Research on Network Security Situation Awareness Technology
Abstract
In recent years Internet technology has developed rapidly, and computer networks play an increasingly important role in politics, the economy, the military, social life and other fields. However, networks face a large number of threats such as hacker attacks, Trojans and viruses, and the network security situation is becoming increasingly serious. Although security protection and management products such as firewalls, intrusion detection, anti-virus software, identity authentication and security auditing are widely deployed, these devices typically handle only single-point, isolated security problems and cannot support one another or work cooperatively; moreover, their logs contain a great deal of redundancy and false alarms. They therefore cannot yet meet the monitoring needs of the network as a whole, and of large-scale networks in particular. This dissertation therefore studies security event correlation analysis, network threat and macro security situation assessment, and situation prediction from the perspective of situation awareness. The work covers the following four aspects:
First, threat assessment indicators are selected according to the extraction principles for network security threat situation assessment indicators, and on this basis a method for quantifying these indicators is given. To address the unclear meaning of the distinguishing coefficient in grey relational analysis, a method for determining indicator weights based on improved grey relational analysis is proposed. The method uses the analytic hierarchy process (AHP) to assign normalized importance weights to the evaluation indicators, and assigns to each relational coefficient a quantified weight reflecting how close the comparison sequence is to the reference sequence, thereby correcting the traditional grey relational analysis model and yielding indicator weights that are more objective and credible.
Second, a security event clustering method based on hierarchical clustering is proposed. It aggregates alert events in a layered fashion, combining different clustering methods so that the strengths of each algorithm are exploited while avoiding the one-sided results produced by any single method. In addition, a security event correlation method based on attack graphs is proposed. Using the information an attack graph provides, it obtains the distance between vulnerability-exploitation nodes (the attack graph distance) and uses that distance to measure the correlation between security events, thereby correlating the steps of multi-step attacks.
Third, a network threat assessment model based on a grey-fuzzy weight matrix and a macro network security situation assessment model based on an adaptive neuro-fuzzy inference system (ANFIS) are proposed. The fuzzy weight matrix yields the final network threat assessment result and a network threat situation graph; grey relational analysis of the threat assessment data then ranks the threat degree of each threat type and of each host, revealing which attack types are more dangerous and which hosts are more seriously threatened. Indicators reflecting network security are extracted from multiple devices such as intrusion detection systems and vulnerability scanners, fused and evaluated with ANFIS, and the evolution trend of the macro network security situation is finally displayed in quantified form.
Finally, to address early warning of the network security situation, a prediction technique based on time series analysis is proposed. By analysing past and current network security conditions and applying the ARMA (Auto-Regressive Moving Average) model to the historical network security situation series, fairly accurate predicted values of the network security situation are obtained.
With the fast development of Internet technologies, computer networks have played an increasingly important role in the fields of politics, economy, military, and social life. However, there are too many attacks, Trojans, viruses and other threats on the Internet, which make the network security situation even worse. Although firewalls, VPN, IDS, anti-virus software, identity authentication, data encryption, security audit and other network security management products have been widely used, these devices are often limited to single-point, isolated security issues and cannot support each other or work together. There are so many redundancies and false alarms in the logs that they cannot satisfy the security monitoring requirements of the global network or of large-scale networks. As a result, this paper does research work on security alert correlation analysis, network threat and macro situation assessment, and situation trend prediction. It mainly includes:
Firstly, the threat evaluation indicators are selected according to the selection principles for network security situation indicators. On this basis, a quantitative evaluation method is proposed. To solve the problem that the choice of the distinguishing coefficient in grey relational analysis lacks a clear meaning, a weight determination method based on improved grey relational analysis is proposed. The method assigns normalized weights to the evaluation indicators with AHP (Analytic Hierarchy Process), and then assigns to the relational coefficients quantified weights reflecting how close the comparison sequence is to the reference sequence. The dissertation thereby amends the traditional grey relational analysis model, and the resulting weights are more objective and credible.
Secondly, a security alert clustering method based on hierarchical clustering is proposed. It clusters alerts hierarchically, combining different clustering methods. This method takes advantage of the strengths of different clustering algorithms and avoids the one-sided clustering result caused by a single method. In addition, a security alert correlation method based on attack graphs is presented. With this method, the distance between vulnerability-exploitation nodes (the attack graph distance) is obtained from the information in the attack graph. The correlation between security alerts is measured by the attack graph distance, and multi-step attacks are then correlated.
Thirdly, the dissertation proposes a network threat situation assessment model based on a grey-fuzzy weight matrix and a network situation assessment model based on ANFIS. With the fuzzy weight matrix, the dangerous degree of network threats can be evaluated and the threat situation trend picture drawn. With grey relational analysis, the dissertation sorts the threat degrees of different attacks and hosts and finds out which attack type is more dangerous and which host is more threatened. Using the indicators extracted from IDS and Nessus, they are fused and evaluated with ANFIS and the network security situation trend is ultimately expressed in quantified form.
Finally, the dissertation solves the network security situation trend prediction problem with time series analysis technology. Drawing on the analysis of the historical and current situation, the dissertation analyses the trend data series with the ARMA model and obtains a relatively accurate predicted value of the network security situation trend.
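As an added illustration of the attack-graph-distance correlation described in the second part of both abstracts above (example code written for this page, not the dissertation's own implementation): a constructed attack graph, a breadth-first search for the attack graph distance between exploitation nodes, and an alert stream chained into multi-step scenarios whenever the earlier alert's node reaches the later one's within a threshold distance. The graph, node names, alert-to-node mapping, timestamps and threshold are all assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Constructed attack graph (hypothetical): nodes are vulnerability-exploitation
# steps; an edge u -> v means exploiting u grants what is needed to attempt v.
ATTACK_GRAPH = {
    "scan_dmz": ["exploit_ftp_dmz", "exploit_web_dmz"],
    "exploit_ftp_dmz": ["pivot_internal"],
    "exploit_web_dmz": ["pivot_internal"],
    "pivot_internal": ["exploit_db_internal"],
    "exploit_db_internal": ["exfil_db"],
    "exfil_db": [],
    "bruteforce_vpn": [],  # unrelated branch; must never be chained in
}
def attack_graph_distance(graph, src, dst):
    """Directed shortest-path length (edges) from src to dst; None if unreachable."""
    if src == dst:
        return 0
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, d = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt == dst:
                return d + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return None
@dataclass
class Alert:
    ts: int     # event time (constructed, arbitrary units)
    node: str   # attack-graph node the IDS signature was mapped to
def correlate(alerts, graph, max_distance=2):
    """Process alerts in time order; an alert joins the first chain whose last node
    reaches it within max_distance edges, else starts a new chain. Returns index lists."""
    chains = []
    for i in sorted(range(len(alerts)), key=lambda k: alerts[k].ts):
        for chain in chains:
            d = attack_graph_distance(graph, alerts[chain[-1]].node, alerts[i].node)
            if d is not None and 0 < d <= max_distance:
                chain.append(i)
                break
        else:
            chains.append([i])
    return chains
# Constructed alert stream: no alert fired for the pivot step, so max_distance=2 is
# needed to bridge exploit_web_dmz -> exploit_db_internal; bruteforce_vpn stays alone.
SAMPLE_ALERTS = [Alert(100, "scan_dmz"), Alert(130, "bruteforce_vpn"),
                 Alert(160, "exploit_web_dmz"), Alert(300, "exploit_db_internal"),
                 Alert(420, "exfil_db")]
```

Lowering `max_distance` to 1 splits the scenario at the missing pivot alert, which is the trade-off the threshold controls: tolerance for unobserved steps versus the risk of joining unrelated events.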