Research on Network Security Alert Information Processing Techniques
Abstract
In a network security defense system, the various security devices produce large volumes of imprecise alerts in real time, mixed with false positives and irrelevant alerts. The real intrusion intent is buried in a mass of low-quality data, which makes the alerts hard to analyze and interpret correctly, and isolated alerts cannot accurately reflect the current security state of the network. To address these problems, this dissertation studies several key techniques for alert processing. The main research content is as follows:
1. Alert pre-processing
A normalized description of alerts is studied: the IDMEF model is extended and implemented in a binary encoding. An alert filtering mechanism based on regular-expression matching is designed, whose rule-tree matching is flexible and convenient. A multi-feature alert aggregation method is studied; it exploits the hierarchical structure of the alerts' address (spatial) features to narrow the range of aggregation comparisons and raise processing efficiency.
2. Alert verification and fusion based on multi-source information
An alert verification method based on predicate logic is proposed that analyzes the correlation between alert attributes and information about the target network system, detecting irrelevant alerts effectively. Alert verification is also performed with fuzzy comprehensive evaluation; the timeliness and the accuracy of the collected target-system information are introduced into the membership-degree computation, yielding a more reasonable judgement. A confidence fusion framework based on multi-source alerts is proposed that fuses the alerts of different security devices to improve the accuracy of attack detection.
3. Attack scenario construction based on alerts
On the basis of an attack strategy model, a multi-scale alert correlation method is proposed that analyzes the causal relations between alerts to build attack scenarios at different granularities; the abstraction relations between alert types at different scales constrain the traversal space of the correlation and improve its efficiency. For the problem of broken alert correlation graphs, a correlation-graph combination method based on fuzzy clustering is proposed that reconstructs attack scenarios effectively.
4. Security state assessment based on alerts
Security state assessment based on real-time alerts is studied at the macro and micro levels. At the macro level, a mission-based quantitative assessment method is proposed that gives the threat faced by the system, and the evolution of its state, in the context of a particular mission. At the micro level, a quantitative assessment method based on attack scenarios is proposed; it takes an attack scenario as its input and reflects, over the whole course of the attack, the threat and impact on the network system of a causally linked series of attacks.
5. Implementation of the alert processing system
A component-based security management platform prototype is designed that provides the data support and runtime environment for alert processing. An event-processing module is designed and implemented, using the publish/subscribe pattern for real-time transmission of alert events, and the alert processing algorithms studied in the dissertation are implemented as components.
English abstract
In a network defense system, different security devices produce a large number of alerts identifying malicious activity. However, many of those alerts are wrong: they are either unrelated to malicious activity (false positives) or do not represent a successful attack (non-relevant positives). The high volume and low quality of intrusion alerts make it very challenging for network managers to understand the alerts and take appropriate action. Furthermore, isolated alerts cannot properly reflect the current security state of the network. To solve these problems, this dissertation studies several key techniques of alert processing. The main research content is as follows:
1. Alert pre-processing
An alert normalization method is given that extends the IDMEF data model and implements it in a binary encoding. A rule-based alert filter is designed and implemented, which is flexible and convenient for processing alerts. An alert clustering method based on multiple features is then presented to reduce data redundancy; to improve clustering efficiency it uses the hierarchy of alert features to reduce the comparison space.
2. Alert verification and fusion based on multi-source information
An alert verification method based on predicate logic is presented, which matches alert attributes against information about the target network system. Uncertain factors influence the accuracy of verification: the quality of the gathered information and its timeliness. To keep the verification results sound, an approach using fuzzy comprehensive evaluation to analyze these uncertainties is given. An alert confidence fusion framework that fuses information from diverse sensors is presented, which reduces false positives while improving the level of detection.
3. Attack scenario construction based on alerts
Based on the attack strategy model, a multi-scale alert correlation approach is put forward that uses the cause-effect relationships between alerts to construct attack scenarios at different scales. The approach uses the abstraction relationships between alert types at different scales to restrict the search space; experimental results show that this clearly improves the efficiency of alert correlation. Under some conditions the alert correlation graph is split because causal information is lost. To solve this problem, a fuzzy-clustering algorithm is proposed that reconstructs the attack scenario, using the similarity of alert attributes as a measure of the cause-effect relationship between alerts.
4. Security situation assessment based on alerts
Network security situation assessment based on received alerts is studied at the macroscopic and microscopic levels. At the macroscopic level, a mission-based quantitative assessment method is given, which uses the threat level of attacks to quantify the network security situation. At the microscopic level, a quantitative assessment method based on attack scenarios is advanced: taking the attack scenario as the assessed object, it provides the threat and impact of a causally related series of attacks over the whole process.
5. Realization of the alert processing system
A component-based security management platform prototype is designed, which provides the underlying data and runtime environment for the implementation of alert processing. The component-based event processing module is designed and implemented in detail; it adopts the publish/subscribe model in a distributed system for real-time transmission of alerts.
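The pre-processing chain of item 1 (normalization into an IDMEF-like record, rule-based filtering, and aggregation that uses the address hierarchy to bound the comparison range), as an added Python example that is not code from the dissertation. The Snort-style fast-alert lines, the filter rule, the /24 bucket and the 60-second window are constructed for the example; a flat rule list stands in for the rule tree of the abstract, and the IDMEF extension and its binary encoding are not reproduced.

```python
"""Alert pre-processing: normalize Snort fast-alert lines into IDMEF-like
records, drop alerts that match filter rules, aggregate near-duplicates."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Snort-style fast-alert lines (not real sensor output).
RAW_ALERTS = [
    "09/14-10:00:01.000 [**] [1:2001:3] ET SCAN Nmap SYN scan [**] {TCP} 10.0.0.5:44000 -> 192.168.1.10:22",
    "09/14-10:00:02.000 [**] [1:2001:3] ET SCAN Nmap SYN scan [**] {TCP} 10.0.0.5:44001 -> 192.168.1.11:22",
    "09/14-10:00:03.000 [**] [1:2001:3] ET SCAN Nmap SYN scan [**] {TCP} 10.0.0.5:44002 -> 192.168.1.12:22",
    "09/14-10:00:09.000 [**] [1:1234:1] WEB-MISC /etc/passwd access [**] {TCP} 10.0.0.5:44100 -> 192.168.1.10:80",
    "09/14-10:05:00.000 [**] [1:0486:1] ICMP Destination Unreachable [**] {ICMP} 192.168.1.1 -> 192.168.1.10",
    "09/14-10:30:00.000 [**] [1:2001:3] ET SCAN Nmap SYN scan [**] {TCP} 10.0.0.5:45000 -> 192.168.1.13:22",
]

FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<name>.+?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def _split_endpoint(ep):
    # IPv4 only (assumption): "a.b.c.d:port", or a bare address for ICMP.
    if ":" in ep:
        host, port = ep.rsplit(":", 1)
        return host, int(port)
    return ep, None


def normalize(line, analyzer="snort-1"):
    """Map one fast-alert line onto an IDMEF-like alert dict."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    return {
        "analyzer": analyzer,
        # The fast-alert format carries no year; strptime defaults it to 1900.
        "create_time": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),
        "classification": m["name"],
        "sid": m["sid"],
        "protocol": m["proto"],
        "source": {"address": src, "port": sport},
        "target": {"address": dst, "port": dport},
    }


# Each rule is a conjunction of (dotted field, regex); an alert matching every
# clause of any rule is discarded. Constructed rule: the gateway's own ICMP
# unreachable messages are noise for this deployment.
FILTER_RULES = [
    {"classification": r"^ICMP Destination Unreachable",
     "source.address": r"^192\.168\.1\.1$"},
]


def _field(alert, dotted):
    cur = alert
    for part in dotted.split("."):
        cur = cur[part]
    return "" if cur is None else str(cur)


def filter_alerts(alerts, rules=FILTER_RULES):
    """Keep only alerts that match no filter rule completely."""
    return [a for a in alerts
            if not any(all(re.search(rx, _field(a, f)) for f, rx in rule.items())
                       for rule in rules)]


def aggregate(alerts, window=timedelta(seconds=60), prefixlen=24):
    """Merge alerts of one classification from one source against targets in
    the same /prefixlen network when they fall within `window` of the group's
    last alert. Bucketing on the coarse key first means each alert is compared
    only with the open group of its own bucket, never with every earlier alert."""
    buckets = defaultdict(list)  # coarse key -> groups opened under that key
    out = []
    for a in sorted(alerts, key=lambda x: x["create_time"]):
        net = ipaddress.ip_network(f"{a['target']['address']}/{prefixlen}", strict=False)
        key = (a["classification"], a["source"]["address"], str(net))
        groups = buckets[key]
        if groups and a["create_time"] - groups[-1]["last"] <= window:
            g = groups[-1]
            g["count"] += 1
            g["last"] = a["create_time"]
            g["targets"].add(a["target"]["address"])
        else:
            g = {"classification": a["classification"], "source": a["source"]["address"],
                 "target_net": str(net), "targets": {a["target"]["address"]},
                 "first": a["create_time"], "last": a["create_time"], "count": 1}
            groups.append(g)
            out.append(g)
    return out


def preprocess(lines):
    """Full chain: normalize, filter, aggregate."""
    return aggregate(filter_alerts([normalize(l) for l in lines]))
```

On the constructed input the three scan alerts within a few seconds collapse into one record with three targets, the later scan half an hour later stays separate, and the gateway's ICMP message never reaches aggregation.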
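The verification and fusion of item 2, as an added example that is not the dissertation's method: the preconditions of a signature are checked as predicates against an asset inventory, each inventory fact carries a membership degree equal to its collection accuracy discounted by information age, and alerts from several sensors on the same event are combined. The exponential age decay with a seven-day constant, the neutral 0.5 for hosts missing from the inventory, and the noisy-OR combination are this example's choices and not the fuzzy comprehensive evaluation or the fusion framework of the thesis. The inventory, preconditions, sensor reliabilities and alerts are all constructed.

```python
"""Predicate-style alert verification against an asset inventory, with
information age folded into the membership degree, and noisy-OR confidence
fusion across sensors."""
import math
from datetime import datetime, timedelta

NOW = datetime(2008, 9, 14, 10, 0, 0)  # evaluation time (constructed)
TAU = timedelta(days=7)                # age at which a fact keeps 1/e of its weight (assumption)

# Constructed inventory: what is believed about each host, how accurate the
# collection method is, and when the host was last observed.
INVENTORY = {
    "192.168.1.10": {"os": "linux", "ports": {22, 80}, "accuracy": 0.9,
                     "observed": datetime(2008, 9, 14, 9, 0)},    # fresh active scan
    "192.168.1.20": {"os": "windows", "ports": {135, 445}, "accuracy": 0.6,
                     "observed": datetime(2008, 9, 1, 0, 0)},     # stale passive data
}

# Constructed knowledge base: what must hold on the target for the signature
# to describe an attack that can succeed there.
PRECONDITIONS = {
    "WEB-MISC /etc/passwd access": {"port": 80, "os": "linux"},
    "NETBIOS SMB exploit": {"port": 445, "os": "windows"},
}

SENSOR_RELIABILITY = {"snort-dmz": 0.8, "suricata-core": 0.7}  # constructed

# Constructed, already-normalized alerts (source omitted: verification only
# needs the target).
ALERTS = [
    {"analyzer": "snort-dmz", "create_time": NOW,
     "classification": "WEB-MISC /etc/passwd access",
     "target": {"address": "192.168.1.10", "port": 80}},
    {"analyzer": "snort-dmz", "create_time": NOW + timedelta(seconds=2),
     "classification": "NETBIOS SMB exploit",
     "target": {"address": "192.168.1.10", "port": 445}},   # Linux host, 445 closed
    {"analyzer": "snort-dmz", "create_time": NOW + timedelta(seconds=4),
     "classification": "NETBIOS SMB exploit",
     "target": {"address": "192.168.1.20", "port": 445}},
    {"analyzer": "suricata-core", "create_time": NOW + timedelta(seconds=5),
     "classification": "NETBIOS SMB exploit",
     "target": {"address": "192.168.1.20", "port": 445}},   # second sensor, same event
    {"analyzer": "snort-dmz", "create_time": NOW + timedelta(seconds=8),
     "classification": "NETBIOS SMB exploit",
     "target": {"address": "192.168.1.99", "port": 445}},   # host absent from inventory
]


def certainty(host):
    """Membership degree of an inventory fact: collection accuracy discounted
    by how old the observation is."""
    age = NOW - host["observed"]
    return host["accuracy"] * math.exp(-(age / TAU))


def verify(alert):
    """Every precondition of the signature must hold on the target.
    Returns the verdict, the failed predicates and a relevance membership."""
    host = INVENTORY.get(alert["target"]["address"])
    if host is None:
        # No inventory data is not evidence of irrelevance: keep the alert
        # at a neutral membership so it is not silently discarded.
        return {"verdict": "unknown", "failed": [], "membership": 0.5}
    need = PRECONDITIONS.get(alert["classification"], {})
    checks = {
        "port_open": "port" not in need or need["port"] in host["ports"],
        "os_matches": "os" not in need or need["os"] == host["os"],
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        return {"verdict": "non-relevant", "failed": failed, "membership": 0.0}
    # Both facts come from the same inventory record, so the fuzzy AND (min)
    # over them is that record's certainty.
    return {"verdict": "relevant", "failed": [], "membership": certainty(host)}


def fuse(alerts, window=timedelta(seconds=5)):
    """Group alerts that describe one event (same signature and target, close
    in time) across sensors and combine their evidence with a noisy-OR, each
    sensor's contribution being membership times sensor reliability. Agreeing
    sensors raise confidence; a non-relevant alert contributes nothing."""
    events = []
    for a in sorted(alerts, key=lambda x: x["create_time"]):
        v = verify(a)
        key = (a["classification"], a["target"]["address"], a["target"]["port"])
        ev = next((e for e in events
                   if e["key"] == key and a["create_time"] - e["last"] <= window), None)
        if ev is None:
            ev = {"key": key, "first": a["create_time"], "last": a["create_time"],
                  "sensors": [], "verdict": v["verdict"], "confidence": 0.0}
            events.append(ev)
        ev["last"] = a["create_time"]
        ev["sensors"].append(a["analyzer"])
        contribution = v["membership"] * SENSOR_RELIABILITY.get(a["analyzer"], 0.5)
        ev["confidence"] = 1 - (1 - ev["confidence"]) * (1 - contribution)
    return events
```

The SMB exploit against the Linux host fails both predicates and ends with zero confidence; the same signature against the Windows host is relevant, but two-week-old passive inventory data keeps its confidence low even with two sensors agreeing, which is the timeliness effect the abstract describes.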
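The causal correlation of item 3 with a coarse alert-type hierarchy, plus bridging of a graph split by a missed alert, as an added example that is not the dissertation's algorithm. The prerequisite/consequence knowledge base, the three-stage hierarchy and the alerts are constructed; the stage comparison is a simple stand-in for the multi-scale abstraction, and the endpoint-similarity bridge is a crude substitute for the fuzzy-clustering combination.

```python
"""Prerequisite/consequence alert correlation, pruned at a coarse type scale,
with similarity bridging for alerts whose causal parent was never seen."""
from collections import defaultdict

# Constructed knowledge base: (coarse stage, prerequisites, consequences),
# predicates written over the alert's own endpoints.
STAGE = {"RECON": 0, "EXPLOIT": 1, "POST_EXPLOIT": 2}
TYPES = {
    "ET SCAN Nmap SYN scan":         ("RECON",        set(),                      {"ServiceDiscovered(dst)"}),
    "WEB-MISC /etc/passwd access":   ("EXPLOIT",      {"ServiceDiscovered(dst)"}, {"InfoLeak(dst)"}),
    "SHELLCODE x86 NOOP":            ("EXPLOIT",      {"ServiceDiscovered(dst)"}, {"Compromised(dst)"}),
    "TFTP GET outbound":             ("POST_EXPLOIT", {"Compromised(src)"},       {"ToolInstalled(src)"}),
    "DDOS mstream handler to agent": ("POST_EXPLOIT", {"ToolInstalled(src)"},     {"DDoSReady(dst)"}),
}

# Constructed, already-normalized alerts: (id, seconds, signature, src, dst).
ALERTS = [
    ("a1",   0, "ET SCAN Nmap SYN scan",         "10.0.0.5",     "192.168.1.10"),
    ("a2",  30, "WEB-MISC /etc/passwd access",   "10.0.0.5",     "192.168.1.10"),
    ("a6",  50, "ET SCAN Nmap SYN scan",         "10.0.0.9",     "192.168.2.1"),   # unrelated
    ("a3",  60, "SHELLCODE x86 NOOP",            "10.0.0.5",     "192.168.1.10"),
    ("a4",  90, "TFTP GET outbound",             "192.168.1.10", "10.0.0.5"),
    ("a5", 120, "DDOS mstream handler to agent", "192.168.1.10", "192.168.1.11"),
    ("a7", 200, "SHELLCODE x86 NOOP",            "10.0.0.5",     "192.168.1.12"),  # scan of .12 was missed
]


def instantiate(preds, src, dst):
    """Bind the endpoint placeholders of abstract predicates to one alert."""
    return {p.replace("(src)", f"({src})").replace("(dst)", f"({dst})") for p in preds}


def correlate(alerts, window=300):
    """Fine scale: edge a->b when a precedes b within `window`, a's coarse stage
    is not later than b's (cheap test before the set intersection), and a
    consequence of a is a prerequisite of b. Also returns how many pairs
    survived the coarse test, to show the pruning."""
    alerts = sorted(alerts, key=lambda x: x[1])
    edges, examined = [], 0
    for i, (ia, ta, sa, srca, dsta) in enumerate(alerts):
        cat_a, _, post_a = TYPES[sa]
        post = instantiate(post_a, srca, dsta)
        for ib, tb, sb, srcb, dstb in alerts[i + 1:]:
            if tb - ta > window:
                break
            cat_b, pre_b, _ = TYPES[sb]
            if STAGE[cat_a] > STAGE[cat_b]:
                continue  # pruned at the coarse scale
            examined += 1
            if post & instantiate(pre_b, srcb, dstb):
                edges.append((ia, ib, "causal"))
    return edges, examined


def bridge(alerts, edges, window=300, threshold=0.5):
    """Attach alerts without a causal parent to the earlier scenario member
    that shares the most endpoints (ties go to the most recent). The result is
    a similarity edge, never a causal claim."""
    alerts = sorted(alerts, key=lambda x: x[1])
    members = {x for a, b, _ in edges for x in (a, b)}
    has_parent = {b for _, b, _ in edges}
    out = list(edges)
    for aid, t, _, src, dst in alerts:
        if aid in has_parent:
            continue
        best, best_sim = None, 0.0
        for pid, pt, _, psrc, pdst in alerts:
            if pt >= t or t - pt > window or pid not in members:
                continue
            sim = ((src == psrc) + (dst == pdst)) / 2  # crude endpoint similarity
            if sim >= best_sim:
                best, best_sim = pid, sim
        if best is not None and best_sim >= threshold:
            out.append((best, aid, "similarity"))
            members.add(aid)
    return out


def scenarios(alerts, edges):
    """Connected components of the correlation graph are the attack scenarios;
    each is also summarized at the coarse scale as its sequence of stages."""
    adj = defaultdict(set)
    for a, b, _ in edges:
        adj[a].add(b)
        adj[b].add(a)
    by_id = {a[0]: a for a in alerts}
    seen, out = set(), []
    for aid, *_ in sorted(alerts, key=lambda x: x[1]):
        if aid in seen:
            continue
        comp, stack = [], [aid]
        while stack:
            x = stack.pop()
            if x in seen:
                continue
            seen.add(x)
            comp.append(x)
            stack.extend(adj[x])
        comp.sort(key=lambda x: by_id[x][1])
        stages = []
        for x in comp:
            cat = TYPES[by_id[x][2]][0]
            if not stages or stages[-1] != cat:
                stages.append(cat)
        out.append({"alerts": comp, "stages": stages})
    return out
```

With the constructed alerts the causal pass links scan, exploit, tool download and DDoS staging on 192.168.1.10, leaves the second exploit (a7) orphaned because its scan was never reported, and the bridge attaches it through the shared attacker address; the unrelated scan from 10.0.0.9 stays a scenario of its own.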