Research on a Composite Attack Model and Detection Method Based on Extended Directed Graphs
Abstract
Network alert correlation rests on the basic premise that correlations between network attack actions are necessarily reflected in some correlation between their alerts. By comprehensively analysing large volumes of alert data, it discovers relationships among discrete alerts and thereby identifies real attack behaviour or intent. Most current correlation methods are devoted to improving alert quality and to offline analysis of relationships between alerts; their results lack a unified formal description, do not form usable knowledge, and are hard to apply directly to attack detection and prediction.
A composite attack is a complete attack process composed of several indivisible attack steps combined according to some logical relationship. The causal or logical relations that generally hold between successive steps of a composite attack are reflected in the alerts, which makes composite attack detection possible. Building a suitable formal model of composite attacks, and using it as the basis for detecting composite attacks and predicting the subsequent attack steps, can effectively guide security administrators to take targeted defensive measures in time and prevent greater harm to the protected network. This is more meaningful than after-the-fact analysis and better matches what people expect.
To this end, a composite attack model and detection method based on an extended directed graph is proposed. The method automatically extracts abstract patterns of attack behaviour and adopts the extended directed graph as the model for expressing composite attack behaviour and its constraint relations. When part of a composite attack sequence recurs, the composite attack can be detected against this model, so that prediction is achieved before the most threatening attack steps arrive.
The composite attack features and abstract attack behaviour patterns are extracted from analysis of historical data. Regularities among alert attributes are the embodiment of composite attack behaviour patterns; once found, they serve as the basis for composite attack detection, so obtaining the regularities among alert attributes is the key to building the model. The improvement to the frequent episode mining algorithm is based on analysis of the characteristics of alert data: alerts produced by security devices are of a complex data type consisting of several attributes, each of which constrains the attack pattern. Therefore, when performing sequence analysis on alerts, the relationship between the type attribute and the other attributes is examined in particular. The mined episode patterns capture the causal relations between different attack actions and indicate the likelihood that one attack occurs accompanied by another, while the attribute constraints embody the correlation logic between attack steps. Experimental results show that the method can reveal relations between attack actions and form attack behaviour patterns automatically.
In the composite attack model based on the extended directed graph, nodes represent alert types, directed edges represent possible causal relations between alert types, the constraints on edges express the conditions that must hold for a genuine causal correlation between alerts, and node weights represent the severity of the different alert types. The model effectively expresses the logical relations between attack actions and serves as the framework for composite attack detection and matching.
Real-time detection is based on the extended directed graph. It analyses the correlation relations between alerts by backward matching and missing-item matching, and uses two detection indicators, the detection degree and the matching degree, to measure respectively the rate at which composite attacks are detected and how well a composite attack that has progressed to its current step matches the whole attack scenario. When a new alert arrives, the set of alerts that may be causally correlated with it is determined from the directed edges of the graph; the correlation between each alert in that set and the current alert is analysed to determine the likelihood that the pair are two adjacent steps of the same attack scenario; on this basis the detection degree and matching degree of the composite attack are computed, and the next attack step that may occur is predicted from the results. This method overcomes the drawback of building match chains from matching rules, where the number of chains may grow exponentially as the data grows, and can dynamically and completely recover the attack process.
The system is implemented in Java. Experiments validated the method with the DARPA 2000 data set and with real data collected from a honeynet and a local area network. The results show that the system achieves a 93% detection rate for multistep attacks and can on average make a judgement at least one step ahead and notify the administrator of the result.
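As an added example (not the thesis's own Java implementation) of the graph matching described above: alert types are nodes with a severity weight, each edge carries an attribute constraint, a new alert is matched backward against the recent alert window, and missing-item matching allows one unobserved step; the matching degree is the weight of the matched chain relative to the whole scenario, and the predicted next step is the set of successor nodes. The alert types, weights, constraint, window and alerts are all constructed; the detection degree is a rate over many scenarios and is not computed here.

```python
"""Matching alerts against an extended directed graph of attack steps.
Added illustration, not the thesis's Java system; all alert types, weights,
constraints, window and alerts below are constructed."""
from dataclasses import dataclass


@dataclass
class Alert:
    kind: str   # alert type, i.e. a node of the graph
    dst: str    # destination address
    t: int      # arrival time in seconds


def same_target(p, a):
    """Edge constraint: predecessor p and new alert a aim at the same host."""
    return p.dst == a.dst


WEIGHTS = {"Sweep": 1, "Probe": 2, "Exploit": 4, "Install": 5}  # node severity
EDGES = {("Sweep", "Probe"): same_target,       # (tail, head) -> constraint
         ("Probe", "Exploit"): same_target,
         ("Exploit", "Install"): same_target}
TOTAL = sum(WEIGHTS.values())                   # weight of the full scenario


def successors(kind):
    """Alert types the graph says may follow `kind` (the predicted next step)."""
    return [h for (t, h) in EDGES if t == kind]


class Detector:
    def __init__(self, window=600):
        self.window = window   # max seconds between two correlated alerts
        self.history = []      # (alert, matched chain ending in that alert)

    def _candidates(self, a, skip):
        """Chains within the window whose last alert may precede a.
        skip=True is missing-item matching: one unobserved step m is allowed
        between p and a, with a standing in for m in the p->m constraint."""
        out = []
        for p, chain in self.history:
            if a.t - p.t > self.window:
                continue
            if not skip:
                if (p.kind, a.kind) in EDGES and EDGES[(p.kind, a.kind)](p, a):
                    out.append(chain)
            else:
                for m in successors(p.kind):
                    if (m, a.kind) in EDGES and EDGES[(p.kind, m)](p, a):
                        out.append(chain)
        return out

    def process(self, a):
        """Return (chain of alert kinds, matching degree, predicted next kinds)."""
        # backward matching first; missing-item matching only if it finds nothing
        cands = self._candidates(a, skip=False) or self._candidates(a, skip=True)
        best = max(cands, key=lambda c: sum(WEIGHTS[x.kind] for x in c), default=[])
        chain = best + [a]
        self.history.append((a, chain))
        degree = sum(WEIGHTS[x.kind] for x in chain) / TOTAL
        return [x.kind for x in chain], round(degree, 4), successors(a.kind)
```

Feeding Sweep, Probe and then Install for the same host (with the Exploit step never observed) still yields the chain Sweep, Probe, Install through missing-item matching, while alerts older than the window are ignored.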
Alert correlation rests on the principle that the relationships between alerts reflect, in some sense, the relationships between attack actions. These correlations can be discovered by comprehensive analysis: the number of alerts can be reduced by alert aggregation, false positives can be eliminated by cross-correlation with background knowledge, and the logical relationships between alert types can be disclosed by multistage attack correlation. Most approaches presented so far focus on discovering correlation relationships rather than predicting attacks. In fact, predicting the next attack step is more significant than post-hoc analysis, because it helps defenders take appropriate actions to prevent further compromise of the network.
To address this problem, alert correlation and multistage attack prediction based on an extended directed graph is proposed; the graph represents the attack features and abstract patterns of multistage attacks. Whenever an attack sequence partly matching the graph appears, the corresponding pattern can be recognized and the successive steps predicted.
The extraction of attack features and abstract action patterns of multistage attacks results from the analysis of historical data. The regularity between alert attributes indicates the patterns of attack actions. An alert is comprised of several attributes with different data types, so the algorithm for discovering frequent episodes in event sequences needed to be adapted for alert sequence analysis. During the mining process, particular attention is paid to the relationship between the alert type attribute and the other attributes. The patterns in the results represent the transition relations between attack types, and the attribute constraints represent the correlation relations. This approach can extract attack action patterns and constraints effectively, especially for automated attacks.
An extended directed graph is presented to model the relations between attack actions: nodes represent attack types and directed edges represent the transition relations between attack types. Each new alert is matched against the graph. First, the set of earlier alerts that satisfy the constraints is collected according to the directed edges. Second, the correlation relationship between each alert pair is judged. Third, the completeness and matching degree are computed. Finally, the next attack action is predicted according to the two indicators.
The approach is evaluated with the DARPA 2000 data sets and live data collected from our honeynet and local test network. Experiments show that it can effectively construct attack scenarios and predict the attack action at least one step ahead on average. The detection rate reaches 93%.
