Research on Computer Forensics Methods and Implementation Technologies Based on Active Acquisition
Abstract
As criminal activity that endangers communication networks and information security grows, computer forensics has gradually become a focus of attention and research. Computer forensics studies how to provide thorough, effective and secure technologies, procedures and methods for investigating computer crime; its key requirement is to ensure that evidence is authentic, reliable, complete and legally admissible.
     This thesis studies the requirements of investigating parties and related objects in computer forensics under various modes and for different purposes, and proposes a computer forensics framework based on active acquisition that combines dynamic forensics, honeynet forensics and remote forensics. Dynamic forensics is realised by integrating computer forensics technology with firewalls and intrusion detection systems: data on possible computer criminal acts is acquired and analysed in real time and a timely response is made, so that the largest possible amount of evidence is obtained while system security is maintained. The honeynet forensics system forms a hacker-trapping network architecture from which the attack process executed by an attacker can be learned and a large amount of useful information obtained; this allows early warning of new attacks, delaying of attacks and diversion of attack targets, and responses by simulated replies and triggered alerts. Remote forensics can acquire electronic evidence from a suspect's host remotely, obtaining evidence before the crime is carried out, and at the same time uses information on the attacking host to obtain a list of the persons and hosts that frequently contact the suspect, so as to judge whether the attack is the work of an individual or a group and thus solve the case.
     This thesis proposes the Active Acquisition Computer Forensics Model (A2CFM), which broadens the range of forensic sources, defines different levels of forensic sources, and extends the scope of forensics to the whole process before, during and after an attack. It proposes a security audit assistance management system (UPAM) that enriches the sources of forensic information, and strengthens forensic analysis through layered filtering of forensic sources.
     This thesis designs and implements the Active Acquisition Remote Forensics System (A2RFS). The system simulates two kinds of network environment and can perform forensics on computers that, under particular circumstances, are not connected to the network. During remote forensics a custom driver traverses different layers of the kernel; it not only traverses current mainstream firewalls successfully but also traverses firewalls that monitor the network using IMD technology reasonably well.
     The thesis also proposes a method for building an attack group model via a relationship graph. Under the constraints of temporal characteristics and causal relations, it determines the attack sequence and reconstructs the attack process of compound attacks, and responds to attacks in a timely manner without needing to consider the ratio of response cost to damage cost for individuals in the attack group, thereby reducing response cost as far as possible.
     In addition, the thesis proposes a multi-level compressed decision tree algorithm that overcomes the C4.5 algorithm's drawback of repeatedly scanning and sorting the data while constructing the tree, optimising tree size and classification accuracy and markedly improving decision efficiency. Using the classification produced by the decision to build a multi-level decision tree not only speeds up tree growth but also yields a well-structured tree from which good rule information can readily be mined.
With the spread of computers and network applications, people rely on computers and networks more and more. Computers increasingly take part in people's work and lives, and computer-related court cases continue to appear. High-tech computer-related crime is a new form of crime whose criminal behaviour is more rampant and whose means are more covert. Relying on traditional network security technologies such as access control, network isolation and intrusion detection to fight computer crime is not very effective, so law enforcement means must be strengthened and law enforcement efforts increased. In this situation computer forensics has been proposed; it is not only an effective application of the law in computer science but also a powerful supplement to the existing network security architecture. Computer forensics mainly studies how to provide thorough, effective and safe technologies, procedures and methods for the investigation of computer crime, and the key is to ensure that evidence is authentic, reliable, complete and legitimate.
     Existing computer forensics technologies and products are mostly designed for static forensics. In recent years dynamic forensics, the development trend of computer forensics, has developed rapidly, but it has focused on real-time monitoring and has rarely addressed forensics technologies based on active acquisition. Against this background, this paper proposes a computer forensics method based on active acquisition, which is strongly targeted at discovering computer-related crime, especially organised computer-related crime.
     The primary research work of this paper includes:
     1. Research on a computer forensics model based on active acquisition. This paper studies the computer forensics requirements of the investigating subject and related objects under a variety of modes and for different purposes. By combining policy control, operation control and technology control with law enforcement, a framework for computer forensics based on active acquisition is given that includes dynamic forensics, honeynet forensics and remote forensics. Dynamic forensics is implemented by combining computer forensics technology with firewalls and intrusion detection systems: data on possible computer criminal acts is obtained and analysed in real time, the intruder's purpose is identified, measures such as cutting off the link or other responses are taken, and, while system security is ensured, the largest possible amount of evidence is gained and then identified, preserved and submitted. The honeynet forensics system constitutes a network architecture for trapping hackers. It can learn hackers' attack processes and obtain a large amount of useful information, thereby giving early warning of new attacks, delaying attacks and diverting attack targets, and responding with simulated replies and triggered warnings. Remote forensics can remotely obtain electronic evidence from suspects' hosts, obtaining evidence of a crime before it is committed and at the same time acquiring the list of persons and hosts that contact the criminal according to the relevant information, so as to determine whether the aggressive behaviour is an individual crime or a gang crime and thus achieve the purpose of detection.
