Research on a Network Intrusion Detection System Based on Outlier Mining
Abstract
Today, as the wave of informatization sweeps the globe, the Internet has developed rapidly. Network information is used in every sector of the state and society, and while people share resources they also feel that information security problems are becoming increasingly prominent. How to guarantee the security of network information has become a very important topic in the development of the Internet. Passive, static security defence systems, from the earliest access control mechanisms to firewall technology combining packet filtering with application-layer gateways, can no longer meet the needs of the current security situation. This situation gave rise to intrusion detection systems, which work actively: by examining anomalies in network and system-internal data they discover possible intrusion behaviour and raise an alarm or actively cut off the intrusion path, making up for the shortcomings of other static defence systems.

The thesis first introduces outlier mining theory and brings it into the intrusion detection system as a new intrusion detection technique. It analyses and studies outlier mining technology and, combining the characteristics of outlier mining with the detection goals of an intrusion detection system, proposes a network intrusion detection system based on outlier mining. Using the efficiency with which outlier mining extracts anomalous data, the system mines new, previously unknown intrusion behaviour in a timely way, uses it to update the intrusion rule base, and performs real-time intrusion detection with a high-efficiency pattern matching algorithm, so that it can efficiently and accurately detect both known and new, unknown intrusions and has the intelligent capability of building and updating the intrusion rule base automatically. The thesis then analyses and reviews in detail the current state of intrusion detection systems and their outstanding problems, constructs a model of the outlier-mining-based network intrusion detection system, divides the model into modules according to functional requirements, and describes the functions each submodule must implement. It also gives a worked analysis of the algorithm and studies the data preprocessing process in depth. Finally, it uses a formal language to give a structured analysis and description of each submodule of the intrusion detection system, laying the foundation for further implementation. The main innovations of the thesis are that it applies a density-based outlier mining method to an intrusion detection system for the first time, proposes and constructs the original model of the system, and describes the system in a formal language.

Compared with existing detection systems, the outlier-mining-based network intrusion detection system proposed and constructed in the thesis has the intelligent capability of creating the intrusion rule base automatically and updating it promptly, and also improves considerably on real-time detection speed and detection accuracy; it can therefore efficiently and accurately detect known and new, unknown network intrusions, improving network security and reducing the workload of administrators.
Today the tide of informatization is sweeping across the globe and the Internet is developing rapidly. Network information is used in every department of the state and society, and while people share it they also feel that the problem of information security is becoming more and more serious. Guaranteeing the security of network information has become very important. The passive and static security defence systems, from the initial access control mechanism to packet filtering and application-layer gateway firewalls, are no longer able to meet the demands of the present security situation. This impelled the birth of the intrusion detection system. It takes an active approach, detecting possible intrusion behaviour by checking for abnormal states in network and system-internal data, and gives warnings or cuts off the intrusion path; it therefore remedies the deficiencies of other static defence systems.

The thesis first introduces the theory of outlier mining and applies it to the intrusion detection system as a new intrusion detection technique. The outlier mining technique is analysed and researched, and, combining its characteristics with the aim of an intrusion detection system, the author proposes a network intrusion detection system based on outlier mining. By applying the efficiency of outlier mining to extract anomalous data, the system finds new and unknown intrusion behaviour in a timely way and uses it to renew the intrusion rule database. At the same time it carries out real-time intrusion detection with an efficient pattern matching algorithm, so that the system detects known and new, unknown intrusion behaviour efficiently and accurately and possesses the intelligent function of constructing and renewing the intrusion rule database automatically. The thesis then analyses in detail and summarises the current state of development and existing problems of intrusion detection systems, constructs a model of the network intrusion detection system based on outlier mining, and divides the model into modules according to the functional demands, explaining the function every submodule realises. The thesis also gives a worked example of the algorithm and researches the data preprocessing process thoroughly. Finally, using a formal language, the thesis analyses and describes the structure of every submodule of the intrusion detection system, which establishes the foundation for realising the system further. The main innovations of the thesis are that it applies the density-based outlier mining method to an intrusion detection system for the first time, proposes and constructs the original model of the system, and describes the system in a formal language.

Compared with other intrusion detection systems, the network intrusion detection system based on outlier mining possesses the intelligent function of constructing and renewing the intrusion rule database automatically, and its real-time detection speed and accuracy are greatly enhanced. It can thus detect known and new, unknown network intrusion behaviour efficiently and accurately, improve network security and reduce the workload of administrators.
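The pipeline the abstract describes, as an added illustration (this is not code from the thesis): a simplified density-based outlier factor is computed over constructed connection records, each mined outlier is discretised into a rule that is added to the rule base, and a string matcher then checks new records against that base. The feature layout, the discretisation in `signature`, and the threshold of 3.0 are assumptions made here for the example.

```python
import math
from typing import List, Set, Tuple
Record = Tuple[float, int, int]  # (duration_s, bytes_out, bytes_in), constructed features

# Constructed, already-preprocessed connection records: eight ordinary web-like
# sessions and one session nothing in the baseline resembles.
NORMAL: List[Record] = [(0.1, 200, 1500), (0.2, 220, 1600), (0.1, 180, 1400), (0.3, 250, 1700),
                        (0.2, 210, 1550), (0.1, 190, 1450), (0.2, 230, 1650), (0.3, 240, 1600)]
SUSPECT: Record = (0.1, 60000, 0)  # constructed: large outbound burst, no reply at all

def dist(a: Record, b: Record) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def neighbours(i: int, data: List[Record], k: int) -> List[int]:
    """Indices of the k nearest records to data[i], excluding itself."""
    order = sorted(range(len(data)), key=lambda j: dist(data[i], data[j]))
    return [j for j in order if j != i][:k]

def local_density(i: int, data: List[Record], k: int) -> float:
    """Inverse mean distance to the k nearest neighbours (simplified LOF-style density)."""
    nb = neighbours(i, data, k)
    return k / (sum(dist(data[i], data[j]) for j in nb) + 1e-9)

def outlier_factor(i: int, data: List[Record], k: int) -> float:
    """Neighbours' mean density over this record's own density: about 1 for a
    normal record, far larger for a record sitting alone in a sparse region."""
    nb = neighbours(i, data, k)
    return sum(local_density(j, data, k) for j in nb) / (k * local_density(i, data, k))

def mine_outliers(data: List[Record], k: int = 3, threshold: float = 3.0) -> List[int]:
    """Offline mining step: indices of the records the density criterion flags."""
    return [i for i in range(len(data)) if outlier_factor(i, data, k) > threshold]

def signature(rec: Record) -> str:
    """Discretise a record into the string pattern the rule base stores (assumed scheme)."""
    _, out, inn = rec
    return f"out={'high' if out > 10000 else 'low'};in={'none' if inn == 0 else 'some'}"

def update_rules(rules: Set[str], data: List[Record], k: int = 3) -> Set[str]:
    """Promote each mined outlier to a rule, so the matcher learns it without an analyst."""
    for i in mine_outliers(data, k):
        rules.add(signature(data[i]))
    return rules

def detect(rec: Record, rules: Set[str]) -> bool:
    """Real-time path: string-match the record's pattern against every rule
    (Python's substring search stands in for the thesis's efficient matcher)."""
    sig = signature(rec)
    return any(rule in sig for rule in rules)
```

Raw byte counts dominate the distance here; the preprocessing stage the abstract mentions would normalise features before mining on real audit data.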