Research on Early-Warning Technology Based on Network Security Situational Awareness
Abstract
To discover and defend against sudden attacks on cyberspace at an early stage, traditional protection technologies such as authentication, trusted computing, firewalls and intrusion detection are not sufficient on their own. By monitoring and recognising intrusion attempts and intrusion behaviour across a large protected network, early-warning technology based on security situational awareness obtains a more precise description of threatening behaviour and a more complete and timely estimate of the network's security state, and attempts to predict the number and the spatio-temporal characteristics of attacks before they occur or cause serious damage, so that defensive measures can be taken in advance to strengthen the network. Research on early-warning technology for large-scale networks is therefore important for improving the emergency-response capability of network systems, mitigating the damage caused by network attacks and strengthening the ability to counter them.
     This thesis studies the technologies of an early-warning system based on network security situational awareness: the early-warning architecture, the knowledge representation model for the security situation, network measurement for situational awareness, security situation assessment, active learning for early warning, and security situation prediction. The work and results of the thesis are as follows:
     1. The architecture of the early-warning system, including its components, operating modes and workflow, is analysed, and the data processing flow of such a system is shown to be an abstraction process over three levels: data, information and knowledge. To meet early-warning requirements, the IDMEF data model is extended, a network security situational knowledge representation model is designed, and a corresponding description language is defined.
     2. The sensing methods, deployment model and optimisation of the situational sensors in the early-warning system are studied. Situational sensors use active and passive measurement to collect network situation information: performance data, topology data and security event data. Deploying and optimising the sensors is an essential step in building an early-warning system with good performance. Deployment models and optimisation algorithms for sensors under different sensing methods are studied, with the aim of obtaining as much situation information as possible from as few sensor nodes as possible.
     3. A new network path traffic measurement strategy, COPP, is proposed. Among security situation information, traffic is important data describing network performance and an important indicator of worm, denial-of-service and other attacks; but without privileged access to the traffic data of network nodes, carrying out effective traffic measurement becomes one of the problems an early-warning system must solve. COPP makes full use of the information carried by probe packets, combining packet pairs with the self-induced congestion principle: by examining the one-way delay of the probe packets and how it changes, it obtains the relationship between sending rate and available bandwidth, and it gives the bandwidth corresponding to each turning-point packet pair a weight that reflects how differently its neighbouring pairs were disturbed, so that good measurement accuracy is obtained at small cost. Simulation shows that, compared with traditional methods, COPP has better overhead, accuracy, stability and sensitivity to changes in network state.
     4. A situation assessment method based on a network security situational graph is proposed. Starting from the concept of situation assessment in the military domain, a definition of network security situation assessment is given, including the problem description, functional model and reasoning framework. A honeypot-based framework for network security situation assessment is presented, and within it an assessment method based on the network security situational graph. The method generates the situational graph with a generation algorithm, introduces the concepts of attack credibility and attack degree, and, using the security situation knowledge base, assesses combined multi-step attacks dynamically. Formally the method can fully reproduce the attack process: it shows dynamically how the threat an intrusion poses to the system evolves, and it quantifies the potential threat of an attack in advance. Tests on the DARPA LLDOS 1.0 dataset verify the effectiveness of the method.
     5. For acquiring security situation information, a committee-based misclassification sampling active learning algorithm and a scalable active learning algorithm based on graph constraints and pre-clustering are proposed. Attack and normal states are an important part of security situation information, and acquiring them through intrusion detection depends on the quality and speed of knowledge acquisition; compared with manual labelling, machine learning has advantages here. Obtaining high-quality labelled historical data is a key technique for building the security situation knowledge base, and the thesis uses active learning to reduce the labelling cost of building an intrusion detection classifier. Sampling is the key problem in active learning; because the assumptions behind traditional sampling algorithms do not necessarily hold in an early-warning system, a committee-based misclassification sampling algorithm is proposed. Further, since current active learning ignores the distribution of the unlabelled samples, active learning is combined with semi-supervised learning in a scalable active learning algorithm based on graph constraints and pre-clustering. Experiments show that both algorithms reach the target accuracy at a lower labelling cost than random sampling, uncertainty sampling and QBC sampling.
     6. For acquiring security situation information, a cost-sensitive active learning algorithm based on misclassification cost minimisation is proposed. Misclassification cost is one of the key performance indicators when machine learning is used to acquire network security situation information. Traditional machine learning considers only classification accuracy and traditional active learning only labelling cost; the proposed algorithm optimises the learning engine with a cost-sensitive method so that the hypotheses in the trained version space have low misclassification cost, and selects for labelling the samples with the largest expected misclassification cost. Experiments show that, when misclassification cost is taken into account, the algorithm reaches the target misclassification cost at a lower labelling cost than the SRS, CRS and CAD sampling algorithms.
     7. A hierarchical cognitive model of attack prediction is proposed. The cognitive process of an attack is defined at the levels of attack step, attack behaviour and attack process; the model describes attacks effectively and provides support for attack prediction.
     8. A combination prediction model based on particle swarm optimisation (PSO) is proposed. Attack prediction is an indispensable function of early warning based on situational awareness. The model combines several prediction methods through weighting coefficients, integrating forecasts from different sources so that each reflects a different aspect of the whole prediction process, in order to make the result more accurate. The fast global optimisation of PSO is used to determine the weighting coefficients, which reduces the blindness of trial computation and improves the model's prediction accuracy. Experiments on the Santa Fe test datasets show that the combination model has smaller error and higher accuracy than any single prediction model.
     Finally, an early-warning prototype system is implemented. It embodies the results above: it manages and controls the situational sensors, receives and processes the data they submit, and displays the current network situation and the early-warning results.
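The three-level abstraction of item 1 (data, information, knowledge) can be made concrete on IDMEF alerts. The following is an added example, not code from the thesis or its prototype: it parses IDMEF-Message XML in the RFC 4765 layout into flat records, maps the signature text to an abstract attack step with prerequisites and consequences (a requires/provides model; the step table is constructed and is not the thesis's knowledge representation model), and chains alerts against the same victim into a scenario graph. The alerts are constructed and the `ntpstamp` attribute that RFC 4765 requires on `CreateTime` is omitted for brevity.

```python
"""Three-level processing of intrusion alerts: IDMEF XML (data) -> flat
records (information) -> correlated attack scenario (knowledge).
Added example; alerts and the step model are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"idmef": "http://iana.org/idmef"}          # IDMEF namespace, RFC 4765


def _alert(mid, when, src, dst, text):
    """Build one constructed IDMEF <Alert> element."""
    node = ('<idmef:{side}><idmef:Node><idmef:Address category="ipv4-addr">'
            '<idmef:address>{ip}</idmef:address></idmef:Address></idmef:Node>'
            '</idmef:{side}>')
    return (f'<idmef:Alert messageid="{mid}"><idmef:Analyzer analyzerid="nids-1"/>'
            f'<idmef:CreateTime>{when}</idmef:CreateTime>'
            + node.format(side="Source", ip=src) + node.format(side="Target", ip=dst)
            + f'<idmef:Classification text="{text}"/></idmef:Alert>')


# Constructed sample: three chained steps against one host, plus one isolated
# exploit against another host with no preceding reconnaissance.
SAMPLE_IDMEF = (
    '<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">'
    + _alert("a1", "2000-03-09T10:01:25Z", "192.0.2.10", "198.51.100.5", "ICMP PING sweep")
    + _alert("a2", "2000-03-09T10:04:10Z", "192.0.2.10", "198.51.100.5", "RPC sadmind probe")
    + _alert("a3", "2000-03-09T10:09:42Z", "192.0.2.10", "198.51.100.5", "sadmind overflow")
    + _alert("a4", "2000-03-09T10:11:03Z", "192.0.2.77", "198.51.100.9", "sadmind overflow")
    + '</idmef:IDMEF-Message>')

# Information level: signature text -> (step, capabilities it requires,
# capabilities it provides).  Constructed rules, not the thesis's model.
STEP_MODEL = {
    "ICMP PING sweep":   ("recon",   set(),              {"host_alive"}),
    "RPC sadmind probe": ("probe",   {"host_alive"},     {"service_known"}),
    "sadmind overflow":  ("exploit", {"service_known"},  {"root_shell"}),
    "DDoS agent install": ("install", {"root_shell"},    {"ddos_agent"}),
}


def parse_idmef(xml_text):
    """Data level: flatten each IDMEF <Alert> into a record."""
    root = ET.fromstring(xml_text)
    records = []
    for alert in root.findall("idmef:Alert", NS):
        def addr(side):
            el = alert.find(f"idmef:{side}/idmef:Node/idmef:Address/idmef:address", NS)
            return el.text if el is not None else None
        records.append({
            "id": alert.get("messageid"),
            "sensor": alert.find("idmef:Analyzer", NS).get("analyzerid"),
            "time": alert.find("idmef:CreateTime", NS).text,
            "src": addr("Source"),
            "dst": addr("Target"),
            "class": alert.find("idmef:Classification", NS).get("text"),
        })
    return records


def correlate(records):
    """Knowledge level: link an alert to earlier alerts on the same victim
    whose consequences satisfy its prerequisites.  Returns the graph edges
    and the chain depth of every alert (1 = no observed predecessor)."""
    edges, depth = [], {}
    provided = defaultdict(dict)            # victim -> {capability: alert id}
    for r in sorted(records, key=lambda x: x["time"]):
        _, requires, provides = STEP_MODEL.get(r["class"], ("unknown", set(), set()))
        have = provided[r["dst"]]
        preds = [have[c] for c in requires if c in have]
        for p in preds:
            edges.append((p, r["id"]))
        depth[r["id"]] = 1 + max((depth[p] for p in preds), default=0)
        for c in provides:                  # even an unlinked exploit yields its capability
            have[c] = r["id"]
    return edges, depth


def scenario_progress(depth, records):
    """Deepest linked attack chain observed against each victim."""
    best = defaultdict(int)
    for r in records:
        best[r["dst"]] = max(best[r["dst"]], depth[r["id"]])
    return dict(best)


if __name__ == "__main__":
    recs = parse_idmef(SAMPLE_IDMEF)
    edges, depth = correlate(recs)
    print(edges, scenario_progress(depth, recs))
```

The isolated exploit `a4` stays at depth 1: the chain it belongs to was never observed, which is the kind of distinction a credibility score over a situational graph is meant to capture.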
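The sensor deployment problem of item 2 ("as much situation information as possible from as few sensor nodes as possible") is a budgeted maximum coverage problem. The following added example is not the thesis's deployment model or optimisation algorithm: it is the standard greedy heuristic that repeatedly picks the router with the best marginal coverage per unit cost, next to a brute-force optimum for comparison. The topology, monitored paths and costs are constructed; the instance is chosen so that the greedy choice is one path short of the optimum, which is the gap the thesis's optimisation work is about.

```python
"""Greedy vs. optimal placement of passive situational sensors.
Added example; topology, paths and costs are constructed."""
from itertools import combinations

# Monitored paths as router sequences; a sensor on a router sees every path
# that traverses it.
PATHS = {
    "p1": ["r2", "r1"],
    "p2": ["r1", "r2", "r4"],
    "p3": ["r1", "r3"],
    "p4": ["r3", "r1", "r5"],
    "p5": ["r2", "r5"],
    "p6": ["r3", "r4"],
}
COST = {"r1": 1, "r2": 1, "r3": 1, "r4": 1, "r5": 1}   # deployment cost per router


def coverage_sets(paths):
    """router -> set of path ids a sensor on that router observes."""
    cov = {}
    for pid, route in paths.items():
        for router in route:
            cov.setdefault(router, set()).add(pid)
    return cov


def greedy_placement(paths, cost, budget):
    """Pick routers by marginal coverage per unit cost until the budget is
    exhausted or nothing new can be covered."""
    cov = coverage_sets(paths)
    chosen, covered, spent = [], set(), 0
    while True:
        best, best_gain = None, 0.0
        for router, seen in cov.items():
            if router in chosen or spent + cost[router] > budget:
                continue
            gain = len(seen - covered) / cost[router]
            if gain > best_gain:
                best, best_gain = router, gain
        if best is None:
            return chosen, covered
        chosen.append(best)
        covered |= cov[best]
        spent += cost[best]


def optimal_placement(paths, cost, budget):
    """Exhaustive search; only feasible for small instances."""
    cov = coverage_sets(paths)
    best = ([], set())
    for k in range(1, len(cov) + 1):
        for combo in combinations(cov, k):
            if sum(cost[r] for r in combo) > budget:
                continue
            covered = set().union(*(cov[r] for r in combo))
            if len(covered) > len(best[1]):
                best = (list(combo), covered)
    return best


if __name__ == "__main__":
    print("greedy :", greedy_placement(PATHS, COST, budget=2))
    print("optimal:", optimal_placement(PATHS, COST, budget=2))
```

With a budget of two sensors the greedy rule takes `r1` (four paths) and then one more path, while `r2` plus `r3` would cover all six; the greedy result is still within the usual constant-factor bound, which is why it remains the practical choice on networks where exhaustive search is out of the question.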
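The self-induced congestion principle behind COPP (item 3) is easiest to see in a simulation. The following added example is not COPP and does not implement its weighting of turning-point packet pairs: it models a single bottleneck as a FIFO queue whose capacity left over after cross traffic is the available bandwidth, sends probe trains at increasing rates, and detects the turning point as the first rate at which the one-way delay of successive probes shows an increasing trend (the pairwise-comparison and difference tests are the ones used by the pathload tool). Packet size, train length, propagation delay and the small jitter are constructed parameters.

```python
"""Available-bandwidth estimation by self-induced congestion (simulated).
Added example, not the thesis's COPP strategy."""
import random


def probe_train(rate_mbps, avail_mbps, n_pkts=20, pkt_bytes=1000,
                prop_ms=10.0, seed=None):
    """One-way delays (ms) of a probe train sent at rate_mbps through a fluid
    bottleneck whose spare capacity is avail_mbps."""
    rng = random.Random(seed) if seed is not None else None
    gap = pkt_bytes * 8 / (rate_mbps * 1000)    # ms between probe departures
    serv = pkt_bytes * 8 / (avail_mbps * 1000)  # ms the bottleneck needs per probe
    owd, last_out = [], 0.0
    for i in range(n_pkts):
        sent = i * gap
        out = max(sent, last_out) + serv        # FIFO: wait for the previous probe
        last_out = out
        noise = rng.uniform(-0.002, 0.002) if rng else 0.0   # small constructed jitter
        owd.append(out - sent + prop_ms + noise)
    return owd


def increasing_trend(owd, pct_thresh=0.66, pdt_thresh=0.55):
    """Pairwise comparison test (fraction of increases) and pairwise
    difference test (net rise over total movement), both must agree."""
    diffs = [b - a for a, b in zip(owd, owd[1:])]
    pct = sum(d > 0 for d in diffs) / len(diffs)
    total = sum(abs(d) for d in diffs)
    pdt = (owd[-1] - owd[0]) / total if total else 0.0
    return pct > pct_thresh and pdt > pdt_thresh


def estimate_avail_bw(send, rates):
    """Sweep rates upward; the first rate whose train shows an increasing
    delay trend exceeds the available bandwidth.  Returns the estimate and
    the bracketing (lower, upper) rates; None marks an open bracket."""
    below = None
    for r in rates:
        if increasing_trend(send(r)):
            est = (below + r) / 2 if below is not None else r / 2
            return est, (below, r)
        below = r
    return below, (below, None)                 # never congested: at least max rate


if __name__ == "__main__":
    path = lambda r: probe_train(r, avail_mbps=45.0, seed=7)   # hidden truth: 45 Mbps
    print(estimate_avail_bw(path, list(range(10, 101, 10))))
```

The estimate's resolution is the step of the rate sweep, which is the cost/accuracy trade-off the strategy in item 3 is addressing: finer sweeps or more trains per rate cost more probe traffic on a path the measurer has no privileged access to.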
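Items 5 and 6 both turn on how the next sample to label is chosen. The following added example is not the thesis's algorithm; it combines the two ideas in their simplest textbook form: a bagged committee of logistic-regression members trained with cost-proportionate example weighting, and a query rule that sends the analyst the unlabelled instance with the largest expected misclassification cost under the committee's vote. The feature points, the cost matrix (a missed attack costs ten false alarms) and the seed set are constructed.

```python
"""Cost-sensitive, committee-based active learning for labelling intrusion
data.  Added example; data and costs are constructed."""
import math
import random

FN_COST, FP_COST = 10.0, 1.0          # a missed attack costs ten false alarms
COST = {0: {0: 0.0, 1: FN_COST},      # COST[decision][true label]
        1: {0: FP_COST, 1: 0.0}}


def make_data(rng, n=80):
    """Constructed 2-D feature points; label 1 = attack, 0 = normal."""
    data = []
    for _ in range(n):
        y = 1 if rng.random() < 0.3 else 0
        centre = 2.5 if y else 0.0
        data.append(((rng.gauss(centre, 1.2), rng.gauss(centre, 1.2)), y))
    return data


def sigmoid(z):
    z = max(-30.0, min(30.0, z))
    return 1.0 / (1.0 + math.exp(-z))


def predict(w, x):
    return sigmoid(w[0] + w[1] * x[0] + w[2] * x[1])


def train_logreg(samples, weights, epochs=200, lr=0.1):
    """Weighted logistic regression by batch gradient descent; the example
    weights carry the misclassification costs into the hypothesis."""
    w = [0.0, 0.0, 0.0]
    total = sum(weights)
    for _ in range(epochs):
        g = [0.0, 0.0, 0.0]
        for (x, y), wt in zip(samples, weights):
            err = (predict(w, x) - y) * wt
            g[0] += err
            g[1] += err * x[0]
            g[2] += err * x[1]
        w = [wi - lr * gi / total for wi, gi in zip(w, g)]
    return w


def train_committee(labeled, rng, k=5):
    """Bagging: every member sees its own bootstrap resample."""
    models = []
    for _ in range(k):
        boot = [rng.choice(labeled) for _ in labeled]
        weights = [FN_COST if y else FP_COST for _, y in boot]
        models.append(train_logreg(boot, weights))
    return models


def p_attack(models, x):
    return sum(predict(m, x) for m in models) / len(models)


def expected_cost(p1):
    """Expected cost of the cheapest decision when P(attack) = p1."""
    return min(sum(p * COST[d][c] for c, p in ((0, 1 - p1), (1, p1)))
               for d in (0, 1))


def decide(p1):
    """Cost-minimising decision: alert when p1*FN_COST >= (1-p1)*FP_COST."""
    return 1 if p1 * FN_COST >= (1 - p1) * FP_COST else 0


def select_query(models, pool):
    """Index of the pool instance with the largest expected cost."""
    return max(range(len(pool)),
               key=lambda i: expected_cost(p_attack(models, pool[i][0])))


def active_learn(labeled, pool, rng, budget):
    """Query `budget` labels.  Pool entries carry the hidden true label that
    the analyst (the oracle) reveals only when asked."""
    labeled, pool = list(labeled), list(pool)
    for _ in range(budget):
        models = train_committee(labeled, rng)
        x, y = pool.pop(select_query(models, pool))
        labeled.append((x, y))
    return labeled, pool, train_committee(labeled, rng)


def total_cost(models, data):
    return sum(COST[decide(p_attack(models, x))][y] for x, y in data)


def run_demo(seed=42, budget=12):
    rng = random.Random(seed)
    data = make_data(rng)
    return active_learn(data[:8], data[8:], rng, budget)


if __name__ == "__main__":
    labeled, pool, models = run_demo()
    print(len(labeled), "labelled; cost on remaining pool:", total_cost(models, pool))
```

Note where the expected cost peaks: with these costs it is largest at P(attack) = 1/11, not at 0.5. The sampler therefore asks about traffic the committee thinks is probably benign but might be an attack, which is exactly the region a pure uncertainty sampler ignores and where missed attacks are expensive.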
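The weighted combination of item 8 is simple to demonstrate end to end. The following added example is not the thesis's model: four base forecasters (naive, moving average, exponential smoothing, linear trend) produce one-step-ahead forecasts over a constructed series of hourly attack counts, and a particle swarm searches the weight simplex for the combination with the smallest mean squared error. The swarm is seeded with every single-model weighting, so the result can never be worse than the best base forecaster; the series, the swarm parameters and the base models are constructed choices.

```python
"""PSO-weighted combination forecast of a constructed attack-count series.
Added example, not the thesis's combination prediction model."""
import math
import random


def make_series(seed=1, n=40):
    """Constructed hourly attack counts: trend + 12-hour cycle + noise."""
    rng = random.Random(seed)
    return [round(20 + 0.4 * t + 6 * math.sin(2 * math.pi * t / 12) + rng.gauss(0, 1.5), 1)
            for t in range(n)]


SERIES = make_series()


def naive(h):
    return h[-1]


def moving_avg(h, k=3):
    return sum(h[-k:]) / k


def exp_smooth(h, a=0.5):
    s = h[0]
    for v in h[1:]:
        s = a * v + (1 - a) * s
    return s


def lin_trend(h, k=6):
    xs, ys = list(range(k)), h[-k:]
    xm, ym = sum(xs) / k, sum(ys) / k
    slope = sum((x - xm) * (y - ym) for x, y in zip(xs, ys)) / sum((x - xm) ** 2 for x in xs)
    return ym + slope * (k - xm)


MODELS = [naive, moving_avg, exp_smooth, lin_trend]


def rolling_forecasts(series, start=8):
    """Rows of base-model forecasts for each step, and the actual values."""
    F, actual = [], []
    for t in range(start, len(series)):
        F.append([m(series[:t]) for m in MODELS])
        actual.append(series[t])
    return F, actual


def mse(weights, F, actual):
    return sum((sum(w * f for w, f in zip(weights, row)) - a) ** 2
               for row, a in zip(F, actual)) / len(actual)


def to_simplex(x):
    """Keep weights non-negative and summing to one."""
    x = [max(0.0, v) for v in x]
    s = sum(x)
    return [v / s for v in x] if s > 0 else [1.0 / len(x)] * len(x)


def pso_weights(F, actual, seed=3, n_particles=12, iters=150, w=0.6, c1=1.5, c2=1.5):
    """Particle swarm over the weight simplex minimising combination MSE."""
    rng = random.Random(seed)
    d = len(F[0])
    # seed the swarm with each single-model weighting (one-hot vectors)
    X = [[1.0 if i == j else 0.0 for i in range(d)] for j in range(d)]
    X += [to_simplex([rng.random() for _ in range(d)]) for _ in range(n_particles - d)]
    V = [[0.0] * d for _ in X]
    pbest = [x[:] for x in X]
    pcost = [mse(x, F, actual) for x in X]
    g = min(range(len(X)), key=lambda i: pcost[i])
    gbest, gcost = pbest[g][:], pcost[g]
    for _ in range(iters):
        for i, x in enumerate(X):
            for k in range(d):
                V[i][k] = (w * V[i][k] + c1 * rng.random() * (pbest[i][k] - x[k])
                           + c2 * rng.random() * (gbest[k] - x[k]))
            X[i] = to_simplex([x[k] + V[i][k] for k in range(d)])
            c = mse(X[i], F, actual)
            if c < pcost[i]:
                pbest[i], pcost[i] = X[i][:], c
                if c < gcost:
                    gbest, gcost = X[i][:], c
    return gbest, gcost


if __name__ == "__main__":
    F, actual = rolling_forecasts(SERIES)
    for j, m in enumerate(MODELS):
        print(m.__name__, round(mse([1.0 if i == j else 0.0 for i in range(4)], F, actual), 3))
    print("combined", pso_weights(F, actual))
```

The weights are fitted on the same window they are evaluated on here; in an operational early-warning system they would be refitted on a trailing window and judged on the forecasts made after it, otherwise the combination's advantage over the single models is overstated.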
    [180]F.Cuppens, R.Ortalo. LAMBDA:A Language to Model a Database for Detection of Attacks, Proc. Of RAID.2000.
    [181]C. Networks. The CaptIO and CaptIO-G security solutions.2001 [http://www.captusnetworks.com/].
    [182]O.Dain, R. K. Cunningham. Fusing a heterogeneous alert stream into scenarios. In:Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications.2001,1-13.
    [183]A. Adas. Traffic models in broadband networks. IEEE Communications Magazine,1997,35(7):82-89.
    [184]B. S. Chen, S. C. Peng, K. C. Wang. Traffic Modeling,Prediction,and Congestion Contol for High-SpeedNetworks:A Fuzzy AR Approach. IEEE Trans. Fuzzy Systems,2000,8(5):491-508.
    [185]V. Paxson, S. Floyd. Wide area traffic:The failure ofPoisson modeling. IEEE/ACM Trans. Networking,1995,3(3):226-244.
    [186]N. Akar, E. Arikan. Markov modulated periodic arrivalprocess offered to an ATM multiplexer. Perform. Eval.,1994,22:175-190.
    [187]V. N. Bhat. Renewal approximations of the switched Poisson processes and their applications to queueing system. Operational Res. Soc.,1994,45(3):345-353.
    [188]D. R. Hush, B. G. Home. Progress in Supervised Neural Networks. IEEE Signal Processing Magazine,1993,10(1):8-39.
    [189]N. Davey, S. P. Hunt, R. J. Frank. Time Series Prediction and Neural Networks. In:Proc.5th International Conference on Engineering Applications of Neural Networks.1999,93-98.
    [190]T. Edwards, D. S. W. Tansley, R. J. Frank, N. Davey. Traffic Trends Analysis using Neural Networks. In:Proceedings of the International Workshop on Applications of Neural Networks to Telecommunications.1997,157-164.
    [191]J. Jacek, K. Krzyszt. Rough Set Reduction of Attributes and Their Domains for Neural Networks. Computational Intelligence,1995,11(2):339-347.
    [192]R. C. Everhart, J. A. Kennedy. New Optimizer Using Particle Swarm Theory. In: Proc Sixth International Symposium on Micro Machine and Human Science. Nagoya,1995,39-43.
    [193]J. Kennedy, R. C. Eberhart. Particle swarm optimization. In:IEEE International Conference on Neural Network. Perth,1995,1942-1948.
    [194]K. R. Muller, A. J. Smola, G. Ratsch, B. Scholkopf, et al. Predicting Time Series with Support Vector Machines. In:Proceedings of ICANN.1997,999-1004.
    [195]The Santa Fe Time Series Competition Data.1994 [http://www-psych.stanford.edu/~andreas/Time-Series/SantaFe.html].
