Research on Key Technologies of Network Threat Detection and Defense
Abstract
With the continuous development of computing technology and the spread of networks, network attacks take ever more forms, network security problems grow more prominent, and the social impact and economic losses they cause keep increasing, which raises new requirements and challenges for network threat detection and defense. Network security is a spiralling process. Network threat detection, network security situation index assessment and dynamic network security immunization are key links in network security defense; scientific and effective measures can curb network attacks, reduce network security threats and keep networks running in a healthy and orderly way. Research on these three aspects, detection, assessment and immunization, can effectively strengthen the emergency response capability of network security defense organizations.
Network traffic anomalies and the spread of malicious code on hosts are the main network security threats today and the key objects of network security monitoring. Finding abnormal traffic quickly and accurately, and capturing, analyzing, tracking and monitoring malicious code promptly and accurately, provide the knowledge base for network security situation index assessment and immunization decisions, and thereby raise the overall response capability of network security emergency organizations.
Network security situation index assessment is an important tool for evaluating the state of network security; an index is an indicator that reflects the security attributes of the assessed object as a whole, and is also called the network security situation index. A network security situation assessment indicator system is a set of related indicators, constructed according to the assessment goals and content, that reflect the level of network security; it guides the collection of information about the assessed object and reflects the basic profile, quality and level of that object's network security. The network security situation index is a composite indicator of the state of network security, and the indicator system is the basis on which a standardized, objective and quantitative conclusion about network security can be formed.
System patching, virus scanning and similar means can immunize information devices against part of the malicious code and restore them. From the perspective of complex network theory, deciding what immunization strategy the nodes of the whole network should adopt so as to balance immunization effect against implementation cost is a hard problem. Combining static immunization, such as random and targeted immunization, with dynamic immunization into a network immunization strategy that composes the various immunization means in time and space can effectively mitigate the threat of all kinds of malicious code.
This dissertation studies network traffic monitoring and denial-of-service attack detection, proposes an online real-time high-speed detection technique for flooding attacks on SIP VoIP systems, designs a malicious code monitoring and analysis platform based on honeynet technology, discusses a network security situation index assessment scheme, analyzes the propagation dynamics of malicious code in networks and, drawing on complex network theory, proposes a dynamic immunization model for malicious code based on information spreading. The main results are as follows:
1. An online real-time high-speed detection algorithm for flooding attacks on SIP VoIP systems
Existing research mainly detects on protocol attribute tuples and protocol state machines; because it ignores the directionality of signaling interaction and the distribution of call durations, the detector can be deceived with forged traffic and tends to misjudge normal high-traffic periods as attacks. Through in-depth analysis of the flooding attack process against SIP VoIP systems, the proposed method exploits the directionality of SIP signaling interaction and the statistical distribution of call durations, and uses the chi-square value as a distance measure to detect flooding attacks quickly and effectively while distinguishing them from normal high-traffic scenarios. The method is general and can be extended to other communication protocols with session semantics.
2. A large-scale distributed malicious code monitoring and analysis system based on honeypots and honeydogs
In-depth research on malicious code trapping, analysis and tracking techniques led to the implementation of honeypot-site-based malicious code trapping, honeypot-gateway-based analysis of the network behavior of malicious code, and honeydog-based tracking of malicious code control servers, forming a large-scale distributed honeypot network. Deployed nationwide, it can quickly capture malicious code propagation and network attacks, discover the characteristics of hacker attacks and malicious code network activity, and track the activity of malicious code control servers, providing network signatures for security monitoring, samples for malicious code immunization, and basic threat data for network situation assessment.
3. A monitoring-based method for assessing network security situation indices
Three types of basic data are sensed: information system vulnerability risk, malicious code infection threat, and the stability of host resource usage. After normalization, a BP neural network models, assesses and predicts the network security situation index, and a subjective weighting method finally combines the results into a network security assessment index for the target network that reflects its overall security state and supports network security management and decision-making.
4. A dynamic immunization strategy model for malicious code based on information spreading
Through in-depth analysis of the behavioral characteristics of malicious code, the influence of network immunization strategies on malicious code propagation dynamics is studied at the whole-network level and, drawing on complex network theory, a dynamic immunization strategy based on information spreading is proposed. The strategy accounts for the dynamic interaction between the propagation process of malicious code and the immunization process; experimental results show that it achieves a good immunization effect without requiring knowledge of the whole network.
With the continuous development of computing and the spread of network technology, network security issues have become more prominent. Ever more types of network attacks cause growing social impact and economic losses, which brings new requirements and challenges to network security defense. Network security is a spiralling process. Network security monitoring, security situational awareness and network immunization are important parts of network defense; scientific and effective measures can significantly curb attacks and keep the network running in a healthy and orderly way. Research on these three techniques can enhance the emergency response capacity of network security defense organizations.
Network traffic anomalies and malicious code are the major threats to network security and therefore the key objects of network security monitoring. Discovering abnormal traffic quickly and accurately, and capturing, analyzing, tracking and monitoring malicious code promptly and accurately, provide the knowledge for network security posture assessment indicators and for immunization decisions, enhancing the emergency response capacity of the network security organization as a whole.
Network security situation assessment indices are an important tool for network security: an indicator reflects the overall security properties of the assessed object and is also known as the network security posture index. A network security situation assessment index system is a group of related indicators, constructed according to the evaluation objectives and assessment content, that reflect the level of network security; it guides the gathering of assessment information about the object and reflects the basic aspects, quality and level of that object's network security. The network security posture index is a comprehensive indicator of the network security situation, and the index system is the basis on which standardized, objective and quantitative assessment findings are formed.
Patching and virus removal allow information devices to be immunized against malicious code and restored. A network immunization strategy is a combination of immunization means across time and space. From complex network theory, the question is what immunization strategy the nodes of the whole network should adopt to achieve both immunization effectiveness and acceptable cost. At present the main strategies are random immunization and passive immunization; dynamic immunization is rarely used.
This dissertation studies network traffic monitoring and denial-of-service attack detection, proposes an online real-time high-speed detection technique for flooding attacks on SIP VoIP systems, designs a honeynet-based malicious code monitoring and analysis platform, discusses network security situation assessment indicators, analyzes the network propagation dynamics of malicious code and, combined with complex network theory, proposes a dynamic immunization model for malicious code based on information dissemination. The main results of this dissertation are as follows:
1. An online real-time high-speed detection algorithm for SIP VoIP flooding attacks
Current studies focus on detection over protocol attribute tuples and protocol state machines. Without considering the directionality of signaling interaction and the distribution of call durations, such detection can be deceived by forged traffic and easily misjudges normal high telephone traffic as an attack scenario. By analyzing INVITE flooding attacks on SIP VoIP systems, a call-duration-based VoIP flooding attack detection method, CDVFD, is proposed. The method uses the directionality of SIP signaling interaction and the statistical distribution of call durations, detecting flooding attacks quickly and efficiently through the chi-square value while distinguishing them from normal high telephone traffic scenarios; experimental results show the effectiveness of the method.
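The detection idea of result 1 (in both the Chinese and the English abstract), as an added illustration that is not the dissertation's CDVFD code: a window of SIP dialogs is reduced to a call-duration histogram plus the share of INVITEs answered by a reverse-direction 200 OK, and the chi-square value against a baseline histogram is used as the distance measure. The bin edges, the cutoff, the answer-ratio rule and the three constructed traffic windows are assumptions for the example, not values from the thesis.

```python
"""Added example (not the dissertation's CDVFD code): flag SIP INVITE flooding
from signaling directionality and the call-duration distribution, with a
chi-square statistic as the distance measure. All parameters are assumptions."""
import bisect

BIN_EDGES = [5, 30, 120, 600]      # call-duration bins in seconds (5 bins)
CHI2_CRIT = 18.47                  # assumed cutoff: chi2(df=4) at alpha=0.001

def dialogs_from_events(events):
    """events: (t, method, call_id, direction); 'fwd' = caller->callee, 'rev' =
    callee->caller. A dialog is answered only if the callee's reverse 200 OK is seen."""
    start, answered_at, ended_at = {}, {}, {}
    for t, method, cid, direction in events:
        if method == "INVITE" and direction == "fwd":
            start.setdefault(cid, t)
        elif method == "200" and direction == "rev" and cid in start:
            answered_at.setdefault(cid, t)
        elif method == "BYE" and cid in answered_at:
            ended_at.setdefault(cid, t)
    dialogs = {}
    for cid in start:                       # {call_id: (answered, duration_s)}
        if cid in answered_at:
            dialogs[cid] = (True, ended_at.get(cid, answered_at[cid]) - answered_at[cid])
        else:
            dialogs[cid] = (False, 0.0)     # flood INVITEs are never answered
    return dialogs

def duration_histogram(dialogs):
    counts = [0] * (len(BIN_EDGES) + 1)
    for _, dur in dialogs.values():
        counts[bisect.bisect_right(BIN_EDGES, dur)] += 1
    return counts

def chi_square(observed, baseline_probs):
    """Pearson chi-square against baseline bin proportions: it measures the shape
    of the distribution, not its volume, so a normal busy hour scores low."""
    n = sum(observed)
    if n == 0:
        return 0.0
    return sum((o - n * p) ** 2 / (n * p) for o, p in zip(observed, baseline_probs) if p > 0)

def answer_ratio(dialogs):
    return sum(ok for ok, _ in dialogs.values()) / len(dialogs) if dialogs else 0.0

def detect(window_events, baseline_probs, baseline_ratio):
    d = dialogs_from_events(window_events)
    stat = chi_square(duration_histogram(d), baseline_probs)
    ratio = answer_ratio(d)
    flood = stat > CHI2_CRIT and ratio < 0.5 * baseline_ratio
    return {"chi2": round(stat, 2), "answer_ratio": round(ratio, 3), "flood": flood}

def make_window(spec):
    """Constructed traffic: spec = [(calls, answered, duration_seconds), ...]."""
    events, cid = [], 0
    for calls, ok, dur in spec:
        for _ in range(calls):
            cid += 1
            events.append((cid, "INVITE", cid, "fwd"))
            if ok:
                events += [(cid + 1, "200", cid, "rev"), (cid + 1 + dur, "BYE", cid, "fwd")]
    return events

# Constructed: baseline (100 calls), busy hour with the same shape at 4x volume, flood of 500.
BASELINE = make_window([(10, False, 0), (10, True, 3), (30, True, 20), (35, True, 60), (10, True, 300), (5, True, 900)])
BUSY_HOUR = make_window([(42, False, 0), (43, True, 3), (115, True, 20), (140, True, 60), (42, True, 300), (18, True, 900)])
FLOOD = make_window([(450, False, 0), (20, True, 20), (20, True, 60), (8, True, 300), (2, True, 900)])
_base = dialogs_from_events(BASELINE)
_hist = duration_histogram(_base)
BASE_PROBS = [c / sum(_hist) for c in _hist]
BASE_RATIO = answer_ratio(_base)
```

Running `detect(BUSY_HOUR, BASE_PROBS, BASE_RATIO)` gives a chi-square near 0.8 and no alarm despite four times the baseline volume, while `detect(FLOOD, ...)` gives a value in the thousands with only 10 % of INVITEs answered, which is the distinction between a busy hour and a flood that the abstract describes.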
2. A large-scale distributed malicious code monitoring and analysis system based on honeypot sites and honeydogs
In-depth study of malicious code trapping, analysis and tracking techniques led to honeypot-site-based malicious code trapping, honeypot-gateway-based analysis of malware network behavior, and honeydog-based tracking of malicious code control servers, forming a large-scale distributed honeypot network. Through nationwide deployment it quickly captures the spread of malicious code and network attacks, discovers the network activity characteristics of hacker attacks and malicious code, tracks the activities of malicious code control servers, provides network features for security monitoring, provides samples to support malicious code immunization, and provides basic network threat data for situation assessment.
3. A monitoring-based method for network security posture assessment indicators
Three types of basic data are sensed: information system vulnerability risk, malicious code infection threat, and the stability of host resource usage. After normalization, a BP neural network models, assesses and predicts the network security posture index, and a subjective weight assignment method finally yields the network security assessment index of the target network, which reflects the network's overall security and supports network security management and decision-making.
4. A dynamic immunization strategy model for malicious code based on information dissemination
A dynamic immunization model based on the spreading of alarm information mail is proposed to suppress the propagation of email worms. Unlike static immunization strategies, this model considers the interaction between the immunization process and the worm infection process. Simulation results show that the model suppresses the infection process more effectively than targeted immunization, without knowledge of the whole network.