Research on a Dynamic Security Defense Architecture for Large-Scale Network Systems: Control and Decision Problems under Information Confrontation (大规模网络系统的动态安全防御体系研究——信息对抗下的控制与决策问题)
Abstract
Doctoral dissertation, Northwestern Polytechnical University

In an era of rapidly developing information technology, network security is no longer purely a matter of defensive technology; it has increasingly become a contest of information and knowledge between Security Officers (SO) and Virtual Attackers (VA). Although current dynamic defense systems provide an overall technical framework for defense in terms of integrating security technologies and coordinating security management, they still lack an understanding of the complete information-confrontation process and cannot effectively solve the information control and decision problems that security officers face. Moreover, in large-scale network environments, dynamic defense systems often also suffer from problems of management-control granularity, processing of massive volumes of information, and dynamic adaptability.

This dissertation takes large-scale network systems as its object of study and, from the perspective of information confrontation, studies the security trend of such systems and the dynamic defense process. Through research on three aspects, dynamic security deployment, attack-information decision making and common-knowledge acquisition, it builds a model of a dynamic defense system for large-scale network environments. Finally, the dissertation presents a multi-agent-based implementation of the system; it has good system-integration capability, dynamic adaptability and knowledge-updating capability, and provides security officers with an environment platform for information decision support and security control management. The main innovations and contributions of this dissertation are as follows:

(1) The information-confrontation process is studied in detail, and a basic confrontation element and a game model of the dynamic process are proposed. The basic element is the layered, bidirectional confrontation between SO and VA over the vulnerability information of the target system under two asymmetric information conditions; the dynamic process is a four-party dynamic repeated game formed among the public confrontation, the target management system, the SO and the VA. This information-confrontation model describes the dynamic security trend of the target system in an information-driven way, identifies the control and decision problems faced by dynamic defense, and establishes a basic technical framework for a dynamic defense architecture. Finally, in combination with the problems faced in large-scale network defense, an independently developed and innovative dynamic security defense system model is proposed.

(2) Dynamic security deployment in large-scale network environments is studied. Observation capability and control capability are the two requirements of dynamic security deployment; to address the control and observation granularity problem in large-scale network environments, the dissertation proposes a subdomain segmentation management method. Subdomain border protection addresses the differing security requirements of subnets and the targeting of internal protection; subnet isolation, global policy and subdomain cooperation effectively solve the cooperation problem between different control domains, providing a flexible counterattack (intrusion response) mechanism for large-scale network system defense.

(3) Attack-information decision techniques under information confrontation are studied. Attack-information decision confrontation is the step in information confrontation from information to knowledge; only by converting an information advantage into a knowledge advantage can decision making ultimately succeed. For the handling of massive volumes of alert signals, information fusion is the key technology. On the basis of subdomain segmentation management, this dissertation proposes a security-information analysis method that combines subdomain attack-information fusion with main-domain attack-knowledge fusion. A three-layer attack-knowledge representation model and the corresponding knowledge fusion algorithm are given. The algorithm jointly considers the incomplete-information analysis problem, the false-alarm problem and the "novel false-alarm problem", improving the ability to recognise attack behaviour as knowledge. On the basis of information fusion, an anomaly analysis objective is proposed; using information sampling from trap hosts combined with anomaly query methods, a solution for attack anomaly analysis within attack-information fusion is put forward. The result of attack-knowledge recognition is to support decision analysis; according to the objectives of intrusion response, three stages of decision-support analysis are proposed at the main-domain level: attack path analysis, attack frequency analysis and attack capability analysis.

(4) Common-knowledge acquisition and security-trend analysis techniques under information confrontation are studied. Common-knowledge acquisition and security-trend analysis are the step in the complete information-confrontation model from knowledge acquisition to information discovery. This dissertation is the first to analyse the significance of common-knowledge acquisition and security-trend analysis from the perspective of information confrontation; it systematically summarises the classification, standards and knowledge description of common knowledge, gives a method for acquiring common knowledge in a dynamic defense system, and proposes a target-system security-trend analysis method that combines privilege graphs with attack trees.
In the age of information, a security system does not mean simple, pure protection, but the great rivalry between Security Officers (SO) and Virtual Attackers (VA). Some cyberspace security systems only give the defense framework, which is the integration of different protection technologies based on the system security management requirements, but not based on an understanding of information rivalry. So these systems cannot effectively solve the problems of decision making which the SOs face in the infowar, nor the problems of distributed security management granularity, massive information processing and dynamic adaptive ability, which SOs face in large-scale networks.

In this dissertation, system dynamic defense and security trend are studied on the basis of cyberspace countermeasures, in order to solve the problems of control and decision in large-scale dynamic defense systems. A new dynamic defense model is proposed under the knowledge of info-rivalry, considering three aspects: defense measure deployment, the attack information decision-making support system, and common competition knowledge. A multi-agent-based implementation is also given in the dissertation. The system offers SOs an extensible, adaptive, intelligent environment for security information and knowledge handling. The major contributions of the dissertation are summarized as follows.

(1) The rivalry model is presented to study the security defense problem. The basic aspect is the rivalry between SO and VA, through different layers of information, under two asymmetric information conditions, including two reverse-direction information handling processes. We also use game theory to analyze the dynamic process of the defense system in a large-scale network. A new architecture for a dynamic security system is presented based on the model of information rivalry.

(2) A new method of defense measure deployment, based on subdomain segmentation, is presented. In a large-scale security system, subdomain segmentation can effectively improve the granularity of control and observation. By setting border protection in each subdomain, specially customized protection is achieved. Subdomain auto-isolation, global policy management and subdomain cooperation protection make the defense system more controllable and self-adaptive.

(3) Based on the rivalry model, the process of attack information handling is studied. For massive, noisy and volatile data, information fusion is the key technology. In the dissertation, a new attack information handling algorithm, combining subdomain alert information fusion and global attack knowledge fusion, is presented. In attack knowledge fusion, a new correlation algorithm, based on the three-layer representation of attack knowledge, is proposed. The problems of information handling, including incomplete information for decision making, incorrect information for analysis and uncertain information for filtering, are considered in the new algorithm. Analysis of anomaly alerts provides an opportunity to learn of a new attack, but the related detailed information about that attack is lacking. In our algorithm, a method combining trap-node attack information gathering with anomaly alert queries is presented to create a new way to learn novel attack modes. In our decision-support system, an analysis framework, including attack path analysis, attack frequency analysis and attack capability analysis, is proposed to meet the intrusion response requirement.

(4) The concept of common rivalry knowledge is put forward, which depicts the process from obtaining common security knowledge to discovering critical information about the local system. Representation, classification and a global reference name standard for common security knowledge are summarized. Then a new model of system security trend analysis is presented, which combines vulnerability analysis (using the privilege graph analysis method) and attack knowledge analysis (using the goal tree analysis method).
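Contribution (3), in both the Chinese and English abstracts, describes a two-level pipeline: alerts are first fused inside each subdomain (with trap hosts used to corroborate them and suppress false alarms), then the confirmed results are fused at the main-domain level into attack path, attack frequency and attack capability views for intrusion response. The following Python sketch is an added example of that pipeline shape; it is not the dissertation's code. The alert records, the subdomain and trap-host layout, the signature-to-stage mapping used for "capability", the rule that an alert counts as confirmed only when two sensors agree or a trap host was touched, and the fixed one-hour observation window are all constructed assumptions, not the three-layer knowledge model or the fusion algorithm the dissertation actually proposes.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed signature -> attack-stage mapping (an assumption for this example,
# not the dissertation's three-layer knowledge model); higher stage = more capable.
STAGE = {"portscan": 1, "web-exploit": 2, "priv-escalation": 3}


@dataclass(frozen=True)
class Alert:              # one raw IDS alert from a sensor inside a subdomain
    t: int                # seconds since the start of the observation window
    subdomain: str
    sensor: str
    src: str
    dst: str
    sig: str


@dataclass
class FusedAlert:         # subdomain-level merge of repeated src/dst/signature alerts
    t_first: int
    t_last: int
    subdomain: str
    src: str
    dst: str
    sig: str
    sensors: set = field(default_factory=set)
    count: int = 0
    trap_hit: bool = False

    @property
    def confirmed(self) -> bool:
        # A single-sensor alert with no trap-host corroboration is kept but left
        # unconfirmed, so a likely false alarm is not forwarded to the main domain.
        return self.trap_hit or len(self.sensors) >= 2


def fuse_subdomain(alerts, trap_nodes, window=300):
    """Stage 1: collapse repeated alerts inside each subdomain.

    trap_nodes maps subdomain -> set of trap-host addresses. Nothing legitimate
    talks to a trap host, so a source that touches one corroborates every fused
    alert it caused in that subdomain; the trap traffic is not an incident itself.
    """
    groups = defaultdict(list)   # (subdomain, src, dst, sig) -> [FusedAlert, ...]
    trapped = set()              # (subdomain, src) pairs seen at a trap host
    for a in sorted(alerts, key=lambda x: x.t):
        if a.dst in trap_nodes.get(a.subdomain, set()):
            trapped.add((a.subdomain, a.src))
            continue
        runs = groups[(a.subdomain, a.src, a.dst, a.sig)]
        if runs and a.t - runs[-1].t_last <= window:
            f = runs[-1]                      # same burst: merge into it
        else:
            f = FusedAlert(a.t, a.t, a.subdomain, a.src, a.dst, a.sig)
            runs.append(f)                    # gap too large: new fused alert
        f.t_last = a.t
        f.sensors.add(a.sensor)
        f.count += 1
    fused = [f for runs in groups.values() for f in runs]
    for f in fused:
        f.trap_hit = (f.subdomain, f.src) in trapped
    return sorted(fused, key=lambda f: f.t_first)


def fuse_main_domain(fused, observation_hours=1.0):
    """Stage 2: correlate confirmed alerts across subdomains by source and derive
    the three decision-support views: attack path, frequency and capability."""
    by_src = defaultdict(list)
    for f in fused:
        if f.confirmed:
            by_src[f.src].append(f)
    report = {}
    for src, events in by_src.items():
        events.sort(key=lambda f: f.t_first)
        report[src] = {
            "path": [(f.subdomain, f.dst, f.sig) for f in events],
            "alerts_per_hour": sum(f.count for f in events) / observation_hours,
            "capability": max(STAGE.get(f.sig, 0) for f in events),
        }
    return report


# Constructed sample: one source moving from subdomain A to subdomain B, plus a
# lone single-sensor alert from another source that should stay unconfirmed.
TRAP_NODES = {"subA": {"10.1.0.250"}, "subB": set()}
SAMPLE_ALERTS = [
    Alert(0,   "subA", "ids-a1", "203.0.113.9",  "10.1.0.5",   "portscan"),
    Alert(20,  "subA", "ids-a1", "203.0.113.9",  "10.1.0.5",   "portscan"),
    Alert(40,  "subA", "ids-a1", "203.0.113.9",  "10.1.0.250", "portscan"),
    Alert(100, "subA", "ids-a2", "198.51.100.4", "10.1.0.9",   "web-exploit"),
    Alert(600, "subB", "ids-b1", "203.0.113.9",  "10.2.0.7",   "web-exploit"),
    Alert(605, "subB", "ids-b2", "203.0.113.9",  "10.2.0.7",   "web-exploit"),
    Alert(900, "subB", "ids-b1", "203.0.113.9",  "10.2.0.7",   "priv-escalation"),
    Alert(950, "subB", "ids-b2", "203.0.113.9",  "10.2.0.7",   "priv-escalation"),
]

if __name__ == "__main__":
    fused = fuse_subdomain(SAMPLE_ALERTS, TRAP_NODES)
    for f in fused:
        print(f"{f.subdomain} {f.src}->{f.dst} {f.sig} x{f.count} confirmed={f.confirmed}")
    print(fuse_main_domain(fused))
```

On the sample, subdomain fusion reduces eight raw alerts to four fused ones; the lone single-sensor alert from 198.51.100.4 remains unconfirmed and never reaches the main domain, while the portscan from 203.0.113.9 is confirmed by the trap host even though only one sensor saw it. The main-domain report for that source then shows a three-step path across both subdomains, six alerts in the observation hour, and capability stage 3. Replacing the stage table with the dissertation's three-layer attack-knowledge representation, and the two-sensor rule with its fusion algorithm, is where the real system departs from this sketch.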
