Research on Network Security Threat and Situation Assessment Methods
Abstract
The increasingly severe network security situation poses a challenge to traditional network security techniques. Existing detection tools can only raise alerts on the basis of limited information, and those alerts are enormous in volume and poor in quality, so the threat level of an event and the security state of the system are hard to learn from them. Traditional security assessment methods, in turn, are only static assessments and cannot reflect real-time risk. This makes it hard for network operators to perceive the real-time network security situation with existing techniques, and therefore hard to make decisions based on the actual state of the network; the four links of defence, detection, response and analysis are badly disconnected, and response to security incidents lags seriously.
In recent years, the introduction of threat and situation assessment techniques, which originated in battlefield situation awareness, has offered a new approach to the problem of network security situation awareness. Network security threat and situation assessment means: using information fusion methods to process the real-time network security data produced by detection tools, assessing the threat level of attacks and the real-time network security state, producing an intuitive and effective security situation report, and making a reasonable prediction of the future security situation. This thesis studies threat assessment, situation assessment and situation prediction methods in turn.
The factors that influence the threat level of an attack fall into six classes: attack destructiveness, environment, success rate, statistics, correlation and effect. A threat assessment framework with six stages is constructed: severity assessment, environment assessment, credibility assessment, statistical assessment, correlation assessment and effect assessment. The method for each stage is described, and the methods are implemented in the SATA (Security Alert and Threat Analysis) system designed here. Severity assessment uses hazard grading and the CVSS vulnerability scoring method; environment assessment is realised by setting asset values and priorities; credibility assessment uses a Bayesian network; statistical assessment uses alert frequency statistics and a method for identifying periodic false alarms; correlation assessment uses an alert correlation language; and effect assessment uses a qualitative attack effect assessment method.
Situation assessment uses a Hidden Markov Model (HMM). The problems of observation event classification and model parameter configuration are solved. Alerts are classified using the threat assessment results, which improves the accuracy of event classification. A genetic algorithm is used to optimise the HMM parameters: a quantitative evaluation mechanism for network security situation assessment results is established to define the optimisation objective, and honeynet data are used to build the evaluation rule set. Comparative experiments show that the method is effective.
Five characteristics that determine the predictability of the network security situation are identified: 1) attacks are causally related; 2) different attacks differ in how likely they are to appear as evidence of future attacks; 3) future attacks usually share attributes with their "evidence"; 4) attack intent can be inferred; 5) there is a link between the evidence and the trend of the security state.
A prediction method centred on "evidence extraction" is designed. Evidence is extracted from alerts using attack sequence patterns and the "predictability" of attacks. A "predictability" metric is proposed to express how likely an attack is to appear as evidence of a future attack, and it serves as the basis for selecting evidence. The AprioriAll sequential pattern mining algorithm is modified so that it computes predictability while mining attack sequence patterns from historical alerts. Alert sequences with high predictability are selected as evidence. An HMM between the evidence and the security trend is then built to predict the security situation. Experiments on the DARPA data sets show that the method is effective.
Traditional network security techniques have shown their drawbacks in the increasingly complex and severe network security environment. Intrusion detection tools can only deliver alerts based on limited knowledge of attacks, and the alert stream is typically poor in quality and easily overwhelming, which makes it very hard to know how much threat the detected attacks pose to the network and which security states the hosts are in. Meanwhile, traditional security assessment approaches cannot assess the real-time security situation. These problems make it very difficult for security operators to know the current security threat and situation using traditional security tools.
Network security threat and situation assessment aims to extract knowledge of the current security threat and situation from the raw security data reported by traditional security tools, through data fusion techniques, and to predict the future security situation based on historical security information and the present attacks. This thesis studies approaches to threat assessment, situation assessment and situation prediction.
The threat of a network attack is determined by six kinds of factor: attack severity, attack environment, probability of success, statistical factors, correlation factors and attack effect. Based on this conclusion, a threat assessment framework comprising six steps is proposed. The approaches for each step are introduced in the thesis and implemented in the SATA (Security Alert and Threat Analysis) system. Qualitative attack hazard gradation and the CVSS mechanism are used in severity assessment. Asset values and security policies are set to evaluate the environmental factors. A Bayesian network is used to calculate the reliability of alerts. In statistical assessment, a novel approach based on time series analysis is proposed to find the periodicity of alerts. An alert correlation language is implemented in the system, and an experiment in qualitative attack effect assessment is introduced.
A Hidden Markov Model (HMM) is used to assess the network security situation. Two problems in this approach, observation event classification and parameter configuration, are solved. For the first, the result of threat assessment is used to classify alerts by their threat scores, which limits the size of the HMM observation matrix and improves the accuracy of observation classification. For the second, a genetic programming algorithm is used. A mechanism for quantitatively evaluating the fitness of a situation assessment result is proposed: a set of risk description rules is defined, and the degree to which the result of situation assessment matches the rules determines its fitness. Honeynet alerts are used to construct the risk description rule set. Comparative tests validate the effectiveness of the approach.
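The HMM-based situation assessment described above (and in the Chinese summary), as an added example that is not code from the thesis or the SATA system: alerts are binned into a three-symbol observation alphabet by their threat score, and a forward filter yields the posterior over hidden security states and an expected risk after each alert. The states, score thresholds, transition and observation matrices, cost weights and the alert stream are all constructed; the thesis learns its parameters with a genetic algorithm, which is not reproduced here.

```python
# Added example: HMM situation assessment over threat-scored alerts (not SATA code).
from typing import List

STATES = ["Good", "Probed", "Attacked", "Compromised"]  # hypothetical hidden states
RISK = [0.0, 0.2, 0.6, 1.0]                             # constructed cost per state
OBS_THRESHOLDS = (3.0, 7.0)        # threat score bins -> observation 0=low,1=medium,2=high

# A[i][j] = P(next state j | current state i), rows sum to 1 (constructed)
A = [[0.90, 0.07, 0.02, 0.01],
     [0.30, 0.50, 0.15, 0.05],
     [0.10, 0.20, 0.50, 0.20],
     [0.05, 0.05, 0.10, 0.80]]
# B[i][k] = P(observation k | state i), rows sum to 1 (constructed)
B = [[0.85, 0.12, 0.03],
     [0.40, 0.45, 0.15],
     [0.15, 0.40, 0.45],
     [0.05, 0.25, 0.70]]
PI = [0.85, 0.10, 0.04, 0.01]                           # initial state distribution


def classify(threat_score: float) -> int:
    """Map a threat-assessment score in [0, 10] to an observation symbol index."""
    low, high = OBS_THRESHOLDS
    if threat_score < low:
        return 0
    return 1 if threat_score < high else 2


def forward_filter(scores: List[float]) -> List[List[float]]:
    """Normalised forward algorithm: P(state_t | obs_1..obs_t) after every alert."""
    n = len(STATES)
    posteriors: List[List[float]] = []
    alpha: List[float] = []
    for score in scores:
        k = classify(score)
        if not alpha:                       # first alert: prior times emission
            alpha = [PI[i] * B[i][k] for i in range(n)]
        else:                               # predict with A, then weight by emission
            alpha = [B[j][k] * sum(alpha[i] * A[i][j] for i in range(n))
                     for j in range(n)]
        total = sum(alpha)
        alpha = [a / total for a in alpha]  # renormalise each step to avoid underflow
        posteriors.append(alpha)
    return posteriors


def risk_trajectory(scores: List[float]) -> List[float]:
    """Expected risk after each alert: state posterior weighted by state cost."""
    return [sum(p[i] * RISK[i] for i in range(len(STATES)))
            for p in forward_filter(scores)]


if __name__ == "__main__":
    sample = [1.0, 5.0, 9.0, 9.0]  # constructed alert stream with escalating threat scores
    for score, post, risk in zip(sample, forward_filter(sample), risk_trajectory(sample)):
        likely = STATES[max(range(len(STATES)), key=post.__getitem__)]
        print(f"score={score:4.1f}  likely state={likely:<12} risk={risk:.2f}")
```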
Five characteristics of the network situation prediction problem are defined: 1) there is a causal relationship between future attacks and past attacks; 2) different attack types differ in the likelihood of being followed by further attacks; 3) the evidence of future attacks by itself reflects important information about those attacks; 4) the attack plan can be recognised from the accumulation of evidence; 5) there is a relationship between the evidence of future attacks and the trend of the network situation. Based on these characteristics, an approach to situation prediction is proposed.
First, the evidence of future attacks is extracted from IDS alerts according to attack sequence patterns and the predictability of attack types. The predictability of an attack type represents the likelihood that attacks of that type are evidence of future attacks. The attack sequence patterns are generated by a data mining algorithm: the AprioriAll algorithm is modified so that it can calculate the probability of a sequence pattern occurring at the opening or in the middle of other sequence patterns, which determines the predictability of the attack sequences. Then the future security situation is predicted from the evidence. D-S evidence theory is used for plan recognition, and an HMM between the evidence and the trend of the security situation is constructed to predict the probability distribution of future security states. Experiments with the DARPA data sets show the effectiveness of the approach.
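The evidence-extraction step described above (and in the Chinese summary), as an added example that is not the thesis's code: a simplified AprioriAll-style level-wise miner finds frequent attack subsequences in constructed alert sessions, and "predictability" is computed, in this example's reading of the metric, as the fraction of sessions containing a pattern in which it occurs at the opening or in the middle rather than at the tail. Patterns clearing both a support and a predictability threshold are selected as evidence; the session history and the attack type names are constructed.

```python
# Added example: evidence extraction from historical attack sequences (not thesis code).
from typing import Dict, List, Sequence, Tuple
Pattern = Tuple[str, ...]

# Constructed history: each session is the ordered attack types one source produced
SESSIONS: List[List[str]] = [
    ["scan", "bruteforce", "login", "exfil"],
    ["scan", "bruteforce", "login"],
    ["scan", "exploit", "exfil"],
    ["scan"],
    ["bruteforce", "login", "exfil"],
    ["scan", "exploit"],
    ["exfil"],
]

def match_end(session: Sequence[str], pattern: Pattern) -> int:
    """Index of the element that completes a (non-contiguous) subsequence match, or -1."""
    pos = 0
    for idx, item in enumerate(session):
        if item == pattern[pos]:
            pos += 1
            if pos == len(pattern):
                return idx
    return -1

def mine_patterns(sessions: List[List[str]], min_support: float) -> Dict[Pattern, float]:
    """Level-wise frequent-subsequence mining, a simplified AprioriAll candidate step:
    each frequent k-pattern is extended by one frequent item and kept if still frequent."""
    def support(p: Pattern) -> float:
        return sum(match_end(s, p) >= 0 for s in sessions) / len(sessions)

    level = [(a,) for a in sorted({a for s in sessions for a in s})
             if support((a,)) >= min_support]
    frequent_items = [p[0] for p in level]
    frequent: Dict[Pattern, float] = {p: support(p) for p in level}
    while level:
        nxt = []
        for p in level:
            for item in frequent_items:
                cand = p + (item,)
                sup = support(cand)
                if sup >= min_support:
                    frequent[cand] = sup
                    nxt.append(cand)
        level = nxt
    return frequent

def predictability(sessions: List[List[str]], pattern: Pattern) -> float:
    """Fraction of sessions containing the pattern in which it occurs at the opening or
    in the middle, i.e. further alerts follow it (this example's reading of the metric)."""
    hits = [(match_end(s, pattern), len(s)) for s in sessions if match_end(s, pattern) >= 0]
    if not hits:
        return 0.0
    return sum(1 for end, length in hits if end < length - 1) / len(hits)

def select_evidence(sessions, min_support: float, min_predictability: float) -> List[Pattern]:
    """Frequent patterns whose predictability clears the threshold are kept as evidence."""
    return sorted(p for p in mine_patterns(sessions, min_support)
                  if predictability(sessions, p) >= min_predictability)
```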
