Research on Several Key Issues in Network Security Situational Awareness
Abstract
With the continued development of information technology and the ever-growing scale of networks, the importance of information security has been widely recognized within the industry. To safeguard network information security, large-scale research on network security situational awareness is essential. Such research is of great significance for improving the emergency response capability of China's network systems, mitigating the damage caused by network attacks, discovering potentially malicious intrusion behaviour, and strengthening the ability of systems to counter attacks. As a new technology, network situational awareness has considerable room for development.
     There is as yet no strict, unified standard for research on network security situational awareness, but sustained work in the field has produced a consensus on what situational awareness involves. Network security situational awareness is a three-stage process: network security situation perception, network security situation comprehension and network security situation prediction. Through a qualitative or quantitative evaluation system for the network security situation, the various low-level security events are merged, correlated and fused, and the resulting situational picture is presented to network administrators as a visualization. From the information in the view, administrators judge the current security situation and its likely future trend, and then take effective countermeasures. Accordingly, using techniques such as information fusion and risk assessment to improve the event detection capability of low-level monitoring devices, and on that basis obtaining an accurate and effective qualitative or quantitative evaluation system, has become an important research direction in network security situational awareness.
     In the situation perception stage, the security events or performance indicators used by network security situational awareness come from low-level security devices, so its perception capability is directly affected by the accuracy and efficiency of those devices. By examining Dempster-Shafer evidence combination theory and its principle of uncertainty assignment, the identity reasoning method of that theory is combined with the detection results of multiple sensors; the concepts of subjective uncertainty and objective uncertainty are defined; and a spatial sensor combination scheme together with an uncertainty reassignment principle are proposed, which eliminate the detection blind zone of a single sensor and improve detection accuracy. In addition, since earlier research rarely discussed how feature extraction can be used to distinguish anomalies effectively when selecting traffic indicators, this thesis introduces unsupervised learning algorithms to evaluate the optimality of the feature selection scheme, and concludes that traffic statistical features can effectively distinguish traffic states, which provides a theoretical basis for implementing the fused detection scheme.
     Currently, network security situational awareness research concentrates largely on situation comprehension oriented towards attack threats. Situation comprehension schemes generally adopt a risk index as the evaluation metric: the network is divided into layers, and the risk values of the low-level elements are fused with weights to obtain a quantitative evaluation of the situation. This thesis aims to obtain more objective and general evaluation results and to eliminate the randomness and subjectivity in the assignment of weighting coefficients found in earlier quantitative index systems. On the basis of an in-depth analysis of the hierarchical structure of the network, the Analytic Hierarchy Process (AHP) is introduced into the quantitative evaluation index system for the network security situation, with the service layer, host layer and network layer mapped to the alternative, criterion and goal levels of AHP respectively. The concepts of Situation Meta, Situation Weight and Situation Base are defined to standardize the quantitative evaluation index system for the network security situation. A worked example describes how to construct the pairwise comparison (judgement) matrix, use the service risk index as the situation base, and finally obtain a quantitative network security situational awareness result. Simulation results demonstrate the feasibility of the scheme.
     Different research organizations understand the network security situational awareness process differently, and there is no standard carrier for situation information or standard situation extraction framework, so situation comprehension capability cannot be evaluated and lacks normalization. The Endsley situation model is a classic model in the traditional situational awareness field, with a well-defined data processing and situation extraction procedure, but it has rarely been applied to network security situations. Since earlier research concentrated on designing qualitative or quantitative evaluation systems and seldom addressed security situation modelling, this thesis proposes an extensible network security situation model and situation extraction framework based on the Endsley model. The scheme merges the situation information users care about, such as attack frequency, attack time and attack space, into a fine-grained multi-dimensional structure, and introduces the concept of knowledge bases to assist situation extraction, so that users can perform secondary analysis by time and space on top of the situation model, extract the situation information of interest, and support their decisions. The scheme is evaluated on data from the HoneyNet and from the SJTU campus network, and produces efficient and clear situation visualizations. It highlights high-severity situation changes while also preserving the details of low-severity changes, which eases analysis and management, and provides a reference for standardizing the situation extraction process and security situation modelling.
     Complete network security situational awareness comprises situation perception, situation comprehension and situation prediction, but past research has concentrated on the first two stages. Because network intrusions and attacks are strongly random and uncertain, the security situation changes derived from them form a complex non-linear process, which limits the use of traditional prediction models. From an analysis of how network attacks change the situation, this thesis argues that the accumulated curve of the network security situation risk value has an S-shaped characteristic, and proposes an improvement to the classic grey Verhulst model. The proposed grey Verhulst model with adaptive parameters and equal-dimension grey filling adjusts the model parameters dynamically according to the fluctuation of the first-order accumulated sequence. By introducing equal-dimension grey filling, the scheme overcomes the inability of earlier prediction schemes to update promptly as the curve trend changes, without increasing the computational complexity of the conventional model. Experimental results show that, compared with earlier prediction methods based on the conventional GM(1,1) and conventional grey Verhulst models, the scheme effectively improves prediction accuracy and is worth generalizing.
     Finally, after summarizing the thesis, the problems that future security situational awareness research must face are discussed; ideas are put forward for applying time series analysis to security situational awareness, for using rough set theory to predict future changes in the security situation, and for situation prediction based on multi-criteria fusion.
With the rapid development of information technology and the prevalence of the Internet, researchers agree on the importance of information security. To protect information and infrastructure, large-scale investigation of Network Situational Awareness (NSA) is necessary: it can improve emergency response capability, reduce the damage of network attacks, uncover underlying malicious activities and enhance counterattack ability.
     NSA is an emerging and promising technique; although no unified standard has yet been formed, some common understanding has been reached. NSA is acquired by merging, combining and fusing low-level security events, extracting the information of interest and presenting the results visually. From the visual analysis, the current status and trend of the real network security situation can be obtained and effective measures taken. Hence, using data fusion to enhance the detection performance of low-level equipment and obtaining an accurate and effective situation evaluation system have become important research directions.
     The index system of NSA originates from the fusion of security events captured by multiple intrusion detection (ID) systems, so the capability of NSA depends on the accuracy and efficiency of the ID systems. Building on Dempster-Shafer evidence theory, which is widely applied in event detection, its uncertainty assignment rule and its evidence combination rule, identity reasoning is combined with the detection results of multiple sensors, the definitions of Subjective Uncertainty and Objective Uncertainty are introduced, and a spatial combination rule and an uncertainty reassignment rule are proposed to eliminate the blind zone and improve detection accuracy. Furthermore, to address how anomalies can be distinguished when selecting flow indices, Unsupervised Learning is introduced to evaluate the optimality of feature selection, leading to the conclusion that flow statistics features can differentiate flow status. This evaluation provides the theoretical basis for the proposed fusion detection method.
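As an added example (not the thesis's code), the classical Dempster-Shafer combination that the perception-stage paragraphs in both abstracts build on: two constructed sensor reports over the frame {attack, normal} are fused with Dempster's rule, and the belief/plausibility interval shows how the blind zone a single sensor leaves on the whole frame narrows after combination. The thesis's own spatial combination and uncertainty reassignment rules are not given on this page, so only the standard rule is implemented; the sensor names and mass values are assumptions.

```python
from fractions import Fraction
from itertools import product
from typing import Dict, FrozenSet, Tuple

# Frame of discernment for one monitored host: is the observed activity an attack or normal?
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL        # whole frame: mass here means "cannot tell"

Mass = Dict[FrozenSet[str], Fraction]   # basic probability assignment (BPA)


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule for two independent bodies of evidence.

    m12(X) = sum_{Y ∩ Z = X} m1(Y) m2(Z) / (1 - K),  K = sum_{Y ∩ Z = ∅} m1(Y) m2(Z).
    K is the conflict mass; K == 1 is total conflict and the rule is undefined.
    """
    conflict = Fraction(0)
    fused: Mass = {}
    for (y, my), (z, mz) in product(m1.items(), m2.items()):
        x = y & z
        if x:
            fused[x] = fused.get(x, Fraction(0)) + my * mz
        else:
            conflict += my * mz
    if conflict == 1:
        raise ValueError("total conflict between sensors; Dempster's rule is undefined")
    return {x: v / (1 - conflict) for x, v in fused.items()}


def belief(m: Mass, h: FrozenSet[str]) -> Fraction:
    """Bel(H): mass committed to H or to a subset of H."""
    return sum((v for x, v in m.items() if x <= h), Fraction(0))


def plausibility(m: Mass, h: FrozenSet[str]) -> Fraction:
    """Pl(H): mass that does not contradict H (every focal set meeting H)."""
    return sum((v for x, v in m.items() if x & h), Fraction(0))


def attack_interval(m: Mass) -> Tuple[float, float]:
    """[Bel(attack), Pl(attack)]: the gap between them is the sensor's blind zone."""
    return float(belief(m, ATTACK)), float(plausibility(m, ATTACK))


# Constructed sensor reports (not thesis data). A signature IDS with no rule for this
# traffic leaves most of its mass on THETA; a flow-anomaly detector has an opinion.
SIGNATURE_IDS: Mass = {ATTACK: Fraction(1, 10), NORMAL: Fraction(1, 10), THETA: Fraction(4, 5)}
FLOW_ANOMALY: Mass = {ATTACK: Fraction(3, 5), NORMAL: Fraction(1, 10), THETA: Fraction(3, 10)}


def fused_attack_interval() -> Tuple[float, float]:
    """Combine both sensors and report the attack belief/plausibility interval."""
    return attack_interval(combine(SIGNATURE_IDS, FLOW_ANOMALY))


def total_conflict_is_rejected() -> bool:
    """Two sensors that fully contradict each other must not be silently fused."""
    try:
        combine({ATTACK: Fraction(1)}, {NORMAL: Fraction(1)})
    except ValueError:
        return True
    return False
```

On the constructed reports the signature IDS alone gives the interval [0.1, 0.9]; after combination it is [19/31, 27/31], with the mass left on the whole frame falling from 4/5 to 8/31.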
     Research on NSA focuses on real-time security situation evaluation. The risk index is usually adopted as the evaluation index, and the scheme is implemented by dividing the network into a hierarchy, applying simple weighting coefficients and fusing the low-level risk. The purpose here is to acquire objective and general evaluation results and to eliminate the deficiency in the assignment of weighting coefficients. On the basis of a deep analysis of the network hierarchy, the Analytic Hierarchy Process (AHP) is employed in the whole situation analysis, with the service level, host level and network level corresponding to the scheme level, index level and target level of AHP, respectively. The concepts Situation Meta, Situation Weight and Situation Base are introduced to standardize the situation evaluation. The process is summarized with an example of how to construct the pairwise comparison matrix, adopt the risk index of a service as the situation base, and obtain the evaluation results. The simulation results prove the scheme feasible, and the scheme can be extended.
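As an added example (not the thesis's code) of the three-level AHP evaluation described in both abstracts: situation weights are derived from a pairwise comparison matrix by power iteration, the consistency ratio is checked before the weights are used, and the service risk indices (the situation base) are fused up to host and then network risk. The judgement matrices and risk indices below are constructed assumptions.

```python
from typing import List, Sequence, Tuple

# Saaty's random consistency index RI by matrix order (standard AHP table, orders 1..10).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}
CR_LIMIT = 0.1  # judgements with CR above this are too inconsistent to use


def ahp_weights(matrix: Sequence[Sequence[float]], tol: float = 1e-10) -> Tuple[List[float], float]:
    """Situation weights from a pairwise comparison (judgement) matrix.

    Returns the normalized principal eigenvector (by power iteration) and the
    consistency ratio CR = CI / RI, where CI = (lambda_max - n) / (n - 1).
    """
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n or abs(matrix[i][i] - 1.0) > 1e-12:
            raise ValueError("judgement matrix must be square with a unit diagonal")
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"a[{i}][{j}] must be the reciprocal of a[{j}][{i}]")
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(10_000):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw[i] / w[i] for i in range(n)) / n   # lambda_max estimate: (A w)_i / w_i
        total = sum(aw)
        new_w = [v / total for v in aw]
        converged = max(abs(p - q) for p, q in zip(new_w, w)) < tol
        w = new_w
        if converged:
            break
    if n <= 2:
        return w, 0.0  # a 2x2 reciprocal matrix is always consistent
    return w, (lam - n) / (n - 1) / RANDOM_INDEX[n]


def judgements_usable(matrix: Sequence[Sequence[float]]) -> bool:
    """True when the judgement matrix passes the CR <= 0.1 consistency check."""
    return ahp_weights(matrix)[1] <= CR_LIMIT


def host_risk(service_matrix: Sequence[Sequence[float]], service_risks: Sequence[float]) -> float:
    """Host layer: fuse the service risk indices (the situation base) with AHP weights."""
    w, cr = ahp_weights(service_matrix)
    if cr > CR_LIMIT:
        raise ValueError(f"service judgements inconsistent (CR={cr:.3f} > {CR_LIMIT})")
    return sum(wi * r for wi, r in zip(w, service_risks))


def network_risk(host_matrix: Sequence[Sequence[float]],
                 hosts: Sequence[Tuple[Sequence[Sequence[float]], Sequence[float]]]) -> float:
    """Network layer (goal): fuse host risks, each obtained from its own service layer."""
    w, cr = ahp_weights(host_matrix)
    if cr > CR_LIMIT:
        raise ValueError(f"host judgements inconsistent (CR={cr:.3f} > {CR_LIMIT})")
    return sum(wi * host_risk(m, r) for wi, (m, r) in zip(w, hosts))


# Constructed sample hierarchy (not the thesis's data); service risk indices lie in [0, 1].
WEB_HOST = ([[1, 5 / 3, 5 / 2],   # web vs db vs ssh: perfectly consistent, weights 0.5/0.3/0.2
             [3 / 5, 1, 3 / 2],
             [2 / 5, 2 / 3, 1]], [0.8, 0.4, 0.2])
DB_HOST = ([[1, 3], [1 / 3, 1]], [0.1, 0.6])   # two services, weights 0.75/0.25
HOST_MATRIX = [[1, 2], [1 / 2, 1]]             # web host judged twice as important as db host


def sample_network_risk() -> float:
    """Network risk of the constructed hierarchy: 2/3 * 0.56 + 1/3 * 0.225."""
    return network_risk(HOST_MATRIX, [WEB_HOST, DB_HOST])


def saaty_example() -> Tuple[List[float], float]:
    """Classic Saaty-scale judgements (1 = equal ... 9 = extreme) with mild inconsistency."""
    return ahp_weights([[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]])
```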
     Different understandings of the Network Security Situation (NSS) among research organizations, and the absence of an NSA standard, lead to diversity in how NSA is acquired. As a classical model in the conventional SA field, the Endsley situation model provides standard data processing and situation extraction, yet it is seldom employed for the NSS. At the same time, earlier research focused on the framework design of situation evaluation without involving NSS modelling. An NSS model and situation extraction framework based on the Endsley model is proposed, which combines incident frequency, incident time and incident space into a fine-grained multi-dimensional structure. Three important knowledge bases, serving as situation extraction assistance, can be employed to implement secondary analysis over temporal and spatial factors, to extract the information of interest and to aid decisions. Evaluating the scheme on data captured in the HoneyNet and the SJTU campus network yields effective and explicit visual graphics for the convenience of analysis and management, which emphasize the details of lower-severity attacks while highlighting the situation variation of higher-severity attacks.
     The whole of NSA can be divided into three phases: situation perception (event detection), situation evaluation and situation prediction, but earlier research mainly concentrated on the first two. The strong randomness and uncertainty of network intrusions and attacks make the acquired situation variation a complicated non-linear process and restrict the use of conventional models. The conventional grey Verhulst model is improved from the viewpoint that the 1-AGO (first-order accumulated generating operation) curve of the situation risk value is an S-type curve. In the proposed grey Verhulst model with adaptive parameters and equal-dimension grey filling, the parameters are adjusted dynamically according to the variation of the 1-AGO curve. Without increasing computational complexity, the equal-dimension grey filling method overcomes the inability of conventional prediction schemes to update in real time as the curve trend changes. Simulation results show that precision is effectively improved compared with the traditional GM(1,1) and grey Verhulst models.
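As an added example (not the thesis's code), the conventional grey Verhulst model with equal-dimension grey filling that the prediction paragraphs in both abstracts take as their starting point: the parameters are estimated by least squares from the 1-AGO sequence, the next-period value comes from the model's time response, and each forecast is appended while the oldest sample is dropped before refitting. The thesis's adaptive-parameter adjustment is not described on this page and is not implemented; the per-period risk values are a constructed S-curve sample.

```python
import math
from typing import List, Tuple


def ago(x0: List[float]) -> List[float]:
    """1-AGO (first-order accumulated generating operation): x1(k) = sum of x0(1..k)."""
    out, acc = [], 0.0
    for v in x0:
        acc += v
        out.append(acc)
    return out


def fit_grey_verhulst(x0: List[float]) -> Tuple[float, float]:
    """Least-squares estimate of (a, b) in the grey Verhulst equation
    x0(k) + a*z1(k) = b*z1(k)^2,  z1(k) = (x1(k) + x1(k-1)) / 2,  k = 2..n.
    For a rising S curve both a and b come out negative and a/b is the saturation level."""
    if len(x0) < 4:
        raise ValueError("need at least 4 samples to estimate two parameters")
    x1 = ago(x0)
    z = [(x1[k] + x1[k - 1]) / 2 for k in range(1, len(x1))]
    y = x0[1:]
    # Normal equations for Y = B [a, b]^T, the rows of B being [-z, z^2].
    s11 = sum(zi ** 2 for zi in z)
    s12 = -sum(zi ** 3 for zi in z)
    s22 = sum(zi ** 4 for zi in z)
    t1 = -sum(zi * yi for zi, yi in zip(z, y))
    t2 = sum(zi ** 2 * yi for zi, yi in zip(z, y))
    det = s11 * s22 - s12 ** 2
    if abs(det) < 1e-12:
        raise ValueError("degenerate sequence: normal equations are singular")
    return (t1 * s22 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det


def predict_ago(x0: List[float], a: float, b: float, k: int) -> float:
    """Time response of dx/dt + a*x = b*x^2 at step k (k = 0 gives back x1(1)):
    x1(k+1) = a*x1(1) / (b*x1(1) + (a - b*x1(1)) * exp(a*k))."""
    x11 = x0[0]
    return a * x11 / (b * x11 + (a - b * x11) * math.exp(a * k))


def forecast_next(x0: List[float]) -> float:
    """1-AGO risk value one period past the end of the window."""
    a, b = fit_grey_verhulst(x0)
    return predict_ago(x0, a, b, len(x0))


def roll_forward(x0: List[float], steps: int) -> List[float]:
    """Equal-dimension grey filling: forecast one period, append the forecast as a new
    sample, drop the oldest one so the window keeps its dimension, refit, repeat.
    Returns the forecast per-period risk values (x0), which are comparable across windows."""
    window = list(x0)
    out = []
    for _ in range(steps):
        x0_next = forecast_next(window) - ago(window)[-1]
        out.append(x0_next)
        window = window[1:] + [x0_next]
    return out


def logistic_risk_sequence(n: int, cap: float = 100.0, rate: float = 0.6, c: float = 19.0) -> List[float]:
    """Constructed sample (not thesis data): per-period risk values whose 1-AGO follows the
    S curve cap / (1 + c*exp(-rate*(k-1))), k = 1..n."""
    x1 = [cap / (1 + c * math.exp(-rate * (k - 1))) for k in range(1, n + 1)]
    return [x1[0]] + [x1[k] - x1[k - 1] for k in range(1, n)]
```

Fitting the first eight constructed periods recovers a saturation level a/b close to the curve's cap of 100 and forecasts the ninth 1-AGO value to within about one per cent.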
     Finally, on the basis of a summary of the research work, the further development of NSA is discussed. We present the application of Time Series Analysis to future NSA research, and propose that Rough Sets Theory can be used to predict future situation variation qualitatively.