Research and Implementation of a Distributed Network Intrusion Cooperative Detection System Based on Data Mining
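Abstract
As network intrusions keep changing and diversifying, traditional network security technologies and devices can no longer adequately withstand network attacks. For example, the commercial distributed intrusion detection systems currently on the market mostly rely on matching against rules for known intrusion behavior. Their detection engines are deployed on the networks or hosts to be monitored and perform intrusion detection independently, while the central management and control platform of the intrusion detection system is responsible only for platform configuration, detection engine management and displaying each engine's detection results; the detection data from the individual engines is not analyzed cooperatively. Network intrusion detection systems, firewalls and anti-virus software likewise each work alone, which makes it difficult to judge complex attack behavior correctly.
     Anomaly detection judges whether an intrusion exists from user behavior or resource usage. It is fairly general, but its drawback is a false detection rate that is too high. Misuse detection applies known attack methods: based on predefined intrusion patterns, it detects attacks by checking whether those patterns appear. Its detection accuracy is high, but it depends too heavily on the system, and its detection range is limited by what is already known.
     Applying data mining to intrusion detection systems is currently an important direction in intrusion detection research. The thesis discusses the main techniques of data-mining-based intrusion detection and points out that jointly using several data mining methods, and combining data mining with traditional misuse detection and anomaly detection, is an important research direction.
     The thesis proposes an improved FP-Growth association analysis algorithm, an FCM network intrusion detection technique based on binning statistics, and a hybrid intrusion detection technique based on immunological principles. The improved FP-Growth algorithm introduces a singly linked list structure called an aggregation chain, in which each node keeps only a pointer to its parent node; this saves tree space, effectively addresses the speed of data mining, and improves both the execution efficiency of the intrusion detection system and the accuracy of the rule base. The FCM technique based on binning statistics does not need to update the cluster centers frequently, and its time cost is also considerably improved; combining signature matching with the binning-based FCM algorithm makes it better at discovering new attack types and eases updating of the detection knowledge base. The hybrid technique based on immunological principles makes full use of the complex information-processing capabilities that the immune system exhibits, namely recognition, learning, memory, diversity, adaptivity, fault tolerance and distributed detection, and has good application prospects.
     The thesis analyzes the main problems of network intrusion detection technology in detection performance, system robustness and adaptivity, and discusses the development trends of the technology. In view of the current situation, in which commercial intrusion detection systems offer almost no cooperative analysis, rule updates lag behind, and detection techniques do not keep up with changes in intrusion methods, it proposes a model of a distributed network intrusion cooperative detection system based on data mining (hereinafter the "cooperative detection system"). Through cooperation in data collection, data analysis and system response, the model achieves structural, functional, action and processing cooperation within the intrusion detection system, effectively strengthening its detection capability.
     The thesis discusses in detail the detection engine design, communication module design and system cooperation design of the "cooperative detection system". The detection engine is the main body of the system and covers network packet capture, data parsing, intrusion detection and related functions. High-speed networks carry large volumes of information and impose strict real-time requirements, and capturing packets with Libpcap there easily leads to packet loss and paralysis; to address this, the thesis proposes a new packet capture technique based on memory mapping and semi-polling (NAPI). It effectively reduces memory copies from the kernel to user space, avoids interrupt livelock under heavy load, and ensures real-time and accurate packet collection in high-speed network environments.
     Data parsing first parses four parts, the link-layer header, the IP-layer header, the transport-layer header and the application-layer protocol, and then preprocesses the data. On this basis, the improved FP-Growth algorithm is used to mine the network data; the detection submodule interprets and evaluates the patterns extracted by the data mining module, and the results are sent to the feedback port.
     The communication module implements effective communication between the data collection parser and the data mining detector, between the detection engine and the alert optimizer, and between the alert optimizer and the central control platform; the relevant functions are given.
     System cooperation design is the distinguishing feature of this system. Covering cooperative data collection inside the intrusion detection system, cooperation between the intrusion detection system and the vulnerability scanning system, cooperation between the intrusion detection system and the anti-virus system, cooperative analysis among detection engines, cooperative analysis among different security systems, cooperation between the IDS and the anti-virus system, cooperation between the IDS and switches, and cooperation between the IDS and the firewall, the thesis scientifically sets out the meaning, principles, methods and implementation of data collection cooperation, data analysis cooperation and system response cooperation.
     Offline and simulation experiments show that using the three algorithms proposed in the thesis together effectively improves detection efficiency and reduces the false positive and false negative rates. The "cooperative detection system" developed in this work runs stably in Ethernet environments, detects intrusions promptly, records the details of attacks promptly and correctly, and has good network intrusion detection performance.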
As intrusion forms keep changing and become more concealed, traditional network security techniques and devices can no longer prevent network intrusion. For instance, current commercial intrusion detection systems almost all adopt matching technology based on known intrusion rules. The engines sit on the networks or computers that need to be monitored and detect network intrusion independently. The central management and control platform of the IDS is responsible only for platform configuration, detection engine management and displaying the detection results of each engine; it lacks cooperative analysis of the detection data from the engines. The IDS, firewall and anti-virus software work independently, so it is difficult to make the right judgement about complicated attacks.
     Anomaly intrusion detection determines whether there is an intrusion based on user behavior or resource usage; it is more general, but its rate of mistaken detection is too high. Misuse detection uses known attacks and defined intrusion models, detecting attacks by judging whether the intrusion models appear. This method has high accuracy, but it is too dependent on the system, and its detection range is limited to known knowledge.
     The application of data mining in intrusion detection systems is an important direction of intrusion detection research. The paper gives a detailed discussion of intrusion detection agents based on data mining. It presents an important research trend: combining several data mining methods and using data mining together with misuse detection and anomaly detection.
     The paper presents an improved association analysis algorithm based on FP-Growth, an FCM network intrusion detection technique based on statistical binning, and an immunological hybrid intrusion detection technique. The improved FP-Growth algorithm introduces a singly linked list called an aggregative chain. Only the pointers to its children are kept at each node, which saves tree space. The algorithm increases mining speed and improves the execution efficiency of the IDS and the accuracy of the rules. The FCM technique based on statistical binning does not need to update the clustering centers frequently and is not time-consuming. Combining feature matching with FCM based on statistical binning can find new intrusions and update the detection rules. The immune system exhibits many complicated information processing abilities such as identification, learning, memory, diversity, adaptability, fault tolerance and distributed detection. The immunological hybrid intrusion detection technique brings these abilities into full play and has great application prospects.
     The thesis analyzes the main problems of network intrusion detection technology in detection performance, system robustness and adaptability, then discusses its trends. Current commercial intrusion detection systems do almost nothing in data analysis cooperation, their rule updates lag, and their detection technology does not match the changes in intrusions. In response to this status quo, a distributed network intrusion cooperation detection system model based on data mining (hereinafter referred to as the "cooperation detection system") is proposed. Through data collection cooperation, data analysis cooperation and system response cooperation, the model achieves cooperation of the intrusion detection system in structure, function, action and processing, which strongly improves the detection capabilities of the intrusion detection system.
     The paper gives a detailed discussion of the detection engine design, communication module design and system cooperation design of the cooperation detection system. The detection engine, which involves packet capture, data analysis and intrusion detection, is the principal part of the system. In a high-speed network, which carries a large volume of data and has real-time requirements, using Libpcap to capture packets may cause packet loss and system collapse. The new packet capture technique the paper proposes is based on memory mapping and NAPI. It effectively reduces memory copies from the kernel to user space and avoids interrupt livelock under heavy load. It ensures real-time and accurate packet capture in high-speed networks.
     Data resolution first parses the packet headers of the data-link layer, IP layer and transport layer and the application-layer protocol, and then preprocesses the data. On this basis the improved FP-Growth algorithm is used to mine the network data; the detection submodule interprets and assesses the patterns mined by the data mining module, then sends the data to the feedback port. The communication module provides the communication modes and related functions between the data acquisition parser and the data miner, between the detection engine and the alarm optimizer, and between the alarm optimizer and the central control platform.
     System cooperation design is the distinguishing characteristic of this system. The paper gives the meaning, principle, method and implementation process for most aspects of cooperation, such as data mining cooperation within the intrusion detection system, cooperation between the intrusion detection system and the vulnerability scanner system, cooperation between the IDS and the antivirus system, cooperation between the IDS and switches, cooperation between the IDS and the firewall, and so on.
     Offline and simulation experiments show that the combined application of the three algorithms can effectively improve detection efficiency and reduce the false alarm rate and the missed detection rate. The cooperation detection system, which has good intrusion detection performance, works stably in an intranet environment, detects intrusions and records the detailed information of attacks.
