Research on Key Technologies of Network Threat Detection and Situation Prediction
Abstract
A network threat is a target or event that can compromise the security of a network system environment. A threat is a potential attack, and the two terms are often treated as equivalent, but in this dissertation "threat" also covers attack intent. The constant occurrence of threat-driven attacks and the growing complexity of threats pose serious risks to Internet security, which has made threat detection a hot research topic in network security. In network threat detection, information about possible threat activity is first gathered through some channel; then, on the basis of that information, a range of analysis, fusion and detection techniques are applied to identify and decide whether a threat exists. In recent years, research at home and abroad has produced some results, but the information-collection and correlation/fusion stages of threat detection carry a large time overhead, the methods for correlating and fusing threat features are limited, and collaborative detection of threat behaviour and threat prediction are still immature. These are the problems that threat detection technology still needs to solve.
     Addressing these problems and requirements, this dissertation studies the state of the art of the relevant technologies in depth and proposes: a parallel deployment algorithm for threat-sensing sensors; alert correlation techniques; a threat behaviour classification model and a threat matching detection algorithm based on it; a collaborative detection model and an architecture based on it; and a threat prediction model and a security situation analysis method based on it. The main contributions are as follows:
     1. For the collection and correlation of threat information, the parallel deployment of threat-sensing sensors is studied and the Sensor Parallel Deployment Algorithm (SPDA) is proposed. The algorithm deploys sensors quickly and in parallel, and the SensorPool prototype system implements it; sensors deployed through SensorPool are used to collect alerts. For the massive volume of alerts collected, a frequent-pattern-mining alert correlation algorithm and an automatic time-period-division alert correlation algorithm are proposed; they further correlate the frequent patterns and filter out false positives, which raises the accuracy of alert collection and greatly reduces the time overhead.
     2. For the generality of threat classification and the matching techniques used in detection, a network threat detection architecture based on a threat behaviour classification model and behaviour sequence templates is proposed, comprising an alert processing module, a threat detection module, a collaborative detection module, a threat prediction module and a network situation analysis module. From an analysis of the Snort rule base and the TIAA (a Toolkit for Intrusion Alert Analysis) system, together with the characteristics of current threat behaviour, a framework for the threat behaviour classification model is proposed; it includes an initial classification matching model, a structured semantic model, a feature-matching reuse model, a feature-matching adaptive iteration model, a threshold determination model, a match-type model and a threat matching matrix model. On top of the classification model, the construction of threat behaviour sequence templates is proposed, which gives complex-attack detection a more general rule base. Based on the classification model and the sequence templates, two threat matching algorithms are proposed: a pattern matching algorithm and a graph matching algorithm. Finally, threat features are fused to detect threat behaviour, yielding a general threat behaviour classification model and matching algorithms with high accuracy and low time overhead.
     3. For collaborative threat detection, a collaborative threat detection model is defined and, through framework modelling and collaboration mechanisms, the Threat Detection Level Collaboration (TDLC) model is constructed. The TDLC model is described in detail from four aspects: framework structure, data structures, modelling process and collaboration mechanism. A collaborative detection system architecture and algorithmic descriptions of its collaborative components are given. Taking botnets as the example, a distributed detection method based on the collaborative model is proposed; the cooperative working mechanism of the sensing sensors in the detection system is described, and the trustworthiness problem of the sensors is raised. For complex threats, collaborative detection is finally realised; compared with single-node detection, collaborative detection is better able to detect complex threats, and is especially effective against distributed threats such as botnets.
     4. For the poor prediction accuracy in threat situation analysis, a threat prediction model is proposed. By studying and improving the particle swarm optimisation (PSO) algorithm, a threat overlap prediction algorithm is proposed to predict threat trends; its prediction error is roughly half that of standard PSO. For the quantitative evaluation of the network security situation, the network system is divided into system, host, service and attack levels; a threat index is defined for the threats present and a method for quantifying and computing it is proposed; an importance weight ratio is computed for each level, from which the security situation of the whole network system is judged. Dempster-Shafer (D-S) evidence theory is introduced to score the possibility of every threat appearing in the network; by computing and identifying the specific threat types and judging the weight proportion of each type that appears, a detailed analysis of the network's security situation is produced.
     The problems studied in this dissertation amount to a useful summary and exploration of network threat detection technology; the results have practical significance and theoretical value for the development of threat detection, and contribute positively to the advancement of the network security field.
Abstract (original English version)
Network threats are targets or events that undermine the security of a network system environment. A threat is a potential attack, and the two are often treated as equivalent, but in this dissertation a threat also includes the attacker's intent. Frequent cyber threats pose a growing risk to Internet security, which has made cyber threat detection a hot topic. Cyber threat detection first gathers information on potential threat activity in various ways, then applies multiple analysis, grouping and detection techniques to identify threats from the signatures in the gathered information, and finally determines the threat class, the threat level, and the source and destination of the threat. Much effort has recently gone into this field; however, problems remain in synergistic association analysis and system architecture, in threat information gathering and grouping, in signature extraction and merging, and in threat behaviour determination and detection.
     Addressing these problems and requirements, this dissertation first reviews the state of the art of cyber threat detection techniques and then works on a parallel deployment algorithm for threat sensors, an alert association technique, a threat classification model and its threat behaviour detection algorithm, a synergistic detection model and its architecture, and a threat prediction model with a security situation analysis algorithm built on it. The major contributions of this dissertation can be summarized as follows:
     1. A Sensor Parallel Deployment Algorithm (SPDA) for gathering cyber threat information is proposed, and a SensorPool prototype system is implemented. The algorithm deploys threat sensors quickly and in parallel; deploying sensors through SensorPool makes fast, effective use of network resources for security defence and improves the flexibility and effectiveness of deployment. Compared with the widely used Virtual Honeynet and Potemkin deployment approaches, the time cost of SPDA is reduced dramatically, and the more deployment nodes there are, the more parallelism is achieved and the lower the time cost. An association algorithm for mining frequent alert patterns with automatic division of alert time periods is also proposed; it post-processes the frequent patterns and filters false alarms. Its time cost is reduced to 1/60 of the original algorithm while retaining more than 95% of the original algorithm's accuracy.
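The alert-correlation step in contribution 1 above (and in item 1 of the translated abstract) combines automatic division of alerts into time periods with frequent-pattern mining and false-alarm filtering. The following is an added example of that idea, not the dissertation's algorithm or the SensorPool code: the alert lines are constructed in Snort fast-alert style with hypothetical SIDs and hosts, and the 60-second gap threshold, the definition of a transaction (one per source IP per period) and the minimum support of 2 are assumptions chosen for illustration.

```python
"""Added example: time-period division plus frequent alert pattern mining.
Not the dissertation's own algorithm. Alert lines are constructed in Snort
fast-alert style; the 60 s gap, per-source transactions and support of 2 are
assumptions chosen for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from itertools import combinations

# Constructed alerts (hypothetical SIDs and hosts), Snort "fast" alert layout.
SAMPLE_ALERTS = """\
03/01-10:00:01.000 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] 10.0.0.5 -> 10.0.1.7
03/01-10:00:03.000 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] 10.0.0.5 -> 10.0.1.8
03/01-10:00:05.000 [**] [1:2010935:1] ET SCAN Suspicious inbound to mySQL port 3306 [**] 10.0.0.5 -> 10.0.1.7
03/01-10:00:09.000 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] 10.0.0.5 -> 10.0.1.9
03/01-10:00:11.000 [**] [1:2010935:1] ET SCAN Suspicious inbound to mySQL port 3306 [**] 10.0.0.5 -> 10.0.1.9
03/01-10:00:12.000 [**] [1:1000001:1] ICMP PING [**] 10.0.0.9 -> 10.0.1.7
03/01-10:30:00.000 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] 10.0.0.5 -> 10.0.1.7
03/01-10:30:02.000 [**] [1:2010935:1] ET SCAN Suspicious inbound to mySQL port 3306 [**] 10.0.0.5 -> 10.0.1.7
03/01-10:30:03.000 [**] [1:2010935:1] ET SCAN Suspicious inbound to mySQL port 3306 [**] 10.0.0.5 -> 10.0.1.8
03/01-10:30:04.000 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] 10.0.0.5 -> 10.0.1.8
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>\S+) -> (?P<dst>\S+)$")


def parse_alerts(text):
    """Parse fast-alert lines into dicts sorted by timestamp."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
        alerts.append(rec)
    return sorted(alerts, key=lambda a: a["ts"])


def split_time_periods(alerts, max_gap_s=60):
    """Automatic time-period division: start a new period whenever the gap
    between consecutive alerts exceeds max_gap_s (assumed threshold)."""
    periods = []
    for a in alerts:
        if periods and (a["ts"] - periods[-1][-1]["ts"]).total_seconds() <= max_gap_s:
            periods[-1].append(a)
        else:
            periods.append([a])
    return periods


def mine_frequent_patterns(periods, min_support=2, max_len=2):
    """One transaction per (period, source IP) = set of SIDs that source raised.
    Count every SID combination up to max_len; keep those reaching min_support."""
    transactions = []
    for period in periods:
        per_src = defaultdict(set)
        for a in period:
            per_src[a["src"]].add(a["sid"])
        transactions.extend(per_src.values())
    support = Counter()
    for items in transactions:
        for k in range(1, min(max_len, len(items)) + 1):
            for combo in combinations(sorted(items), k):
                support[frozenset(combo)] += 1
    return {p: c for p, c in support.items() if c >= min_support}


def filter_isolated_alerts(alerts, patterns):
    """Drop alerts whose SID never appears in any frequent pattern; such
    one-off alerts are treated as noise / likely false positives."""
    frequent_sids = set().union(*patterns) if patterns else set()
    return [a for a in alerts if a["sid"] in frequent_sids]
```

On the constructed input, the two bursts half an hour apart become two periods, the SSH-scan and MySQL-scan SIDs from 10.0.0.5 form a frequent pair with support 2, and the single ICMP PING from 10.0.0.9 is dropped as isolated. Treating every infrequent alert as a false positive is the aggressive end of the trade-off: a real, low-volume intrusion can be filtered out the same way, so in practice the support threshold should be tuned per sensor and high-severity SIDs exempted.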
     2. A cyber threat detection architecture based on threat classification and behaviour sequence templates is proposed, comprising an alert information processing module, a threat detection module, a synergistic detection module, a threat prediction module and a network situation analysis module. By analysing the Snort rule database, the TIAA (a Toolkit for Intrusion Alert Analysis) system and the features of current cyber threat behaviour, a threat classification framework is proposed, which includes an initial classification matching model, a structural semantics model, a feature-match reuse model, a feature-match adaptive iteration model, a threshold determination model, a match classification model and a threat matching matrix model. The construction of the two most important modules, the initial classification matching model and the threat matching matrix model, is described in detail. On top of the classification model, a method for constructing threat behaviour sequence templates is proposed, which represents the threats in the rule database as sequences rather than single elements and so gives complex attack detection a more flexible rule base. Based on the classification model and the sequence templates, two threat detection matching algorithms are proposed, a pattern matching algorithm and a graph matching algorithm, which merge threat features with cyber threat behaviour. Experimental results indicate that both algorithms cut time cost by more than 50% compared with the classic Cupid and S-Match algorithms, and that the average time cost of graph matching is about 65% of that of pattern matching; the more nodes a template graph has and the more complex the detection, the smaller the ratio of graph matching time to pattern matching time.
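Contribution 2 above (and item 2 of the translated abstract) contrasts a pattern matching algorithm with a graph matching algorithm over behaviour sequence templates but does not show either. The following added example, which is not the dissertation's code, makes the difference concrete: the same multi-step template is matched against a per-source alert sequence once as a linear pattern (steps must occur in the listed order) and once as a partial-order graph (edges are "must precede" constraints, unrelated steps may occur in any order). The alert classes, the template and the alert stream are constructed; grouping by source IP and the backtracking search are the editor's design choices.

```python
"""Added example: matching a multi-step threat behaviour template as a linear
pattern and as a partial-order graph. Not the dissertation's algorithms; the
alert classes, template and alert stream are constructed for illustration."""
from collections import defaultdict

# Constructed alert stream: (seq_no, src_ip, alert_class). In a real pipeline
# the class would come from the classification model applied to the Snort SID.
ALERTS = [
    (1, "10.0.0.5", "scan_ssh"),
    (2, "10.0.0.5", "scan_db"),
    (3, "10.0.0.7", "scan_db"),
    (4, "10.0.0.5", "exploit_sqli"),
    (5, "10.0.0.7", "scan_ssh"),
    (6, "10.0.0.5", "c2_irc"),
    (7, "10.0.0.7", "exploit_sqli"),
    (8, "10.0.0.9", "scan_ssh"),
    (9, "10.0.0.7", "c2_irc"),
]

# Linear template: steps must appear in exactly this order.
LINEAR_TEMPLATE = ["scan_ssh", "scan_db", "exploit_sqli", "c2_irc"]

# Graph template: node -> alert class; edges are "must precede" constraints.
# The two recon steps are unordered relative to each other, both precede the
# exploit, and the exploit precedes the C2 beacon.
GRAPH_NODES = {"r_ssh": "scan_ssh", "r_db": "scan_db",
               "x": "exploit_sqli", "c": "c2_irc"}
GRAPH_EDGES = [("r_ssh", "x"), ("r_db", "x"), ("x", "c")]


def sequences_by_source(alerts):
    """Group alert classes per source IP, preserving arrival order."""
    seqs = defaultdict(list)
    for _, src, cls in sorted(alerts):
        seqs[src].append(cls)
    return dict(seqs)


def match_linear(seq, template):
    """Pattern matching: is the template an ordered subsequence of seq?
    Returns the matched positions, or None."""
    positions, i = [], 0
    for step in template:
        while i < len(seq) and seq[i] != step:
            i += 1
        if i == len(seq):
            return None
        positions.append(i)
        i += 1
    return positions


def match_graph(seq, nodes, edges):
    """Graph matching: assign each template node to a distinct position in seq
    so that every edge (a, b) satisfies pos[a] < pos[b]. Nodes are visited in
    topological order and assignments found by backtracking. Returns the
    node -> position map, or None."""
    preds = defaultdict(list)
    for a, b in edges:
        preds[b].append(a)
    indeg = {n: len(preds[n]) for n in nodes}          # Kahn's algorithm
    order, ready = [], [n for n in nodes if indeg[n] == 0]
    while ready:
        n = ready.pop()
        order.append(n)
        for a, b in edges:
            if a == n:
                indeg[b] -= 1
                if indeg[b] == 0:
                    ready.append(b)
    if len(order) != len(nodes):
        raise ValueError("template graph has a cycle")

    def solve(k, assigned, used):
        if k == len(order):
            return dict(assigned)
        node = order[k]
        lower = max((assigned[p] for p in preds[node]), default=-1)
        for pos in range(lower + 1, len(seq)):
            if pos not in used and seq[pos] == nodes[node]:
                assigned[node], _ = pos, used.add(pos)
                found = solve(k + 1, assigned, used)
                if found:
                    return found
                used.discard(pos)
                del assigned[node]
        return None

    return solve(0, {}, set())


def detect(alerts):
    """Run both matchers per source: {src: (linear_hit, graph_hit)}."""
    return {src: (match_linear(seq, LINEAR_TEMPLATE) is not None,
                  match_graph(seq, GRAPH_NODES, GRAPH_EDGES) is not None)
            for src, seq in sequences_by_source(alerts).items()}
```

Source 10.0.0.5 performs the steps in the template's listed order and is caught by both matchers; 10.0.0.7 runs the database scan before the SSH scan, so the linear template misses it while the graph template still matches; 10.0.0.9 only scans and matches neither. This is the generality the abstract attributes to sequence templates: one graph covers every interleaving of the unordered steps, where a linear rule base would need one pattern per ordering.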
     3. The threat synergistic detection model is defined and a Threat Detection Level Collaboration (TDLC) model is constructed through a model framework, a modelling process and synergistic mechanisms. The TDLC model is described in detail in four parts: model framework, modelling process, data structures and synergistic mechanism. On this model, a synergistic cyber threat detection system and its architecture are proposed, and its design objectives, architecture, logical structure, physical structure and operating principle are explained in detail. Considering the current mainstream threats, botnets and DDoS attacks, a distributed detection method based on the synergistic model is proposed. Synergistic botnet detection is built on a synergistic sensing model, and the cooperation mechanism of the threat sensors is then explained. To address the trust problem that deployed sensor nodes may be taken over by attackers, a method for identifying malicious sensors based on trust measurement is proposed. For synergistic DDoS detection, a traffic status snapshot prediction algorithm, a fine-grained anomaly detection algorithm and a malicious IP address extraction algorithm are proposed. Experimental results indicate that, compared with recently proposed traffic anomaly detection based on entropy and on the subspace method, the proposed detection algorithm handles botnet-based DDoS attacks effectively: it has relatively high precision in the initial stage of an attack, although the precision of both approaches converges as the share of DDoS traffic in the background traffic increases.
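The DDoS part of contribution 3 above (and item 3 of the translated abstract) names three stages, traffic snapshot prediction, fine-grained anomaly detection and malicious IP extraction, and compares the result against entropy-based detection. The following added example, not the dissertation's algorithms, wires those three stages together around the source-IP entropy baseline the abstract uses as its comparison point: an EWMA predicts the next window's entropy, a window whose entropy strays from the prediction is flagged, and sources whose share of flows jumps relative to the baseline are extracted. The flow snapshots are constructed (five quiet windows, then five hypothetical bots flooding), and the EWMA weight, the 0.5-bit deviation threshold and the share thresholds are assumptions.

```python
"""Added example: source-entropy snapshot prediction, anomaly flagging and
malicious-IP extraction. Not the dissertation's algorithms; the flow
snapshots, EWMA weight and thresholds are constructed/assumed."""
from collections import Counter
from math import log2


def make_snapshots():
    """Constructed per-window lists of source IPs (one entry per flow):
    five normal windows with 50 evenly active sources, then one window in
    which five hypothetical bots (203.0.113.0-4) each add 40 flows."""
    normal = ["10.1.%d.%d" % (i // 10, i % 10) for i in range(50)]
    attack = normal + ["203.0.113.%d" % (i % 5) for i in range(200)]
    return [list(normal) for _ in range(5)] + [attack]


def source_entropy(sources):
    """Shannon entropy (bits) of the source-IP distribution in one window."""
    total = len(sources)
    return -sum(c / total * log2(c / total) for c in Counter(sources).values())


def detect_anomalies(snapshots, alpha=0.5, max_dev=0.5):
    """Snapshot prediction: an EWMA of past windows predicts the next window's
    entropy; a window whose entropy differs from the prediction by more than
    max_dev bits is flagged. Flagged windows do not update the prediction, so
    an attack cannot poison the baseline. Returns (index, entropy, predicted,
    flagged) tuples."""
    results, predicted = [], None
    for i, window in enumerate(snapshots):
        h = source_entropy(window)
        if predicted is None:            # first window seeds the baseline
            results.append((i, h, h, False))
            predicted = h
            continue
        flagged = abs(h - predicted) > max_dev
        results.append((i, h, predicted, flagged))
        if not flagged:
            predicted = alpha * h + (1 - alpha) * predicted
    return results


def extract_malicious_ips(baseline_windows, suspect_window,
                          min_share=0.05, ratio=5.0):
    """Fine-grained step: a source is extracted if its share of flows in the
    suspect window is at least min_share and at least `ratio` times its mean
    share over the baseline windows (unseen in baseline counts as 0)."""
    base = Counter()
    for w in baseline_windows:
        for ip, c in Counter(w).items():
            base[ip] += c / len(w) / len(baseline_windows)
    n = len(suspect_window)
    out = []
    for ip, c in Counter(suspect_window).items():
        share = c / n
        if share >= min_share and share >= ratio * base.get(ip, 0.0):
            out.append(ip)
    return sorted(out)


def run(snapshots):
    """Flag anomalous windows and extract sources from each flagged one."""
    results = detect_anomalies(snapshots)
    report = {}
    for i, _, _, flagged in results:
        if flagged:
            clean = [w for (j, _, _, f), w in zip(results, snapshots)
                     if j < i and not f]
            report[i] = extract_malicious_ips(clean, snapshots[i])
    return report
```

On this input the quiet windows sit at log2(50), about 5.64 bits, and the flooding window drops to about 3.71 bits because five sources dominate, so it is flagged and the five bot addresses are extracted. The direction of the entropy change depends on the attack: a flood from many spoofed sources raises source entropy rather than lowering it, which is why the deviation test is two-sided. Aggregate entropy also says nothing about which addresses are responsible, which is the gap the per-source share comparison fills.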
     4. A threat prediction recognition model is proposed as the threat prediction framework. By improving the particle swarm optimisation (PSO) algorithm, an overlap prediction algorithm based on the prediction model is proposed, and a threat prediction model is constructed to predict threat trends. The prediction error of this model is about half that of the PSO model, demonstrating the accuracy and robustness of the prediction model. For the quantitative evaluation of the network security situation, the network is divided into system, host, service and attack levels. A threat index is defined for the existing threats and a quantitative computation method for it is proposed; an importance weight is then computed for every level and used to evaluate the security situation of the entire network. A Dempster-Shafer (D-S) evidence reasoning method is introduced to grade the possibility of each threat occurring in the network; by identifying the specific class of each threat, the method determines the weight ratios of all threats occurring in one day and then gives a detailed analysis of the network security situation.
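Contribution 4 above (and item 4 of the translated abstract) describes two computations without giving them: a threat index rolled up through the attack, service, host and system levels with importance weights, and a D-S evidence step that grades the possibility of each threat type. The following added example, which is not the dissertation's formulas, shows one way to do both: the index definition severity × log2(1 + count), the level weights, the host inventory and the two sensors' mass functions are all assumptions for illustration; Dempster's rule of combination, belief and plausibility are the standard D-S definitions.

```python
"""Added example: hierarchical threat index (attack -> service -> host -> system)
and Dempster-Shafer combination of two sensors' threat-type evidence.
Not the dissertation's formulas: the index definition severity*log2(1+count),
the level weights, the inventory and the mass functions are assumptions."""
from itertools import product
from math import log2

# Constructed inventory: host -> (host weight, {service: (service weight, attacks)})
# Each attack is (name, severity 1..10, alert count); all values hypothetical.
INVENTORY = {
    "web01": (0.6, {
        "http": (0.7, [("sqli", 8, 3), ("scan", 2, 20)]),
        "ssh":  (0.3, [("bruteforce", 5, 10)]),
    }),
    "db01": (0.4, {
        "mysql": (1.0, [("scan", 2, 5)]),
    }),
}


def attack_index(severity, count):
    """Assumed attack-level index: severity scaled by log2(1 + count), so many
    low-severity alerts do not outweigh a single serious one."""
    return severity * log2(1 + count)


def threat_indices(inventory):
    """Roll the index up through the levels with importance weights.
    Returns {"system": x, "hosts": {host: x}, "services": {(host, svc): x}}."""
    hosts, services, system = {}, {}, 0.0
    for host, (h_w, svcs) in inventory.items():
        host_idx = 0.0
        for svc, (s_w, attacks) in svcs.items():
            svc_idx = sum(attack_index(sev, cnt) for _, sev, cnt in attacks)
            services[(host, svc)] = svc_idx
            host_idx += s_w * svc_idx
        hosts[host] = host_idx
        system += h_w * host_idx
    return {"system": system, "hosts": hosts, "services": services}


def ds_combine(m1, m2):
    """Dempster's rule: m(A) = sum_{B∩C=A} m1(B)·m2(C) / (1 - K), where K is
    the mass assigned to conflicting (disjoint) pairs. Mass functions are
    dicts frozenset -> float whose values sum to 1."""
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            combined[a] = combined.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict: the sources share no hypothesis")
    return {a: v / (1 - conflict) for a, v in combined.items()}


def belief(m, hyp):
    """Bel(A): mass committed to subsets of A."""
    return sum(v for a, v in m.items() if a <= hyp)


def plausibility(m, hyp):
    """Pl(A): mass not committed against A (sets intersecting A)."""
    return sum(v for a, v in m.items() if a & hyp)


def rank_threat_types(m):
    """Score each singleton threat type by belief, highest first."""
    theta = frozenset().union(*m)
    return sorted(((t, belief(m, frozenset({t}))) for t in theta),
                  key=lambda x: -x[1])


# Constructed evidence from two sensors over the frame {botnet, ddos, scan}.
THETA = frozenset({"botnet", "ddos", "scan"})
SENSOR1 = {frozenset({"botnet"}): 0.5, frozenset({"botnet", "ddos"}): 0.3, THETA: 0.2}
SENSOR2 = {frozenset({"ddos"}): 0.4, frozenset({"botnet", "ddos"}): 0.4, THETA: 0.2}
```

With these two mass functions the conflicting mass is K = 0.5 × 0.4 = 0.2, so the combined belief in "botnet" is 0.3 / 0.8 = 0.375 against 0.25 for "ddos", and its plausibility is 0.75 because the {botnet, ddos} and Θ masses do not exclude it. The gap between belief and plausibility is the point of using D-S here rather than a single probability: it shows how much of the verdict rests on evidence the sensors could not narrow down. The check on K is not cosmetic: the rule is undefined when two sources totally disagree, and a compromised sensor (the trust problem raised in contribution 3) can push K close to 1 and make the normalised masses swing wildly, so a high K should itself be treated as a signal.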
     This dissertation is an instructive practice and exploration of cyber threat detection techniques. Its results have theoretical and practical value for advancing cyber threat detection research, and contribute to the improvement and development of network security.
    [171] Yegneswaran V, Barford P, Jha S. Global intrusion detection in the DOMINOoverlay system [C]//Proc of the11th network and distributed securitysymposium (NDSS’04). Berkeley, CA: USENIX Association,2004.
    [172] Cai BQ. Distributed Intrusion Detection System node cooperation algorithm [D].Najing: Nanjing University of Science,2008(Ch).
    [173] Xue YD, Han XL, Dai SF. Distributed Cooperative Intrusion Detection SystemBased on Snort [J]. Computer Engineering,2010,36(19):165~167(Ch).
    [174] Lu W, Ghorbani AA. Bots Behaviors vs. Human Behaviors on Large-ScaleCommunication Networks [G]//LNCS5230: Proc of the11th InternationalSymposium on Recent Advances in Intrusion Detection. Berlin: Springer,2008:415~416.
    [175] Gu GF, Porras P, Yegneswaran V, et al. BotHunter: Detecting malware infectionthrough ids-driven dialog correlation [C]//Proc of the16th USENIX SecuritySymposium (Security’07). Berkeley, CA: USENIX Association,2007:167~182.
    [176] Open Source Host-based Instrusion Detection System (OSSEC)[EB/OL].http://www.ossec.net.
    [177] T. Bass, Intrusion detection systems and multisensor data fusion.Communications of the ACM,2000,43(4):99-105.
    [178] H.Debar, A.Wespi, Aggregation and correlation of intrusion-detection alerts.Recent Advances in Intrusion Detection, LNCS2212,2001:85-103.
    [179] P. Ning, Y. Cui. An intrusion alert correlator based on prerequisites of intrusions,Technical Report TR-2002-01. Department of Computer Science, North CarolinaState University.2002.
    [180] P. Ning, D.Reeves, Yun Cui. Correlating alerts using prerequisites of intrusions,Technical Report TR-2001-13. Department of Computer Science, NorthCarolina State University.2001.
    [181] A.Valdes, K.Skinner. Probabilistic alert correlation. In: Proceedings of the4thInternational Symposium on Recent Advances in Intrusion Detection.2001,54-68.
    [182] F.Cuppens. Managing alerts in a multiintrusion detection environmnent,17thAnnual Computer Security Applications Conference. New-Orleans.2001.
    [183] A. Adas. Traffic models in broadband networks. IEEE CommunicationsMagazine,1997,35(7):82-89.
    [184] B. S. Chen, S. C. Peng, K. C. Wang. Traffic Modeling,Prediction,and CongestionContol for High-SpeedNetworks: A Fuzzy AR Approach. IEEE Trans. FuzzySystems,2000,8(5):491-508.
    [185] V. Paxson, S. Floyd. Wide area traffic: The failure ofPoisson modeling.IEEE/ACM Trans. Networking,1995,3(3):226-244.
    [186] D. R. Hush, B. G. Home. Progress in Supervised Neural Networks. IEEE SignalProcessing Magazine,1993,10(1):8-39.
    [187] T. Edwards, D. S. W. Tansley, R. J. Frank, N. Davey. Traffic Trends Analysisusing Neural Networks. In: Proceedings of the International Workshop onApplications of Neural Networks to Telecommunications.1997,157-164.
    [188] J. Jacek, K. Krzyszt. Rough Set Reduction of Attributes and Their Domains forNeural Networks. Computational Intelligence,1995,11(2):339-347.
    [189] Ortalo R, Deswarte Y, Kaaniche M. Experimenting with quantitative evaluationtools for monitoring operational security. IEEE Trans. on Software Engineering,1999,25(5):633-651.
    [190] Xiao DJ, Yang SJ, Zhou KF, Chen XS. A study of evaluation model for networksecurity. Journal of Huazhong University of Science&Technology (NatureScience Edition),2002,30(4):37-39(in Chinese with English abstract).
    [191] Feng DG, Zhang Y, Zhang YQ. Survey of information security risk assessment.Journal of China Institute of Communications,2004,25(7):10-18(in Chinesewith English abstract).
    [192] Blyth A. Footprinting for intrusion detection and threat assessment. InformationSecurity Technical Report,1999,4(3):43-53.
    [193] Hariri S, Qu GZ, Dharmagadda T, et al. Impact analysis of faults and attacks inlarge-scale networks. IEEE Security&Privacy,2003,1(5):49-54.
    [194] Cohen F. Managing network security attack and defense strategies.2004.http://www.blacksheepnetworks.com/security/info/misc/9907.html.
    [195] Bass T. Multisensor data fusion for next generation distributed intrusiondetection systems. In:1999IRIS National Symp. on Sensor and Data Fusion.Laurel,1999.24-27.
    [196] D’Ambrosio B, Takikawa M, Upper D, Fitzgerald J, Mahoney S. Securitysituation assessment and response evaluation. In: DARPA InformationSurvivability Conf.&Exposition II. Anaheirn,2001.387-394.
    [197] Porras P, Fong M, Valdes A. A mission-impact-based approach to INFOSECalarm correlation. In: Proc. of the15th Int’l Symp. on Recent Advances inIntrusion Detection. Zurich,2002.95-114.
    [198] Feng Chen, Multitarget attack graph based on a hierarchical network security riskassessment methods [D]:[Ph.D Thesis]. Changsha, China: National University ofDefense Technology.2009.
    [199] Shafer G. A Mathematical Theory of Evidence. Princeton: Princeton UniversityPress,1976.
    [200] Wei SZ, Zhao H, Wang G, Zhang XD. Situation assessment model of complexsystem and its implementation method based on ontology. Journal of SystemSimulation,2005,17(5):1200-1202.
    [201] Li WS, Wang BS. A synthetic method for situation assessment based on fuzzylogic and D-S evidential theory. Systems Engineering and Electronics,2003,25(10):1278-1280.
    [202] Xu XH, Liu ZL. A method for situation assessment based on D-S evidencetheory. Electronics Optics&Control,2005,12(5):36-37.
    [203] R. C. Everhart, J. A. Kennedy. New Optimizer Using Particle Swarm Theory. In:Proc Sixth International Symposium on Micro Machine and Human Science.Nagoya,1995,39-43.
    [204] J. Kennedy, R. C. Eberhart. Particle swarm optimization. In: IEEE InternationalConference on Neural Network. Perth,1995,1942-1948.