Research on Key Technologies of a Novel Honeynet Architecture and Alert Clustering
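Abstract
With the rapid development of Internet technology, its applications have been integrated into every industry, and the network has become basic infrastructure for daily life. At the same time, the openness of the network brings a variety of security threats: the number of hosts infected by Trojans, viruses and bots increases substantially year after year, incidents that harm information security keep occurring, and the situation is quite severe. Traditional passive network defense technologies can protect our networks to a certain extent, but they can only make up for damage after an attack has occurred, and cannot reverse the extreme asymmetry between attack and defense in time, information acquisition and cost.
     Traditional network security defense systems are mainly built on technologies such as network isolation, security detection and security recovery; they can only defend passively and cannot actively defend against unknown attacks. Facing such serious threats and the asymmetry between attack and defense, a new active network defense technology is urgently needed, one that can present false information to attract hackers into attacking it and actively learn the techniques and methods attackers use. At the same time, it reduces the intensity of attacks on the real network, giving administrators enough reaction time to defend against attacks, and does its utmost to protect the network and reduce losses. This emerging active network defense technology is honeynet technology, which mainly studies how to disguise the real target environment and decoy network attacks so that attack information can be collected for analysis and research.
     A network processor is a new generation of high-speed processor dedicated to network data processing and forwarding; it has strong data processing capability and is well suited to implementing data control, data capture and routing simulation. This thesis builds a novel high-speed honeynet system on the IXP2400 and addresses the novel honeynet architecture and its deployment, large-scale network topology simulation, high-speed routing lookup, and intrusion detection alert clustering. The main innovations of this thesis are as follows:
     1. A novel honeynet architecture based on a network processor is proposed. The key technologies of honeynets are studied and summarized, and, to address the shortcomings of existing honeynet systems, a novel honeynet architecture based on a network processor is proposed. It solves the problems of honeynet gateway deployment, disguising a large-scale network, mapping services to honeypots, and data capture and analysis. The system can deploy honeynets dynamically, simulate large-scale network topologies and high-interaction services, and provide visualized attack scenarios to reduce manual analysis. It raises the degree of automation and intelligence of the honeynet system, while offering high-speed processing performance and good security and controllability.
     2. A real-time simulation model for large-scale network topologies, based on a high-performance network processor, is proposed for disguising the virtual network topology in the honeynet system. Real-time simulation requires the clock of the simulation system to be synchronized with the external clock, so that the virtual network can interact with real network protocols, services and applications. The scheme uses a discrete event simulation model to simulate a large-scale network, and its implementation on the IXP2400 platform is described. Experimental results show that the model can simulate large-scale network topologies, respond to probe packets, learn routing entries automatically and forward network packets at wire speed.
     3. To increase the routing lookup speed of the honeynet gateway, a new routing lookup algorithm, BFBP, is proposed. Existing routing lookup algorithms based on neural networks need to learn all the IP addresses covered by the routing entries; the amount to be learned is huge and convergence in the training phase takes a long time, which has hindered the application of neural networks to routing lookup. To solve this problem, this thesis combines the Bloom-Filter algorithm with parallel back-propagation neural networks and proposes a routing lookup algorithm based on parallel neural networks (BFBP). The Bloom-Filter algorithm decomposes the neural network into several parallel neural networks, each of which only needs to learn the network IDs of the routing entries rather than all the IP addresses they cover, which accelerates route learning. The results show that, compared with existing neural network routing lookup methods, the number of entries the BFBP algorithm has to learn is reduced by 520 times on average, which improves learning efficiency and creates favorable conditions for applying neural networks to routing lookup.
     4. A new chaotic particle swarm algorithm is proposed for the honeynet alert optimization problem. The traditional particle swarm optimization algorithm converges quickly in its early stage, but later it easily falls into local optima and premature convergence. To solve this problem, this thesis proposes a new chaotic particle swarm optimization algorithm. Unlike the simple replacement of particle sequences in existing chaotic particle swarm algorithms, this algorithm integrates chaos into the motion of the particles, so that the swarm alternates between chaotic and stable motion and gradually approaches the optimum. A new mathematical model of the chaotic particle swarm is also proposed and its nonlinear dynamics are analyzed. Numerical test results show that the method can escape local optima, greatly improves computational accuracy, and further improves global optimization capability.
     5. A honeynet alert clustering algorithm based on the chaotic particle swarm is proposed. Existing honeynet systems produce too many alerts, so network security analysts are submerged in large numbers of useless alerts. To improve the alert quality of the intrusion detection system (IDS) in the honeynet and reduce redundant alerts, an IDS alert clustering algorithm based on the chaotic particle swarm is proposed. The algorithm overcomes the premature convergence and local optima of the particle swarm algorithm and guides the cluster centers to the global optimum. Analysis and experimental tests verify that, in an intrusion detection system, the algorithm reduces the number of alerts and improves alert quality, with a higher detection rate and a lower false alarm rate.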
With the rapid development of Internet technology, its applications have been integrated into all trades and professions, and the network has become one of the infrastructures of daily life. At the same time, because of its openness, the network is under a variety of security threats, such as Trojans, viruses and zombie programs. The situation is extremely severe: more and more hosts are infected every year and information security incidents have never stopped. Traditional passive network defense technologies can protect our networks to some degree, but they cannot reverse the imbalance between attack and defense in terms of time, information acquisition and cost.
     Traditional passive network defense systems are often built on network isolation, security detection, security recovery and other technologies, which prove inadequate when faced with unknown attacks. Given such serious threats and the imbalance between attack and defense, it is urgent to devise a new active network defense technology that can provide a virtual network to induce hackers to attack it, and learn the newest techniques and methods of attackers. At the same time, it should protect the real network by reducing the strength of the attacks the real network would suffer, and give administrators adequate time to defend against attacks. The honeynet emerged as such an active network defense technology; it focuses on camouflaging the real network environment to lure attackers so as to collect attack information for further analysis.
     A network processor is a high-speed dedicated processor for network data processing and forwarding, which specializes in data control, data acquisition and network simulation. A novel high-speed honeynet system was built on top of the IXP2400. This system addressed honeynet architecture and deployment, the simulation of large-scale network topologies, high-speed routing lookup, and alarm clustering for the intrusion detection system. The main innovations of the present thesis are as follows:
     1. A new honeynet architecture based on a network processor was put forward. Through in-depth research and discussion of the key technologies of honeynets, this thesis proposed a novel honeynet architecture based on a network processor to make up for the disadvantages of existing honeynet systems. This architecture addressed how to disguise a large-scale network, the deployment of the honeynet gateway, mapping services to high-interaction honeypots, data capture and analysis, etc. The honeynet system can be deployed dynamically to camouflage a large-scale network with high-interaction services. It provides a visualization of the attack scene in order to reduce manual analysis. The research improves the automation and intelligence of the honeynet system. It also equips the system with high-speed processing performance, excellent security and controllability.
     2. A model for real-time simulation of large-scale networks, based on a powerful network processor, was brought forward to camouflage the network topology in the honeynet system. Real-time network simulation refers to simulating computer networks in real time so that the virtual network can interact with real implementations of network protocols, network services, and distributed applications. This scheme took advantage of a discrete event simulation model to simulate a large-scale network. The thesis also described the implementation of the network simulation technology on the Intel IXP2400 platform. The simulation results show that the model is able to simulate a large-scale network, respond to probe packets, learn routing entries automatically and forward packets at wire speed.
     3. A new routing lookup algorithm, BFBP (Bloom-Filter algorithm and parallel Back-Propagation neural networks), was proposed for high-speed routing lookup in the honeynet gateway. For existing routing lookup algorithms based on neural networks, all IP addresses need to be learned. The training time is very costly, which badly affects their application in routing lookup. To solve this problem, the Bloom-Filter algorithm was employed to divide the neural network into several parallel sub-neural networks. Within each sub-neural network, only network IDs had to be learned rather than all the IP addresses contained in the routes. The results show that, compared to other routing lookup algorithms based on neural networks, the BFBP algorithm reduces the average number of items the neural network has to learn by 520 times. The BFBP algorithm therefore improves the learning efficiency of neural networks and creates favorable conditions for the application of neural networks in the area of routing lookup.
     4. A new chaos-particle swarm optimization algorithm was brought forward to optimize honeynet alerts. The original particle swarm optimization (PSO) algorithm has the advantage of fast convergence, but PSO is prone to premature and local convergence. The new chaos-particle swarm optimization algorithm presented in this thesis is able to overcome this problem. Unlike conventional methods that replace particles, this new algorithm adjusted the motion of the particles according to the characteristics of chaos, so that the particles move between chaotic and stable states and gradually converge to the optimal value. The nonlinear dynamics of the proposed mathematical model were analyzed, and the experimental results show that the proposed algorithm produces encouraging results.
     5. A honeynet alert clustering algorithm based on chaotic particle swarm optimization was advanced. Because existing honeynet systems generate an excessive number of alarms, network security analysts are often submerged by a lot of useless alarms. In order to improve the quality of alerts in the intrusion detection system (IDS) and reduce the large number of redundant alarms, the thesis proposed an IDS alert clustering algorithm based on chaotic particle swarm optimization. This algorithm can overcome the problems of prematurity and local optima, and guide the cluster centers to the global optimal solution. The analysis and experiments show that this algorithm can significantly reduce the number of alerts and improve their quality, while providing a higher detection rate and a lower false detection rate.
