Research on a Distributed Intrusion Detection System Model
Abstract
The growth of the Internet has made efficient, worldwide sharing of resources and information convenient, but it has also posed severe challenges to information security. Information security has gradually become a key problem for information systems. The traditional subject-based information security model can no longer keep pace with the development of network technology, and the P2DR model has emerged to meet this need. Intrusion detection technology is an important component of the P2DR model. As an active information security measure, intrusion detection effectively complements traditional protective technologies such as firewalls and data encryption. It identifies malicious use of computer and network resources and provides important information for countering intrusions. It not only detects intrusions from outside but also monitors unauthorized activity by internal users, thereby effectively remedying the shortcomings of traditional protective technologies. By building a dynamic security cycle, the system's security assurance capability can be maximized and the harm that security threats cause to the system reduced.
With the continuing development of computer and network technology, the wide adoption of distributed computing environments, and the spread of mass storage and high-bandwidth transmission, the traditional centralized, single-host intrusion detection system can no longer satisfy security requirements. The continued advance of attacker techniques, in particular the emergence of distributed denial-of-service (DDoS) attacks, has made Distributed Intrusion Detection (DID) a research focus of intrusion detection and indeed of the whole network security field. This thesis studies several key problems of distributed intrusion detection for large-scale networks.
The thesis first surveys the current state of network security and current network security technology. Starting from the security model of information systems, it introduces the classic subject-accesses-object security model and the P2DR dynamic security model, explains the importance of intrusion detection systems for protecting information systems and computer networks, and then states the work to be completed in this thesis: research on a distributed intrusion detection system suited to large-scale networks. It then reviews the background and development of the concepts of intrusion and intrusion detection, analyzes the basic working principles and system modules of an intrusion detection system, and presents the state of research and technology in the field from two angles, the research hotspots in the community and existing commercial products. It goes on to introduce the background and advantages of distributed intrusion detection, analyzing its advantages over traditional intrusion detection systems, and then, classified into component-based and agent-based approaches, surveys the system architectures and concrete detection techniques used at home and abroad for distributed intrusion detection, including some prototype systems still at the experimental stage and some relatively mature specifications.
On the system model side, this thesis proposes a hierarchical, cooperative, hybrid distributed intrusion detection system model. The model divides the protected network into a number of security management zones and consists of three kinds of components: sensor agents, monitor agents, and policy-enforcement (countermeasure) agents. The division of roles among the parts draws on the CIDF model, and the internal modules of each agent are designed to be functionally complete and independent. The model exhibits the characteristics of distributed intrusion detection at three levels: distribution of data sources, distribution of analysis and detection, and cooperation of detection across multiple zones. In addition, the data-fusion part of the monitor agent extracts local anomalous events by analyzing the correlation between events sent by the sensor agents. The key problems in implementing this model are then presented.
Message exchange among the components is the focus of implementation and the key to realizing the system's distributed and cooperative character. This thesis investigates component message exchange in depth. Based on the requirements for the communication mechanism and message content, and on a comprehensive analysis of domestic and foreign research approaches, it designs the concrete content of each kind of exchanged message and, using this message structure, gives the message exchange flows between components during system operation for registration, deregistration, handling of simple attacks, and handling of coordinated attacks.
A rule-based network sensor agent was built on the Windows 2000 platform, using the Snort rule set. Building on Snort's rule parsing, an improved rule parsing method is proposed: Snort's two-dimensional rule linked list is repartitioned into rule subsets, with a different partitioning scheme given for each transport-layer protocol. Solutions to several technical problems met during programming are given. Finally, to measure the sensor agent's runtime efficiency, packet-loss-rate and CPU-load tests were run; the results show that under normal network traffic the system runs effectively. In addition, the detection efficiency was tested by measuring the attack duration and the number of detectable attacks for four scanning tools; the results show that the network sensor agent detects more than 95% of scanning behaviour within a short time and takes response measures promptly.
As an important research area in network security, distributed intrusion detection still has many open problems and technical difficulties; the thesis closes with our future research directions in this area.
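The abstract describes repartitioning Snort's flat rule list into rule subsets keyed by transport-layer protocol, so that a packet is only evaluated against rules that could possibly match it. The following is an added illustration of that idea; it is not code from the thesis (whose implementation is not on this page) and it uses a deliberately simplified Snort rule grammar. The partition keys are my assumptions about a reasonable scheme: TCP and UDP rules are bucketed by destination port, ICMP rules by ICMP type, with an "any" bucket for rules that carry no key. The sample rules and packets are constructed. Both the flat scan and the partitioned lookup are run, and the results are compared, so the equivalence of the two strategies (same alerts, fewer rule evaluations) can be checked rather than assumed.

```python
"""Partitioning a flat Snort-style rule list into per-protocol rule subsets.

Constructed example with a simplified rule grammar (header plus the
msg/content/sid/itype options only); not the thesis's own code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample rules in (simplified) Snort syntax.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"HTTP cmd.exe probe"; content:"cmd.exe"; sid:1001;)',
    'alert tcp any any -> any 80 (msg:"HTTP traversal"; content:"../"; sid:1002;)',
    'alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; sid:1003;)',
    'alert tcp any any -> any any (msg:"NOP sled"; content:"|90 90 90 90|"; sid:1004;)',
    'alert udp any any -> any 53 (msg:"DNS version query"; content:"version"; sid:1005;)',
    'alert udp any any -> any 161 (msg:"SNMP public"; content:"public"; sid:1006;)',
    'alert icmp any any -> any any (msg:"ICMP echo"; itype:8; sid:1007;)',
    'alert icmp any any -> any any (msg:"ICMP unreachable"; itype:3; sid:1008;)',
]

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    proto: str
    dport: str            # numeric string or 'any'
    sid: int
    msg: str
    content: Optional[bytes]
    itype: Optional[int]


def _parse_content(raw: str) -> bytes:
    """Decode a Snort content string: |90 90| hex runs become raw bytes."""
    out = bytearray()
    for part in re.split(r'(\|[0-9a-fA-F ]+\|)', raw):
        if part.startswith('|'):
            out += bytes.fromhex(part.strip('|').replace(' ', ''))
        else:
            out += part.encode()
    return bytes(out)


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f'unparseable rule: {line}')
    opts = {}
    for opt in filter(None, (o.strip() for o in m['opts'].split(';'))):
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return Rule(proto=m['proto'].lower(), dport=m['dport'], sid=int(opts['sid']),
                msg=opts.get('msg', ''),
                content=_parse_content(opts['content']) if 'content' in opts else None,
                itype=int(opts['itype']) if 'itype' in opts else None)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Full evaluation of one rule against one packet (the expensive path)."""
    if rule.proto != pkt['proto']:
        return False
    if rule.dport != 'any' and int(rule.dport) != pkt.get('dport'):
        return False
    if rule.itype is not None and rule.itype != pkt.get('itype'):
        return False
    if rule.content is not None and rule.content not in pkt.get('payload', b''):
        return False
    return True


def subset_key(rule: Rule) -> str:
    """Protocol-specific partition key (assumed scheme, see lead-in)."""
    if rule.proto in ('tcp', 'udp'):
        return rule.dport
    if rule.proto == 'icmp':
        return str(rule.itype) if rule.itype is not None else 'any'
    return 'any'


def packet_key(pkt: dict) -> str:
    if pkt['proto'] in ('tcp', 'udp'):
        return str(pkt.get('dport'))
    if pkt['proto'] == 'icmp':
        return str(pkt.get('itype'))
    return 'any'


def build_subsets(rules):
    """Two-level partition: protocol -> key -> list of rules."""
    subsets = defaultdict(lambda: defaultdict(list))
    for r in rules:
        subsets[r.proto][subset_key(r)].append(r)
    return subsets


def detect_flat(rules, pkt):
    """Baseline: evaluate every rule. Returns (sorted sids, evaluations)."""
    return sorted(r.sid for r in rules if rule_matches(r, pkt)), len(rules)


def detect_partitioned(subsets, pkt):
    """Evaluate only the matching-key bucket plus the protocol's 'any' bucket."""
    by_key = subsets.get(pkt['proto'], {})
    cands = by_key.get(packet_key(pkt), []) + by_key.get('any', [])
    return sorted(r.sid for r in cands if rule_matches(r, pkt)), len(cands)


def same_verdicts(rules, subsets, packets) -> bool:
    """True if both strategies raise exactly the same alerts for every packet."""
    return all(detect_flat(rules, p)[0] == detect_partitioned(subsets, p)[0]
               for p in packets)


RULES = [parse_rule(line) for line in SAMPLE_RULES]
SUBSETS = build_subsets(RULES)

# Constructed sample packets (decoded fields only, no real captures).
SAMPLE_PACKETS = [
    {'proto': 'tcp', 'dport': 80, 'payload': b'GET /scripts/../cmd.exe HTTP/1.0'},
    {'proto': 'udp', 'dport': 53, 'payload': b'\x07version\x04bind'},
    {'proto': 'icmp', 'itype': 8, 'payload': b''},
    {'proto': 'tcp', 'dport': 443, 'payload': b'\x90\x90\x90\x90\xcc'},
]

if __name__ == '__main__':
    for pkt in SAMPLE_PACKETS:
        print(pkt['proto'], packet_key(pkt), detect_flat(RULES, pkt),
              detect_partitioned(SUBSETS, pkt))
    print('equivalent:', same_verdicts(RULES, SUBSETS, SAMPLE_PACKETS))
```

The interesting property is the second element of each result tuple: the flat scan always evaluates all eight rules, while the partitioned lookup evaluates one to three, and the alert sets are identical. A real deployment would also key on source port, address sets and flow direction, and the "any" bucket must always be merged in, otherwise port-agnostic rules such as the NOP-sled rule are silently lost.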
The development of the Internet offers great convenience for the efficient sharing of global resources and information, but it also severely challenges the security of information. Nowadays information security has become a crucial problem of information systems. The traditional subject-based information security model cannot adapt to the development of network technology, and the P2DR model has emerged as the times require. Intrusion detection technology is an important component of the P2DR model. As an active information-protection measure, intrusion detection complements traditional security technologies such as firewalls and data encryption. It identifies malicious use of computer and network resources and offers important information for confronting intrusions. Not only does it detect intrusions from outside, it also supervises unauthorized activities of inside users. It makes up for the limitations of traditional security defence technology. By forming a dynamic security cycle, it can maximize the system's security assurance capability and reduce the risk posed by security threats.
With the development of computer and network technology and the wide adoption of distributed computing environments, the traditional centralized intrusion detection system cannot meet security needs. The development of hacker technology, especially the emergence of distributed denial-of-service attacks, has made distributed intrusion detection the focus of intrusion detection and even of the whole network security field. This paper studies the crucial problems of distributed intrusion detection aimed at large-scale networks.
In this paper, we first analyze the status of network security and current network security technology; then, after introducing the information security model, we introduce the classic security model based on subjects accessing objects and the dynamic P2DR security model; we specify the importance of intrusion detection systems for maintaining information systems and computer network systems, and after that we advance the work to be completed in this paper: studying a distributed intrusion detection system aimed at large-scale networks. Then we study the background of the concepts and development of intrusion and intrusion detection, and analyze the basic working theory and system modules of intrusion detection systems. We introduce the status of the field by presenting the research hotspots and developed commercial products. Then we introduce the system architectures and specific detection techniques for distributed intrusion detection from home and abroad, classified into module-based and agent-based methods, including some prototypes under experiment and some mature specifications.
As to system model design, this paper puts forward a hierarchical cooperative hybrid distributed intrusion detection system model. This model divides the protected network into several security areas and is composed of sensor agents, monitor agents and countermeasure agents. The functional division of the components refers to the CIDF model, and we do our best to make the functions of the modules complete and independent. This model embodies the features of distributed intrusion detection in the distribution of data sources, the distribution of analysis and the cooperation of multiple areas. In addition, the data fusion part of the monitor agent retrieves local abnormal events by analyzing the correlation of the events sent by sensor agents. After that, we advance the important problems of realizing the model.
Component message exchange is the stress of realization and the key point of distributed detection. We make deep research on message exchange. Based on the needs of the communication mechanism and message contents, and after analyzing research methods from home and abroad, we design the specific content of various messages and the message exchange flows of login, logout, handling simple attacks and handling coordinated attacks during

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号