Research on network intrusion intention recognition based on partially observable Markov decision process  (Cited by: 3)

Research on cyber attack intention recognition based on partially observable Markov decision process


Authors: 吴涛 [1], 王崇骏 [1], 谢俊元 [1]

Affiliation: [1] State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing 210093

Source: Journal of Nanjing University (Natural Science), 2010, No. 2, pp. 122-130 (9 pages)

Funding: National Natural Science Foundation of China (60875038, 60721002, 60503021); Key Project Fund of the Ministry of Education (108151); Jiangsu Province Science and Technology Support Program (BE2009142)

Abstract: As an active measure for assuring information security, intrusion detection has become a research hotspot in computer security and especially in network security. To evade detection, intrusion behaviour has gradually become intelligent and distributed. Introducing artificial intelligence and machine learning techniques into intrusion detection to strengthen the capability of intrusion detection systems has become a topic of concern for both industry and academia. This paper models intrusion and intrusion detection as two multi-agent systems with opposing interests, and holds that intrusion behaviour consists of formulating an attack plan according to a predetermined goal. In this setting, the core of intrusion detection should be to predict the attacker's intention from the attacker's observed actions; this is a typical intention recognition problem, which implies that opponent modelling and plan recognition techniques should be brought into intrusion detection. Since the opponent adjusts its strategic deployment at any time according to the actual situation during the course of its actions, the problem cannot be modelled directly as a traditional KEY-HOLE observation problem. Starting from the intruder's perspective, this paper introduces the partially observable Markov decision process as a mathematical model for reaching an optimal goal through a sequence of decisions when both the environment state and the effects of actions are uncertain, and thereby achieves intrusion intention recognition. Finally, experimental results on the DARPA test data set demonstrate the effectiveness of the method.

Abstract (English): Intrusion detection, as an active measure to assure information security, has been receiving intensive attention and has recently become the focus of the computer security, and especially the network security, research communities. In order to avoid being detected, however, intrusion events have evolved to become intelligent and distributed, making them good at concealing their purposes and so penetrating the intrusion detection system. To deal with this problem, as this paper does, techniques involving artificial intelligence and machine learning are brought in. This paper models intrusion and its detection as two multi-agent systems that have conflicting interests, and holds the opinion that to intrude is just to devise and execute attacking plans aiming to achieve certain objectives; the key of intrusion detection then is to analyze the observed opponent's actions perceived as abnormal and reveal their intentions, which is a classical intention recognition problem. Justifiably, we noticed that the traditional KEY-HOLE observing method for intention recognition is not suitable here, because the environment for intrusion detection usually has an attack-defense nature and is thus dynamic and can be extremely complex, making it expectable that failures to report intrusions and false reports of intrusions do happen; as a result, acquiring a complete and true action sequence of the intruder is impossible.
Under this circumstance, to design a strategy so robust that it can recognize the intruder's intention using just an action sequence which not only contains only part of the intruder's complete action sequence but also unknowingly includes some misclassified actions is desperately needed, and this is exactly what this paper may contribute. Further than proposing the two multi-agent systems model, this paper sees the intrusion process as a Partially Observable Markov Decision Process (POMDP), and then estimates the intruder's intention as the output of the process. In this case intention of the intrud

Keywords: compound attack; attack pattern; scenario construction; attack path graph

Classification code: TP3 [Automation and Computer Technology: Computer Science and Technology]
