Research on Intrusion Detection Methods Based on Privileged Process Behavior
Abstract
Intrusion detection is one of the key means of protecting networked systems. Host-based intrusion detection systems are mainly used to protect critical hosts and offer high detection efficiency and high detection accuracy. Privileged processes are the primary target when attackers break into a system. By analysing in depth the various attack methods aimed at privileged processes and the differences in process behaviour they cause, this thesis studies intrusion detection methods for privileged-process behaviour from both the anomaly-detection and the misuse-detection sides, and also carries out exploratory research on automated response.
The main results of the thesis are as follows. First, normal processes and intruded processes were compared and analysed, and different detection methods were proposed for the different kinds of abnormal behaviour. Second, a new detection model based on process behaviour monitoring was proposed; it combines misuse detection and anomaly detection, exploiting the strengths of each and compensating for their respective weaknesses. Third, for anomaly detection, several detection methods were studied and three models were proposed: one based on genetic algorithms, one based on sequence feature extraction, and an unsupervised model based on non-hierarchical clustering; the unsupervised clustering model places low demands on training data and produces high-quality normal-behaviour profiles. Fourth, a real-time update algorithm for process profiles was proposed for the first time, which helps keep the normal-behaviour profile consistent with the actual operating environment and improves profile quality. Fifth, a noise-filtering function was introduced into anomaly detection, lowering the false-positive rate. Sixth, a new misuse detection algorithm was proposed, together with a complete set of misuse description rules based on system-call attributes that can describe the characteristics of abnormal process behaviour in detail and drive misuse detection. Seventh, given the special requirements of monitoring privileged processes, several possible response methods and their implementations were proposed, and the strengths and weaknesses of each were analysed in depth. Eighth, drawing on the principles of the biological immune system, an artificial immune system was designed; it is self-learning, can distinguish self from non-self, and keeps refining itself during operation to improve detection accuracy.
With the development of the Internet, people's lives depend more and more deeply on computer networks, so computer networks must become more and more secure. Intrusion detection is one of the important measures for protecting networks. Host-based intrusion detection is used to protect key hosts and offers better detection efficiency and detection accuracy. Privileged processes are the main targets of intruders. This paper analyses attack methods against privileged processes and the abnormalities in process behaviour that those attacks cause, and puts forward both anomaly-detection and misuse-detection methods for those abnormalities; some research results are also described. The contributions of the paper are as follows: 1) By analysing and comparing normal and abnormal processes, different detection methods for different abnormalities are put forward; 2) A novel detection model is provided that integrates misuse detection and anomaly detection so that each makes up for the disadvantages of the other; 3) In anomaly detection, many detection methods are studied and three novel detection models, PGBQ, ESC and UNC, are put forward.
UNC lowers the requirements on training data and generates better profiles. 4) An algorithm for updating a process's profile is put forward for the first time, which helps keep the profile consistent with the real environment. 5) A noise-filtering function is introduced into detection, which lowers the false-positive rate. 6) A new misuse detection method is introduced, together with a set of rules for describing the characteristics of process abnormalities. 7) Several response methods specific to privileged-process monitoring are introduced and their advantages and disadvantages are analysed. 8) Inspired by the natural immune system, an artificial immune system (SAIMUS) is designed that can recognise self and non-self, has the ability to learn, and can continuously improve itself and increase detection accuracy.
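The abstract names three ingredients of the anomaly-detection side without showing them: a normal-behaviour profile built from sequence features of system calls, a noise filter that keeps isolated mismatches from raising alarms, and an online update that keeps the profile in step with the real environment. The following Python example is added here to make those three pieces concrete. It is not the thesis's own code and does not reproduce its PGBQ, ESC or UNC models or its real-time update algorithm; it uses the simpler fixed-length syscall-window profile described in Forrest and Hofmeyr's "A Sense of Self for Unix Processes", which the thesis cites, with Hofmeyr's locality frame count as the noise filter. The class and function names, the window length k=3, the frame size and alarm threshold, and the syscall traces are all constructed assumptions.

```python
"""Illustrative host-based anomaly detector over system-call traces.

Added example, not the thesis's code. Demonstrates:
  * a normal-behaviour profile = set of length-k syscall windows seen in training
  * a noise filter = locality frame count (LFC), so an isolated unfamiliar call
    does not raise an alarm on its own
  * an online profile update that only absorbs traces the filter accepted
All names, parameters and traces below are assumptions constructed for the example.
"""

# Constructed training traces (syscall names, as an strace-style trace would show them).
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "close", "write", "close"],
    ["open", "read", "mmap", "open", "read", "close", "write", "close"],
    ["open", "read", "mmap", "mmap", "open", "read", "close", "write", "close", "exit"],
]

# Constructed trace whose tail has a shape never seen in training: a run of
# privilege-changing and exec calls following a write.
ANOMALOUS_TRACE = ["open", "read", "mmap", "mmap", "open", "read", "close", "write",
                   "setuid", "setgid", "execve", "brk", "open", "read", "write"]

# Constructed benign trace with one unfamiliar call (ioctl) in an otherwise normal context,
# the kind of rare-but-legitimate path a noise filter should tolerate.
NOISY_BENIGN_TRACE = ["open", "read", "mmap", "open", "read", "close", "ioctl",
                      "write", "close", "exit"]


def locality_frame_count(flags, frame):
    """Largest number of mismatches inside any `frame` consecutive windows.

    Clustered mismatches (an attack changes many adjacent windows) score high;
    a single unfamiliar call scores at most k, so it stays below a threshold > k.
    """
    best = 0
    for i in range(len(flags)):
        best = max(best, sum(flags[max(0, i - frame + 1):i + 1]))
    return best


class SequenceProfile:
    """Normal-behaviour profile: the set of length-k syscall windows seen in training."""

    def __init__(self, k=3, frame=8, alarm_threshold=5):
        # alarm_threshold > k so that one novel syscall (at most k unseen windows)
        # is treated as noise rather than as an intrusion.
        self.k = k
        self.frame = frame
        self.alarm_threshold = alarm_threshold
        self.normal = set()

    def windows(self, trace):
        return [tuple(trace[i:i + self.k]) for i in range(len(trace) - self.k + 1)]

    def train(self, trace):
        self.normal.update(self.windows(trace))

    def mismatch_flags(self, trace):
        """1 for every window of the trace that is absent from the profile, else 0."""
        return [0 if w in self.normal else 1 for w in self.windows(trace)]

    def lfc(self, trace):
        return locality_frame_count(self.mismatch_flags(trace), self.frame)

    def is_anomalous(self, trace):
        return self.lfc(trace) >= self.alarm_threshold

    def absorb(self, trace):
        """Online profile update: fold in a trace that passed the noise filter.

        Returns the number of windows newly added, or 0 if the trace was rejected.
        """
        if self.is_anomalous(trace):
            return 0
        new = set(self.windows(trace)) - self.normal
        self.normal.update(new)
        return len(new)


def build_profile():
    profile = SequenceProfile()
    for trace in NORMAL_TRACES:
        profile.train(trace)
    return profile


if __name__ == "__main__":
    p = build_profile()
    print("profile size:", len(p.normal))
    for name, trace in [("anomalous", ANOMALOUS_TRACE), ("noisy benign", NOISY_BENIGN_TRACE)]:
        print(f"{name}: LFC={p.lfc(trace)} alarm={p.is_anomalous(trace)}")
    print("absorbed windows from noisy benign trace:", p.absorb(NOISY_BENIGN_TRACE))
    print("noisy benign LFC after update:", p.lfc(NOISY_BENIGN_TRACE))
```

With k=3 the single ioctl in the benign trace produces three adjacent unseen windows, which stays under the threshold of 5, while the exploit-shaped tail of the anomalous trace produces seven clustered mismatches and an alarm; after the benign trace is absorbed it no longer mismatches at all. The design caveat the abstract's real-time update raises is visible in `absorb`: a profile that learns from anything below the alarm threshold can be walked away from normal one sub-threshold step at a time, so a production updater should rate-limit additions and log every new window for review rather than accept them silently.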
References
[1] 中国互联网络信息中心 (CNNIC), 13th Statistical Survey Report on Internet Development in China, http://www.cnnic.org.cn/download/manual/statisticalreport13th.pdf
[2] CERT, CERT/CC Statistics 1988-2003, http://www.cert.org/stats/cert_stats.html
[3] CERT, CERT/CC Overview Incident and Vulnerability Trends, http://www.cert.org/present/cert-overview-trends/
[4] Robert Richardson, 2004 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, 2004
[5] Dorothy E. Denning, An Intrusion-Detection Model, IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, Feb 1987, pp. 222-232
[6] Rebecca Gurley Bace, Intrusion Detection (Chinese edition), Posts & Telecom Press (人民邮电出版社), June 2001
[7] Julia Allen, Alan Christie, William Fithen, John McHugh, Jed Pickel and Ed Stoner, State of the Practice of Intrusion Detection Technologies, Technical Report CMU/SEI-99-TR-028, 2001
[8] Stephen Northcutt, Network Intrusion Detection: An Analyst's Handbook (Chinese edition), Posts & Telecom Press (人民邮电出版社), October 2000
[9] Julia H. Allen, The CERT Guide to System and Network Security Practices (Chinese edition), Tsinghua University Press (清华大学出版社), November 2002
[10] Information Assurance Technical Framework (IATF), V3.0, NSA, September 2000 (Chinese translation: 《信息安全保障技术框架》3.0, original by the U.S. National Security Agency, translated under the China National 973 Information and Network Security Architecture Research Group, published by 北京中软电子出版社, 2002)
[11] Network- vs. Host-based Intrusion Detection, http://www.iss.net
[12] R. A. Kemmerer and G. Vigna, Intrusion Detection: A Brief History and Overview, IEEE Computer, Special Issue on Security and Privacy, pp. 27-30, IEEE Press, April 2002
[13] Snort Project, Snort Users Manual, http://www.snort.org, 2003
[14] M. Bishop, An Overview of Computer Viruses in a Research Environment, technical report, Dept. of Math. and Computer Science, Dartmouth College, 1992
[15] R. Chinchani, S. Upadhyaya and K. Kwiat, A Tamper-Resistant Framework for Unambiguous Detection of Attacks in User Space Using Process Monitors, IEEE International Workshop on Information Assurance, Darmstadt, Germany, March 2003
[16] Jack Marin, Daniel Ragsdale and John Surdu, A Hybrid Approach to the Profile Creation and Intrusion Detection, Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX II '01), 2001
[17] Niels Provos, Preventing Privilege Escalation, Technical Report CITI 02-2, University of Michigan, August 2002
[18] Hao Chen, David Wagner and Drew Dean, Setuid Demystified, Proceedings of the 11th USENIX Security Symposium, August 2002
[19] S. Forrest, S. A. Hofmeyr, A. Somayaji and T. A. Longstaff, A Sense of Self for Unix Processes, IEEE Symposium on Security and Privacy, Los Alamitos, CA, pp. 120-128, 1996
[20] C. Wright, C. Cowan, J. Morris, S. Smalley and G. Kroah-Hartman, Linux Security Modules: General Security Support for the Linux Kernel, Proceedings of the 11th USENIX Security Symposium, 2002
[21] W. Lee and S. J. Stolfo, Data Mining Approaches for Intrusion Detection, Proceedings of the 7th USENIX Security Symposium, 1998
[22] C. Warrender, S. Forrest and B. Pearlmutter, Detecting Intrusions Using System Calls: Alternative Data Models, Proceedings of the IEEE Symposium on Security and Privacy, pp. 133-145, 1999
[23] Michael Gilleland, Merriam Park Software, Levenshtein Distance in Three Flavors, http://www.merriampark.com/ld.htm
[24] C. C. Michael, Finding the Vocabulary of Program Behavior Data for Anomaly Detection, Proceedings of DISCEX, 2003
[25] Izuru Sato, Yoshinori Okazaki and Shigeki Goto, An Improved Intrusion Detection Method Based on Process Profiling, IPSJ Journal, Vol. 43, No. 11, Nov 2002
[26] C. C. Michael and Anup Ghosh, Simple, State-Based Approaches to Program-Based Anomaly Detection, ACM Transactions on Information and System Security, Vol. 5, No. 3, August 2002, pp. 203-237
[27] Mark Burgess, Hårek Haugerud and Sigmund Straumsnes, Measuring System Normality, ACM Transactions on Computer Systems, Vol. 20, No. 2, May 2002, pp. 125-160
[28] Carla Marceau, Characterizing the Behavior of a Program Using Multiple-Length N-grams, Proceedings of the New Security Paradigms Workshop 2000, Cork, Ireland, Sept. 19-21, 2000
[29] C. Kruegel and T. Toth, Using Decision Trees to Improve Signature-Based Intrusion Detection, RAID, 2003
[30] Yihua Liao and V. Rao Vemuri, Using Text Categorization Techniques for Intrusion Detection, Proceedings of the 11th USENIX Security Symposium, 2002
[31] W. Lee, S. Stolfo and P. Chan, Learning Patterns from Unix Process Execution Traces for Intrusion Detection, AAAI Workshop: AI Approaches to Fraud Detection and Risk Management, 1997
[32] Yihua Liao and V. Rao Vemuri, Use of K-Nearest Neighbor Classifier for Intrusion Detection, Computers & Security, Vol. 21, No. 5, pp. 439-448, 2002
[33] G. Vigna, F. Valeur and R. A. Kemmerer, Designing and Implementing a Family of Intrusion Detection Systems, Proceedings of the European Software Engineering Conference (ESEC), Helsinki, Finland, September 2003
[34] K. Jain and R. Sekar, User-Level Infrastructure for System Call Interposition: A Platform for Intrusion Detection and Confinement, Proceedings of the ISOC Symposium on Network and Distributed System Security, February 2000
[35] Sotiris Ioannidis, Steven M. Bellovin and Jonathan M. Smith, Sub-Operating Systems: A New Approach to Application Security, Proceedings of the SIGOPS European Workshop, September 2002
[36] Tal Garfinkel, Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools, Proceedings of the ISOC Symposium on Network and Distributed System Security, 2003
[37] Steven A. Hofmeyr, Stephanie Forrest and Anil Somayaji, Intrusion Detection Using Sequences of System Calls, Journal of Computer Security, Vol. 6, 1998
[38] 刘雪飞, 张秉权, 马恒太, 蒋建春, 文伟平, Technical Report: Research on System-Call-Based Anomaly Intrusion Detection, Department of Computer Science, Nanjing University of Science and Technology, November 2003
[39] A. Wespi, M. Dacier and H. Debar, Intrusion Detection Using Variable-Length Audit Trail Patterns, 3rd International Workshop on Recent Advances in Intrusion Detection, LNCS 1907, Springer, pp. 110-129, 2000
[40] Kymie M. C. Tan, Kevin S. Killourhy and Roy A. Maxion, Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, Fifth International Symposium on Recent Advances in Intrusion Detection (RAID 2002), pp. 54-73, Lecture Notes in Computer Science, Springer-Verlag, Berlin, 2002
[41] David Wagner and Paolo Soto, Mimicry Attacks on Host-Based Intrusion Detection Systems, ACM CCS 2002
[42] Kymie M. C. Tan and Roy A. Maxion, "Why 6?" Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector, Proceedings of the IEEE Symposium on Security and Privacy, pp. 188-202, Oakland, CA, May 2002
[43] D. Wagner and D. Dean, Intrusion Detection via Static Analysis, IEEE Symposium on Security and Privacy, Oakland, CA, 2001
[44] R. Sekar, M. Bendre, P. Bollineni and D. Dhurjati, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, IEEE Symposium on Security and Privacy, Oakland, CA, 2001
[45] Kathia Regina L. Juca, Azzedine Boukerche and Joao Bosco M. Sobral, Intrusion Detection Based on the Immune Human System, International Parallel and Distributed Processing Symposium: IPDPS 2002 Workshops, April 15-19, 2002, Fort Lauderdale, Florida
[46] S. Forrest, S. Hofmeyr and A. Somayaji, Computer Immunology (draft), Communications of the ACM, Vol. 40, No. 10, pp. 88-96, 1997
[47] A. Somayaji, S. Hofmeyr and S. Forrest, Principles of a Computer Immune System, 1997 New Security Paradigms Workshop, pp. 75-82, 1998
[48] S. Hofmeyr and S. Forrest, Architecture for an Artificial Immune System, Evolutionary Computation 7(1), Morgan-Kaufmann, San Francisco, CA, pp. 1289-1296, 2000
[49] Steven Andrew Hofmeyr, An Immunological Model of Distributed Detection and Its Application to Computer Security, Ph.D. thesis, Computer Science, University of New Mexico, 1999
[50] Christopher Kruegel, Darren Mutz, Fredrik Valeur and Giovanni Vigna, On the Detection of Anomalous System Call Arguments, Proceedings of the 8th European Symposium on Research in Computer Security (ESORICS '03), LNCS, Springer-Verlag, pp. 326-343, 2003
[51] H. Feng, O. Kolesnikov, P. Fogla, W. Lee and W. Gong, Anomaly Detection Using Call Stack Information, IEEE Symposium on Security and Privacy, May 2003
[52] Anita Jones and Song Li, Temporal Signatures for Intrusion Detection, 17th Annual Computer Security Applications Conference, pp. 252-261, 2001
[53] Niels Provos, Improving Host Security with System Call Policies, Proceedings of the 12th USENIX Security Symposium, Washington, DC, August 2003
[54] Suresh Chari and Pau-Chen Cheng, BlueBox: A Policy-Driven, Host-Based Intrusion Detection System, ACM Transactions on Information and System Security, Vol. 6, No. 2, May 2003, pp. 173-200
[55] Calvin Ko, Logic Induction of Valid Behavior Specification for Intrusion Detection, 2000 IEEE Symposium on Security and Privacy (S&P 2000), May 2000
[56] A. Somayaji and S. Forrest, Automated Response Using System-Call Delays, USENIX Security 2000
[57] Mixter, Writing Buffer Overflow Exploits, http://mixter.void.ru/exploit.txt
[58] Evan Thomas, Attack Class: Buffer Overflows, Hello World!, 1999
[59] C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle and Q. Zhang, StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, 7th USENIX Security Symposium, San Antonio, TX, 1998
[60] Eric Haugh and Matt Bishop, Testing C Programs for Buffer Overflow Vulnerabilities, NDSS '03 Proceedings, 2003
[61] Crispin Cowan, Steve Beattie, John Johansen and Perry Wagle, PointGuard(TM): Protecting Pointers from Buffer Overflow Vulnerabilities
[62] K. Ashcraft and D. R. Engler, Using Programmer-Written Compiler Extensions to Catch Security Holes, IEEE Symposium on Security and Privacy, Oakland, CA, 2002
[63] J. T. Giffin, S. Jha and B. P. Miller, Detecting Manipulated Remote Call Streams, 11th USENIX Security Symposium, 2002
[64] C. Ko, G. Fink and K. Levitt, Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring, 10th Computer Security Applications Conference, Orlando, FL, pp. 134-144, 1994
[65] Umesh Shankar, Kunal Talwar, Jeffrey S. Foster and David Wagner, Detecting Format String Vulnerabilities with Type Qualifiers, Proceedings of the 10th USENIX Security Symposium, Washington, D.C., USA, August 13-17, 2001
[66] Klog, The Frame Pointer Overwrite, Phrack Magazine, 55(8), 1999
[67] Blexim, Basic Integer Overflows, Phrack Magazine, 60(10), December 2002
[68] Oded Horovitz (Ohorovitz), Big Loop Integer Protection, Phrack Magazine, 60(9), December 2002
[69] 毛德操, 胡希明, Scenario Analysis of the Linux Kernel Source Code (2 volumes), Zhejiang University Press (浙江大学出版社), September 2001
[70] Anonymous, Runtime Process Infection, Phrack Magazine, 59(8), July 2002
[71] Harold Thimbleby, Stuart Anderson and Paul Cairns, A Framework for Modelling Trojans and Computer Virus Infection, Computer Journal, 41(7), pp. 444-458, 1999
[72] S. Staniford-Chen, B. Tung and D. Schnackenberg, The Common Intrusion Detection Framework (CIDF), position paper accepted to the Information Survivability Workshop, Orlando, FL, October 1998
[73] Wichert Akkerman, Strace Home Page, http://www.liacs.nl/~wichert/strace/
[74] Pragmatic, Complete Linux Loadable Kernel Modules: The Definitive Guide for Hackers, Virus Coders and System Administrators, http://packetstormsecurity.org/docs/hack/LKM_HACKING.html
[75] SU Pu-rui, LI De-quan and FENG Deng-guo, A Host-Based Anomaly Intrusion Detection Model Based on Genetic Programming, Journal of Software, June 2003
[76] 云庆夏, 黄光球, 王战权, Genetic Algorithms and Genetic Programming, Metallurgical Industry Press (冶金工业出版社), 1997
[77] 张文修, 梁怡, Mathematical Foundations of Genetic Algorithms, Xi'an Jiaotong University Press (西安交通大学出版社), 2001
[78] 朱剑英, Non-Classical Mathematical Methods for Intelligent Systems, April 2001
[79] Computer Immune Systems: Data Sets and Software, http://www.cs.unm.edu/~immsec/data-sets.htm
[80] SecurityFocus, LBNL Traceroute Heap Corruption Vulnerability, http://www.securityfocus.com/bid/1739
[81] SecurityFocus, wu-ftpd /bin SITE EXEC Misconfiguration Vulnerability, http://www.securityfocus.com/bid/2241
[82] 马振华, Handbook of Modern Applied Mathematics: Probability, Statistics and Stochastic Processes, Tsinghua University Press (清华大学出版社), July 2000
[83] Eleazar Eskin, Anomaly Detection over Noisy Data Using Learned Probability Distributions, ICML 2000, Palo Alto, CA, July 2000
[84] Wenke Lee and Dong Xiang, Information-Theoretic Measures for Anomaly Detection, Proceedings of the 2001 IEEE Symposium on Security and Privacy, May 2001
[85] S. T. Eckmann, G. Vigna and R. A. Kemmerer, STATL: An Attack Language for State-Based Intrusion Detection, Journal of Computer Security, Vol. 10, No. 1/2, pp. 71-104, IOS Press, 2002
[86] Sun Microsystems, Inc., Installing, Administering, and Using the Basic Security Module, 2550 Garcia Ave., Mountain View, CA 94043, December 1991
[87] S. McCanne, C. Leres and V. Jacobson, Tcpdump 3.4 Documentation, 1998
[88] syslog(3), UNIX documentation
[89] Common Intrusion Detection Framework Working Group, A CISL Tutorial, http://www.gidos.org/tutorial.html, 2000
[90] D. Curry, Intrusion Detection Message Exchange Format: Extensible Markup Language (XML) Document Type Definition, draft-ietf-idwg-idmef-xml-01.txt, July 2000
[91] Common Intrusion Detection Framework Working Group, Common Intrusion Detection Framework Specification, http://www.gidos.org/, 2000
[92] Secure Networks, Custom Attack Simulation Language (CASL), January 1998
[93] R. Deraison, The Nessus Attack Scripting Language Reference Guide, 2000, http://www.nessus.org
[94] M. J. Ranum, K. Landfield, M. Stolarchuk, M. Sienkiewicz, A. Lambeth and E. Wall, Implementing a Generalized Tool for Network Monitoring, Eleventh Systems Administration Conference (LISA '97), USENIX, October 1997
[95] U. Lindqvist and P. A. Porras, Detecting Computer and Network Misuse with the Production-Based Expert System Toolset (P-BEST), IEEE Symposium on Security and Privacy, Oakland, California, May 1999
[96] S. Eckmann, G. Vigna and R. Kemmerer, STATL, Technical report, UCSB, 2000
[97] M. Roesch, Writing Snort Rules: How to Write Snort Rules and Keep Your Sanity, http://www.snort.org
[98] Nittida Nunansri, Samar Singh and Tharam S. Dillon, A Process State-Transition Analysis and Its Application to Intrusion Detection, Proceedings of the 15th Annual Computer Security Applications Conference, Radisson Resort Scottsdale, Phoenix, Arizona
[99] A. P. Kosoresow and S. A. Hofmeyr, A Shape of Self for UNIX Processes, IEEE Software, 14(5), pp. 35-42, 1997
[100] K. Ilgun, USTAT: A Real-Time Intrusion Detection System for UNIX, Master's thesis, Computer Science Department, University of California, Santa Barbara, July 1992
[101] K. Ilgun, USTAT: A Real-Time Intrusion Detection System for UNIX, Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 1993
[102] CheckPoint, Build Your Security Infrastructure with Best-of-Breed Products from OPSEC, http://www.checkpoint.com/products/downloads/opsec_whitepaper.pdf
[103] 龙振洲, Medical Immunology, People's Medical Publishing House (人民卫生出版社), 1989
[104] Jeffrey O. Kephart, A Biologically Inspired Immune System for Computers, Proceedings of the Fourth International Workshop on the Synthesis and Simulation of Living Systems
[105] 汤子瀛, 哲凤屏, 汤小丹, Computer Operating Systems, Xidian University Press (西安电子科技大学出版社), February 2000
[106] Alessandro Rubini and Jonathan Corbet, Linux Device Drivers, 2nd edition (Chinese edition), China Electric Power Press (中国电力出版社), April 2002
