面向应用系统的基于柔性、信任和协同机制的检测与防护软件模型

While mission-critical application systems merge into the Internet environment, their isolated protection has been inadequate, and a lot of suspicious behaviors and uncertain harmful acts seriously threaten the survivability of mission-critical applications, meanwhile they are a challenge to traditional detection and provention means. Therefore, the analysis and judgement of suspicious behavior and uncertainty behavior is a key problem to increase mission-critical applications high survivability. .This project intends to build a trust-based flexible software model for coordination detection and defense of application system with target layer, monitor layer and corodination layer. The model has a flexible hierarchical structure and a flexible coupling mechanism, which can enable the model to bind with or separate from an aplication in the non-interfered way. The expected behaviors and unexpected behaviors of the key entities in the target system abstractly described in the active roles in monitor layer. Process algebra is used to formally defined entity behavior, and to carry out reasoning. A trust mechanism is proposed to integrate instant and historical evidence and information of suspicious behaviors and uncertain behaviors in present entity and other entities, which can provide the quantitative fact for judgement and determintation of behavior property. The model completes multi-point cordiantion detection and provention through coodination in multi-role, strategy, behavior and information, which can prevents malicious behavior form occuring and spreading..This project proposed flexible coupling mechanism, multi-point coordiantion detection and protection, judgement and determintation of suspicious behavior based on trust, the methods and techniques to determine uncertain behavior，which are effective means to enhance the survivability of mission-critical applications. The research achievements will reveal the principle of behavior detection, promote the theories of application-oriented coodination detection and prevention and techniques, and provide theoretical and technical support for the development of new detection and prevention software for application systems.

随着关键应用系统向互联网环境的融合，大量的可疑行为和不确定有害行为对其可生存性构成了严重威胁，是对传统检测和防护手段的一个挑战。.本课题拟构建一个具有目标层、监控层、协同层的协同检测与防护模型，它采用进程代数描述实体及其行为，完成行为推理和性质判定，采用柔性层次结构和柔性耦合机制，实现模型的可拔插。它通过监控层的主动角色抽象描述目标系统中实体的预期行为和非预期行为，基于信任机制，使用信任值继承和综合可疑行为和不确定行为的即时表现、历史表现、及在其它实体上的表现，为可疑行为性质判定提供定量依据。协同层通过多角色协作、策略协同、行为协同实现多点协同检测和协同防护。. 所提出柔性耦合机制、基于信任的可疑行为判定机理、协同检测和防护方法是增强关键应用系统可生存性的有效手段，研究成果有助于揭示面向应用系统行为检测与防护规律，为开发新型协同检测与防护软件提供理论和技术依托。

在国民经济、社会生活和国家基础设施等领域发挥着重要作用的关键应用系统日趋与Internet融合，如何保障其安全性和可生存性成为一个亟待解决的问题。项目针对关键应用系统中大量的可疑行为和不确定有害行为难以判定的问题展开研究。总结了关键应用系统的软件行为特征，提出了基于进程代数的实体行为形式化表示、判定和推理机制；利用目标层、监控层和协同层的层次结构将检测与防护逻辑、业务逻辑、协同逻辑分离，设计了检测与防护模型与应用系统之间的耦合方式，构建了基于角色的柔性协同检测与防护模型，实现了模型的可拔插；提出了多点协同检测与防护方法，给出了协同规则，有效阻止了恶意行为的传播和扩散；提出了基于信任的可疑行为判定方法和基于交互感知的动态自适应的信任评估方法，提高了综合推荐信任度计算的准确性，给出了行为检测与判定的信任评估模型，建立了信任继承和积累的机制。进行了成果扩展与应用，利用所得到的理论、方法和技术成果设计开发了行为检测和防护原型系统，开发了“WT用户行为检测和防护系统2.0”，申请软件著作权2项。发表了基金资助文章26篇，其中SCI收录4篇（SCI 二区1篇），EI收录15篇。培养博士生4人，硕士生16人，将该行为检测模型引入了计算机和软件工程专业的操作系统教学和人才培养中，获得河北省教学成果二等奖2项，课题组依托及应用本课题的成果获得的国家和省部级项目 5 项。积极开展国内外学术交流，参加国内外学术会议8次，申利民教授作为程序委员会副主席带领课题组成功地举办了“第七届中国可信计算与信息安全学术会议”。这些成果有助于增强关键应用系统的安全性和可生存性，是对应用系统中软件行为建模方法、协同检测与防护理论和技术的有益探索。