Research on Intrusion Detection Systems
Abstract
As an important security technology, intrusion detection is increasingly widely applied and deeply studied. Storage-level intrusion detection is one of the important components of the intrusion detection system and is currently a challenging research hotspot; it collects operation data from computer storage and detects unauthorized intrusions as close to real time as possible.
     The attack model and the matching method are the two most important aspects of storage-level intrusion detection system research, so this thesis focuses on these two aspects. The research mainly includes: automatic generation of attack patterns based on decision tree classification, a feature fusion algorithm for anomaly detection based on D-S evidence theory, and collaborative joint defense among different types of IDS, in order to improve the detection capability, detection accuracy and detection efficiency of storage-level intrusion detection systems.
     The main work of this thesis is as follows:
     1. A decision tree classification generation algorithm is proposed, and from it a method for automatically generating attack patterns is given.
     The attack model is an important factor in misuse detection and determines the detection rate and false alarm rate of a storage-level IDS. To obtain a reasonable and effective attack model, this thesis applies attack modeling theory to building the attack model of a storage-level IDS and extends the decision tree model so that the attack model describes attacks more accurately and completely and can be reused and shared. A decision tree classification generation algorithm is then proposed so that the model can be generated automatically. To verify the effectiveness of the model and the algorithm, experiments were carried out on storage operation data collected on a simulation platform; the results show that the model and the algorithm are effective, and the model additionally has the advantages of reusability and automatic generation.
     2. Six groups of low-computation-cost features are proposed and fused with D-S evidence theory to reach a verdict.
     The core of anomaly detection research is building a complete and accurate model of normal behavior. Based on a comprehensive analysis of data collected under normal and abnormal system operation, this thesis proposes six groups of key features of storage operation data with low computation cost, and uses D-S evidence theory to fuse the observations obtained on these features into an overall verdict. Choosing low-cost features and an efficient fusion rule ensures that the algorithm's performance meets the requirements of high-speed detection.
     3. A joint defense method among IDSs at different levels is proposed.
     This thesis proposes a method of joint defense through collaboration among IDSs, modeled on the way human society solves problems. Collaboration has two modes: in active defense mode, the IDS responsible for the intrusion victim sends the intrusion details to the IDS responsible for the intruder, and the latter takes measures to stop the attack from continuing; in notification and early-warning mode, when one IDS discovers an attack, it notifies its acquaintance IDSs so that they can take preventive measures in advance.
     In addition, in view of the characteristics of intrusion detection system research, this thesis studies a research framework for storage-level intrusion detection, and collects and analyzes storage operation data. Finally, experiments are designed to further verify the correctness of the proposed models and algorithms.
     Many issues in storage intrusion detection technology remain to be explored; the work of this thesis is only an initial exploration, and further in-depth research is needed.
As an important security technology, Intrusion Detection Systems (IDS) are used more and more widely. Storage-based intrusion detection is one of the most important parts of the intrusion detection field. Its aim is to detect unauthorized intrusion as quickly as possible by analyzing the operation data collected from storage devices.
     The attack model and the analysis method are two important aspects of storage-based intrusion detection system research and are therefore the focus of this thesis. The research mainly involves building attack patterns automatically based on a decision classification tree; detecting abnormal behaviors by fusing multiple data features using D-S evidence theory; and coordinated protection among different types of IDSes, to improve the detection ability, accuracy and efficiency of storage-based IDS.
     The main achievements of this thesis can be summarized as follows:
     1. A decision classification tree generating algorithm is proposed. Based on the model and the algorithm, a method for building attack patterns automatically is given.
     The attack model is one of the most important elements in misuse detection and determines storage-based IDS performance. Based on attack modeling theory, an extended attack tree model is presented, aiming at describing attacks exactly. Moreover, the model can be reused and shared. Based on the model, the decision classification tree generating algorithm is presented. Experiments using a dataset of storage operations collected on a simulated platform are given to verify the effectiveness and efficiency of the model and the algorithm.
     2. Six groups of light-computation features of storage operation data are proposed. A storage anomaly detector that fuses these features based on Dempster-Shafer (D-S) evidence theory is presented.
     The detector fuses multiple features of storage operation data to decide whether the flow is normal, and through this fusion achieves a low false alarm rate and a low miss rate. Furthermore, the six light-computation features are used with an efficient fusion mechanism to guarantee high performance of the algorithm.
     3. A collaboration method among IDSes at various levels is proposed.
     Collaboration among different IDSes can construct a united defense model and therefore increase the security of the whole system. The collaboration method proposed here simulates acquaintance relations in human society. The collaboration can be implemented in two ways. One of them is sending the intrusion information from the victim's IDS to the attacker's IDS and asking it to stop further attack. The other is sending an alarm from one IDS, when it finds some novel intrusion, to its acquaintance IDSes.
     In addition, according to the characteristics of IDS, the framework and architecture of storage-based IDS are discussed in this thesis. Experimental data are collected and analyzed. Finally, the models, algorithms and methods presented in this thesis are further verified in designed experiments.
     There are still many aspects of storage-based IDS technologies and related technologies that need to be discussed and researched. The work of this thesis is only a simple attempt, and further research is needed.
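The two descriptions of contribution 1 above (the Chinese and English abstracts) say that attack patterns are derived automatically from a decision classification tree. The thesis does not publish its extended tree model, so the following is an added illustration, not the thesis's code: plain ID3 (information gain) is grown over a small set of constructed storage-operation records, and every root-to-leaf path ending in the "attack" class is read off as an attack pattern. The attribute names, values and records are all constructed for the example.

```python
# Added example: deriving misuse-detection patterns from a decision tree.
# Records, attributes and values are constructed; they are not thesis data.
from collections import Counter
from math import log2

ATTRIBUTES = ["op", "target", "hour", "size"]   # hypothetical feature names

RECORDS = [  # constructed labelled storage operations
    {"op": "write",  "target": "system_bin", "hour": "night", "size": "small", "label": "attack"},
    {"op": "write",  "target": "system_bin", "hour": "day",   "size": "small", "label": "attack"},
    {"op": "write",  "target": "user_home",  "hour": "day",   "size": "large", "label": "normal"},
    {"op": "read",   "target": "system_bin", "hour": "day",   "size": "small", "label": "normal"},
    {"op": "read",   "target": "user_home",  "hour": "night", "size": "large", "label": "normal"},
    {"op": "delete", "target": "log",        "hour": "night", "size": "small", "label": "attack"},
    {"op": "delete", "target": "user_home",  "hour": "day",   "size": "small", "label": "normal"},
    {"op": "write",  "target": "log",        "hour": "night", "size": "large", "label": "attack"},
    {"op": "read",   "target": "log",        "hour": "day",   "size": "small", "label": "normal"},
    {"op": "write",  "target": "user_home",  "hour": "night", "size": "small", "label": "normal"},
]


def entropy(rows):
    """Shannon entropy of the class labels in rows (0 for a pure set)."""
    total = len(rows)
    counts = Counter(r["label"] for r in rows).values()
    return -sum(c / total * log2(c / total) for c in counts)


def info_gain(rows, attr):
    """Entropy reduction obtained by splitting rows on attr."""
    parts = {}
    for r in rows:
        parts.setdefault(r[attr], []).append(r)
    remainder = sum(len(p) / len(rows) * entropy(p) for p in parts.values())
    return entropy(rows) - remainder


def build_tree(rows, attrs):
    """ID3: pick the attribute with the highest information gain, recurse.
    Ties keep the earlier attribute in attrs, so the tree is deterministic."""
    labels = Counter(r["label"] for r in rows)
    majority = labels.most_common(1)[0][0]
    if len(labels) == 1 or not attrs:
        return {"leaf": majority}
    best, best_gain = attrs[0], info_gain(rows, attrs[0])
    for a in attrs[1:]:
        g = info_gain(rows, a)
        if g > best_gain:
            best, best_gain = a, g
    if best_gain <= 0:
        return {"leaf": majority}
    node = {"attr": best, "majority": majority, "children": {}}
    rest = [a for a in attrs if a != best]
    for value in sorted({r[best] for r in rows}):
        subset = [r for r in rows if r[best] == value]
        node["children"][value] = build_tree(subset, rest)
    return node


def classify(node, record):
    """Walk the tree; an attribute value never seen in training falls back to
    the majority label of the node where the walk stops."""
    while "leaf" not in node:
        child = node["children"].get(record.get(node["attr"]))
        if child is None:
            return node["majority"]
        node = child
    return node["leaf"]


def extract_patterns(node, path=(), target="attack"):
    """Every root-to-leaf path that ends in `target` becomes one pattern:
    a tuple of (attribute, value) conditions that must all hold."""
    if "leaf" in node:
        return [path] if node["leaf"] == target else []
    patterns = []
    for value, child in node["children"].items():
        patterns.extend(extract_patterns(child, path + ((node["attr"], value),), target))
    return patterns


TREE = build_tree(RECORDS, ATTRIBUTES)
ATTACK_PATTERNS = extract_patterns(TREE)

if __name__ == "__main__":
    for pattern in ATTACK_PATTERNS:
        print(" AND ".join(f"{a}={v}" for a, v in pattern), "=> attack")
```

On this constructed data the root split is on `target`, and the attack patterns come out as conjunctions of two conditions; the `size` attribute never appears in a pattern because it carries almost no information about the label. A real system would want the patterns validated against held-out data before they are loaded into a misuse detector, since a tree grown on a small sample memorizes it.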
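Contribution 2, described in both the Chinese and English abstracts above, fuses the evidence from six feature groups with D-S evidence theory to reach an overall verdict. As an added example (not the thesis's detector), the code below implements Dempster's rule of combination over the two-hypothesis frame {normal, anomalous}: each feature group contributes a basic probability assignment, the assignments are folded together, and the verdict is read off from the belief in "anomalous". The feature-group names, scores and confidences are constructed; the thesis does not publish its six feature groups. The example also covers the edge case the rule is known for, total conflict between two sources, where division by 1-K is undefined.

```python
# Added example: Dempster-Shafer fusion of per-feature anomaly evidence.
# Frame, scoring scheme and sample observations are constructed for the example.
from itertools import product

N = frozenset({"normal"})       # singleton hypothesis: the window is normal
A = frozenset({"anomalous"})    # singleton hypothesis: the window is anomalous
THETA = N | A                   # the whole frame, i.e. "don't know"


def mass_from_score(score, confidence):
    """Turn a feature's anomaly score in [0,1] and the confidence placed in that
    feature into a basic probability assignment. Mass not committed to either
    hypothesis stays on THETA (ignorance), which keeps weak features from
    dominating the fusion."""
    if not 0.0 <= score <= 1.0 or not 0.0 <= confidence <= 1.0:
        raise ValueError("score and confidence must lie in [0, 1]")
    return {A: score * confidence,
            N: (1.0 - score) * confidence,
            THETA: 1.0 - confidence}


def combine(m1, m2):
    """Dempster's rule: m(C) = sum over X∩Y=C of m1(X)m2(Y), divided by 1-K,
    where K is the mass landing on conflicting (disjoint) pairs.
    Returns (fused mass function, K)."""
    fused, conflict = {}, 0.0
    for (x, mx), (y, my) in product(m1.items(), m2.items()):
        inter = x & y
        if inter:
            fused[inter] = fused.get(inter, 0.0) + mx * my
        else:
            conflict += mx * my
    if conflict >= 1.0 - 1e-12:
        # Total conflict: the rule is undefined. A detector should surface
        # this as a diagnostic rather than silently pick a side.
        raise ValueError("total conflict between evidence sources")
    return {h: v / (1.0 - conflict) for h, v in fused.items()}, conflict


def fuse(masses):
    """Fold Dempster's rule over all feature groups, starting from the vacuous
    belief (all mass on THETA). Also returns the largest pairwise conflict
    seen, a cheap signal that two feature groups disagree strongly."""
    m, worst_k = {THETA: 1.0}, 0.0
    for mi in masses:
        m, k = combine(m, mi)
        worst_k = max(worst_k, k)
    return m, worst_k


def verdict(observations, threshold=0.8):
    """observations: iterable of (score, confidence), one per feature group.
    Returns (label, Bel(anomalous), Pl(anomalous))."""
    m, _ = fuse(mass_from_score(s, c) for s, c in observations)
    bel = m.get(A, 0.0)              # belief: mass fully committed to A
    pl = bel + m.get(THETA, 0.0)     # plausibility: mass not contradicting A
    return ("anomalous" if bel >= threshold else "normal"), bel, pl


# Constructed observations for one window of storage operations: six
# hypothetical feature groups, each reporting (anomaly score, confidence).
SAMPLE_WINDOW = [
    (0.9, 0.8),   # write rate to system directories
    (0.7, 0.6),   # metadata (attribute/timestamp) change rate
    (0.8, 0.7),   # accesses to sensitive paths
    (0.3, 0.4),   # operation-type mix (read/write/delete ratio)
    (0.6, 0.5),   # block/inode reuse pattern
    (0.2, 0.3),   # time-of-day deviation
]

if __name__ == "__main__":
    label, bel, pl = verdict(SAMPLE_WINDOW)
    print(f"{label}: Bel(anomalous)={bel:.3f} Pl(anomalous)={pl:.3f}")
```

The gap between Bel and Pl is the uncertainty left after fusion; a detector can use it to decide whether to alert, to stay quiet, or to collect more evidence before deciding, which a plain weighted vote over the six features cannot express. Keeping per-feature confidence below 1 is what makes total conflict impossible for real observations, since some mass always remains on THETA; the error path is only reached by sources that claim certainty in opposite directions.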