Research on Network Situational Awareness Technology Based on Topology and Traffic Mining
Abstract
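Network situational awareness refers to the acquisition, comprehension, assessment and display of the factors that can change the network situation in a large-scale network environment, together with the prediction of future trends. As the inevitable direction of network management, network situational awareness can fuse multi-source, multi-attribute information, assess and predict the current state and trend of the whole network, which is made up of the operating status of network devices, network behavior, user behavior and other factors, and provide decision support. Research on network situational awareness has only just begun and is concentrated in the security field, so it does not reflect the macroscopic and holistic nature of a situation; the methods used are mainly hierarchical structures and weight analysis, which lack a theoretical basis; and most studies stay at the data level without rising to the level of situation, failing to achieve the abstraction from data to information and then to knowledge.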
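     To address the typical problems and common requirements of network situational awareness, this thesis studies in depth the state of development of the key technologies and of application deployment, proposes a network situational awareness model based on topology and traffic mining, and focuses on a network data stream clustering algorithm for situation pattern partition, a situation assessment method based on rough set analysis, and a situation forecast method based on the generalized regression neural network, on the basis of which a prototype system is designed and implemented. The main contributions are as follows: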
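     After an in-depth analysis of the shortcomings of traffic analysis and the advantages of data mining, a network situational awareness model based on topology and traffic mining, the TTM (Topology Traffic Mining) model, is proposed. The TTM model specifies the functions of network situational awareness and their division and organization, defines the data structures and functions, and gives the modeling process and the awareness process. It breaks through the limitation to the security situation: it takes network traffic data and topology data as the data sources for situational awareness, builds an index system in which the various factors that affect the network situation serve as situation factors, and, with traffic mining and topology inference as its basic ideas, provides a higher-level, more abstract comprehensive situation, realizing assessment and presentation of the global network situation and fully reflecting the holistic and macroscopic nature of a situation. In addition, the TTM model introduces the ideas of data mining and so is able to acquire knowledge and reveal regularities; it can comprehensively reveal the various anomalous events in the network while having theoretical support, which makes it scientific and objective.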
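     Given that situation pattern partition lacks prior knowledge, clustering is chosen as the means of traffic mining. Based on an analysis of existing clustering algorithms and the characteristics of traffic data, a network data stream clustering algorithm for situation pattern partition, NetStream, is proposed. On the basis of grid partition of the data space and situation factor selection, the algorithm performs full-space clustering, forming clusters by merging connected dense grids; then, for clusters that do not satisfy the density threshold, it performs subspace clustering with a top-down strategy that takes both density and dimensionality as criteria, searching for the optimal projected clusters; and it detects concept drift by means of the Chernoff bound, adaptively adjusts the window size and update interval with a dual-window adjustment strategy, and incrementally updates the clustering result. NetStream is a high-speed subspace clustering algorithm that can handle high-dimensional, mixed-attribute, bursty network data and meets requirements such as one-pass scanning, sequential access, limited memory, scalability, comprehensibility and insensitivity to noise. More importantly, the top-down strategy makes full use of the characteristics that network burstiness produces in the data distribution and can find projected clusters in different subspaces of different dimensionality, achieving fast subspace clustering; and the Chernoff-bound-based concept drift detection can discover bursty network behavior and, combined with the jumping-window, dual-window incremental update strategy, achieves online clustering and dynamic maintenance of the data stream.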
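     Given that situation assessment is not sufficiently scientific and objective, a situation assessment method based on rough set analysis, RSSA (Situation Assessment based on Rough Set Analysis), is proposed. On the basis of situation pattern partition, RSSA automatically generates situation assessment rules for network elements through rough set analysis; it further considers the frequency with which situation patterns occur and their temporal variation to formulate a strategy for adjusting the assessment rules; meanwhile, based on capacity theory, it comprehensively analyzes the topological contribution and transmission capacity of each network element to determine its weight; finally it fuses the situation and weight of each network element to complete the whole-network situation assessment. On the one hand, by means of rough set analysis, RSSA brings the expression, learning and analysis of knowledge into a unified framework, combines the abilities of expression, learning and classification, can discover implicit knowledge from patterns, reveal latent regularities and convert them into logical rules, and needs no prior information, so it is scientific and objective. On the other hand, through graph-theoretic analysis it comprehensively considers the influence of the network topology and of the transmission capacity of network elements on the whole-network situation, fusing topology data and traffic data and truly achieving network situation assessment from a global perspective.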
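     For the problem of forecasting nonlinear systems, situation forecasting is analyzed as a time series, and a situation forecast method based on the generalized regression neural network, GRNNSF (Situation Forecast based on Generalized Regression Neural Network), is proposed. GRNNSF trains a generalized regression neural network on historical data, adaptively selects the network parameters, builds the forecast model, and dynamically updates the model as data arrive. GRNNSF learns quickly, forecasts accurately and has strong nonlinear mapping ability; its structure is determined adaptively and its output is independent of the initial weights. It has considerable advantages over back-propagation networks and radial basis function networks in approximation ability, classification ability and learning speed, and it also forecasts fairly well when sample data are scarce.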
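     Based on the research on the above key technologies, a network situation management prototype system (Network Situation Management System, NSMS) is designed and implemented. The prototype integrates two network management functional units, topology discovery and traffic collection, proposes the multi-view, hypervolume situation visualization scheme MVHV (multi-view, hypervolume), implements the network data stream clustering algorithm NetStream, the situation assessment method RSSA and the situation forecast method GRNNSF, and validates the network situational awareness model TTM.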
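     This thesis is a useful exploration of network situational awareness, and its results have theoretical value and practical significance for promoting integrated network situation management. The work described here has already been applied in the pre-research topics and real engineering projects undertaken.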
Cyberspace Situational Awareness (CSA) refers to the acquisition, comprehension, assessment and visualization of the factors which can bring changes in the network situation, and the forecast of the development trend, in a large-scale network. As the development direction of network management in the future, CSA can fuse multi-source and multi-attribute information, assess and forecast the current state and trend of the whole network, which is composed of the operating status of various network equipment, network behaviors, user behaviors and other situation factors, and provide decision support. Currently the research on CSA is just at the beginning. There are many problems to be solved: the current research mainly focuses on security, which cannot reflect the situation characteristics of integrity and macroscopy; the mainstream assessment methods are based on hierarchical structure or weight function, which lack a theoretical basis; most research remains at the data level, not up to the situation level, and cannot realize the abstraction from data to information and then to knowledge.
     According to the typical problems and common requirements of CSA, we studied the current key technologies and the application deployment, proposed a CSA model, and mainly researched the network data stream clustering algorithm, situation assessment method and situation forecast method. We also designed and implemented a prototype system to validate our work. The major contributions of this thesis are as follows:
     Considering the shortcomings of traffic analysis and the advantages of data mining, we proposed a Cyberspace Situational Awareness model based on Topology and Traffic Mining (TTM). The TTM model specifies the CSA functions as well as their division and organization, defines the data structure, and gives the modeling process and awareness process. The basic idea of the TTM model integrates traffic mining and topology inference, so TTM breaks through the limitations of the security situation, and takes the network traffic and topology as data sources to establish an index system including the various situation factors which can affect the network situation. TTM provides a higher-level, more abstract comprehensive situation, realizes whole-network assessment and visualization, and fully reflects the situation characteristics of integrity and macroscopy. In addition, by introducing data mining, TTM is theoretical, scientific and objective, with the capability of knowledge acquisition, law discovery and detection of known and unknown anomalies.
     Aiming at the lack of prior knowledge of situation patterns, clustering was determined as the means of traffic mining. Analyzing the existing clustering algorithms and the characteristics of traffic data, we put forward a network data stream clustering algorithm for situation pattern partition -- NetStream. On the basis of clustering space grid partition and situation factor selection, NetStream first merges the connected grids to form clusters in full-dimensional space; then searches for dense projection clusters in the clusters that do not satisfy the density threshold by means of top-down subspace clustering; and finally detects concept drift based on the Chernoff Bound, dynamically adjusts the window size and update interval of jumping windows, and incrementally modifies the clustering model. NetStream is a fast subspace clustering algorithm, which can deal with high-dimensional, bursty, heterogeneous-attribute data and satisfy all of the requirements including: one-pass, ordinal access to input data, limited memory, scalability, comprehensibility, insensitivity to noise and so on. More importantly, the top-down strategy, which realizes the fast subspace clustering, takes full advantage of the data distribution characteristic caused by the burst nature of the network, and can find the projection clusters with different dimensionality in different subspaces; the concept drift detection based on the Chernoff Bound, combined with the incremental update strategy, can find network burst behavior and realize the online clustering and dynamic maintenance of the data stream.
     To enhance the theoretical basis of situation assessment, we proposed a Situation Assessment method based on Rough Set Analysis (RSSA). On the basis of situation pattern partition, RSSA generates the situation assessment rules of the network elements automatically through Rough Set analysis; further designs the adjustment strategy for assessment rules according to the appearance frequency of situation patterns; meanwhile analyzes the topology contribution and transmission capacity of the network elements to determine their weights based on the capacity network theory; and finally fuses the situation and weight of each network element and completes the whole-network situation assessment. On one hand, with the aid of Rough Set analysis, RSSA integrates knowledge expression, learning and analysis into a uniform framework, and has the ability of expression, learning and classification. RSSA has advantages in discovering implicit knowledge, revealing potential laws and designing logical rules from massive historical data or cases. RSSA does not need any prior information, so it is scientific and objective. On the other hand, with the aid of Graph Theory analysis, RSSA integrates topology and traffic data, analyzes the effect of network topology structure and network element transmission capacity on the whole-network situation comprehensively, and realizes network situation assessment from a global perspective.
     Aiming at the problem of nonlinear system forecast, we proposed a Situation Forecast method based on Generalized Regression Neural Network (GRNNSF). GRNNSF regards situation forecast as time series analysis, trains a GRNN using historical data, selects network parameters adaptively, and updates the forecast model dynamically with the arrival of new data. GRNNSF is fast and accurate, and has advantages in approximation ability, classification ability and learning speed over the Back-Propagation Network or the Radial Basis Function Network. Even if the sample data is lacking, the forecast result is also good.
     To validate the key technologies described above, we designed and implemented a network situation management prototype system -- NSMS. NSMS integrates two network management functions, topology discovery and traffic collection, puts forward a multi-view hypervolume visualization scheme, implements NetStream, RSSA and GRNNSF, and demonstrates the TTM model.
     Our research is a beneficial exploration of Cyberspace Situational Awareness. It provides essential support to the network situation management environment. The research is valuable for facilitating network management and has been integrated into our actual project.
