Access Control and Real-Time Alerting for Secure Operating Systems
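Abstract
With the rapid development of computer and Internet technology, information resources are shared ever more widely; but as society becomes more networked, the security risks of open network architectures are becoming increasingly apparent. New vulnerabilities and new viruses are discovered on mainstream computing platforms almost every day. Moreover, the constant stream of new computing technologies may make the security of computer systems harder to control than before. These two factors, interconnectivity and complexity, lower users' trust in computers. In open network and system environments, information security technology urgently needs to develop. With the development of new technologies such as remote terminal access, communications and network engineering, hardware security is attainable at the current level of hardware. Computer software security therefore becomes more and more important.
     The operating system is the only system software that sits directly on the hardware, and its security functions are the foundation for those of all other software; without this foundation, the security of the applications and security systems built on top of it cannot be guaranteed at all. As the basic supporting platform for information security, the operating system's security and performance therefore directly affect how information system security is implemented, and it is a necessary condition for the security of computer information systems. When designing a secure operating system, the other network security technologies that support and cooperate with it, such as intrusion detection, are also a research focus. In general, users have the following security requirements for an information system: confidentiality, integrity, availability, accountability, and so on. The operating system therefore needs the following security functions: authentication, access control, security auditing, intrusion detection, and so on. Among these, access control is the core of secure operating system research, and program-behavior-based anomaly detection has been shown to be the most successful and effective host-based anomaly detection method.
     The key to program-behavior-based anomaly detection is building an efficient and accurate model of program behavior. Using dynamic learning, static analysis, or a combination of the two, researchers have proposed a number of context-sensitive and context-insensitive anomaly detection models. This thesis studies the proposed models along three dimensions: the information the process extracts from system calls, the granularity of the atomic unit used in anomaly detection, and the atomic-unit information recorded by the anomaly detector. It compares the models on convergence time, false alarms, detection capability, space requirements and running time.
     The classical access control models for secure operating systems are the BLP, DTE and RBAC models, but these models are too restrictive: BLP considers only confidentiality, DTE considers only integrity, and RBAC focuses on managing the authorization of access control roles. Moreover, in implementations of these models the process label is inherited from the user identifier (UID) without considering the reliability of the process, so a trusted path between the user and the reference monitor cannot be ensured, which leads to information disclosure or tampering. Real network environments place security requirements of many kinds on a system, so new access control models must be studied. Building on a thorough understanding of earlier models, this thesis proposes the MACM policy. Its essential characteristic is that it satisfies confidentiality, integrity and the principle of privilege separation at the same time, while also taking system availability into account. An implementation on Linux and a performance analysis show that the overhead of the method is low.
     Building a context-sensitive anomaly detection model by static analysis is a tradeoff between accuracy and efficiency. The models proposed so far are the Abstract Stack, VpStatic, Dyck and HPDA models. Their main shortcoming is that no single model obtains complete context information, which may cause the model to accept some anomalous behavior, and they handle only statically linked program code. The CPDA model proposed in this thesis obtains complete system call context information using optimized stack walking and code rewriting. Statically linked program parts, recursion and DLLs are handled by stack walking; loops and non-standard control flow are handled by code rewriting. The CPDA model therefore improves model accuracy. In addition, the CPDA model does not need to maintain an internal stack, so it has fewer transitions. Because few null calls are inserted and stack walking triggers monitoring only at system call points, the overhead introduced is small. Experiments on Linux programs show that the CPDA model is efficient.
     To detect more attacks against security-critical data, data flow properties, that is, system call argument information, must be considered in addition to control flow information. This thesis mainly discusses learning binary relations over data flow properties. Existing methods for studying binary relations between system call arguments are the MCC and Improving methods, based on dynamic learning, and the Environment-Sensitive and PAID methods, based on static analysis. This thesis proposes the 2PA (Two-Phrase Analyzing) method, which combines dynamic learning and static analysis to learn system call argument properties efficiently. In the static phase, argument values that can be determined statically are recovered by symbolic execution over the data dependency graph, and the associations between events are analyzed; in the dynamic phase, the argument values that cannot be determined statically are obtained and the concrete relations are learned. The main contributions of the 2PA method are: first, it introduces the concepts of unrelated arguments and useless relations; second, it gives an algorithm for building a relation dependency graph from the data dependency graph; third, it proposes a two-phase relation dependency analysis method. Experiments on Linux show that anomaly detection based on the 2PA method is more accurate and efficient, with low anomaly detection overhead.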
People can obtain more and more information via computer due to the evolution of the Internet. On the other hand, open network systems expose more and more hidden security risks. New vulnerabilities and new viruses are discovered on the mainstream computer platforms almost every day. Also, new information technology makes the security of computer systems harder to control than before. The evolution of networks and computer systems indicates that information security can no longer be delayed. With the development of computer remote access, communication and network engineering, hardware security can be attained. Software security plays an important role in the field of information security.
     The operating system is the only system software that interacts with the computer hardware, and its security is the basis of the security of other application software. Without it, the security of an information system has no guarantee. Other network security techniques, such as intrusion detection, are also key to the design of a secure operating system. To enhance its security, an operating system needs the following security functions: authentication, access control, security audit, intrusion detection, etc. Access control is central to a secure operating system; program behavior-based anomaly detection has been proved to be perhaps the most successful and effective host-based anomaly detection method.
     Constructing an efficient and precise program behavior model is pivotal to accurate program behavior-based anomaly detection. Based on dynamic learning, static analysis, or a combination of both, researchers have proposed several program behavior-based anomaly detection models, which are either context-insensitive or context-sensitive. They are studied along three dimensions: the information extracted from system calls, the system call level used in anomaly detection, and the information recorded by the anomaly detector. They are also compared on convergence time, false positives, detection capability, space requirements and runtime overhead.
     The classical access control models for secure operating systems include the BLP model, the DTE model and the RBAC model. However, a single security model can meet only one aspect of the security requirements. BLP is an efficient security model for protecting a system's confidentiality. DTE is a good way to protect a system's integrity. RBAC is better suited to managing the authorization of a system's security policy. Also, in implementations, the user label is inherited from the UID without taking process reliability into account, which cannot ensure a trusted path between the user and the reference monitor, so there could be a threat of information disclosure or modification. In a real network environment, the security requirements for a secure operating system have many aspects, such as confidentiality, integrity, reliability and availability, because of its complex applications, so there is a need to develop a new access control method. A new access control method, called MACM, is proposed after careful study of the above models. The new method makes use of the strengths of the single security models, while also taking the system's reliability and availability into account. A formal description of the new method is given and its implementation in the Linux kernel is investigated. Performance tests on Linux show that the method introduces little overhead.
     For context-sensitive models constructed by static analysis, there is a tradeoff between accuracy and efficiency. Several models have been proposed, including the Abstract Stack model, the VpStatic model, the Dyck model and the HPDA model. Their disadvantages are that none of them alone has sufficient context information, and that they deal only with statically linked program code, which may lead to extraneous behaviors. A new accurate and efficient anomaly detection model, called the Combined Pushdown Automaton (CPDA) model, is presented. It is generated by analyzing the binary executable code of a program. It combines an optimized call stack walk with limited code instrumentation to gain complete context information. Because of the way it is constructed, it can operate efficiently. Experiments on Linux show that the CPDA model has high efficiency.
     To detect more attacks aimed at security-critical data, it is necessary to take into account data flow information pertaining to system call arguments. We concentrate on learning the more complex binary relations, because they capture the properties that hold between two system call arguments. The dynamic learning based approaches, the Improving and MCC methods, are able to use control-flow context to improve the precision of data flow relationships. There are also static analysis techniques that incorporate system call argument information into the control flow model, such as the Dyck and Environment-Sensitive methods. An efficient data flow attribute analysis method, called 2PA (Two-Phrase Analyzing), is proposed. It analyzes data flow attributes in two phases: offline static analysis and online dynamic learning. Static analysis recovers the statically determined arguments through symbolic execution and analyzes the dependencies between arguments according to the Data Dependency Graph; dynamic learning obtains the argument values that cannot be determined statically and learns specific binary relations according to the results of the static analysis. The 2PA method introduces the notions of unrelated event and useless relation. It also presents an algorithm to construct a relation dependency graph from the data dependency graph. Performance evaluations on Linux programs show that anomaly detection based on the 2PA method can operate efficiently while introducing low overhead.
