estimates of chlorophyll a concentrations (RMSE = 10.7 µg/cm², BIAS = − 0.992 µg/cm², RMS%E = 21.1%), and fair estimates of chlorophyll b concentrations (RMSE = 7.49 µg/cm², BIAS = − 2.12 µg/cm², RMS%E = 43.7%). Overall root mean squared errors of reflectance, transmittance, and pigment concentration estimates were lower for the three-pigment model than for the single-pigment model. The algorithm to estimate three in vivo specific absorption coefficients is robust, although estimated values are distorted by inconsistencies in model biophysics. The capacity to invert the model from single-leaf reflectance and transmittance was added to the model so it could be coupled with vegetation canopy models to estimate canopy biochemistry from remotely sensed data.     

Mr. Twinn’s bombes

This article discusses the history and design of the special versions of the bombe key-finding machines used by Britain’s Government Code & Cypher School (GC&CS) during World War II to attack the Enigma traffic of the Abwehr (the German military intelligence service). These special bombes were based on the design of their more numerous counterparts used against the traffic of the German armed services, but differed from them in important ways that highlight the adaptability of the British bombe design, and the power and flexibility of the diagonal board. Also discussed are the changes in the Abwehr indicating system that drove the development of these machines, the ingenious ways in which they were used, and some related developments involving the bombes used by the U.S. Navy’s cryptanalytic unit (OP-20-G).