     2. This paper presents an Active Acquisition Computer Forensics Model (A2CFM), expanding the scope of computer forensics sources and defining different levels of forensics sources in order to extend the scope of forensics to the whole attack process, including before, during and after the attack. A security audit assistance management system (UPAM) is proposed, which monitors write operations to physical ports and provides a detailed logging function, enhancing the effective information sources for computer forensics and making up for the shortcomings of current forensics sources. Furthermore, forensics sources are filtered by layers to increase the strength of forensics analysis.
     3. This paper designs and implements a remote forensics system based on active acquisition (A2RFS). The system simulates two types of network environment and can obtain evidence from computers that cannot access the network in specific circumstances. When carrying out remote forensics, a custom driver can traverse different levels of the kernel layer; it can not only successfully traverse current mainstream firewalls but also traverse IMD-based firewalls that perform network monitoring reasonably well.
     4. A method for establishing an attack group model by means of a relationship graph of the various attacks is proposed. Under the constraints of time characteristics and causal relations it can determine the attack sequence and reconstruct the attack sequence of compound network attacks. Besides, it makes a timely response without considering the ratio of damage cost to response cost for each individual attack, so as to achieve the greatest reduction of response cost.
     5. A multi-level compression decision tree algorithm is proposed, which overcomes the disadvantage of C4.5 of scanning and sorting the data several times when constructing the tree. It optimises the size and classification accuracy of the tree and improves the efficiency of decision-making. Using the classification decisions to set up a multi-level decision tree not only speeds up the growth of trees but also yields trees with good structure, from which better rule information can be obtained.
The innovations of this paper are mainly reflected in the following aspects:
     1. When carrying out remote forensics, a custom driver can traverse different levels of the kernel layer; it can not only successfully traverse current mainstream firewalls but also traverse IMD-based firewalls that perform network monitoring reasonably well.
     2. This paper presents an Active Acquisition Computer Forensics Model (A2CFM), expanding the scope of computer forensics sources and defining different levels of forensics sources in order to extend the scope of forensics to the whole attack process, including before, during and after the attack. The main sources of computer forensics are described by a unified knowledge representation, and the different levels of sources are defined. The output of a forensics system depends on the type, quantity and quality of the available input data, so for a computer forensics system, how to acquire forensics information sources is the first issue to solve. This paper uses UPAM logs, honeynet logs and intrusion detection information as direct inputs to the forensics information sources. Other information, such as out-of-band information, firewall logs, host data and network data, serves as intrusion detection information sources and is first passed through the filtering analysis of intrusion detection. The benefits of doing so are:
     1) It enhances the safety and efficiency of forensics. Computer forensics differs from intrusion detection, and the biggest difference is the requirement for legitimacy. For evidence generated by forensics, the extraction, storage and transmission process has special requirements for confidentiality, integrity and availability compared with the process that generates intrusion logs. Hierarchical filtering, together with the use of intrusion detection to filter out redundant log information, not only guarantees the diversity of forensics sources but also minimises the input to the forensics system.
     2) Intrusion detection is a more mature technology. Compared with computer forensics, which can be called a new technology, its technical means are rich and target-oriented. Using intrusion detection to filter information means using mature technologies to complete the analysis and extraction of logs, providing a basic guarantee of the accuracy of crime analysis for the whole system.
     3. This paper designs and implements a remote forensics system based on active acquisition (A2RFS). The system simulates two types of network environment and can obtain evidence from computers that cannot access the network in specific circumstances.
     4. An intrusion response method based on cost is proposed. It studies the method of calculating the response cost in a coordinated attack situation, then minimises the cost to achieve the goal of maximum security. Using methods of graph theory, it establishes the attack group model, determines the course of a coordinated intrusion attack under constraints of time characteristics and causal relations, and considers the overall relationship between the individual response cost and the whole response cost of the coordinated attack to determine whether a response needs to be made, thus achieving the goal of maximally reducing response cost.
     To sum up, this paper conducts systematic research on dynamic computer forensics methods based on active acquisition and proposes a dynamic computer forensics model based on active acquisition. Through real-time monitoring of attack occurrence it may, on the one hand, carry out real-time synchronised forensics to make detailed records of intrusion behaviour; on the other hand, it may activate the response system to call the firewall or IRS to implement a corresponding response to intrusion behaviour of different intensities. The dynamic computer forensics model makes forensics more real-time and continuous, reduces damage to the forensics system as much as possible through the interaction of firewalls and the intrusion detection system, and, through honeynet technologies, can observe the steps and methods of network attacks and thus learn the weaknesses and cracks of the system in order to update the intrusion signature database and call the corresponding response measures. Under the authority of the public security organs, remote forensics technologies can obtain electronic evidence from the hosts of criminal suspects remotely. Before or during the crime, evidence of the crime is obtained, and at the same time the list of hosts that often contact the criminal suspect is acquired from the relevant information on the attacking hosts, to determine whether the attack is an individual crime or a gang crime and achieve the purpose of detection. Parts of the content of this paper have proved very effective in practice. The research has important theoretical significance and application value.