Research on DDoS Attack Detection Techniques Based on Spectral Analysis and Statistical Machine Learning
Abstract
In line with the research needs of the national 863 projects "High-Trustworthiness Network Service Control System" and "Unified Security Control Network for Tri-Network Convergence", and following the overall approach of "distributed detection, hierarchical blocking and centralized situational awareness", this thesis studies DDoS attack detection techniques. From the two angles of macroscopic attack-flow awareness and microscopic detection methods, it proposes sensing methods for flooding attacks and low-rate denial-of-service (LDoS) attacks based on spectral analysis of IP flow sequences. Once an attack has been sensed, DDoS detection is cast as a binary classification problem in machine learning, and three models, the hidden Markov model, the twin support vector machine and conditional random fields, are used to realize probability-point detection, classification-hyperplane detection, and a conditional random field detection method that fuses the advantages of multi-feature processing.
For the macroscopic awareness problem, a flooding DDoS attack sensing method is proposed that estimates the Hurst exponent with the fast fractional Fourier transform. It exploits the effect of DDoS attacks on the self-similarity of network traffic: whether a DDoS attack is present is judged by monitoring whether the change in the Hurst exponent crosses a threshold. Compared with wavelet analysis and similar methods, this method has low computational complexity and high Hurst-exponent estimation accuracy. For the more covert low-rate denial-of-service (LDoS) attack, a sensing method based on Bartlett power spectrum estimation is proposed; compared with rectangular-window and triangular-window methods, Bartlett power spectrum estimation has better consistency and a higher detection rate for LDoS attacks.
For the microscopic problem of detecting specific attack features, three attack detection strategies based on statistical machine learning are proposed: one based on the hidden Markov model, one on the twin support vector machine and one on conditional random fields.
First, from the angle of probability-point discrimination, a DDoS attack detection method based on a Multi-Feature Parallel Hidden Markov Model (MFP-HMM) is proposed. Using the correspondence between the HMM hidden-state sequence and the feature observation sequence, the method turns the abnormal changes of multi-dimensional features caused by an attack into discrete random variables, and uses probability computation to characterize how far the current sliding-window sequence deviates from the normal behaviour profile. The MFP-HMM architecture processes multi-dimensional features in parallel, which makes it easy to add new feature modules. Feature sequences pass through a sliding window to form observation sequences that are fed to the HMM; this can be accelerated by a multi-stage hardware pipeline, laying the groundwork for reconfigurable design and distributed deployment. Experimental results show that the MFP-HMM-based method outperforms the standard HMM and other machine learning methods, with high detection accuracy and a low false alarm rate.
Second, from the angle of classification-hyperplane discrimination, a DDoS attack detection method based on the Least Squares Twin Support Vector Machine (LSTSVM) is proposed. It solves the machine learning problem with optimization methods and exploits the good non-linear processing and generalization ability of support vector machine models, using IP packet five-tuple entropy, IP identification, TCP header flags and packet rate as the multi-dimensional detection feature vector of the LSTSVM model, so as to reflect the flow distribution characteristics of DDoS attacks. Experiments on the DARPA2000 dataset and on a collected TFN2K attack dataset show that the method outperforms the standard Support Vector Machine (SVM) and other machine learning methods, with high detection accuracy and a low false alarm rate for both normal burst traffic and DDoS attack traffic.
Finally, a conditional random field DDoS attack detection method that fuses multiple discrimination rules is proposed. It does not require the individual features to satisfy the independent and identically distributed assumption; building on the strength of conditional random fields in handling multiple features jointly, it unifies feature-matching and anomaly-detection approaches to achieve a high detection rate with a low false positive rate. Experiments on the DARPA2000 dataset show that the conditional random field method outperforms conventional SVM and other methods, with accuracy above 99.5% and a false positive rate (FPR) below 0.6%, as well as strong resistance to background noise and good robustness.
In line with the fundamental research tasks of the projects "New Generation Network with High Trustability" and "Common Security and Control Framework in Tri-Network Convergence" under the National High-Tech Research and Development Program of China (863 Program), this thesis studies DDoS attack detection methods within the unified scheme of "Distributed Detection, Hierarchical Defence and Centralized Situational Awareness". From the two angles of macroscopic attack awareness and microscopic specific detection, it proposes spectrum-analysis-based sensing methods for flooding attacks and low-rate attacks over IP packet sequences. DDoS attack detection is then transformed into a binary classification problem in machine learning, and with the Hidden Markov Model, the Twin Support Vector Machine and Conditional Random Fields, detection methods based on probability-point discrimination, classification-hyperplane discrimination and multi-feature conditional random fields are implemented.
For macroscopic awareness, this thesis proposes a flooding DDoS attack sensing method based on Hurst parameter estimation with the fast fractional Fourier transform (FFrFT). Because DDoS attacks alter the self-similarity of network traffic, an attack can be sensed by monitoring whether the change in the Hurst parameter crosses a threshold. The FFrFT-based Hurst estimator, with low computational complexity and high estimation accuracy, outperforms well-known methods such as R/S and wavelet analysis. For low-rate DoS attacks, the thesis proposes a sensing method based on Bartlett power spectrum estimation; experiments show that the Bartlett method has better consistency and a higher true positive rate than the rectangular-window and triangular-window methods.
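The flooding-attack sensing idea of this paragraph and of the corresponding paragraph of the Chinese abstract (track the Hurst exponent of the packet-rate series and alarm when it shifts past a threshold), as an added Python example that is not code from the thesis. The thesis estimates H with a fast fractional Fourier transform; this example substitutes the simpler aggregated-variance estimator, which is an assumption on my part, and its traffic is constructed (an AR(1) background standing in for self-similar traffic, plus a synthetic flood in one window), so the numbers only illustrate the mechanism.

```python
import math
import random


def aggregated_variance_hurst(series, max_block=64):
    """Estimate the Hurst exponent H with the aggregated-variance method: for a
    self-similar process the variance of block means of size m scales as
    m^(2H-2), so H = 1 + slope/2 where slope is the least-squares slope of
    log Var(block mean) against log m.  Simpler than the thesis's FFrFT
    estimator (assumed substitute); the alarm logic around it is the same."""
    n = len(series)
    log_m, log_var = [], []
    m = 1
    while m <= max_block and n // m >= 16:   # keep at least 16 blocks per scale
        blocks = n // m
        means = [sum(series[i * m:(i + 1) * m]) / m for i in range(blocks)]
        mu = sum(means) / blocks
        var = sum((v - mu) ** 2 for v in means) / (blocks - 1)
        log_m.append(math.log(m))
        log_var.append(math.log(var))
        m *= 2
    x_bar = sum(log_m) / len(log_m)
    y_bar = sum(log_var) / len(log_var)
    slope = (sum((x - x_bar) * (y - y_bar) for x, y in zip(log_m, log_var))
             / sum((x - x_bar) ** 2 for x in log_m))
    return 1.0 + slope / 2.0


def hurst_alarms(rate_series, window, threshold=0.15):
    """Cut a packets-per-interval series into consecutive windows, take the
    first window as the normal-behaviour baseline H0 and raise an alarm for
    any window whose H moves more than `threshold` away from H0.
    Returns (H0, H per window, alarm flag per window)."""
    windows = [rate_series[i:i + window]
               for i in range(0, len(rate_series) - window + 1, window)]
    hs = [aggregated_variance_hurst(w) for w in windows]
    h0 = hs[0]
    return h0, hs, [abs(h - h0) > threshold for h in hs]


def constructed_traffic(seed=7, window=4096, n_windows=4, attack_window=2):
    """Constructed sample data (not a real capture): bursty background traffic
    is modelled by an AR(1) process, which over these block sizes behaves like
    a persistent (H > 0.5) series, and a flood of roughly i.i.d. packet counts
    is superimposed on one window.  The flood's white-noise-like counts swamp
    the bursty structure and pull the estimated H toward 0.5."""
    rng = random.Random(seed)
    phi, state, series = 0.9, 0.0, []
    for t in range(window * n_windows):
        state = phi * state + rng.gauss(0.0, 1.0)
        rate = 200.0 + 20.0 * state           # background packets per interval
        if t // window == attack_window:
            rate += rng.gauss(3000.0, 200.0)  # flood component (constructed)
        series.append(rate)
    return series


if __name__ == "__main__":
    h0, hs, flags = hurst_alarms(constructed_traffic(), 4096)
    for i, (h, f) in enumerate(zip(hs, flags)):
        print("window %d: H=%.3f %s" % (i, h, "ALARM" if f else "normal"))
```

The threshold of 0.15 is an illustrative value; in practice it is set from the spread of H over known-normal windows, and the baseline is refreshed periodically so that slow diurnal drift is not mistaken for an attack.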
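The LDoS sensing method of the same paragraph (Bartlett power spectrum estimation of the packet-count series, looking for the spectral line of a periodic low-rate pulse), as an added Python example that is not code from the thesis. The packet counts are constructed (a steady background with an optional burst every second), the segment length and the peak-to-median decision statistic are my assumptions, and the DFT is computed directly rather than with an FFT so the example has no dependencies.

```python
import math
import random


def periodogram(segment):
    """Periodogram |X_k|^2 / L of one segment for k = 0..L/2, by direct DFT
    (O(L^2); fine for the short segments Bartlett's method uses).  The segment
    mean is removed first so the DC bin does not dwarf everything else."""
    L = len(segment)
    mean = sum(segment) / L
    x = [v - mean for v in segment]
    power = []
    for k in range(L // 2 + 1):
        re = sum(v * math.cos(2 * math.pi * k * n / L) for n, v in enumerate(x))
        im = sum(v * math.sin(2 * math.pi * k * n / L) for n, v in enumerate(x))
        power.append((re * re + im * im) / L)
    return power


def bartlett_psd(series, seg_len):
    """Bartlett's estimate: average the periodograms of non-overlapping segments.
    Averaging K segments divides the estimator's variance by about K, which is
    why it is more consistent than a single rectangular-window periodogram."""
    segs = [series[i:i + seg_len] for i in range(0, len(series) - seg_len + 1, seg_len)]
    pers = [periodogram(s) for s in segs]
    return [sum(p[k] for p in pers) / len(pers) for k in range(seg_len // 2 + 1)]


def ldos_peak(series, seg_len, bin_seconds):
    """Locate the dominant non-DC spectral line.  Returns (frequency in Hz,
    peak-to-median power ratio); a sharp, isolated low-frequency line with a
    large ratio is the periodic-pulse signature an LDoS attack leaves."""
    psd = bartlett_psd(series, seg_len)[1:]          # drop the DC bin
    k_peak = max(range(len(psd)), key=psd.__getitem__)
    median = sorted(psd)[len(psd) // 2]
    return (k_peak + 1) / (seg_len * bin_seconds), psd[k_peak] / median


def constructed_counts(pulsed, seed=3, bins=2000, bin_seconds=0.1,
                       period_s=1.0, width_bins=2):
    """Constructed packet counts per 100 ms bin (not a capture): a steady
    background of about 50 packets with Gaussian jitter, optionally with a
    300-packet burst lasting two bins at the start of every period_s seconds."""
    rng = random.Random(seed)
    period = int(round(period_s / bin_seconds))
    counts = []
    for t in range(bins):
        v = 50.0 + rng.gauss(0.0, 5.0)
        if pulsed and t % period < width_bins:
            v += 300.0
        counts.append(v)
    return counts


if __name__ == "__main__":
    for label, pulsed in (("pulsed", True), ("background only", False)):
        freq, ratio = ldos_peak(constructed_counts(pulsed), 100, 0.1)
        print("%-16s peak at %.2f Hz, peak/median power = %.1f" % (label, freq, ratio))
```

With 100-bin (10 s) segments the frequency resolution is 0.1 Hz, enough to resolve a 1 Hz pulse train from its harmonics; on background-only counts the averaged spectrum is flat and the peak-to-median ratio stays near 1, which is what makes the ratio usable as a decision statistic.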
For the specific detection of DDoS attacks, three detection strategies are proposed, each based on a statistical machine learning model: the Hidden Markov Model, the Twin Support Vector Machine and Conditional Random Fields.
First, a DDoS attack detection method based on a multi-feature parallel Hidden Markov Model (MFP-HMM) is proposed from the angle of probability-point discrimination. Using the correspondence between the HMM hidden-state sequence and the observed feature sequence, the multi-dimensional feature changes caused by DDoS attacks are translated into discrete random variables, and the deviation of the current sliding-window sequence from the normal behaviour profile is characterized by the probability of that sequence. The MFP-HMM architecture processes multi-dimensional features in parallel, which makes it easy to add new processing modules. The observation sequence, formed from the feature sequence by a sliding window, can be accelerated by a multi-level hardware pipeline, laying the foundation for reconfigurable design and distributed deployment. Experiments show that the MFP-HMM-based method achieves higher detection accuracy and a lower false positive rate than the standard HMM.
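The MFP-HMM pipeline of this paragraph and of the matching paragraph of the Chinese abstract (quantise each feature stream into symbols, score a sliding window with one HMM per feature in parallel, sum the log-likelihoods and alarm when the window drifts too far from the normal profile), as an added Python example that is not the thesis's code. The HMM parameters, the quantisation thresholds and the alarm threshold are constructed stand-ins for values the thesis learns from normal traffic, and the 24 feature samples are constructed.

```python
import math

# Assumed normal-behaviour profile: one small discrete HMM per feature, with
# two hidden states (calm, bursty) and three observation symbols (low, mid,
# high).  In the thesis these are learned from normal traffic; the values here
# are constructed for illustration.
RATE_HMM = {"pi": [0.8, 0.2],
            "A": [[0.9, 0.1], [0.3, 0.7]],
            "B": [[0.7, 0.25, 0.05], [0.1, 0.5, 0.4]]}
SYN_HMM = {"pi": [0.8, 0.2],
           "A": [[0.9, 0.1], [0.3, 0.7]],
           "B": [[0.8, 0.18, 0.02], [0.5, 0.4, 0.1]]}

# Assumed quantisation edges: packets/s and SYN fraction -> symbol 0, 1 or 2.
RATE_EDGES = (300.0, 800.0)
SYN_EDGES = (0.3, 0.6)


def quantise(value, edges):
    """Map a continuous feature value to its observation symbol."""
    return sum(value >= e for e in edges)


def forward_loglik(hmm, obs):
    """Scaled forward algorithm: log P(obs | hmm) without underflow."""
    pi, A, B = hmm["pi"], hmm["A"], hmm["B"]
    n = len(pi)
    alpha = [pi[i] * B[i][obs[0]] for i in range(n)]
    loglik = 0.0
    for t, o in enumerate(obs):
        if t > 0:
            alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][o]
                     for j in range(n)]
        scale = sum(alpha)
        loglik += math.log(scale)
        alpha = [a / scale for a in alpha]
    return loglik


def window_score(samples):
    """MFP-HMM style score for one window of (rate, syn_ratio) samples: each
    feature stream is quantised and scored by its own HMM in parallel, and the
    per-feature log-likelihoods are summed.  Adding a feature means adding one
    more (quantiser, HMM) pair to this sum."""
    rate_obs = [quantise(r, RATE_EDGES) for r, _ in samples]
    syn_obs = [quantise(s, SYN_EDGES) for _, s in samples]
    return forward_loglik(RATE_HMM, rate_obs) + forward_loglik(SYN_HMM, syn_obs)


def detect(samples, window=8, stride=4, threshold=-16.0):
    """Slide a window over the feature series; a window whose score falls below
    `threshold` (assumed here; calibrated on normal traffic in practice) has
    deviated too far from the normal profile and is flagged.
    Returns a list of (start index, score, flagged)."""
    out = []
    for start in range(0, len(samples) - window + 1, stride):
        score = window_score(samples[start:start + window])
        out.append((start, score, score < threshold))
    return out


# Constructed per-second samples (rate, SYN fraction): 16 normal intervals
# followed by 8 intervals of a SYN flood (high rate, SYN fraction near 1).
SAMPLES = [(180, 0.12), (240, 0.15), (320, 0.20), (210, 0.10),
           (450, 0.25), (260, 0.14), (190, 0.11), (230, 0.16),
           (310, 0.33), (220, 0.12), (280, 0.18), (200, 0.10),
           (340, 0.20), (250, 0.15), (210, 0.12), (270, 0.14),
           (2400, 0.85), (3100, 0.90), (2900, 0.88), (3300, 0.92),
           (2700, 0.87), (3500, 0.91), (3000, 0.89), (2800, 0.90)]

if __name__ == "__main__":
    for start, score, flagged in detect(SAMPLES):
        print("window @%2d score=%7.2f %s" % (start, score, "ALARM" if flagged else "ok"))
```

Because each feature HMM is independent of the others, the per-feature forward passes can run in separate pipeline stages exactly as the paragraph describes; only the final summation and threshold comparison need all of them.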
Second, a DDoS attack detection method based on the Least Squares Twin Support Vector Machine (LSTSVM) is proposed from the angle of classification-hyperplane discrimination. By solving the learning problem with optimization methods, it improves the detection rate and reduces the false positive rate. The dispersion of source IP addresses and the concentration of destination IP addresses under DDoS attacks are captured by features such as IP flow entropy, IP identification, TCP header flags and packet rate. Experiments on the DARPA2000 dataset and a collected TFN2K attack dataset show that the method distinguishes normal burst traffic from DDoS attacks with higher detection accuracy and a lower false positive rate than Naive Bayes, K-nearest neighbours, the standard SVM and other methods.
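The feature extraction and the LSTSVM classifier of this paragraph and of the matching paragraph of the Chinese abstract, as an added Python example that is not the thesis's code. It computes source-IP entropy, destination-IP entropy and SYN fraction per interval from constructed packet tuples (a subset of the thesis's feature set; IP identification is omitted), trains the linear LSTSVM of Kumar and Gopal by solving its two small linear systems, and labels unseen intervals by the nearer hyperplane. The packet generator, the class sizes and the regularisation constants are my assumptions.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy in bits of the empirical distribution of a field."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def interval_features(packets):
    """Per-interval feature vector from (src, dst, sport, dport, proto, syn)
    packet tuples: [source-IP entropy, destination-IP entropy, SYN fraction].
    During a DDoS the first rises (dispersed, often spoofed sources) while the
    second collapses (traffic concentrates on one victim)."""
    return [entropy_bits(p[0] for p in packets),
            entropy_bits(p[1] for p in packets),
            sum(p[5] for p in packets) / len(packets)]


def constructed_interval(rng, n_src, n_dst, syn_prob, n=200):
    """Constructed packet list (not a capture): n packets drawn over n_src
    source and n_dst destination addresses, SYN set with probability syn_prob."""
    return [("10.0.%d.%d" % divmod(rng.randrange(n_src), 256),
             "192.0.2.%d" % rng.randrange(n_dst),
             rng.randrange(1024, 65536), 80, "tcp",
             1 if rng.random() < syn_prob else 0) for _ in range(n)]


def solve(matrix, rhs):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(rhs)
    a = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


def lstsvm_train(pos, neg, c1=1.0, c2=1.0):
    """Linear Least Squares Twin SVM: one proximal hyperplane per class.
    With H = [pos, 1] and G = [neg, 1] the hyperplanes u = (w, b) are
        u1 = -(H'H/c1 + G'G)^-1 G'e   (close to pos, pushed away from neg)
        u2 =  (G'G/c2 + H'H)^-1 H'e   (close to neg, pushed away from pos),
    each a single small linear solve instead of the QP of a standard SVM."""
    H = [list(x) + [1.0] for x in pos]
    G = [list(x) + [1.0] for x in neg]
    d = len(H[0])
    gram = lambda M: [[sum(r[i] * r[j] for r in M) for j in range(d)] for i in range(d)]
    HtH, GtG = gram(H), gram(G)
    Gte = [sum(r[i] for r in G) for i in range(d)]
    Hte = [sum(r[i] for r in H) for i in range(d)]
    u1 = solve([[HtH[i][j] / c1 + GtG[i][j] for j in range(d)] for i in range(d)],
               [-v for v in Gte])
    u2 = solve([[GtG[i][j] / c2 + HtH[i][j] for j in range(d)] for i in range(d)], Hte)
    return u1, u2


def lstsvm_predict(model, x):
    """Label x by the nearer hyperplane (perpendicular distance)."""
    dists = []
    for u in model:
        w, b = u[:-1], u[-1]
        dists.append(abs(sum(wi * xi for wi, xi in zip(w, x)) + b)
                     / math.sqrt(sum(wi * wi for wi in w)))
    return "attack" if dists[0] < dists[1] else "normal"


def demo(seed=11):
    """Train on constructed attack/normal intervals, then label two unseen ones."""
    rng = random.Random(seed)
    attack = [interval_features(constructed_interval(rng, 150, 1, 0.9)) for _ in range(8)]
    normal = [interval_features(constructed_interval(rng, 12, 8, 0.1)) for _ in range(8)]
    model = lstsvm_train(attack, normal)
    unseen_attack = interval_features(constructed_interval(rng, 120, 1, 0.85))
    unseen_normal = interval_features(constructed_interval(rng, 10, 6, 0.15))
    return lstsvm_predict(model, unseen_attack), lstsvm_predict(model, unseen_normal)


if __name__ == "__main__":
    print(demo())
```

Entropy features are only comparable when every interval holds a similar number of packets (entropy is bounded by log2 of the count), so in a deployment the interval is fixed by packet count or the features are normalised; the constructed intervals here all hold 200 packets for that reason.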
Finally, a Conditional Random Fields (CRF) based method is proposed. It makes full use of multi-feature fusion without requiring the features to be strictly independent, so it can combine pattern-matching and anomaly-detection approaches effectively, improving both the detection rate and the false positive rate. IP flow quintuple entropy is introduced as part of the multi-feature vector for DDoS attack detection. Experiments show that the CRF-based method has higher detection accuracy and a lower false positive rate, together with strong resistance to background noise and good robustness.