Similar literature
Found 20 similar documents; search time 31 ms
1.
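Research on a Distributed Intrusion Detection and Response Cooperation Model   Total citations: 8, self-citations: 0, citations by others: 8
Dong Xiaomei, Yu Ge. Computer Engineering (计算机工程), 2006, 32(6): 151-153
A cooperation model for distributed intrusion detection and response is proposed. In this model, a cooperation agent is designed that performs correlation analysis on the detection results from the individual intrusion detection agents and combines them with alert messages received from cooperation agents in other domains to detect complex intrusions. The IDMEF message exchange format is extended, XML documents are used to represent the messages exchanged between intrusion detection components, and cooperation agents cooperate by exchanging XML messages. The concept of suspicion degree is introduced, and all suspicious and intrusive behaviour that is discovered is reported to monitoring.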

2.
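An Anomaly- and Signature-Based Intrusion Detection System Model   Total citations: 2, self-citations: 0, citations by others: 2
Most current intrusion detection systems (IDS) cannot detect both known and unknown intrusions, and cannot even detect minor variants of known intrusions, so their efficiency is low. This paper proposes an IDS that combines anomaly detection and signature detection techniques. An IDS that uses a single technique has serious shortcomings; to improve efficiency, the only solution is to combine the two, that is, anomaly- and signature-based intrusion detection. Anomaly detection can discover unknown intrusions, while signature-based detection can discover known intrusions. An intrusion detection system that combines the two can not only detect known and unknown intrusions but also update the signature-detection database, and is therefore highly efficient.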

3.
An Intrusion Detection System (IDS) is a program that analyzes what happens or has happened during an execution and tries to find indications that the computer has been misused. A Distributed IDS (DIDS) consists of several IDS over a large network(s), all of which communicate with each other, or with a central server that facilitates advanced network monitoring. In a distributed environment, DIDS are implemented using co-operative intelligent agents distributed across the network(s). This paper evaluates three fuzzy rule-based classifiers to detect intrusions in a network. Results are then compared with other machine learning techniques like decision trees, support vector machines and linear genetic programming. Further, we modeled Distributed Soft Computing-based IDS (D-SCIDS) as a combination of different classifiers to model lightweight and more accurate (heavy weight) IDS. Empirical results clearly show that soft computing approach could play a major role for intrusion detection.

4.
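In a distributed intrusion detection system, components sometimes need to cooperate with each other to complete complex detection tasks, so a general and efficient cooperation mechanism for intrusion detection is needed. This paper designs a distributed intrusion detection model based on cooperation agents. In this approach, a cooperation agent is designed that performs correlation analysis on the detection results from the individual intrusion detection agents and combines them with alert messages received from cooperation agents in other domains to detect complex intrusions.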

5.
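Automated intrusion detection is an important research direction in intrusion detection. Because traditional intrusion detection relies on labeled data for training, it cannot automatically update its rule base or detect new intrusions. A method for detecting intrusions automatically is proposed: clustering-based detection on unlabeled data. It does not rely on class-labeled data for training and can detect unknown intrusions while maintaining a very low false alarm rate.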

6.
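Application of Data Mining Techniques in Intrusion Detection Systems   Total citations: 7, self-citations: 0, citations by others: 7
Jiang Yichuan, Tian Shengfeng. Computer Engineering (计算机工程), 2001, 27(4): 130-131, 170
An intrusion detection system is a tool for detecting network intrusions. However, the intrusion patterns (normal patterns and abnormal patterns) in the internal knowledge base of current intrusion detection systems often do not reflect the characteristics of intrusions well, so missed detections and false alarms often occur. In addition, the user behaviour features extracted by the system sometimes do not correctly reflect the user's actual behaviour. To address this, the paper discusses in detail the application of data mining techniques in intrusion detection systems and proposes a structural model of an intrusion detection system that uses data mining.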

7.
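CIDF Cooperative Exchange Based on Data Mining   Total citations: 2, self-citations: 0, citations by others: 2
Niu Jianqiang, Cao Yuanda, Yan Hui. Computer Engineering (计算机工程), 2003, 29(14): 35-36, 126
With the rise of DDoS (distributed denial of service) attacks, open hosts on the Internet can hardly escape them. In this new situation, an IDS is required to detect new attacks and update its own detection rules in a timely manner, and in particular geographically distributed IDSs are required to cooperate. In this paper, data mining methods are applied to IDS to build an IDS rule mining engine based on data mining. On this basis, to solve the cooperation problem, the idea of embedding a DME (data mining engine) into CIDF is proposed, forming a cooperative exchange framework to counter distributed attacks.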

8.
A Representational Framework for Scenarios of System Use   Total citations: 1, self-citations: 0, citations by others: 1
Scenarios are becoming widely used in three areas of system development: software engineering, human–computer interaction (HCI), and organisational process design. There are many reasons to use scenarios during system design. The one usually advanced in support of the practice is to aid the processes of validating the developers’ understanding of the customers’ or users’ work practices, organisational goals and structures, and system requirements. All three areas identified above deal with these processes, and not surprisingly this has given rise to a profusion of scenario-based practices and representations. Yet there has been little analysis of why scenarios should be useful, let alone whether they are. Only by having such a framework for understanding what scenarios are, and what they are for, can we begin to evaluate different scenario approaches in specific development contexts. This paper is a contribution toward such a framework. We lay out a space of representational possibilities for scenarios and enumerate a set of values or criteria that are important for different uses of scenarios. We then summarise several salient representations drawn from the software engineering, HCI, and organisational process design communities to clarify how these representational choices contribute to or detract from the goals of the respective practices. Finally, we discuss how scenario representations from one area of design may be useful in others, and we discuss the relationship between these representations and other significant early-design and requirements engineering practices.

9.
Álvaro, Emilio, María A., Ajith. Neurocomputing, 2009, 72(13-15): 2775
A novel hybrid artificial intelligent system for intrusion detection, called MObile-VIsualization Hybrid IDS (MOVIH-IDS), is presented in this study. A hybrid model built by means of a multiagent system that incorporates an unsupervised connectionist intrusion detection system (IDS) has been defined to guaranty an efficient computer network security architecture. This hybrid IDS facilitates the intrusion detection in dynamic networks, in a more flexible and adaptable manner. The proposed improvement of the system in this paper includes deliberative agents characterized by the use of an unsupervised connectionist model to identify intrusions in computer networks. This hybrid IDS has been probed through several real anomalous situations related to the simple network management protocol as it is potentially dangerous. Experimental results probed the successful detection of such attacks through MOVIH-IDS.

10.
Requirements Engineering-Based Conceptual Modelling   Total citations: 1, self-citations: 1, citations by others: 1
The software production process involves a set of phases where a clear relationship and smooth transitions between them should be introduced. In this paper, a requirements engineering-based conceptual modelling approach is introduced as a way to improve the quality of the software production process. The aim of this approach is to provide a set of techniques and methods to capture software requirements and to provide a way to move from requirements to a conceptual schema in a traceable way. The approach combines a framework for requirements engineering (TRADE) and a graphical object-oriented method for conceptual modelling and code generation (OO-Method). The intended improvement of the software production process is accomplished by providing a precise methodological guidance to go from the user requirements (represented through the use of the appropriate TRADE techniques) to the conceptual schema that properly represents them (according to the conceptual constructs provided by the OO-Method). Additionally, as the OO-Method provides full model-based code generation features, this combination minimises the time dedicated to obtaining the final software product.

11.
User interface and requirements prototyping is a requirements elicitation technique. A user interface and requirements prototype is built during the requirements engineering phase of a software system development. Along with the user interface prototype are produced various documents such as the system requirement specification. When a prototype and other documents exist, they may not describe the same functionality, particularly because there may be behaviour of the prototype, artefacts of prototyping, that may not be intended. The problem is that in later development stages, when there is a prototype and other documents, it is often difficult to reconcile the difference between the prototype and the other documents. This paper presents an approach for avoiding this difficulty. It demonstrates the approach by showing its application to parts of a real software development.

12.
Intrusion detection systems monitor system activities to identify unauthorized use, misuse, or abuse. IDSs offer a defense when your system's vulnerabilities are exploited and do so without requiring you to replace expensive equipment. The steady growth in research on intrusion detection systems has created a demand for tools and methods to test their effectiveness. The authors have developed a software platform that both simulates intrusions and supports their systematic methodology for IDS testing

13.
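Design of a Multi-Agent-Based Distributed Intrusion Detection System   Total citations: 1, self-citations: 0, citations by others: 1
Based on an analysis of existing agent-based intrusion detection systems, a distributed intrusion detection system model based on multiple agents is proposed. The model adopts distributed detection and distributed response, and the agents are largely independent of one another. The overall system structure is built on the ideas of multi-agent technology, the components of the model are given, and the functional design of the various agents and the central console in the structure is analysed. A preliminary design and analysis of the feature matching algorithm, dynamic election algorithm and cooperation algorithm involved is also given. The system can make full use of cooperation among the agents to accomplish intrusion detection tasks and respond in real time, and can effectively improve on traditional IDS.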

14.
In this paper, we present some of the results from our ongoing research work in the area of ‘agent support’ for electronic commerce, particularly at the user interface level. Our goal is to provide intelligent agents to assist both the consumers and the vendors in an electronic shopping environment. Users with a wide variety of different needs are expected to use the electronic shopping application and their expectations about the interface could vary a lot. Traditional studies of user interface technology have shown the existence of a ‘gap’ between what the user interface actually lets the users do and the users’ expectations. Agent technology, in the form of personalized user interface agents, can help to narrow this gap. Such agents can be used to give a personalized service to the user by knowing the user’s preferences. By doing so, they can assist in the various stages of the users’ shopping process, provide tailored product recommendations by filtering information on behalf of their users and reduce the information overload. From a vendor’s perspective, a software sales agent could be used for price negotiation with the consumer. Such agents would give the flexibility offered by negotiation without the burden of having to provide human presence to an online store to handle such negotiations. Published online: 25 July 2001

15.
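Composite attacks are one of the main forms of network intrusion. How to detect composite attacks is an important direction in current intrusion detection research. After extensive study of composite attack patterns, an alert correlation model based on automatic adjustment is proposed. To improve the efficiency of the intrusion detection system, and in view of its characteristics, data mining techniques are introduced into the model. The design of an intrusion detection system model is described that uses an Apriori algorithm optimised for association rule extraction to perform feature analysis and knowledge discovery on log files.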

16.
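Application of Artificial Anomalies in Intrusion Detection   Total citations: 2, self-citations: 0, citations by others: 2
Anomaly detection, for reasons inherent to it, is difficult to apply in commercial intrusion detection systems. This paper constructs an intrusion detection system model and gives an algorithm for generating artificial anomalies. The results show that, after training with artificial anomalies, the model can detect the great majority of intrusion types unknown to the system. The model also performs well in detecting known intrusions.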

17.
From Non-Functional Requirements to Design through Patterns   Total citations: 8, self-citations: 2, citations by others: 6

18.
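With the frequent occurrence of network intrusions and security incidents, automated response has received wide attention. Building on a summary of existing work in related research areas, an adaptive intrusion response system (IRS) for active networks based on mobile agents is proposed. Through response analysis, the system automatically generates a response policy and dispatches mobile agents to execute it. Based on the alert confidence of the intrusion detection system (IDS) and the outcome of response execution, the system can adaptively adjust the response policy, which reflects the system's automatic and adaptive nature.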

19.
In October 2002 I attended the Ninth Monterey Software Engineering workshop held in Venice, Italy. This year’s theme was titled “Radical Innovations of Software and Systems Engineering in the Future.” In preparing my talk for the workshop, I thought hard about what I could possibly say on this topic that would not sound stupid. I certainly thought it would be awfully presumptuous of me to predict how people will or should be developing software in the future. More easily, I could imagine what the systems of tomorrow will look like and who will be developing them, though anything I would say would sound like platitudes. I could also state some strong opinions about what matters and what doesn’t in the process of software development. Stating such attitudes would at least provoke some discussion. Hence, what follows captures some of what I said at the workshop. Published online: 10 April 2003

20.
Easy concurrency     
Advances in technology raise expectations. As far as software engineering is concerned, the common expectation is that coding and deploying applications is going to be simple. It seems, though, that software engineering is not getting easier, and the complexity moves to an application domain. One of the sources of complexity is an application concurrency. It is not an uncommon development practice that concurrency and transaction management in multi-user, multi-threaded, event-driven applications are postponed until after most of the required functionality is implemented. This situation has various explanations. On the one hand, business logic may require access and modification of large sets of inter-connected application objects. On the other, testing and stress-testing of this logic becomes possible only at advanced stages of product development. At these stages, increasing lock granularities may appear to be less "expensive" than debugging race conditions and deadlocks. Coarse-grained locking has, of course, an adverse effect on application scalability. Declaring rules of concurrency outside of the application may solve part of the problem. This paper presents an approach allowing developers to define concurrency in application-specific terms, design it in the early stages of development, and implement it using a documented API of the concurrency engine (CE). Simple notation makes it possible to record concurrency specifications in terms of application operations, relationships between application resources, and synchronization conflicts between operations. These concepts are demonstrated on examples. The final sections include the CE UML diagram, notes on API usage, and performance benchmarks. Published online: 25 July 2001
