Network Behavior Pattern Analysis Based on a Honeypot System
Abstract
With the growing popularity of the Internet, people's lives have become more convenient thanks to its development, but Internet security threats also bring increasingly varied risks to daily life. For example, attacks on the websites of various organizations and theft of personal online passwords occur from time to time. Developing network security technologies to improve the currently weak state of network security is therefore an urgent task for the Internet.
     This thesis first studies honeypot technology, the application of sequential pattern mining in the network security field, and sequential pattern mining algorithms in detail, finding that data mining techniques are widely used in honeypot-related and network security applications. Then, based on the large data volumes produced by network security devices and honeypots and on the fact that network behavior has an inherent temporal order, it designs the network architecture and module structure of a honeypot-based network behavior pattern analysis system and describes the specific function of each module. The purpose of the system is to capture and analyze network behavior using honeypot technology, and the concrete workflow of the network behavior pattern analysis system is designed.
     Because the behavior data captured by the system's honeypot contains interleaved records from different sources at the same time, a method is discussed for correlating records by their characteristic attributes (source address, operated file, and process) so that interleaving of data from multiple sources does not distort the analysis. A sequential pattern mining algorithm is then applied to the captured honeypot data to extract network behavior patterns. Considering that the attributes of behavior data differ in weight, together with the characteristics of sequential pattern mining, a vertical-data-format sequential pattern mining algorithm is chosen; an idea for modifying the sequential pattern mining algorithm is given, the corresponding algorithm is designed, and it is analyzed experimentally. Finally, the experimental results of the behavior correlation module and the sequential pattern mining module are discussed, and the results of the modified sequence mining algorithm are compared with those of the original algorithm, showing improved accuracy and efficiency of the mining results.
     Finally, directions for future work are proposed: using methods such as the vector space model to represent behavior datasets by their behavioral features as feature vectors, and using similarity measures in the vector space to analyze the correlation between behavior datasets.
With the increasing popularity of the Internet, people's lives have become more convenient as a result of its development, but Internet security threats have also brought all kinds of hidden dangers to people's lives, such as attacks on the websites of various agencies and the theft of individuals' Internet passwords. Therefore, the Internet's immediate concern is the development of network security technology to improve the current poor state of network security.
     An analysis of current honeypot and network security research shows that honeypot technology is a significant research topic and that data mining techniques are widely used in honeypot and network security applications. Given the large amount of data produced by network security devices and honeypots, this paper describes the network architecture and system module structure of a honeypot-based attack behavior analysis system and expounds the system's modules and functions in detail. Honeypot technology is used to capture and analyze network attack activity, and the specific process of the attack behavior pattern analysis system is then designed.
     According to the characteristics of the behavioral data captured by this honeypot system, this paper discusses a method of correlating the data based on its characteristic properties, source IP and process name, in order to prevent data interleaved between multiple attackers from affecting the analysis. It then carries out sequential pattern mining based on the weight differences among the properties of the characteristics; an idea for improving the sequential pattern mining algorithm is also given, and the algorithm is designed and analyzed. The results of the modified sequence mining algorithm are then compared with those of the original algorithm, showing that it improves both the accuracy of the results and the mining efficiency.
     Finally, the next step of the work is raised: it is expected that methods such as the vector space model will be used to define an attacker by their behavioral features, and that vector space similarity will be used to analyze the association between attacks.
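Both abstracts above describe the same two steps: correlate interleaved honeypot records by their source before mining, then run a vertical-data-format (id-list) sequential pattern mining algorithm over the per-source sequences. The Python below is an added illustration, not code from the thesis: it groups a constructed event log by source address and runs a minimal SPADE-style id-list miner over the resulting sequences. The event log, the action names and the function names are assumptions, and the thesis's attribute-weighting modification is not reproduced.

```python
from collections import defaultdict

# Constructed honeypot event log (not from the thesis): (source_address, event_order, action).
# Records from several sources arrive interleaved, which is why they are correlated first.
EVENTS = [
    ("10.0.0.5", 1, "login"), ("10.0.0.9", 1, "login"),
    ("10.0.0.5", 2, "wget"),  ("10.0.0.9", 2, "wget"),
    ("10.0.0.5", 3, "chmod"), ("10.0.0.7", 1, "login"),
    ("10.0.0.9", 3, "chmod"), ("10.0.0.7", 2, "ls"),
    ("10.0.0.5", 4, "exec"),  ("10.0.0.9", 4, "exec"),
    ("10.0.0.7", 3, "exec"),
]

def correlate_by_source(events):
    """Group interleaved events into one time-ordered sequence per source address."""
    seqs = defaultdict(list)
    for src, eid, action in sorted(events, key=lambda e: (e[0], e[1])):
        seqs[src].append((eid, action))
    return seqs

def to_idlists(seqs):
    """Vertical format: action -> set of (sequence id, event id) occurrences."""
    idl = defaultdict(set)
    for sid, seq in seqs.items():
        for eid, action in seq:
            idl[action].add((sid, eid))
    return idl

def support(idlist):
    # Support = number of distinct sequences (sources) containing the pattern.
    return len({sid for sid, _ in idlist})

def temporal_join(idl_a, idl_b):
    """Occurrences where pattern A is followed later, in the same sequence, by item b."""
    return {(sid, eid_b) for sid, eid_a in idl_a
            for sid2, eid_b in idl_b if sid == sid2 and eid_b > eid_a}

def mine(seqs, min_sup):
    """SPADE-style id-list mining; returns {pattern tuple: support}."""
    idl = to_idlists(seqs)
    items = sorted(a for a, l in idl.items() if support(l) >= min_sup)
    frequent = {}
    def grow(pattern, pat_idl):
        frequent[pattern] = support(pat_idl)
        for b in items:  # depth-first sequence extension via id-list joins
            joined = temporal_join(pat_idl, idl[b])
            if support(joined) >= min_sup:
                grow(pattern + (b,), joined)
    for a in items:
        grow((a,), idl[a])
    return frequent
```

With `min_sup=2` the constructed log yields the pattern `login -> wget -> chmod -> exec` for the two sources that share it, while the single-source `ls` action is pruned.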
