Research on cyber attack intention recognition based on partially observable Markov decision process

Wu Tao, Wang Chong-Jun, Xie Jun-Yuan

Journal of Nanjing University (Natural Sciences), 2010, Vol. 46, Issue 2: 122-130.


Abstract (translated from the Chinese)

As an active information-security safeguard, intrusion detection has become a research hotspot in computer security and especially in network security; to evade detection, intrusive behaviour has in turn become increasingly intelligent and distributed. Introducing artificial-intelligence and machine-learning techniques into intrusion detection to strengthen the capability of intrusion detection systems has become a topic of interest in both industry and academia. This paper models intrusion and intrusion detection as two multi-agent systems with opposing interests, and holds that intrusive behaviour consists of drawing up an attack plan according to a predetermined goal. In this setting, the core of intrusion detection should be to predict the adversary's attack intention from its observed attack actions, which is a typical intention-recognition problem; this means that adversary-mind-modeling techniques and plan-recognition ideas should be introduced into intrusion detection. Because the adversary adjusts its strategic deployment at any time during the actual course of action according to the actual situation, this problem cannot be modeled directly as a traditional KEY-HOLE observation problem. Starting from the intruder's point of view, this paper introduces the partially observable Markov decision process, a mathematical model for reaching an optimal goal through a sequence of decisions when both the environmental state and the effects of actions are uncertain, and thereby achieves intrusion-intention recognition. Finally, experimental results on the DARPA test data set demonstrate the effectiveness of the method.

Abstract

Intrusion detection, as an active measure to assure information security, has been receiving intensive attention and has recently become the focus of the computer security, and especially the network security, research communities. In order to avoid being detected, however, intrusion events have evolved to become intelligent and distributed, making them good at concealing their purposes and so evading detection. To deal with this problem, as this paper does, techniques involving artificial intelligence and machine learning are brought in. This paper models intrusion and its detection as two multi-agent systems that have conflicting interests, and holds the opinion that to intrude is just to devise and execute attacking plans aiming to achieve certain objectives; the key of intrusion detection then is to analyze the observed opponent's actions perceived as abnormal and reveal their intentions, which is then a classical intention recognition problem. However, we noticed that the traditional KEY-HOLE observing method for intention recognition is not suitable to be used here, because the environment for intrusion detection usually has an attack-defense nature, thus is dynamic and can be extremely complex, making it expectable that failures to report intrusions and false reports of intrusions do happen; as a result, acquiring a complete and true action sequence of the intruder is impossible. Under this circumstance, a strategy so robust that it can recognize the intruder's intention using just an action sequence which contains only part of the intruder's complete action sequence and also unknowingly includes some misclassified actions is desperately needed, and this is exactly what this paper may contribute. Further than proposing the two multi-agent systems model, this paper sees the intrusion process as a Partially Observable Markov Decision Process (POMDP), and then estimates the intruder's intention as the output of the process. In this case the intention of the intruder can be recognized through an incomplete and defective action sequence it has just taken. The effectiveness of the proposed method is proved by experiments on a data set contributed by DARPA.
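The abstract's central claim is that an intruder's intention can be estimated from an alert sequence that is both incomplete (missed detections) and defective (misclassified alerts). The following is an added example, not the paper's own code or model: it runs the belief-state update of a POMDP over a small, constructed set of intruder phases, with a transition model that lets the adversary change its plan and an observation model that assigns probability to missed and misclassified alerts. The phase names, probabilities and alert sequence are all assumptions made for illustration.

```python
# Added example, not the paper's own code: a belief-state filter (the state
# estimation half of a POMDP) over an intruder's hidden intention. The
# intentions, probabilities and alert sequence are constructed assumptions.

INTENTIONS = ["recon", "exploit", "exfiltrate"]

# T[s][s2]: the intruder may stay in a phase, advance, or fall back, which
# models an adversary that adjusts its plan while acting.
T = {
    "recon":      {"recon": 0.6, "exploit": 0.4, "exfiltrate": 0.0},
    "exploit":    {"recon": 0.1, "exploit": 0.5, "exfiltrate": 0.4},
    "exfiltrate": {"recon": 0.0, "exploit": 0.2, "exfiltrate": 0.8},
}

# O[s][o]: probability that the IDS emits alert o while the intruder is in
# phase s. "none" is a missed detection; off-diagonal mass is a misclassified
# alert, so the observed sequence is both incomplete and defective.
O = {
    "recon":      {"scan": 0.50, "exploit_sig": 0.1, "large_transfer": 0.05, "none": 0.35},
    "exploit":    {"scan": 0.20, "exploit_sig": 0.5, "large_transfer": 0.10, "none": 0.20},
    "exfiltrate": {"scan": 0.05, "exploit_sig": 0.1, "large_transfer": 0.55, "none": 0.30},
}

def belief_update(belief, alert):
    """One POMDP belief update: predict through T, then weight by O(alert | s2)."""
    predicted = {s2: sum(belief[s] * T[s][s2] for s in INTENTIONS) for s2 in INTENTIONS}
    unnorm = {s2: predicted[s2] * O[s2][alert] for s2 in INTENTIONS}
    z = sum(unnorm.values())
    if z == 0.0:  # alert impossible under every hypothesis: keep the prediction
        return predicted
    return {s2: v / z for s2, v in unnorm.items()}

def recognize_intention(alerts, prior=None):
    """Filter a partial, noisy alert sequence; return (most likely intention, belief)."""
    belief = dict(prior) if prior else {s: 1.0 / len(INTENTIONS) for s in INTENTIONS}
    for alert in alerts:
        belief = belief_update(belief, alert)
    return max(belief, key=belief.get), belief

# Constructed sequence: two scans, a missed detection ("none"), an exploit
# signature, a misclassified "scan" fired during exploitation, two transfers.
SAMPLE_ALERTS = ["scan", "scan", "none", "exploit_sig", "scan",
                 "large_transfer", "large_transfer"]

if __name__ == "__main__":
    for i in range(1, len(SAMPLE_ALERTS) + 1):
        best, b = recognize_intention(SAMPLE_ALERTS[:i])
        print(f"after {SAMPLE_ALERTS[i - 1]:>14}: {best:<10} " + ", ".join(f"{s}={b[s]:.2f}" for s in INTENTIONS))
```

Because the transition model carries belief forward through the missed detection and the later alerts outweigh the single misclassified scan, the filter settles on the exfiltration phase even though it never saw a clean, complete action sequence.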

Cite this article

Wu Tao, Wang Chong-Jun, Xie Jun-Yuan. Research on cyber attack intention recognition based on partially observable Markov decision process [J]. Journal of Nanjing University (Natural Sciences), 2010, 46(2): 122-130.


Funding

National Natural Science Foundation of China (60875038, 60721002, 60503021), Key Project Fund of the Ministry of Education (108151), Jiangsu Provincial Science and Technology Support Program (BE2009142)
