Research on Behavior-Based P2P Traffic and Anomalous Traffic Identification
Abstract
With the rapid development of Internet technology and peer-to-peer (P2P) applications, network management and control have become increasingly important, and traffic identification has grown into a significant research subject. Most existing traffic identification methods remain at the theoretical stage and do not transfer well to practice, and many of the related techniques have defects that call for optimization and improvement. Building on earlier work, this thesis studies P2P traffic identification and anomalous traffic detection: it optimizes payload-based identification, analyzes in depth the traffic behavior of individual nodes, the behavior of the traffic that makes up the majority of volume, and the behavior of denial-of-service attacks within anomalous traffic, and builds identification methods on these analyses.
The main research content of the thesis is as follows:
(1) For payload-based identification, to remedy the shortcomings of existing methods in identification speed and accuracy, an optimized method based on a trusted list is proposed. The method analyzes features of the packet payload; once a session has been identified it is added to a trusted list, and the list is optimized and controlled with an activity parameter that records how often each session is accessed, so that frequently accessed records are checked first and the overhead of searching the list is reduced. An acceleration technique based on the sequence number of TCP packets further raises detection efficiency. A second contribution of this part is a protocol-feature extraction method: a substantial amount of feature-extraction work was done, errors in earlier protocol signatures were corrected, and signatures for currently popular applications were added. Experiments show that the trusted-list method makes up for the performance shortcomings of existing payload-based algorithms, effectively raises identification accuracy and lowers the misidentification rate.
(2) To compensate for the weakness of payload-based methods on "unknown" applications and encrypted packets, a node-behavior-based P2P identification method, NBTI (Traffic Identification based on Node's Behavior), is proposed. It analyzes the connection pattern a specific application induces at a node, the total number of connections within a fixed time interval and several other behavioral features, and builds an identification model from the results. Because it does not depend on payload features, it can effectively identify encrypted traffic and "unknown" applications that exhibit a given class of behavior, and it sidesteps privacy concerns about packet contents. A heuristic based on UDP packets further strengthens NBTI, and together with its per-node design this makes NBTI perform better in high-volume network environments.
(3) Motivated by the observation that a very small fraction of flows accounts for the overwhelming majority of bytes, a behavior-based majority traffic identification method, BMTI (Behavior-based Majority Traffic Identification), is proposed. BMTI targets the applications that consume the most bandwidth: P2P streaming, P2P file sharing, denial-of-service attacks, worms, scanning and the like. By analyzing the similarities and differences of these applications in per-node traffic share, operating principle and behavioral characteristics, it extracts features usable for identification and detects specific applications from combinations of them. BMTI adopts special strategies to improve efficiency: first, packet-count and byte-count thresholds bound the detection list; second, the TCP-packet acceleration algorithm and the UDP heuristic improve efficiency and accuracy.
(4) For denial-of-service attacks, the most threatening kind of anomalous traffic, a behavior-based DoS detection method is proposed. By analyzing the packet connection pattern, packet-length distribution, distribution of external nodes and distribution of ports produced by a DoS attack per unit time, seven traffic anomalies that appear during such an attack are identified, and a detection method based on five factors is derived from them: packet-length range, change in node and port counts, change in the upload-to-download ratio, inter-packet gap, and packet-content similarity. Mixed experiments with P2P, FTP and DoS traffic demonstrate the effectiveness of the algorithm.
In summary, the behavior-based traffic identification methods proposed in this thesis have simple models and wide applicability and are easy for engineers to understand; they merit further theoretical study and also have considerable engineering value.
English abstract
With the rapid development of Internet technology and P2P applications, network management and control have become increasingly important, and traffic identification has become an important subject. At present most traffic identification methods remain at the theoretical stage and cannot be applied directly in practice. Building on previous studies, this thesis focuses on P2P traffic identification and anomaly detection and optimizes payload-based identification. It also analyzes in depth the behavior characteristics of node-based traffic, of the traffic that makes up the majority of total volume, and of denial-of-service behavior within anomalous traffic.
The main work and contributions of the thesis are as follows:
(1) For payload-based identification, to overcome the limitations of existing methods in identification speed and accuracy, a heuristic traffic identification method based on a trusted list is proposed. The method first analyzes packet payload characteristics, then adds each identified connection to a trusted list, and finally uses an activity parameter to optimize and control that list. The parameter records how often a session has been visited, which ensures that frequently seen records are identified with high priority and reduces the system cost of searching the list. A method that uses the sequence numbers of TCP packets to accelerate identification is also proposed. In addition, a large amount of work on protocol characteristics was carried out: mistakes in older signatures were corrected and new regular expressions for popular applications were introduced. Experimental results show that the method makes up for the drawbacks of the original algorithm and effectively improves identification accuracy.
(2) To overcome the inability of payload-based methods to identify "unknown" applications and encrypted packets, a traffic identification method based on node behavior analysis (NBTI for short) is proposed. NBTI focuses on the node connection characteristics caused by a P2P application and on the total number of connections within a fixed period, and builds an identification model from the analysis. Because NBTI does not rely on payload characteristics, it can effectively identify encrypted traffic and "unknown" applications that exhibit certain behavior characteristics, and it avoids the privacy issues of inspecting traffic contents. A UDP-packet-based heuristic further improves its performance, and together with its node-based design this makes NBTI suitable for network environments with large traffic volumes.
(3) Given that a small fraction of flows accounts for most of the total bytes, a behavior-based majority traffic identification method (BMTI for short) is proposed. BMTI focuses on five types of heavy-traffic applications: P2P streaming, P2P file sharing, denial-of-service (DoS) attacks, worms and scanning. It analyzes the similarities and differences of these applications in the share of communicating nodes, their operating principles and other behavioral aspects, from which distinguishing features are obtained to identify specific applications. Two strategies improve identification efficiency: thresholds on packet count and byte count restrict the identification list, and the TCP-packet acceleration method and the UDP heuristic improve efficiency and accuracy.
(4) For denial-of-service attacks, one of the major sources of anomalous traffic, a DoS identification method based on behavior analysis is proposed. The method analyzes the packet connection pattern, packet length distribution, and remote node and port number distribution caused by DoS attacks, and summarizes seven distinct features. From this analysis, five factors are proposed to identify DoS attacks: packet length range, variation in the number of nodes and ports, the upload-to-download byte ratio, the inter-packet interval and the similarity of packet contents. A hybrid experiment with P2P, FTP and DoS traffic demonstrates the effectiveness of the algorithm.
Taken together, the proposed behavior-based traffic identification methods have simple models and are easy for engineers to understand. They deserve further theoretical research and also have good application value in engineering.
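To make the trusted-list idea in (1) concrete, the following Python sketch is an added example written for this page, not code from the thesis: a small payload-signature matcher fronted by a per-session trusted list whose entries are re-ordered by an activity counter, so that hot sessions are found early in the scan and the regex set runs only on sessions not yet identified. The signature set, the bubble-up ordering and the tail-eviction rule are this example's own assumptions; the thesis's TCP sequence-number acceleration is not reproduced because the abstract does not describe it.

```python
import re
from dataclasses import dataclass

# Illustrative payload signatures (constructed for this example; the thesis's
# own signature set is not reproduced on the page). The BitTorrent and Gnutella
# strings are the documented handshake preambles of those protocols.
SIGNATURES = {
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "gnutella":   re.compile(rb"^GNUTELLA CONNECT/"),
    "http":       re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
}


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent 5-tuple so both halves of a session share one entry."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


@dataclass
class TrustedEntry:
    key: tuple
    app: str
    activity: int = 1  # how many packets of this session have been seen


class TrustedList:
    """Already-identified sessions, kept ordered by activity so that a linear
    scan reaches the hottest sessions first (an assumed reconstruction of the
    thesis's "activity parameter", not its exact algorithm)."""

    def __init__(self, capacity=1024):
        self.entries = []
        self.capacity = capacity

    def lookup(self, key):
        for i, e in enumerate(self.entries):
            if e.key != key:
                continue
            e.activity += 1
            # Bubble the entry forward past neighbours it has now out-scored.
            while i > 0 and self.entries[i - 1].activity < e.activity:
                self.entries[i - 1], self.entries[i] = e, self.entries[i - 1]
                i -= 1
            return e.app
        return None

    def add(self, key, app):
        if len(self.entries) >= self.capacity:
            self.entries.pop()  # the tail holds the least active session
        self.entries.append(TrustedEntry(key, app))


class PayloadClassifier:
    """Signature matching with a trusted-list front end; dpi_calls counts how
    often the regex set actually had to run."""

    def __init__(self):
        self.trusted = TrustedList()
        self.dpi_calls = 0

    def classify(self, src, sport, dst, dport, proto, payload):
        key = flow_key(src, sport, dst, dport, proto)
        app = self.trusted.lookup(key)
        if app is not None:
            return app  # trusted-list hit: no payload inspection needed
        self.dpi_calls += 1
        for name, rx in SIGNATURES.items():
            if rx.search(payload):
                self.trusted.add(key, name)
                return name
        return "unknown"  # left for the behavior-based methods (NBTI/BMTI)
```

Only the first packet of a recognisable session pays for regex matching; every later packet in either direction is resolved by the list. A session the signatures never match stays "unknown" and is re-inspected on every packet, which is exactly the gap the node-behavior method in (2) is meant to fill.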
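The per-node features in (2) and the majority-traffic view in (3) can both be computed from ordinary flow records, so one added Python example covers both; it is written for this page and is not the thesis's code. It windows constructed flow records, derives each local node's connection total, peer fan-out, remote-port spread and transport mix, measures how concentrated the bytes are in a few flows, applies packet-count and byte-count thresholds to bound the detection list, and applies two illustrative labelling rules. The rules and every threshold are this example's assumptions, not the NBTI or BMTI model.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a flow collector would export it; constructed input."""
    ts: float      # start time, seconds
    src: str       # local node under observation
    dst: str       # remote peer
    dport: int     # remote port
    proto: str     # "tcp" or "udp"
    pkts: int
    nbytes: int


def window(flows, start, length):
    """Flows that started inside one fixed-length observation window."""
    return [f for f in flows if start <= f.ts < start + length]


def node_features(flows):
    """Per local node: connection total, distinct peers/ports, bytes, transports."""
    feats = defaultdict(lambda: {"conns": 0, "peers": set(), "rports": set(),
                                 "bytes": 0, "protos": set()})
    for f in flows:
        n = feats[f.src]
        n["conns"] += 1
        n["peers"].add(f.dst)
        n["rports"].add(f.dport)
        n["bytes"] += f.nbytes
        n["protos"].add(f.proto)
    return feats


def byte_concentration(flows, top_fraction):
    """Share of all bytes carried by the largest `top_fraction` of flows."""
    total = sum(f.nbytes for f in flows)
    k = max(1, int(len(flows) * top_fraction))
    top = sorted((f.nbytes for f in flows), reverse=True)[:k]
    return sum(top) / total if total else 0.0


def heavy_flows(flows, pkt_threshold, byte_threshold):
    """Flows that pass both thresholds and therefore stay on the detection list."""
    return [f for f in flows if f.pkts >= pkt_threshold and f.nbytes >= byte_threshold]


def label_node(feat):
    """Illustrative behavioral rules (this example's own, not the thesis's model)."""
    bytes_per_conn = feat["bytes"] / feat["conns"]
    if len(feat["peers"]) >= 20 and bytes_per_conn < 200 and feat["protos"] == {"tcp"}:
        return "scan-like"   # many peers touched, almost no data exchanged
    if len(feat["peers"]) >= 10 and feat["protos"] == {"tcp", "udp"}:
        return "p2p-like"    # wide fan-out with both transports in use
    return "other"


def constructed_flows():
    """Constructed sample: one P2P node, one scanner, one ordinary web client."""
    flows = []
    for i in range(20):  # P2P node: 20 peers, each a TCP data flow plus a UDP control flow
        peer = f"203.0.113.{i + 1}"
        flows.append(Flow(1.0 + i, "10.0.0.1", peer, 6881 + i, "tcp", 400, 300_000))
        flows.append(Flow(1.5 + i, "10.0.0.1", peer, 6881 + i, "udp", 30, 3_000))
    for i in range(50):  # scanner: one tiny probe to each of 50 hosts on port 445
        flows.append(Flow(2.0 + i * 0.5, "10.0.0.2", f"198.51.100.{i + 1}", 445, "tcp", 1, 60))
    for i in range(3):   # web client: a few HTTP flows, the last one outside the window
        flows.append(Flow(5.0 + i * 35, "10.0.0.3", "192.0.2.10", 80, "tcp", 20, 15_000))
    return flows
```

On the constructed data the largest quarter of the flows in a 60-second window carries over 98% of the bytes, which is the skew BMTI relies on: thresholds on packet and byte counts keep only the 20 P2P data flows on the detection list, while the scanner is caught by its node-level fan-out rather than by volume.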
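The five DoS factors named in (4) can be turned into a per-window check, as in this added Python example (written for this page, not the thesis's code). It computes the factors for a constructed baseline window and a constructed SYN-flood-like window and counts how many have moved the way a flood moves them; the change in node and port counts is split into two checks, and the thresholds (a 5x jump, an 80% share of small or identical packets, three factors to alarm) are this example's own assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Pkt:
    """One packet seen at the protected host's uplink; constructed input."""
    ts: float
    remote: str    # external node
    rport: int     # external node's port
    inbound: bool  # True = towards the protected host (download direction)
    length: int
    payload: bytes


def window_features(pkts):
    """The five per-window factors from the abstract, computed on the inbound side."""
    inbound = [p for p in pkts if p.inbound]
    outbound = [p for p in pkts if not p.inbound]
    in_bytes = sum(p.length for p in inbound)
    out_bytes = sum(p.length for p in outbound)
    ts = sorted(p.ts for p in inbound)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    n = len(inbound)
    top_payload = Counter(p.payload for p in inbound).most_common(1)
    return {
        "small_pkt_ratio": sum(1 for p in inbound if p.length <= 64) / n if n else 0.0,
        "remote_nodes": len({p.remote for p in inbound}),
        "remote_ports": len({p.rport for p in inbound}),
        "in_out_ratio": in_bytes / out_bytes if out_bytes else float("inf"),
        "mean_gap": mean(gaps) if gaps else float("inf"),
        "payload_similarity": top_payload[0][1] / n if n else 0.0,
    }


def dos_indicators(baseline, current, jump=5.0):
    """Factors that moved from the baseline window the way a flood moves them.
    Thresholds are assumptions of this example, not values from the thesis."""
    hits = []
    if current["small_pkt_ratio"] > 0.8:
        hits.append("packet lengths collapsed to a narrow small-packet range")
    if current["remote_nodes"] > jump * max(1, baseline["remote_nodes"]):
        hits.append("distinct remote nodes jumped")
    if current["remote_ports"] > jump * max(1, baseline["remote_ports"]):
        hits.append("distinct remote ports jumped")
    if current["in_out_ratio"] > jump * baseline["in_out_ratio"]:
        hits.append("download/upload byte ratio tilted towards inbound")
    if current["mean_gap"] < baseline["mean_gap"] / jump:
        hits.append("inter-packet gap shrank")
    if current["payload_similarity"] > 0.8:
        hits.append("inbound payloads nearly identical")
    return hits


def is_dos(baseline, current, min_hits=3):
    return len(dos_indicators(baseline, current)) >= min_hits


def constructed_baseline():
    """Normal mixed traffic: 10 remote hosts, 3 services, request/response pairs."""
    pkts, t = [], 0.0
    for i in range(60):
        remote, rport = f"198.51.100.{i % 10 + 1}", (80, 443, 22)[i % 3]
        pkts.append(Pkt(t, remote, rport, True, 100 + (i * 37) % 1300, b"req-%d" % i))
        pkts.append(Pkt(t + 0.02, remote, rport, False, 400 + (i * 91) % 1000, b"resp-%d" % i))
        t += 0.05
    return pkts


def constructed_flood():
    """SYN-flood-like window: 600 identical 40-byte packets from 250 spoofed
    sources with scattered source ports, and almost nothing flowing back out."""
    pkts, t = [], 100.0
    header_only = bytes(20)  # stand-in for a payload-less SYN
    for i in range(600):
        pkts.append(Pkt(t, f"203.0.113.{i % 250 + 1}", 1024 + (i * 7919) % 60000, True, 40, header_only))
        t += 0.0005
    for j in range(5):
        pkts.append(Pkt(100.0 + j * 0.06, "203.0.113.1", 2048, False, 40, b"rst"))
    return pkts
```

Comparing each window against a baseline rather than against fixed absolute values is what lets the same check sit next to heavy but legitimate P2P traffic: a P2P node also talks to many peers, but its packet lengths, payloads and upload/download ratio do not collapse the way a flood's do.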