Research on Anomaly Detection Technology Based on Host Behavior
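Abstract
With the development of network technology, people have become increasingly dependent on networks, and security problems involving computers and their networks have become increasingly prominent. Intrusion detection is an important part of the security architecture: it is the basis for responding to intrusions and also provides reference information for further intrusion prevention. In recent years, much research has been done on intrusion detection based on network data. However, as network bandwidth and traffic grow and as people increasingly use the network for everyday applications and information management, traditional detection oriented toward low-level data has gradually exposed some problems and difficulties, such as being unable to detect ever-changing intrusion behaviors promptly or accurately. Application-level intrusion detection has therefore emerged, and it is an important direction in the development of intrusion detection technology.
     This dissertation focuses on abnormal behavior occurring on the host and explores methods and techniques for detecting abnormal host behavior. It first studies the foundational work of behavior detection, behavior feature selection: by studying behavior feature selection algorithms, it selects features that accurately characterize behavior, creating the conditions for detecting various behaviors. It then studies three levels of host behavior, in order from low to high and from inside to outside. The behavior of software while it runs is a relatively low-level behavior for the host, whereas a user's behavior in using the computer is a high-level composite behavior that involves the combined behavior of multiple programs. The web browser is a bridge between the host and the network, and its access to and use of host resources is external behavior carried out on the inside of the host from outside the host.
     The main research contents and contributions of the dissertation are as follows:
     (1) Research on behavior feature selection based on information theory. To address the diversity of behavior attributes, and building on a discussion of the relevant information theory, the dissertation proposes using conditional entropy to compute the degree of correlation between each attribute and attacks, and then using interactive entropy to compute the mutual dependence among the attributes with relatively high correlation. Attributes that are strongly interdependent are removed, keeping attribute features that have high correlation and little redundant information. This not only maintains the accuracy of feature selection but also further reduces the computational cost of intrusion detection; experiments show that it can improve detection efficiency to a certain extent.
     (2) Research on software abnormal behavior detection. For detecting abnormal process behavior, the research centers on the system call sequences that characterize process behavior. It proposes using short system call sequences of unrestricted length that meet a certain support as the feature patterns of a program in its normal environment, improves the HMM on this basis, and proposes the DBCPIDS detection model. Before detection, the feature patterns that characterize global behavior are first mined, and the IHMM is then trained to build the improved hidden Markov chain. The model combines global program features with local dynamic behavior and is suitable for online detection; experiments show strong real-time performance, a high detection rate, a low false alarm rate, and a good ability to adapt to environmental changes.
     (3) Research on a detection model for abnormal user behavior. For detecting abnormal users, the research centers on users' habits in using programs. It borrows the concepts of ontology and semantics from ontology theory and uses the user's everyday use of computer programs or services to build a semantic relation graph of behavior habits. The programs used are nodes and the order in which they are used forms directed edges; the directed edges are called semantic relations, and the importance of each semantic relation is defined. During detection, the user's use of programs is captured in real time and a phase behavior semantic relation graph is built; the deviation of this graph from the behavior semantic relation graph is computed, and behavior is judged abnormal when the deviation exceeds a certain limit. Experiments show that the behavior semantic relation graph describes a user's computer usage habits well, and that both the detection rate and the accuracy are relatively high when detecting abnormal behavior.
     (4) Research on a multi-evidence fusion method for the browser's use of host resources. For browser behavior, whose functions are increasingly numerous, the dissertation analyzes its behavior patterns and selects five features, including CPU usage, as behavior evidence. For each, it computes the basic belief that represents abnormal behavior; using D-S evidence fusion theory, it fuses the five items of basic abnormal-behavior evidence into one new piece of evidence, and then decides whether the browser behavior is abnormal according to the belief with which the new evidence supports abnormal behavior. Experiments show that the algorithm can effectively discover attacks carried out through the browser.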
With the development of network technology, people depend on networks more and more, and security problems involving computers and networks are becoming more and more serious. Intrusion detection is an important part of the security architecture; it is the basis of intrusion response and also provides reference information for preventing further intrusions. In recent years, much intrusion detection research has been carried out on network data. But with the increase in network bandwidth and traffic, and as people use the network ever more widely for everyday applications and information management, traditional detection methods that work on the underlying data have gradually exposed some problems and difficulties, such as failing to detect ever-changing intrusion behavior in a timely or accurate way. Application-level intrusion detection has therefore come into being, and it is an important research direction in intrusion detection technology.
     To explore methods and techniques for detecting abnormal host behavior, this dissertation focuses on abnormal behavior on the host. First, we carried out the basic work of behavior detection, behavior feature selection. By studying behavior feature selection algorithms that select features which precisely characterize behavior, we obtained the feature conditions for detecting a variety of abnormal behavior. The dissertation then studies three levels of host behavior, from low to high and from the inside to the outside of the host. The behavior of software running on the host is relatively low-level behavior, while a user's behavior in using the computer is high-level composite behavior, because it involves the overall behavior of a number of programs. In addition, the Web browser is a communication bridge between the host and the network, and its access to resources on the host is external behavior directed from the Internet at the inside of the host.
     The main contents and contributions of this dissertation are summarized as follows:
     (1) Behavior feature selection research based on information theory. Considering the diversity of behavior attributes, and based on a discussion of information theory, a method is proposed that uses conditional entropy to calculate the degree of correlation between the various attributes and the various types of attacks. Then the interactive entropy is calculated as the degree of interdependence among the attributes with higher correlation. The greater the interdependence between attributes, the more their information overlaps, so one of them is redundant and cannot be selected as a behavior feature. The attributes with higher correlation and less redundant information are the good behavior features. This method not only maintains the accuracy of feature selection but also further reduces the amount of computation. Experiments show that it can improve detection efficiency to a certain extent.
     (2) Detection technology for abnormal software behavior. For abnormal process behavior, the system call sequence is often regarded as the best characterization of software behavior. A new concept of behavior pattern is proposed, which must meet a certain degree of support. Although a behavior pattern is defined as a short sequence of system calls under normal conditions, its length is unlimited. On the basis of the behavior pattern, the traditional HMM is improved; the result is called IHMM. We then put forward the DBCPIDS detection model. Before detection, all patterns that characterize global behavior are mined, and the IHMM is then trained to establish an improved hidden Markov chain. The model combines the global behavior characterization patterns with local dynamic behavior, which makes it suitable for online detection. Experiments show that the detection model has better real-time performance, a higher detection rate, a lower false alarm rate, and a better ability to adapt to environmental changes.
     (3) Anomaly detection model of user behavior. To describe user behavior well, this detection model is built on users' habits in using programs. Borrowing the concepts of ontology and semantics from ontology theory, a behavior semantic diagram is built from the user's daily habits in using computer programs or services. In the diagram, each program used is a node, and the order in which programs are used forms the directed edges, which are called behavior semantic relations. Every semantic relation is assigned an appropriate degree of importance. When detecting abnormal behavior, the programs used by the user are captured in real time, and a semantic graph of phase behavior is constructed. The deviation of the phase behavior semantic graph from the normal global semantic diagram is calculated. When the deviation exceeds a certain limit, the behavior is identified as abnormal. Experiments show that the behavior semantic diagram can describe a person's habits in using the computer and can be used to detect abnormal behavior, with good detection rate and accuracy.
     (4) Detecting browsers' abnormal behavior in using host resources by a multi-evidence fusion method. For browser behavior, whose range of functions keeps increasing, its behavior patterns are analyzed. Then, with CPU usage and four other features selected as evidence of browser behavior, the basic belief degree corresponding to each of the five features is calculated. According to D-S evidence fusion theory, the five basic items of evidence of abnormal behavior are fused into new evidence. To determine whether the behavior is abnormal, the degree to which the new evidence supports abnormal behavior is checked. Experiments show that the algorithm can effectively discover attacks carried out through abnormal browser behavior.
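An added illustration of the feature selection idea in item (1), not code from the dissertation: attributes are ranked by how much they reduce the conditional entropy of the attack label, and a candidate is dropped when it is strongly interdependent with an attribute already kept. The abstract does not define its "interactive entropy"; normalised mutual information stands in for it here, and the attribute names, records and thresholds are constructed.

```python
import math
from collections import Counter


def entropy(values):
    """Shannon entropy (bits) of a sequence of discrete values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def conditional_entropy(target, given):
    """H(target | given) = H(target, given) - H(given)."""
    return entropy(list(zip(target, given))) - entropy(given)


def relevance(attr, labels):
    """Share of the label's uncertainty removed by knowing the attribute."""
    h_label = entropy(labels)
    if h_label == 0:  # only one class present: nothing to explain
        return 0.0
    return 1 - conditional_entropy(labels, attr) / h_label


def interdependence(a, b):
    """Assumed stand-in for 'interactive entropy': mutual information
    I(a;b) normalised by the smaller of the two entropies."""
    floor = min(entropy(a), entropy(b))
    if floor == 0:  # a constant attribute shares no information
        return 0.0
    return (entropy(a) + entropy(b) - entropy(list(zip(a, b)))) / floor


def select_features(columns, labels, relevance_min, redundancy_max):
    """Keep relevant attributes, most relevant first, skipping any that is
    too interdependent with an attribute that was already kept."""
    scores = {name: relevance(col, labels) for name, col in columns.items()}
    ranked = sorted((n for n in scores if scores[n] >= relevance_min),
                    key=lambda n: (-scores[n], n))
    selected, dropped = [], {}
    for name in ranked:
        clash = next((kept for kept in selected
                      if interdependence(columns[name], columns[kept])
                      > redundancy_max), None)
        if clash is None:
            selected.append(name)
        else:
            dropped[name] = clash  # remember which kept attribute it duplicates
    return selected, dropped, scores


# Constructed sample: 12 host behavior records, 8 normal and 4 attack.
LABELS = ["normal"] * 8 + ["attack"] * 4
COLUMNS = {
    "writes_system_dir": ["no"] * 6 + ["yes", "no"] + ["yes"] * 4,
    # Nearly the same information as writes_system_dir, encoded differently.
    "system_dir_write_count": ["0"] * 6 + [">0"] * 6,
    "outbound_conns": ["low", "low", "low", "high", "low", "low",
                       "low", "low", "high", "high", "low", "high"],
    # Independent of the label, so it carries no detection value.
    "keyboard_layout": ["us", "de"] * 6,
}

if __name__ == "__main__":
    selected, dropped, scores = select_features(COLUMNS, LABELS, 0.2, 0.5)
    for name, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name:24s} relevance={score:.3f}")
    print("selected:", selected)
    print("dropped as redundant:", dropped)
```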
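An added illustration of the fusion step in item (4), not code from the dissertation: Dempster's rule of combination from D-S theory applied to five basic probability assignments over the frame {abnormal, normal}. Only CPU usage is named in the abstract; the other four feature names, all mass values and the 0.8 decision threshold are assumptions.

```python
from functools import reduce
from itertools import product

ABNORMAL = frozenset({"abnormal"})
NORMAL = frozenset({"normal"})
THETA = ABNORMAL | NORMAL  # the whole frame: "cannot tell"


def bpa(abnormal, normal):
    """Basic probability assignment; the unassigned mass goes to THETA."""
    if abnormal < 0 or normal < 0 or abnormal + normal > 1:
        raise ValueError("masses must be non-negative and sum to at most 1")
    return {ABNORMAL: abnormal, NORMAL: normal, THETA: 1 - abnormal - normal}


def combine(m1, m2):
    """Dempster's rule: multiply masses of intersecting focal elements and
    renormalise by 1 - K, where K is the mass that fell on the empty set."""
    fused, conflict = {}, 0.0
    for (b, mass_b), (c, mass_c) in product(m1.items(), m2.items()):
        common = b & c
        if common:
            fused[common] = fused.get(common, 0.0) + mass_b * mass_c
        else:
            conflict += mass_b * mass_c
    if conflict >= 1 - 1e-12:
        # Two sources that flatly contradict each other cannot be fused.
        raise ValueError("total conflict between evidence sources")
    return {focal: mass / (1 - conflict) for focal, mass in fused.items()}


def belief(m, hypothesis):
    """Bel(H): total mass committed to subsets of the hypothesis."""
    return sum(mass for focal, mass in m.items() if focal <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(H): total mass not contradicting the hypothesis."""
    return sum(mass for focal, mass in m.items() if focal & hypothesis)


def judge(evidence, threshold=0.8):
    """Fuse all evidence sources and decide on the belief in 'abnormal'."""
    fused = reduce(combine, evidence.values())
    bel = belief(fused, ABNORMAL)
    return {
        "belief_abnormal": bel,
        "plausibility_abnormal": plausibility(fused, ABNORMAL),
        "abnormal": bel >= threshold,
    }


# Constructed sample: one observation window of a browser process.
# Four sources lean towards "abnormal"; outbound_connections disagrees.
SUSPICIOUS_WINDOW = {
    "cpu_usage": bpa(0.6, 0.1),
    "memory_growth": bpa(0.5, 0.2),          # hypothetical feature
    "file_writes": bpa(0.7, 0.1),            # hypothetical feature
    "child_processes": bpa(0.4, 0.3),        # hypothetical feature
    "outbound_connections": bpa(0.2, 0.5),   # hypothetical feature
}

# Constructed sample: ordinary browsing, every source leans towards "normal".
QUIET_WINDOW = {name: bpa(0.1, 0.6) for name in SUSPICIOUS_WINDOW}

if __name__ == "__main__":
    for label, window in (("suspicious", SUSPICIOUS_WINDOW),
                          ("quiet", QUIET_WINDOW)):
        print(label, judge(window))
```

No single source in the suspicious window reaches the threshold on its own; the fused belief does, even with one dissenting source.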
    [144]Lizhong Xiao; Yunxiang Liu;A Two-step Feature Selection Algorithm Adapting to Intrusion Detection. Artificial Intelligence,2009. JCAI'09. International Joint Conference on Digital Object Identifier:10.1109/JCAI.2009.214 Publication Year:2009, Page(s):618-622
    [145]李玲娟.数据挖掘技术在入侵检测系统中的应用研究.苏州大学博士论文.苏州大学.2008.
    [146]Isabelle Guyon, Andre Elisseeff. An introduction to variable and feature selection. Journal of Machine Learning Research archive. Volume 3,3/1/2003,1157-1182
    [147]Kira, K.,& Rendell, L. A practical approach to feature selection. Proceedings of the Ninth International Conference on Machine Learning,1992,249-256
    [148]Hussein Almuallim, Thomas G. Dietterich. Learning with Many Irrelevant features. Proceedings of the Ninth National Conference on Artificial Intelligence, Anaheim, CA, 1991,547-552
    [149]George H. John, Ron Kohavi, Karl Pfleger. Irrelevant Features and the Subset Selection Problem. Proceedings of theEleventh International Conference, Morgan Kaufmann Publishers, San Francisco, CA,1994,121-129
    [150]http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html 2010-10-10
    [151]Fayyad, U.M. and Irani, K.B. Multi-Interval Discretization of continuous-Valued Attributes for Classification Learning. In Proceedings of IJCAI.1993,1022-1029.
    [152]D. R. Wilson, T. R. Martinez. Improved Heterogeneous Distance Functions. Journal of Artificial Intelligence Research, Vol 6(1),1-34,1997
    [153]Wenke Lee Salvatore J. Stolfo Kui W. Mo. A Data Mining Framework for Building Intrusion Detection Models. Proceedings of the 1999 IEEE Symposium on Security and Privacy.1999,120-132
    [154]M. Hall, Correlation Based Feature Selection for Machine Learning, Doctoral Dissertation, The University of Waikato, Department of Computer Science,1999.
    [155]L. Yu and H. Liu, "Feature Selection for High-Dimensional Data:A Fast Correlation-Based Filter Solution," Proceedings of The Twentieth International Conference on Machine Leaning, pp.856-863, Washington, D.C., August,2003.
    [156]J. R. Quinlan, C4.5:Programs for Machine Learning, Morgan Kaufmann,1993.
    [157]Forrest S, et al. A sense of self for unix processes [A]. John McHugh IEEE Symposium on Security and Privacy Proceedings [C]. Oakland CA:IEEE Computer Society Press,1996. pp:120-128.
    [158]Lee W, Stolfo S J. Data mining approaches for intrusion detection [A]. The Proceedings of the 7th USENIX Security Symposium [C]. Berkeley:USENIX,1998, pp. 79-94
    [159]Liao, Yihua, and Vemuri, V. Rao, Use of k-nearest neighbor classifier for intrusion detection. In Networks and Security,200, Vol.21, pp.438-448.
    [160]Lee Wenke, Xiang Dong. Information-theoretic measures for anomaly detection. In:Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, California, USA,2001, pp.130-143
    [161]Hofmeyr S A, Forrest S, Somayaji A. Intrusion detection using sequence of system calls[J]. Journal of Computer Security,1998,6(3), pp.151-180
    [162]Lane T., Brodley C. E.. Temporal sequence learning and data reduction for anomaly detection. In:Proceedings of the 5th ACM Conference on Computer & Communication Security, San Francisco, California, USA,1998, pp.295-331
    [163]Raman C.V. and Atul Negi. A Hybrid Method to Intrusion Detection Systems Using HMM, ICDCIT 2005, LNCS 3816, pp.389-396.
    [164]Rabinr LR. A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. Proceeding of the IEEE[C].1989,Vol.77, No.2.
    [165]Zhang Xiang-feng,SUN Yu-fang,ZHAO Qing-song Intrusion Detection Based on Sub Set of System Calls. ACTA ELECTRONICA SINICA Vol.32 No.8 Aug.2004 pp.1338-1341
    [166]Kosoresow A P, Hofmeyr S A. Intrusion detection via system call traces [J]. IEEE Software,1997,14(5), pp.35-42
    [167]Bin, Y., Qiao, Y., Xin, X.W., and Ge, S. Anomaly intrusion detection method based on HMM.In IEEE Electronic letters Online No:20020467,2002, volume 38, pp.663-664.
    [168]Hu, J., Hoang, X.D., and Bertok, P. A multi layer model for anomaly intrusion detection using program sequences of system calls. In IEEE International Conference on Networks,2003.
    [169]Radha Krishna, P., Raju, S. Bapi, Arijit Laha, Pradeep Kumar, M. Venkateswara Rao. Intrusion detection system using sequence and set preserving metric. In IEEE International Conference on Intelligence and Security Informatics, ISI,2005, pp.498-504.
    [170]http://www.cs.unm.edu/-immsec/data [OL].
    [171]Christina Warrender, Stephanie Forrest,Barak Pearlmutter. Detecting intrusion using system calls:Alternative data models[J]. Proceedings of the 1999 IEEE Symposium on Security and Privacy,1999, pp.133-145.
    [172]Lane, T. and Brodley, C. Sequence Matching and Learning in Anomaly Detection for Computer Security. In Proceedings of the AAAI-1997 Workshop on AI Approaches to Fraud Detection and Risk Management, pages 43-49.
    [173]DuMouchel, W., Schonlau, M. A fast computer intrusion detection algorithm based on hypothesis testing of command transition probabilities. The Fourth International Conference of Knowledge Discovery and Data Mining, August 27-31 1998, New York, pp. 189-193.
    [174]Theus, M., Schonlau, M. Intrusion Detection Based on Structural Zeroes. Statistical Computing & Graphics Newsletter,1998, Vol.9, No 1,12-17.
    [175]Upadhyaya, S. J. and Kwiat, K. A distributed concurrent intrusion detection scheme based on assertions. In Proceedings of the SCS International Symposium on Performance Evaluation of Computer and Telecommunication Systems,1999, pages 369-376.
    [176]S. Upadhyaya, R. Chinchani and K. Kwiat. An Analytical Framework for Reasoning About Intrusions. In Proceedings of 20th IEEE Symposium on Reliable and Distributed Systems, New Orleans, LA, USA, Oct.2001, pp.99-108.
    [177]T. Lane. Machine Learning Techniques for the Computer Security Domain of Anomaly Detection. Ph. D. Thesis, CERIAS TR 2000-12, Purdue University, August 2000.
    [178]DuMouchel, W. Computer Intrusion Detection Based on Bayes Factors for Comparing Command Transition Probabilities. AT&T Labs-Research Technical Report TR91,1999.
    [179]Wen-Hua Ju, Yehuda. Vardi. A Hybrid High-order Markov Chain Model for Computer Intrusion Detection.National Institute of Statistical Sciences. Technical Report No. 92,1999. http://www.niss.org/downloadabletechreports.html
    [180]Brian D. Davison and Haym Hirsh. Predicting Sequences of User Actions. AAAI/ICML 1998Workshop on Predicting the Future:AI Approaches to Time-Series Analysis.
    [181]Domingos and Pazzani. Beyond Independence:Conditions for the Optimality of the Simple Bayesian Classifier. In Proceedings of the Thirteenth International Conference on Machine Learning (ICML).1996
    [182]Rabiner L. R.,Juang, B. H. An introduction to hidden Markov models. IEEE ASSP Magazine, pp.4-15, January 1986.
    [183]D.Y. Yeung, Y. Ding. User profiling for intrusion detection using dynamic and static behavioral models. In Advances in Knowledge Discovery and Data Mining, pp.494-505, Springer,2002. (Sixth Pacific-Asia Conference on Knowledge Discovery and Data Mining, PAKDD 2002, Taipei, Taiwan,6-8 May 2002.)
    [184]Roy A. Maxion and Tahlia N. Townsend. Masquerade Detection Using Truncated Command Lines. Proceedings of International Conference on Dependable Systems and Networks (DSN'02), p.219, June 23-26,2002.
    [185]Robert Neches, Richard Fikes, Tim Finin, Thomas Gruber, Ramesh Patil, Ted Senator, and William R. Swartout. Enabling technology for knowledge sharing. AI Magazine,1991,12(3):36-56.
    [186]Thomas R. Gruber. A translation approach to portable ontology specifications. Knowledge Acquisition,1993,5(2):199-220.
    [187]Borst Willem Nieo. Construction of Engineering Ontologies for Knowledge Shari ng and Reuse [Doctoral Dissertation]. University of Twente, Enschede,1997.
    [188]Rudi Studer, V. Richard Benjamins, Dieter Fensel. Knowledge engineering: Principles and methods. Data and Kowledge Engineering,1998,25(122):161-197.
    [189]Vicotr Raskin, Christina F. Hempelrnann, KartlllE. Trieeznberg, and Segrei Nerinburg. Ontology in information security:A useful theoretical foundation and methodological tool[C], Proceedings of NSPW-2001,2001,53-59.
    [190]Jeffrey Undercoffer, Anupam Joshi, John Pinkston. Modeling Computer Attacks: An Ontoplogy for Intrusion Detection[C], Proceedings of Recent Advances in Intrusion Detection 2003,2003. LNCS 2820,113-135.
    [191]经小川,胡昌振,谭惠民.本体论在网络入侵检测技术中的应用.四川大学学报.2005年5.105-109
    [192]陈刚,陈伟.基于本体的协同式入侵检测系统.计算机应用,2005年7月,1554-1557
    [193]Tian Xin-Guang, Duan Mi-Yi, Li Wen-Fa, Sun Chun-Lai. Anomaly detection of user behavior based on shell commands and homogeneous Markov chains. Chinese Journal of Electronics,2008,17(2):231-236
    [194]Kim H S, Cha S D. Empirical evaluation of SVM-based masquerade detection using UNIX commands. Computers and Security,2005,24(2):160-168
    [195]Lane T, Carla E B. An empirical study of two approaches to sequence learning for anomaly detection. Machine Learning,2003,51(1):73-107
    [196]http://article.pchome.net/content-828299.html 2011-7-8
    [197]WeidongCui, Randy H.Katz, Wai-tianTan. BINDER:An Extrusion-based Break-In Deteetor for Personal Computers.Report No.UCB/CSD-4-1352 October,2005
    [198]姚婷婷,郑庆华,管晓宏等.一种基于主机实时流量的安全评估方法.西安交通大学学报,2006,40(4):415-419
    [199]HanPingHu, WenxuanGuo, A Method of security measurement of network data transmission.In Proceedings of the 19th IEEE Intemational Paralleland Distributed Processing Symposium. IEEE,2005.291-298.
    [200]Carrie Gates. Host Anomalies from Network Data. In Proceedings of the 2005 IEEE Workshop on Information Assuranee. IEEE,2005.325-332.
    [201]J.M.Agosta,Jaideep Chandrashekar, et al. Approaches to Anomaly Detectionusing Host Network-Traffic Traces, NIPS workshop, MLSys07, Whistler, BC, Canada. Deeember7,2007
    [202]David Whyte, P.C.van Oorschot, Evangelos Kranakis. Exposure Maps:Removing Reliance on Attribution during Scan Detection. USENIX Hotsec.2006
    [203]Tateishi, T.; Tabuchi, N.; Secure Behavior of Web Browsers to Prevent Information Leakages. Software Engineering Conference,2007. APSEC 2007.14th Asia-Pacific Page(s):65-72
    [204]Hassler, V.; Then, O.; Controlling applets' behavior in a browser, Computer Security Applications Conference,1998, Proceedings.,14th Annual Page(s):120-125
    [205]LJUDEVIT BAUER. ACCESS CONTROL FOR THE WEB VIA PROOF-CARRYING AUTHORIZATION. Doctor Dissertation. PRINCETON UNIVERSITY. NOVEMBER 2003
    [206]Collin Jackson. IMPROVING BROWSER SECURITY POLICIES. Doctor Dissertation. STANFORD UNIVERSITY. September 2009
    [207]Lenin Singaravelu. END-TO-END SECURITY OF INFORMATION FLOW IN WEB-BASED APPLICATIONS. Doctor Dissertation. Georgia Institute of Technology. August 2007
    [208]CHRISTOPHER L. GRIER. DESIGNING, IMPLEMENTING, AND EVALUATING SECURE WEB BROWSERS. Doctor Dissertation. University of Illinois at Urbana-Champaign,2009.
    [209]Charles Reis. Web Browsers as Operating Systems:Supporting Robust and Secure Web Programs. Doctor Dissertation. University of Washington.2009.
    [210]Dempster A. Upper and lower probabilities induced by multi-valued mapping. Annals of Mathematical Statistics,1967,38(2):325-339.
    [211]Shafer G. A Mathematical Theory of Evidengce. Princeton:Princeton University Press,1976. OSSEC
    [212]BASST. Intrusion detection systems and multi-sensor data fusion[J]. Communications of the ACM,2000,43(4):99-105
    [213]高翠霞.基于主机异常入侵检测方法研究.博士论文.华中科技大学.2009年11月.