Similar literature
20 similar documents found
1.
Bayesian-based intrusion detection   Cited by: 1 (self-citations: 0, other: 1)
唐淑珍, 《软件导刊》 2010, (4): 149-151
Intrusion detection is playing an ever more important role in network security and is a key component of network defence. This paper applies Bayesian reasoning to intrusion detection, bringing the concept of plan recognition from AI into the field: a plan-recognition model for intrusion detection is built that attempts to predict the attacker's next action or intent, so that warnings can be raised in advance. A worked instance illustrates several applications of Bayesian reasoning in intrusion detection, and a new model based on an improved Bayesian algorithm is proposed. The model improves the completeness and accuracy of the intrusion detection system and can effectively safeguard the security of information systems.

2.
When constructing high-level attack scenarios and handling complex attacks, intrusion detection techniques have difficulty perceiving the intruder's intent, recognising the semantics linking individual attacks, and predicting the next attack. To address the uncertainty inherent in complex network attacks, this paper proposes an intrusion intention recognition method based on dynamic Bayesian networks: a dynamic Bayesian directed acyclic graph expresses in real time the relations among attack behaviour, intent and attack target, and probabilistic inference predicts the intruder's next attack. Experimental results reflect how the intruder's intent changes over the course of an intrusion and verify the effectiveness of the method.

3.
In large-scale network environments, the alert data produced by intrusion detection systems exhibit certain regularities. Building on this, an anomaly detection method based on alert event intensity is proposed; using a partitioned sample space and Bayesian dynamic forecasting, it resolves the time-dependence of alert data. Analysis of experimental data shows that the method detects large-scale intrusion behaviour well.

4.
An intrusion detection algorithm based on the LZW algorithm is proposed. System-call sequences serve as feature data; LZW partitions them into variable-length short sequences while compressing them, with the LZW algorithm adjusted where necessary to suit the partitioning. A Bayesian multivariate adaptive regression spline (Bayesian MARS) model then classifies normal and abnormal sequences and flags intrusions. Experimental results show that LZW variable-length partitioning matches the intrinsic structure of system-call sequences and achieves good detection performance at a high compression ratio. The combined LZW and Bayesian MARS intrusion detection algorithm performs stably across datasets and is feasible and practical.
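
The LZW segmentation step described above, as an added example that is not the paper's code: an LZW dictionary is grown over constructed normal system-call traces, frozen, and then used to split new traces into variable-length phrases. The paper classifies those phrases with Bayesian MARS; here that classifier is replaced by a plain compressibility score (phrases emitted per syscall), which, together with the syscall names and traces, is an assumption made for illustration.

```python
from collections import Counter


def initial_dictionary(alphabet):
    """LZW starts from the single-symbol alphabet; here, syscall names."""
    return {(s,): i for i, s in enumerate(sorted(alphabet))}


def lzw_segment(trace, dictionary, grow=True):
    """Split a syscall trace into variable-length phrases, LZW style.

    Each emitted phrase is the longest prefix of the remaining trace that is
    already in the dictionary; phrase + next symbol then becomes a new entry
    (only while grow is True).  grow=False freezes the dictionary learned
    from normal traces, which is the detection-time mode.
    """
    phrases = []
    w = ()
    for sym in trace:
        wc = w + (sym,)
        if wc in dictionary or not w:   # a lone, never-seen syscall still starts a phrase
            w = wc
        else:
            phrases.append(w)
            if grow:
                dictionary[wc] = len(dictionary)
            w = (sym,)
    if w:
        phrases.append(w)
    return phrases


def train(normal_traces):
    """Grow one dictionary over all normal traces (constructed training data)."""
    alphabet = {s for t in normal_traces for s in t}
    dictionary = initial_dictionary(alphabet)
    for t in normal_traces:
        lzw_segment(t, dictionary, grow=True)
    return dictionary


def phrase_features(trace, dictionary):
    """Phrase-count vector: the kind of feature a downstream classifier consumes."""
    return Counter(lzw_segment(trace, dictionary, grow=False))


def anomaly_score(trace, dictionary):
    """Phrases emitted per syscall under the frozen dictionary.

    A trace that follows learned patterns compresses into a few long phrases
    (low score); one that deviates fragments into many short ones.  Using this
    ratio as the detector is an assumption of this example, not the paper's
    Bayesian MARS classifier.
    """
    return len(lzw_segment(trace, dictionary, grow=False)) / len(trace)


# Constructed traces for illustration (not from the paper's datasets).
NORMAL_TRACES = [["open", "read", "write", "close"] * 3] * 2
SUSPECT_TRACE = ["open", "read", "execve", "socket", "write", "close"]

if __name__ == "__main__":
    d = train(NORMAL_TRACES)
    for name, t in (("normal", NORMAL_TRACES[0]), ("suspect", SUSPECT_TRACE)):
        print(name, lzw_segment(t, d, grow=False), round(anomaly_score(t, d), 3))
    # normal  -> 3 phrases / 12 syscalls = 0.25
    # suspect -> 4 phrases / 6 syscalls  = 0.667
```

The frozen dictionary is what makes the score meaningful: if the dictionary kept growing at detection time, the attack trace would teach the model its own phrases and compress just as well on the second pass.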

5.
Combining fuzzy techniques, neural networks and wavelets, a host intrusion prediction model, FWNN-IP, is proposed. System calls are classified by danger level, with high-danger calls assigned higher values, and fuzzified short sequences of system calls are used to analyse the trace of a program (process) in order to predict intrusions. Experimental results show that FWNN-IP can predict anomalies in a program (process) in time, allowing more proactive preventive measures against intrusion.

6.
An intrusion-tolerant system based on Bayesian networks   Cited by: 2 (self-citations: 0, other: 2)
An intrusion-tolerant system based on Bayesian networks is proposed and its operating flow is given. A concrete process is represented by a process-attribute vector, and process attributes are classified in detail. A Bayesian network model is used to describe the execution of a process; a formula is given for computing the probability of a process type by Bayesian network inference; a risk function for determining how dangerous a process is is constructed; and a worked instance shows how an intrusive process is identified.

7.
Existing intrusion intention recognition methods do not consider the validity of alert evidence, which hurts recognition accuracy. This paper proposes an intrusion intention recognition method based on Bayesian attack graphs. A Bayesian attack graph model is built first; alert confidence and the correlation strength between alerts are then defined so that isolated low-confidence alerts can be discarded. Bayesian posterior inference over the extracted valid alert evidence dynamically updates the probability that each state node in the attack graph has been attacked, identifying both attacks that have already occurred and potential ones. Experimental results show that the method extracts alert evidence effectively and improves the accuracy of network intrusion prediction.
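
The inference loop this abstract describes, as an added example that is not the paper's code: a small Bayesian attack graph, an alert filter that drops isolated low-confidence alerts, and exact posterior inference that updates the compromise probability of every state node as alerts arrive. The graph, its probabilities and the alert stream are constructed; correlation strength between alerts is simplified to adjacency in the graph, and an alert's confidence c is treated as P(alert | state reached) = c and P(alert | state not reached) = 1 - c, both assumptions of this example.

```python
from itertools import product

# Constructed attack graph: node -> (parent nodes, p).  For a root node p is
# the prior probability that the state is reached; otherwise p is the
# probability that the exploit succeeds from any one compromised parent
# (parents combine by noisy-OR).
ATTACK_GRAPH = {
    "recon":       ([], 0.9),
    "web_exploit": (["recon"], 0.4),
    "shell":       (["web_exploit"], 0.8),
    "cred_theft":  (["shell"], 0.5),
    "db_exfil":    (["cred_theft"], 0.7),
}


def node_prob(graph, node, assignment):
    """P(node reached | parents' values in this joint assignment)."""
    parents, p = graph[node]
    if not parents:
        return p
    reached = sum(assignment[q] for q in parents)
    return 1.0 - (1.0 - p) ** reached       # noisy-OR over compromised parents


def joint_prob(graph, assignment):
    """Prior probability of one full assignment of 0/1 to every node."""
    pr = 1.0
    for node, value in assignment.items():
        p1 = node_prob(graph, node, assignment)
        pr *= p1 if value else 1.0 - p1
    return pr


def filter_alerts(graph, alerts, min_confidence):
    """Keep an alert if it is confident enough or has an alert on a
    neighbouring node (parent or child); drop isolated low-confidence ones."""
    children = {n: [] for n in graph}
    for node, (parents, _) in graph.items():
        for q in parents:
            children[q].append(node)
    kept = {}
    for node, conf in alerts.items():
        neighbours = set(graph[node][0]) | set(children[node])
        isolated = not any(m in alerts for m in neighbours)
        if conf < min_confidence and isolated:
            continue
        kept[node] = conf
    return kept


def posterior(graph, alerts):
    """P(node reached | retained alerts) for every node, by enumeration.

    Each alert on node X with confidence c enters as a noisy observation:
    P(alert | X=1) = c and P(alert | X=0) = 1 - c.  Enumeration is exact and
    fine for graphs of a dozen nodes; larger graphs need a proper BN engine.
    """
    nodes = list(graph)
    numer = dict.fromkeys(nodes, 0.0)
    z = 0.0
    for values in product((0, 1), repeat=len(nodes)):
        a = dict(zip(nodes, values))
        w = joint_prob(graph, a)
        for node, conf in alerts.items():
            w *= conf if a[node] else 1.0 - conf
        z += w
        for n in nodes:
            if a[n]:
                numer[n] += w
    return {n: numer[n] / z for n in nodes}


if __name__ == "__main__":
    # Constructed alert stream: a weak, isolated alert first, then corroboration.
    for raw in ({"db_exfil": 0.3}, {"web_exploit": 0.7, "shell": 0.85}):
        evidence = filter_alerts(ATTACK_GRAPH, raw, min_confidence=0.5)
        post = posterior(ATTACK_GRAPH, evidence)
        print(raw, "->", {n: round(p, 3) for n, p in post.items()})
```

With no evidence the posterior equals the prior along the chain; the first, isolated low-confidence alert is discarded and changes nothing, while the two corroborating alerts raise the probability of the downstream nodes (`cred_theft`, `db_exfil`) that have not yet alerted, which is the "potential attack" signal the abstract refers to.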

8.
Bayesian networks for intrusion detection   Cited by: 8 (self-citations: 0, other: 8)
Intrusion detection in large networks mainly relies on multiple distributed agents, which need a degree of intelligence in order to handle various intrusions. This paper proposes constructing each agent from a Bayesian network, giving the agents the ability to learn, to recognise quickly and to handle incomplete data sets, so that the system adapts better. Finally, a worked instance illustrates the application of Bayesian networks to intrusion detection.

9.
Intrusion intention recognition based on probabilistic reasoning   Cited by: 1 (self-citations: 0, other: 1)
An attacker's intrusive actions usually reflect the attacker's goals and intentions; on this basis a hierarchical model of intrusion intention recognition is proposed. To handle uncertain information in network environments, an intrusion intention recognition algorithm based on probabilistic reasoning is presented, which also predicts the attacker's subsequent attack plan and goals so as to give early warning. A Bayesian network built from the causal relations among network security events, goals and intentions can describe and handle concurrent intention recognition. Experiments demonstrate the feasibility and effectiveness of the method.

10.
Research on an intrusion detection method based on distributed intelligent agents   Cited by: 2 (self-citations: 1, other: 1)
Building on an analysis of the Common Intrusion Detection Framework and the implementation strategies of traditional intrusion detection systems, a detection model that fuses misuse detection and anomaly detection, a network intrusion detection model based on distributed intelligent agents, is proposed. The detection engine and detection algorithm are improved to give higher accuracy and intelligent capabilities such as identifying and predicting potential intrusions.

11.
Predicting the intentions of an observed agent and taking corresponding countermeasures is an essential part of future proactive intrusion detection systems (IDS) as well as intrusion prevention systems (IPS). In this paper, an approach based on a dynamic Bayesian network with transfer probability estimation is developed to predict whether the goal of a system call sequence is normal or not, with early warnings issued so that appropriate countermeasures can be taken in advance. Since a complete set of system call state transfers can hardly be built in real environments, the empirical results show that newly emerging system call transfers have a great impact on prediction performance if a dynamic Bayesian network is used directly, without transfer probability estimation. Therefore, we estimate the probability of new state transfers to predict the goals of system call sequences together with those in the conditional probability table (CPT). This surmounts the difficulty of manually selecting compensating parameters in the dynamic Bayesian network approach [Feng L, Guan X, Guo S, Gao Y, Liu P. Predicting the intrusion intentions by observing system call sequences. Computers & Security 2004; 23/3: 241–252] and clearly makes our prediction model more applicable. The University of New Mexico (UNM) and KLINNS data sets were analyzed, and the experimental results show that the approach performs very well in predicting the goals of system call sequences with high accuracy, and furthermore dispenses with much of the manual work of selecting compensating parameters.
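
The failure mode this abstract describes, and one estimate for transfers never seen in training, as an added example that is not the paper's code. A first-order Markov chain over observed system-call states stands in for the paper's dynamic Bayesian network, and its conditional probability table is learned from constructed normal traces. Without an estimate for new transfers a single unseen transition drives the sequence probability to zero; with Witten-Bell style mass reserved for unseen successors (the estimator chosen here, an assumption rather than the paper's method) the sequence still receives a graded score that a threshold can act on.

```python
import math
from collections import Counter, defaultdict

UNK = "<unk>"   # any syscall absent from training maps to this state


class TransitionModel:
    """First-order Markov chain over system-call states (CPT: prev -> next)."""

    def __init__(self, normal_traces):
        self.counts = defaultdict(Counter)
        for t in normal_traces:
            for prev, nxt in zip(t, t[1:]):
                self.counts[prev][nxt] += 1
        self.vocab = {s for t in normal_traces for s in t} | {UNK}

    def _state(self, s):
        return s if s in self.vocab else UNK

    def prob(self, prev, nxt, estimate_new=True):
        """P(nxt | prev).  estimate_new=False is the raw CPT: unseen -> 0."""
        prev, nxt = self._state(prev), self._state(nxt)
        row = self.counts.get(prev)
        if not row:                               # prev never seen as a predecessor
            return 1.0 / len(self.vocab) if estimate_new else 0.0
        total, types = sum(row.values()), len(row)
        if not estimate_new:
            return row[nxt] / total
        if nxt in row:                            # seen transfer, discounted
            return row[nxt] / (total + types)
        # Witten-Bell: reserve types/(total+types) and spread it over the
        # successors never observed after prev (vocab always includes UNK,
        # so the divisor is at least 1).
        return types / (total + types) / (len(self.vocab) - types)

    def mean_log_prob(self, trace, estimate_new=True):
        """Average log-probability per transition; -inf if any transfer has P=0."""
        logp, n = 0.0, 0
        for prev, nxt in zip(trace, trace[1:]):
            p = self.prob(prev, nxt, estimate_new)
            if p == 0.0:
                return float("-inf")
            logp += math.log(p)
            n += 1
        return logp / n if n else 0.0

    def is_normal(self, trace, threshold, estimate_new=True):
        """Predicted goal: normal when the per-transition score clears the threshold."""
        return self.mean_log_prob(trace, estimate_new) >= threshold


if __name__ == "__main__":
    # Constructed traces for illustration, not the UNM or KLINNS data.
    model = TransitionModel([["open", "read", "write", "close"] * 2])
    for t in (["open", "read", "write", "close"],
              ["open", "read", "execve", "close"]):
        print(t, "raw CPT:", round(model.mean_log_prob(t, estimate_new=False), 3),
              "estimated:", round(model.mean_log_prob(t), 3))
```

The raw CPT gives the normal trace a score of 0 and the trace with one novel transition a score of minus infinity, so every sequence containing any transfer absent from training is flagged regardless of how typical the rest of it is. With the estimate, the normal trace scores about -0.41 and the novel one about -1.50, and the threshold separating them is a tunable parameter instead of a hand-picked compensating value per transfer.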

12.
A new intrusion detection method based on rough set theory   Cited by: 38 (self-citations: 1, other: 38)
An efficient, low-overhead anomaly detection method for monitoring abnormal process behaviour is proposed. Using rough set theory, it extracts a simple predictive rule model from the system-call sequences a process produces during normal execution, and can effectively detect abnormal process states. Compared with other methods, building the normal model with rough sets requires training data that are simple to obtain, and the resulting model is better suited to online detection. Experimental results show that the method detects better than other methods of its kind.

13.
Measuring the regularity of normal behaviour in anomaly detection   Cited by: 1 (self-citations: 0, other: 1)
Anomaly detection is the basic means of defending against novel attacks, and the regularity of normal behaviour is a fundamental factor in detection capability. Using information entropy as the analytical tool, a method for measuring the degree of regularity of normal behaviour in anomaly detection is proposed and applied to the analysis of two anomaly detection instances, giving a theoretical analysis of how features can be transformed to obtain more regularity information. On this basis, two new anomaly detection algorithms are proposed for different data types.

14.
蒋世忠, 杨进, 张英, 《计算机应用》 2006, 26(5): 1077-1080
To address problems in current intrusion detection methods based on process system calls, an intrusion detection method combining immune principles with rough set theory is proposed. After substituting the cyclic sequences within system-call sequences, rough set theory is used to extract a simple minimal predictive rule model; mechanisms from immune theory are fused in, adding a fast detection engine for known intrusions to the detection model. Compared with other methods, it does not require complete process system-call data, and the rules obtained are simple and better suited to real-time detection. Experimental results show that its detection performance exceeds that of comparable methods.

15.
To address the poor robustness of recognition rates in micro-expression recognition caused by small datasets and unevenly distributed sample types, a micro-expression recognition model based on a two-stream enhanced network is proposed. The model builds on a two-stream convolutional neural network over single-frame RGB images and optical-flow images, taking authoritative datasets as its base and data augmentation as its baseline. Fusing single-frame spatial information with optical-flow temporal information at the SoftMax logistic regression layer improves the performance of the two independent streams, and a cycle-consistency-constrained generative adversarial network is introduced to generate images that expand the dataset. The input micro-expression video frame sequence is decomposed into a grayscale single-frame sequence and an optical-flow single-frame sequence for the two streams, both are augmented, and the recognition model is then built, which effectively raises the recognition rate. The two-stream enhanced network model improves micro-expression recognition accuracy, is robust, and generalises stably.

16.
Deterministic learning and data-based modelling and control   Cited by: 6 (self-citations: 1, other: 5)
Deterministic learning applies concepts and methods from adaptive control and dynamical systems to the acquisition, representation, storage and use of knowledge in unknown dynamic environments. For continuous nonlinear dynamical systems that generate periodic or recurrent trajectories, deterministic learning can model the unknown system dynamics locally and accurately. Its basic elements are: 1) the use of radial basis function (RBF) neural networks; 2) satisfaction of a partial persistent excitation condition along periodic (or recurrent) state trajectories; 3) locally accurate neural network approximation of the nonlinear system dynamics in a neighbourhood of the periodic (or recurrent) trajectory (locally accurate modelling); 4) representation of the learned knowledge in a time-invariant, spatially distributed form, stored as constant neural network weights, which can be used in dynamic environments for rapid recognition of dynamic patterns or for closed-loop neural network control. This paper extends deterministic learning theory to discrete dynamical systems and proposes a framework for modelling and controlling discrete dynamical systems from temporal data sequences. First, using the principles of deterministic learning and adaptive identification methods for discrete systems, the unknown dynamics of the discrete nonlinear system that generated the temporal data are modelled locally and accurately by a neural network, and this model provides a time-invariant representation of the temporal data sequence. Second, a dynamics-based definition of similarity between temporal data sequences is proposed, together with a method for rapidly recognising temporal data sequences (also called dynamic patterns) generated by discrete dynamical systems. Finally, for discrete nonlinear control systems, closed-loop identification (locally accurate modelling) of the control system dynamics from temporal data sequences is realised; the learned knowledge of the closed-loop dynamics can be used for pattern-based intelligent control. The paper shows that deterministic learning offers a new route for research on temporal data mining and new ideas for data-based modelling and control.

17.
Currently almost all static methods for detecting malicious code are signature-based, with the result that viruses can easily escape detection through simple mechanisms such as code obfuscation. In this paper, a behavior-based detection approach is proposed to address this problem. The behaviors of interest are defined as static system call sequences. Unlike the traditional approach, which derives system call sequences by running executables (i.e., dynamic system call sequences), this approach statically analyzes binary code to derive system call sequences. A method for deriving static system call sequences is presented, and two automatic feature-selection methods based on n-grams are proposed. We use machine-learning methods, including the K-nearest neighbor, Support Vector Machine and decision tree methods, to classify executables. The proposed approach is compared with the dynamic detection approach using dynamic system call sequences. The experimental results show that the proposed approach has higher accuracy and a lower false positive rate than the dynamic detection approach.

18.
Anomaly intrusion detection is currently an active research topic in the field of network security. This paper proposes a novel method for detecting anomalous program behavior, which is applicable to host-based intrusion detection systems monitoring system call activities. The method employs data mining techniques to model the normal behavior of a privileged program, and extracts normal system call sequences according to their supports and confidences in the training data. At the detection stage, a fixed-length sequence pattern matching algorithm is utilized to compare the current behavior with historic normal behavior, which is less computationally expensive than the variable-length pattern matching algorithm proposed by Hofmeyr et al. The temporal correlation of the audit data is also taken into account at the detection stage, and two alternative schemes can be used to distinguish between normal behavior and intrusions. The method gives attention to both computational efficiency and detection accuracy, and is especially suitable for online detection. It has been applied to practical host-based intrusion detection systems, and has achieved high detection performance.
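
The pipeline this abstract sketches, as an added example that is not the paper's code: fixed-length system-call sequences are mined from constructed normal traces with support and confidence thresholds, a new trace is matched window by window against that set, and the two temporal decision schemes (an overall mismatch rate, and the largest mismatch count inside a locality frame of consecutive windows) are applied side by side. Window length, thresholds, frame size and the traces are assumptions of this example; the paper does not specify them.

```python
from collections import Counter


def windows(trace, k):
    """All length-k contiguous sub-sequences of a syscall trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def mine_normal_patterns(normal_traces, k, min_support, min_confidence):
    """Keep each length-k sequence whose support (share of all windows) and
    confidence (count / count of its k-1 prefix) clear the thresholds."""
    full, prefix = Counter(), Counter()
    for t in normal_traces:
        for w in windows(t, k):
            full[w] += 1
            prefix[w[:-1]] += 1
    total = sum(full.values())
    return {w for w, c in full.items()
            if c / total >= min_support and c / prefix[w[:-1]] >= min_confidence}


def mismatch_flags(trace, patterns, k):
    """Fixed-length matching: True for each window absent from the normal set."""
    return [w not in patterns for w in windows(trace, k)]


def mismatch_rate(flags):
    """Scheme 1: share of mismatching windows over the whole trace."""
    return sum(flags) / len(flags) if flags else 0.0


def max_frame_mismatches(flags, frame):
    """Scheme 2: most mismatches inside any run of `frame` consecutive windows,
    so a short burst of anomalies stands out even in a long, mostly normal trace."""
    spans = range(max(len(flags) - frame + 1, 1))
    return max(sum(flags[i:i + frame]) for i in spans)


def detect(trace, patterns, k, max_rate=0.2, frame=4, max_in_frame=2):
    """Return (scheme1_alarm, scheme2_alarm) for one trace."""
    flags = mismatch_flags(trace, patterns, k)
    return (mismatch_rate(flags) > max_rate,
            max_frame_mismatches(flags, frame) >= max_in_frame)


# Constructed traces for illustration (not the paper's audit data).
NORMAL_TRACES = [["open", "read", "write", "close"] * 3]
MIXED_TRACE = ["open", "read", "write", "close",
               "open", "read", "execve", "close",
               "open", "read", "write", "close"]

if __name__ == "__main__":
    patterns = mine_normal_patterns(NORMAL_TRACES, k=3, min_support=0.1, min_confidence=0.5)
    print(sorted(patterns))
    for t in (NORMAL_TRACES[0], MIXED_TRACE):
        flags = mismatch_flags(t, patterns, 3)
        print(mismatch_rate(flags), max_frame_mismatches(flags, 4), detect(t, patterns, 3))
```

The support threshold is the part to tune with care: on a long real trace a rare but legitimate code path may fall below `min_support`, be left out of the normal set, and then trigger the locality-frame scheme every time it runs, so the thresholds should be validated against held-out normal traces before deployment.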

19.
Network intrusion detection based on system calls and data mining   Cited by: 1 (self-citations: 0, other: 1)
(Abstract identical to that of entry 18 above.)

20.
The objective of this work is to recognize faces using video sequences both for training and for novel input, in a realistic, unconstrained setup in which lighting, pose and user motion pattern vary widely and face images are of low resolution. There are three major areas of novelty: (i) illumination generalization is achieved by combining coarse histogram correction with fine illumination manifold-based normalization; (ii) pose robustness is achieved by decomposing each appearance manifold into semantic Gaussian pose clusters, comparing the corresponding clusters and fusing the results using an RBF network; (iii) a fully automatic recognition system based on the proposed method is described and extensively evaluated on 600 head motion video sequences with extreme illumination, pose and motion pattern variation. On this challenging data set our system consistently demonstrated a very high recognition rate (95% on average), significantly outperforming state-of-the-art methods from the literature.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号