Research on Machine Learning Methods for Intrusion Detection and Their Applications
Abstract
Intrusion detection is an information security technology for detecting intrusive behaviour in computer networks and is the cornerstone of proactive network security protection. Faced with the increasingly frequent distributed, multi-target, multi-stage combined network attacks of today, as well as the unknown security problems the next-generation Internet may bring, there are growing calls to improve the detection efficiency and intelligence of intrusion detection systems. Machine learning methods are a class of methods for classification and prediction. They have recently been applied to intrusion detection to varying degrees, but problems such as strong correlation between samples, large numbers of duplicate training samples, long training times and the difficulty of labelling intrusion samples have not been well resolved.
Addressing the duplicate or similar samples in intrusion detection feature data and the correlation that may exist between feature parameters, this thesis proposes PCA-IC, a feature-data compression algorithm that integrates principal component analysis and immune clustering. PCA-IC compresses the data without losing the feature knowledge implicit in it, so as to reduce the number of samples used for machine learning. It first applies principal component analysis to remove the correlation between feature parameters, then applies immune clustering to remove similar samples. In simulation experiments on the KDDCUP99 intrusion detection data set, a sample compression rate of 89% was achieved.
Misuse intrusion detection models intrusions against the known weaknesses of network systems and application software, then detects them by pattern-matching the observed user behaviour and resource usage against those models; it is a multi-pattern classification problem. Because an ordinary multi-class support vector machine has to evaluate all of its pairwise binary classifiers, with many duplicate training samples, low speed and poor real-time performance, a fast misuse-detection classification algorithm based on a binary-tree support vector machine with intrusion priorities, BTPM-SVM, is proposed. BTPM-SVM introduces the concept of priority and arranges multiple support vector machines by priority into an asymmetric hierarchical binary tree, in which the number of SVM training samples at each level decreases rapidly with depth; this greatly reduces duplicate training samples and speeds up training. In simulation experiments on the KDDCUP99 misuse detection data set, the sample recognition rate was 96%, saving 57% of computation time for the same amount of data.
Anomaly intrusion detection distinguishes the normal from the abnormal behaviour of a system using observed data such as network traffic characteristics and host audit records. Because the training samples in anomaly detection are unlabelled, unbalanced data sets, the task is treated as an outlier discovery problem, and a hypersphere One-class SVM anomaly detection algorithm suited to outlier detection is proposed. In simulation experiments on the "MIT lpr" system-call data set provided by the University of New Mexico, 1000 of 1001 anomalous samples were correctly identified.
User anomaly detection monitors the behaviour of certain legitimate users of a system to prevent them from performing unauthorised operations, or to prevent other users from misusing their accounts for illegal or malicious operations. A two-dimensional co-occurrence matrix is used to model user behaviour; because the samples have very high dimensionality, principal component analysis is applied to reduce their dimension, and the reduced samples are then classified with a multi-class support vector machine. In performance tests on the SEA data set, the sample recognition rate was 80.4%.
To achieve a smooth transition from IPv4 to IPv6 networks and ensure the secure and orderly operation of the next-generation Internet, a machine-learning-based intrusion detection prototype system, MLIDS, was designed and implemented on top of the above algorithms. In simulation experiments in IPv4 and IPv6 environments the MLIDS prototype achieved detection rates of 97% and 98% respectively, a high detection accuracy that demonstrates the effectiveness and practicality of the proposed BTPM-SVM and hypersphere One-class SVM algorithms.
Intrusion detection, an information security technology for detecting incursions into a computer network, is the foundation of proactive network security protection. In view of the unknown security issues the next-generation Internet may encounter, as well as the increasingly frequent distributed, multi-target, multi-stage network attacks seen today, it is imperative that intrusion detection systems improve their detection efficiency and intelligence. Machine learning methods, which are used for classification and prediction, have come into use in the field of intrusion detection. Nevertheless, many problems remain unsatisfactorily resolved, including heavy correlation between samples, large numbers of duplicated training samples, long training times and the difficulty of labelling intrusion samples.
PCA-IC, a feature compression algorithm that integrates principal component analysis and immune clustering, is designed for the duplicated or similar samples found in intrusion detection feature data and the potential correlation between feature parameters. The algorithm compresses the data without losing its implied feature knowledge, so as to reduce the number of samples used for machine learning. Principal component analysis is applied first to remove the correlation between parameters, followed by immune clustering to eliminate similar samples. In simulation experiments on the KDDCUP99 intrusion detection data set, the sample compression rate reached 89%.
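The two-stage compression just described, as an added example that is not the thesis's own code: feature columns are standardised and decorrelated by PCA (power iteration with deflation, written out here to stay dependency-free), and the immune-clustering stage is replaced by a simple affinity-threshold leader clustering that keeps a sample only when no retained representative lies within `threshold` of it in principal-component coordinates. The five behaviour prototypes, the derived (hence correlated) feature columns, the noise levels and the threshold are all constructed for this example; the compression rate it prints is a property of that constructed data, not the 89% reported above.

```python
"""PCA-decorrelation followed by near-duplicate removal (PCA-IC-style pipeline).

Added example, not the thesis code. PCA: power iteration with deflation.
Immune clustering stand-in: affinity-threshold leader clustering."""
import math
import random


def standardise(X):
    """Zero-mean, unit-variance columns so no single feature dominates the covariance."""
    n, d = len(X), len(X[0])
    mean = [sum(r[j] for r in X) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in X) / n) or 1.0 for j in range(d)]
    return [[(r[j] - mean[j]) / std[j] for j in range(d)] for r in X]


def covariance(Z):
    n, d = len(Z), len(Z[0])
    return [[sum(r[i] * r[j] for r in Z) / n for j in range(d)] for i in range(d)]


def top_components(C, k, iters=300, seed=0):
    """Leading k unit eigenvectors of a symmetric PSD matrix (power iteration + deflation)."""
    rng = random.Random(seed)
    d = len(C)
    C = [row[:] for row in C]  # deflation modifies a copy
    comps = []
    for _ in range(k):
        v = [rng.uniform(-1, 1) for _ in range(d)]  # random start avoids an orthogonal seed
        for _ in range(iters):
            w = [sum(C[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * C[i][j] * v[j] for i in range(d) for j in range(d))
        comps.append(v)
        for i in range(d):
            for j in range(d):
                C[i][j] -= lam * v[i] * v[j]  # remove this component before finding the next
    return comps


def project(Z, comps):
    """Coordinates of each standardised row in the principal-component basis."""
    return [[sum(z[j] * c[j] for j in range(len(z))) for c in comps] for z in Z]


def leader_cluster(P, threshold):
    """Keep a sample only if every kept representative is farther than `threshold`."""
    reps = []
    for p in P:
        if all(math.dist(p, r) > threshold for r in reps):
            reps.append(p)
    return reps


def compress(X, k, threshold):
    """Returns the retained representatives (in PC coordinates) and the compression rate."""
    Z = standardise(X)
    P = project(Z, top_components(covariance(Z), k))
    reps = leader_cluster(P, threshold)
    return reps, 1.0 - len(reps) / len(X)


def constructed_dataset(per_prototype=40, seed=1):
    """Constructed feature records: five behaviour prototypes with noisy copies each;
    columns 3..5 are derived from columns 1..2, so the raw features are correlated."""
    rng = random.Random(seed)
    rows = []
    for u0, v0 in [(0, 0), (20, 0), (0, 10), (20, 10), (10, 5)]:
        for _ in range(per_prototype):
            u = u0 + rng.uniform(-0.3, 0.3)
            v = v0 + rng.uniform(-0.3, 0.3)
            rows.append([u, v,
                         2 * u + rng.uniform(-0.1, 0.1),
                         -v + rng.uniform(-0.1, 0.1),
                         u + v + rng.uniform(-0.1, 0.1)])
    return rows


if __name__ == "__main__":
    reps, rate = compress(constructed_dataset(), k=2, threshold=0.5)
    print(f"{len(reps)} representatives kept, compression rate {rate:.1%}")
```

Because the five raw columns carry only two independent signals, two principal components capture essentially all the variance, and the leader pass then collapses each prototype's noisy copies onto a single representative. The threshold is the knob that trades compression against fidelity: set it below the noise radius of a behaviour cluster and duplicates survive; set it above the gap between clusters and distinct behaviours are merged, which is exactly the loss of "implied feature knowledge" the pipeline is meant to avoid.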
Misuse detection models the weaknesses of known network systems and application software and then pattern-matches the observed users' behaviour and resource usage against those models; it is a multi-pattern classification problem. Because a general multi-class support vector machine has to evaluate all of its binary classifiers, handling many duplicated samples at low speed with unsatisfactory real-time performance, this thesis presents the Binary Tree with Priority for Multi-class Support Vector Machine (BTPM-SVM) algorithm. BTPM-SVM introduces the concept of priority, according to which multiple support vector machines are arranged into an asymmetric hierarchical binary tree in which the number of SVM training samples decreases rapidly from level to level, greatly reducing the number of duplicated samples and speeding up training. In simulation experiments on the KDDCUP99 misuse detection data set, the sample detection rate reached 96%, saving 57% of the computation time for the same amount of data.
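The priority-ordered cascade described above, as an added example that is not the thesis code: each level of the tree trains one binary classifier for "highest-priority remaining class versus everything else" and then drops that class from the training pool, so every deeper level sees fewer samples. A plain perceptron stands in for the SVM at each node (the tree logic is what the example is about); the four class labels, their centres and sizes, and the priority order are constructed for the example, and the sample counts it reports are for that data, not the 57% figure.

```python
"""Priority binary-tree multi-class cascade (structure behind BTPM-SVM).

Added example, not the thesis code. Each node is a linear perceptron standing in
for an SVM; the class decided at a node is removed from the pool for deeper nodes."""
import random
from collections import Counter
from itertools import combinations


def train_perceptron(X, y, epochs=500, lr=0.1):
    """Linear binary classifier; labels are +1 / -1. Stops once an epoch makes no mistake."""
    d = len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        mistakes = 0
        for x, t in zip(X, y):
            if t * (sum(wi * xi for wi, xi in zip(w, x)) + b) <= 0:
                w = [wi + lr * t * xi for wi, xi in zip(w, x)]
                b += lr * t
                mistakes += 1
        if mistakes == 0:
            break
    return w, b


def predict_binary(model, x):
    w, b = model
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else -1


def train_priority_tree(X, y, priority):
    """priority: class labels, most urgent first; the last label is the leaf default
    and never needs its own classifier. Returns ([(class, model, n_train)], default)."""
    levels = []
    pool = list(zip(X, y))
    for cls in priority[:-1]:
        Xl = [x for x, _ in pool]
        yl = [1 if c == cls else -1 for _, c in pool]
        levels.append((cls, train_perceptron(Xl, yl), len(pool)))
        pool = [(x, c) for x, c in pool if c != cls]  # this class is decided; drop it
    return levels, priority[-1]


def classify(tree, x):
    """Walk the tree top-down; the first node that fires decides the class."""
    levels, default = tree
    for cls, model, _ in levels:
        if predict_binary(model, x) == 1:
            return cls
    return default


def tree_training_samples(tree):
    return sum(n for _, _, n in tree[0])


def one_vs_one_training_samples(y):
    """Samples an all-pairs multi-class SVM would touch: every pair of classes trains once."""
    counts = Counter(y)
    return sum(counts[a] + counts[b] for a, b in combinations(sorted(counts), 2))


def constructed_dataset(seed=7):
    """Constructed 2-D records for four classes, well separated, with 'normal' the largest."""
    centres = {"dos": (8, 8), "probe": (-8, 8), "r2l": (8, -8), "normal": (-8, -8)}
    sizes = {"dos": 30, "probe": 20, "r2l": 10, "normal": 40}
    rng = random.Random(seed)
    X, y = [], []
    for cls, (cx, cy) in centres.items():
        for _ in range(sizes[cls]):
            X.append([cx + rng.uniform(-1, 1), cy + rng.uniform(-1, 1)])
            y.append(cls)
    return X, y


def demo():
    X, y = constructed_dataset()
    tree = train_priority_tree(X, y, ["dos", "probe", "r2l", "normal"])
    accuracy = sum(classify(tree, x) == c for x, c in zip(X, y)) / len(X)
    return accuracy, tree_training_samples(tree), one_vs_one_training_samples(y)


if __name__ == "__main__":
    acc, tree_n, ovo_n = demo()
    print(f"training accuracy {acc:.0%}; samples touched: tree {tree_n} vs one-vs-one {ovo_n}")
```

With 30/20/10/40 samples for dos/probe/r2l/normal, the three tree nodes train on 100, 70 and 50 samples (220 in total) against 300 for the six one-vs-one classifiers, and the bulk class placed last never gets a classifier of its own. The saving depends on class sizes and on the priority order, which is also a security decision: the classes listed first are the ones a sample is tested for first, so they should be the intrusion types whose misses matter most.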
Anomaly detection distinguishes normal from abnormal system behaviour using network traffic characteristics and host audit data. Because the training samples in anomaly detection are unlabelled and unbalanced data sets, attack detection is treated as outlier detection, which a hypersphere one-class SVM can solve. In simulation experiments on the "MIT lpr" system-call data set provided by the University of New Mexico, 1000 of the 1001 abnormal samples were correctly identified.
Masquerader detection monitors the behaviour of legitimate users of the system, preventing them from performing unauthorised operations and preventing other users from fraudulently using those legitimate accounts for illegal or malicious acts. In this thesis, a two-dimensional co-occurrence matrix is used to model user behaviour; because the samples have very many dimensions, principal component analysis is applied to reduce their dimensionality, after which a multi-class support vector machine classifies the processed samples. In performance tests on the SEA data set, the sample identification rate reached 80.4%.
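One added example covers both of the preceding paragraphs, the hypersphere one-class outlier detection over system-call traces and the co-occurrence-matrix modelling of event sequences; it is not the thesis's code. A short event trace is turned into a flattened co-occurrence matrix (how often event b follows event a within a window), and a simplified hypersphere detector is fitted only to normal traces: the centre is the mean of the normal feature vectors and the radius is the (1 − ν) quantile of their distances, so at most a fraction ν of training traces falls outside, mirroring the role ν plays for a one-class SVM. There is no kernel and no margin optimisation here, so it is a stand-in for the hypersphere One-class SVM rather than the algorithm itself. The event vocabulary and all traces are constructed.

```python
"""Co-occurrence-matrix features scored by a hypersphere one-class detector.

Added example, not the thesis code: a kernel-free stand-in for the hypersphere
One-class SVM (centre = mean of normal vectors, radius = distance quantile)."""
import math

# Constructed event vocabulary; the last slot absorbs events unknown when the model was built.
VOCAB = ["open", "read", "write", "close", "exec", "socket", "connect", "<other>"]


def cooccurrence_vector(seq, vocab=VOCAB, window=1):
    """Flatten a |V| x |V| co-occurrence matrix into a vector.

    Cell (a, b) counts how often event b follows event a within `window` positions;
    counts are normalised so trace length does not dominate the distance."""
    idx = {v: i for i, v in enumerate(vocab)}
    n = len(vocab)
    other = n - 1
    cells = [0.0] * (n * n)
    for i, a in enumerate(seq):
        for b in seq[i + 1:i + 1 + window]:
            cells[idx.get(a, other) * n + idx.get(b, other)] += 1.0
    total = sum(cells) or 1.0
    return [c / total for c in cells]


def fit_hypersphere(vectors, nu=0.1):
    """Centre = mean of the normal vectors; radius = (1 - nu) quantile of their
    distances to the centre, so at most a fraction nu of training samples lies outside."""
    n, d = len(vectors), len(vectors[0])
    centre = [sum(v[j] for v in vectors) / n for j in range(d)]
    dists = sorted(math.dist(v, centre) for v in vectors)
    k = min(n - 1, max(0, math.ceil((1 - nu) * n) - 1))
    return centre, dists[k]


def is_anomalous(model, vec):
    centre, radius = model
    return math.dist(vec, centre) > radius


# Constructed traces of a well-behaved file-handling process (training data: normal only).
NORMAL_TRACES = [
    "open read write close open read write close".split(),
    "open read write close".split(),
    "open read read write close".split(),
    "open read write write close".split(),
    "open read write close open read close".split(),
    "open read write close open write close".split(),
    "open read read write write close".split(),
    "open read write close open read write close open read write close".split(),
]

# Constructed traces that pull in process-spawning and network events never seen in training.
SUSPECT_TRACES = [
    "open read exec socket connect write close".split(),
    "socket connect exec".split(),
    "open read write close socket connect".split(),
]


def fit_model(nu=0.1):
    return fit_hypersphere([cooccurrence_vector(t) for t in NORMAL_TRACES], nu)


def demo(nu=0.1):
    """Returns (normal traces flagged, suspect traces flagged)."""
    model = fit_model(nu)
    flagged_normal = sum(is_anomalous(model, cooccurrence_vector(t)) for t in NORMAL_TRACES)
    flagged_suspect = sum(is_anomalous(model, cooccurrence_vector(t)) for t in SUSPECT_TRACES)
    return flagged_normal, flagged_suspect


if __name__ == "__main__":
    print(demo())
```

The detector needs no labelled attack traces: everything it learns comes from the normal traces, which is what makes the one-class formulation fit an unlabelled, unbalanced training set. The radius quantile ν is the false-positive budget on training data; a trace whose transitions all lie in cells the normal data never populated lands far from the centre no matter how its counts are arranged, while a trace that merely reorders known transitions stays close. Unknown events are folded into one `<other>` slot so that a previously unseen event cannot crash the scorer, which is the failure mode a deployed monitor must survive.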
To achieve a smooth transition from IPv4 to IPv6 networks and to ensure the safe and orderly operation of the next-generation Internet, this thesis, building on the above algorithms, designs and implements MLIDS, an intrusion detection prototype system based on machine learning. In simulation tests in IPv4 and IPv6 environments, the MLIDS prototype achieved detection rates of 97% and 98% respectively; this relatively high detection accuracy demonstrates the effectiveness and practicality of the BTPM-SVM and hypersphere One-class SVM algorithms proposed here.
    [143] KrishnaKumar, K., Neidhoefer, J. Immunized adaptive critics for level 2 intelligent control. in: Proceedings of the IEEE International Conference on Systems, Man and Cybernetics. Orlando, FL, USA: IEEE, Piscataway, NJ, USA, 1997, 1: 856-861
    [144] Hunt, J. E., Cooke, D. E. Learning using an artificial immune system. Journal of Network and Computer Applications, 1996, 19(2): 189-212
    [145] Kim, J., Bentley, P. Immune memory and gene library evolution in the dynamic clonal selection algorithm. Genetic Programming and Evolvable Machines, 2004, 5(4): 361-391
    [146] L. Labs, M. Darpa intrusion detection evaluation. http://www. ll. mit. edu/IST/ideval/ index. html, 2005
    [147] Vapnik, V. N., Chervonenkis, A. Y. Theory of uniform convergence of frequency of appearance, attributes to their probabilities and problems of defining optimal solution by empiric data. Avtomatika i Telemekhanika, 1971(2): 42-53
    [148] Vapnik, V. N., Mikhal'skii, A. I. The search for dependencies by the method of ordered minimisation of risk. Automation and Remote Control. 1974, 35(10): 1615-1624
    [149] Vapnik, V. N., Stefanyuk, A. R. Nonparametric methods for reconstructing probability densities. Automation and Remote Control. 1978, 39(8): 1127-1140
    [150] Joachims, T. Transductive inference for text classification using support vector machines. in: Proceedings of ICML-99: Sixteenth International Conference on Machine Learning, 27-30 June 1999. Bled, Slovenia: Morgan Kaufmann, 1999: 200-209
    [151] Tin-Yau Kwok, J. Support vector mixture for classification and regression problems. in: Proceedings Fourteenth International Conference on Pattern Recognition, 16-20 Aug. 1998. Brisbane, Qld., Australia: IEEE Comput. Soc, 1998, 1: 255-258
    [152] Osuna, E., Freund, R., Girosit, F. Training support vector machines: an application to face detection. in: Proceedings of IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 17-19 June 1997. San Juan, Puerto Rico: IEEE Comput. Soc, 1997: 130-136
    [153] Scholkopf, B., Smola, A. J., Williamson, R. C., Bartlett, P. L. New support vector algorithms. Neural Computation, 2000, 12(5): 1207-1245
    [154] Tax, D. M. J., Juszczak, P. Kernel whitening for one-class classification. in: Pattern Recognition with Support Vector Machines. First International Workshop, SVM 2002. Proceedings, 10 Aug. 2002. Niagara Falls, Ont., Canada: Springer-Verlag,2002: 40-52
    [155] Manevitz, L. M., Yousef, M. One-class SVMs for document classification. Journal of Machine Learning Research, 2002, 2(2): 139-154
    [156] Chen, Y., Zhou, X. S., Huang, T. S. One-class SVM for learning in image retrieval. in: Proceedings 2001 International Conference on Image Processing, 7-10 Oct. 2001. Thessaloniki, Greece: IEEE, 2001, 1: 34-37
    [157] Wu, X., Srihari, R., Zheng, Z. Document representation for one-class SVM. in: 15th European Conference on Machine Learning, ECML 2004, Sep 20-24 2004. Pisa, Italy: Springer Verlag, Heidelberg, D-69121, Germany, 2004, 3201: 489-500
    [158] Warrender, C., Forrest, S., Pearlmutter, B. Detecting intrusions using system calls: alternative data models. Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 1999: 133-145
    [159] Ye, N., Li, X., Chen, Q., Emran, S. M., et al. Probabilistic techniques for intrusion detection based on computer audit data. IEEE Transactions on Systems, Man, and Cybernetics Part A:Systems and Humans, 2001, 31(4): 266-274
    [160] Hofmeyr, S. A., Forrest, S., Somayaji, A. Intrusion detection using sequences of system calls. Journal of Computer Security, 1998, 6(3): 151-180
    [161] Maxion, R. A., Townsend, T. N. Masquerade detection using truncated command lines. in: Proceedings of the 2002 International Conference on Dependable Systems and Networks. Washington, DC, United States: IEEE Computer Society, 2002: 219-228
    [162] Maxion, R. A. Masquerade Detection Using Enriched Command Lines. in: Proceedings of the International Conference on Dependable Systems and Networks. San Francisco, CA, United States: Institute of Electrical and Electronics Engineers Computer Society, 2003: 5-14
    [163] Maxion, R. A., Townsend, T. N. Masquerade detection augmented with error analysis. IEEE Transactions on Reliability, 2004, 53(1): 124-147
    [164] Schonlau, M., Theus, M. Detecting masquerades in intrusion detection based on unpopular commands. Information Processing Letters, 2000, 76(1-2): 33-38
    [165] Schonlau, M. Computer Intrusion: Detecting Masquerades. Statistical Science,2001, 16(1): 58-74
    [166] Lane, T., Brodley, C. E. An empirical study of two approaches to sequence learning for anomaly detection. Machine Learning, 2003, 51(1): 73-107
    [167]连一峰,戴英侠,王航.基于模式挖掘的用户行为异常检测.计算机学报, 2002, 25(3): 325-330
    [168]孙宏伟,邹涛,田新广,张尔扬.基于机器学习的入侵检测方法实验与分析.计算机工程与设计, 2004, 25(2): 694-696
    [169] McCanne, S., Jacobson, V. The BSD packet filter: a new architecture for user-level packet capture. in: Proceedings of the Winter 1993 USENIX Conference. San Diego, CA, USA: USENIX Assoc, 1993: 259-269
    [170]黎耀. IPv6环境下异常检测系统的关键技术研究: [博士学位论文].保存地点:华中科技大学图书馆, 2006
