Research on Network-Based Automatic Attack Signature Generation Techniques
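Abstract
Signature-based intrusion detection is currently the most effective and most widely deployed attack detection technique. At present, however, attack signatures are mainly extracted by security experts through after-the-fact analysis, a process that is long and slow: the signature for a new attack is often released only days or even weeks after the attack appears. This does not match the current security situation, in which new attacks emerge constantly, worms spread extremely fast and cause great damage, and attack polymorphism techniques keep developing and maturing. Automatic attack signature generation arose to extract the signatures of new attacks quickly and accurately. Depending on where the attack is discovered, automatic attack signature generation falls into two broad classes: network-based signature generation (NSG) and host-based signature generation (HSG). NSG systems are generally deployed on the network and extract character-string signatures by analyzing suspicious network data. HSG systems are generally deployed on hosts; they detect host anomalies and use information collected on the host to extract attack signatures. This thesis presents a systematic study of NSG techniques and their applications, with an in-depth study of signature generation for polymorphic attacks, typified by polymorphic worms. The main original contributions of this thesis are:
     (1) The SRE signature and a problem model for NSG are proposed. As a new type of signature description, the SRE (Simplified Regular Expression Signature) signature can accurately express the string features of an attack and can also be converted easily into detection rules for existing IDSs. By defining a "more specific than" comparison relation between two SRE signatures, this thesis gives a theoretical answer to the questions "what is a more specific signature" and "what is the most specific signature" for a polymorphic attack. The thesis models the NSG method as the MSSG (the Most Specific Signature Generation) problem, that is, the goal of NSG is to extract the "most specific signature" of an attack, and proves that the MSSG problem is NP-hard.
     (2) A noise filtering model for attack samples is proposed. Capturing samples of new attacks quickly and effectively is the precondition and foundation of signature generation. This thesis designs and implements a distributed honeypot system, HonIDS, for capturing samples of new attacks. Unlike the usual practice of treating all data that reaches the honeypot as attack samples for signature generation, this thesis is the first to propose adding a noise filtering model for attack samples to the honeypot system, in order to remove noise that comes from normal data. Two attack detection models, TFRPP and Bayes, are proposed, and three attack-sample noise filtering methods are built on these two detection models. Experiments show that these noise filtering methods can effectively filter out some of the attack-sample noise produced by the honeypot system.
     (3) A signature generation method based on multiple sequence alignment is proposed. To address the insufficient accuracy of signatures extracted by existing NSG methods, this thesis draws on the use of sequence alignment algorithms in bioinformatics and proposes a signature generation method based on multiple sequence alignment. For different signature generation scenarios, the thesis proposes a series of new sequence alignment algorithms: two pairwise sequence alignment algorithms, CSR and ECSR, and three multiple sequence alignment algorithms, PDRP_MSA, HP_MSA and T-Coffee+CSR. Experiments show that, when there is no noise, the PDRP_MSA algorithm can extract the signature of a polymorphic attack with better accuracy than the methods commonly used today; when the attack samples contain noise, the HP_MSA and T-Coffee+CSR algorithms can still extract the signature of a polymorphic attack accurately and have good noise tolerance.
     (4) The concept of the attack signature tree and an incremental attack signature tree generation method are proposed. In practice, the relationships among attacks are often reflected in the similarity of their signatures. However, the signatures output by current NSG methods are isolated and cannot reflect the relationships among attacks through relationships among signatures. To address this, and using the "more specific than" comparison relation between SRE signatures, this thesis proposes the concept of the attack signature tree: the extracted SRE signatures are organized into a tree such that the signature of a child node is always "more specific" than that of its parent node. An attack signature tree can reflect the relationships among attacks and how attacks derive and change over time, and it simplifies signature selection and the maintenance and management of the signature database. The most complex case for NSG is when the samples to be processed are a mixture from multiple (polymorphic) attacks, possibly with noise as well. For this case, the thesis proposes PolyTree, an NSG system based on the attack signature tree concept, which uses the ISTG algorithm to incrementally generate the attack signature tree for multiple attacks. PolyTree is currently the only NSG system that works incrementally. Experimental results show that the attack signature tree generated by PolyTree has good properties. First, samples from different attacks are effectively clustered in the attack signature tree; second, given sufficient samples, the most specific signature of every attack is extracted and included in the attack signature tree. The thesis proves the correctness of the ISTG algorithm and analyzes its resistance to malicious attacks.
     (5) An NSG application system is designed on the basis of the BSCM model. To apply the techniques and methods of this thesis, the thesis finally studies the design of an NSG application system, with security collaboration as the main design consideration. The thesis first proposes, at an abstract level, a general network security collaboration model, the blackboard-based security collaboration model BSCM; then, on the basis of the BSCM model, it designs a distributed NSG application system.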
Signature-based detection is the most common and effective way to detect attacks because of its simplicity and online response. Efficient and accurate signature generation is critical in signature-based detection systems. So far, the signatures used by signature-based intrusion detection systems (IDSs) have been produced manually by security experts, a process that is too slow. Signatures can therefore be provided only after a worm has already attacked systems and caused damage, which misses the best time for defense. This does not meet the requirements of Internet security, since new attacks now appear constantly and worms spread far faster than humans can respond. In addition, attackers can use polymorphism techniques to evade detection. To support automatic and rapid signature generation, a number of automatic signature generation approaches and systems have been proposed. These can be broadly classified as either host-based or network-based. Network-based signature generation (NSG) systems produce content-based signatures solely by analyzing suspicious network traffic, while host-based signature generation (HSG) systems generate signatures from information gathered on the protected hosts. This thesis systematically studies NSG techniques and their applications, and in particular studies in depth signature generation for polymorphic attacks such as polymorphic worms. The main contributions of this thesis are summarized as follows.
     (1) A new signature type, the SRE (Simplified Regular Expression) signature, is proposed and the NSG problem is modeled. SRE signatures can be easily transformed into rules for current IDSs to detect attacks accurately. Based on SRE, we provide formal definitions of "a more specific signature" and "the most specific signature" of a polymorphic attack, so that the accuracy of two SRE signatures can be compared. We prove that generating the most specific signature of a polymorphic attack is NP-hard.
     (2) Noise filtering methods for attack sample collection are proposed. To capture samples of new attacks for signature generation, we design and implement a distributed honeypot system, HonIDS. In contrast to traditional approaches, which take all traffic visiting the honeypot as attack samples, we propose to filter noisy attack samples out of the traffic visiting the honeypot, where a noisy attack sample means a network flow from a benign user instead of an attacker. Two detection models, the TFRPP model and the Bayes model, are proposed and integrated in HonIDS. Based on these two detection models, we propose three methods for filtering noise from attack samples.
     (3) Signature generation methods based on multiple sequence alignment are proposed. The signatures generated by previous NSG systems are not accurate enough because two kinds of information are lost. First, some invariant parts of polymorphic worms cannot be extracted, such as one-byte invariant parts. Second, all distance restrictions between invariant parts are neglected. Drawing on related algorithms in bioinformatics, we propose a signature generation approach based on multiple sequence alignment (MSA). Motivated by different signature generation applications, we propose a series of sequence alignment algorithms, including the CSR algorithm and the ECSR algorithm for pairwise sequence alignment, the MSA algorithm PDRP_MSA for noise-sensitive signature generation, and two MSA algorithms, HP_MSA and T-Coffee+CSR, for noise-tolerant signature generation. Experimental results show that our signature generation approaches based on multiple sequence alignment produce more accurate and precise signatures for polymorphic attacks than previous approaches.
     (4) The idea of a signature tree and an incremental signature tree generation approach are proposed. We observe that signatures from worms and their variants are related and that a tree structure can properly reflect their polymorphism relationship. Rather than generating isolated signatures for multiple polymorphic worms, as current NSG approaches do, we propose to use the "more specific than" relation to organize generated signatures hierarchically into a tree, called a signature tree. In this signature tree, each node is labeled with a signature, and the signature of a child node must be "more specific than" that of its parent node. The signature tree gives insight into how worm variants evolve over time, makes it simpler to balance the false positive rate against the generalization ability of signatures, and makes it easier to organize and maintain the generated signatures. The most complicated situation for signature generation is when the suspicious flows captured by an NSG system contain mixed samples of multiple polymorphic attacks (perhaps accompanied by noise). Based on the idea of the signature tree, we propose an NSG system, PolyTree, which uses the ISTG algorithm to incrementally generate a signature tree for multiple attacks. Upon encountering a new suspicious flow, the ISTG algorithm is called to generate more specific signatures using the PDRP_MSA algorithm in a fixed signature tree and to update this signature tree. Experimental results show that the signature tree generated by the ISTG algorithm has two significant properties. First, the samples from the same attack are well clustered into one node in the signature tree; second, the final generated signature tree contains the most specific signature for each encountered polymorphic attack, given adequate worm samples collected from it. This thesis proves the correctness of the ISTG algorithm and analyzes potential malicious attacks on the ISTG algorithm.
     (5) In order to integrate the algorithms and techniques presented in this thesis, an NSG application system is designed. In this design, we focus on security collaboration. Since there is no unified model to ensure interoperability and collaboration between different security components and systems, we first propose an abstract-level security collaboration model, BSCM (Blackboard based Security Collaboration Model). In this model, network security components do not communicate with each other directly, but via a common blackboard that serves as the platform for information sharing and event response. Based on the BSCM model, a distributed NSG application system is designed.
