Research on Real-Time Correlation Technology for Network Security Events

Abstract
As networks and their applications develop, people depend on them more and more and the assets connected to the network grow ever larger; at the same time, the challenges facing the network security field grow more severe, and security incidents caused by malicious attacks occur from time to time with enormous losses. To protect their network systems, enterprises and organizations deploy more and more security products (such as intrusion detection systems, firewalls and anti-virus systems), but applying these products not only falls far short of expectations, it also creates new problems. The security events these products generate (alerts, security logs and similar data) are enormous in volume and accompanied by serious false positives or false negatives, so they cannot serve as a direct basis for response. As a result, it is hard to pick the truly dangerous state out of the flood of security events, and attacks cannot be detected or predicted in real time.
Although the various correlation techniques proposed to solve these problems each have some effect, they still have serious shortcomings, mainly in the following respects. First, the concepts are vague, lacking consideration and definition from a global correlation perspective. Second, there is no real-time correlation solution: some aggregation methods either work offline or, when online, have many parameters that are hard to determine and cannot produce effective real-time warnings. Third, there is no real-time dynamic quantitative risk assessment system or method built on higher-level security events. Therefore, correlating enormous numbers of security events in real time and effectively identifying the real security risks or threats is of great importance to network security.
Network security event correlation methods from China and abroad are summarized and classified into five categories: classification, aggregation, sequence correlation, cross correlation and others. The relevant definitions of network security event correlation are given from a global correlation perspective. Network security event correlation can also be called intrusion detection in the broad sense (high-level intrusion detection, or post-intrusion detection); it is a set of specific data correlation methods proposed for the problems in network security event handling, which combines security events from different spatial sources and different time sequences with the concrete network environment, and reduces false positives, compensates for false negatives and confirms attacks by analysing the relationships among network security events and between security events and their environment. Four kinds of relationship among network security events are identified, namely redundancy, sequence, parallelism and environment matching, together with the evaluation problem of correlation processing systems. The typical open-source correlation system OSSIM is analysed in depth and four directions for improving it are identified. This foundational work lays the theoretical basis for the system design of real-time network security event correlation.
A comprehensive system solution for real-time correlation of network security events, NSICMS, is designed. Its guiding principles are "global perspective, proactive, object-oriented, continuous optimization", and its basic goals are "reduce the number of security events, improve their quality, detect and predict attacks in real time, and protect the controlled network". The solution inherits the basic ideas of the PDR dynamic model and takes proactive measures such as "zoned management and defence in depth; controllable and manageable, real-time linkage; hiding and camouflage, mixing real and decoy; continuous hardening to raise resistance" as the foundation of network security event correlation processing; these foundations can greatly reduce the number of security events sent to upper-level correlation. NSICMS is a network of security event correlation processing that integrates real-time correlation methods for the different security event relationships, such as real-time aggregation, real-time cross correlation, real-time sequence correlation and real-time risk assessment.
A real-time aggregation method for network security events is proposed. It takes the nodes of the controlled network as its object of study, which simplifies the content of correlation; it represents node hyper security events in a cache, which guarantees real-time operation; and it replaces the time window with a weak queue length, which weakens the concept of a time window and solves the problem that the time parameters of common aggregation algorithms are hard to determine. The method supplies high-quality hyper security events to subsequent correlation in real time, has no hard-to-determine parameters, and discards the non-real-time notion of an "aggregation rate"; several of its ideas and concepts are new, such as the definition of aggregation granularity and the replacement of the time window with a weak queue window.
A real-time correlation method for security event sequences is proposed. Aimed at multi-step attacks and built on the results of real-time aggregation and cross correlation, it can predict attacks in advance and discover cooperative multi-step attacks. It uses mined and validated multi-step attack patterns and issues attack warnings by matching hyper security events in real time. Its attack scenario pattern mining algorithm uses a new mining data set, which overcomes the problems of mining scenarios directly from alert data; its real-time hyper security event matching and warning algorithm overcomes the missed warnings caused by fixed patterns of thinking.
A real-time dynamic quantitative risk assessment method is proposed. It treats network security events as the inducement of risk, takes the risk of real-time hyper security events as its foundation, and fully considers the sequence correlation relationships among hyper security events. Computing node risk quantitatively, dynamically and in real time makes risk reduction easier; displaying node risk dynamically in real time (with nodes of different asset grades displayed separately) gives security managers global, real-time awareness of the security posture of the whole controlled network.
With the development of networks and their applications, people are becoming more and more dependent on networks, and the assets connected to them have grown enormously. Meanwhile the network security field faces demanding challenges, and security incidents resulting from malicious attacks have caused tremendous losses. To protect company and organization networks, security devices such as IDS (intrusion detection systems), firewalls and AVS (anti-virus systems) have been deployed; however, the effect is far from expectations and new problems have been introduced. The security events generated by these devices, such as alert data and security audit data, appear in huge volumes and are accompanied by serious false positives and false negatives, which makes them unusable as direct knowledge for attack response. Ultimately it is hardly possible to identify a genuinely dangerous situation among the overwhelming security events, or to discover and predict attacks in real time.
At present, although the different correlation technologies that aim at solving the issues above are somewhat effective, serious deficiencies still exist. First, concepts are indefinite, lacking considerations or definitions from a holistic correlation viewpoint. Second, there is no effective real-time correlation method: some aggregation methods either work off-line or cannot determine their parameters while working on-line, let alone provide effective real-time alerting. Third, there is no real-time dynamic quantitative risk evaluation system based on relatively high-grade security events. Thus it is significant for the network security field to analyze huge numbers of security events with a real-time correlation method and to effectively recognize genuine security risks and threats.
In this paper, network security event correlation methods are summarized and classified into five categories: classification correlation, aggregation correlation, sequence correlation, cross correlation and other correlation. The relevant concepts of network security event correlation are defined from a holistic correlation viewpoint. Network security event correlation can be called broad-sense intrusion detection, i.e. high-level intrusion detection or post-intrusion detection. It is a specific data correlation method targeting the problems of network security event treatment, in which transverse security events (from different sources) and lengthwise security events (with temporal sequence relations) are integrated with the specific network environment. Relationships among network security events and between security events and their environment are analyzed to reduce false positives, discover missed detections and confirm attacks. There are four main types of relationship among security events, namely redundancy, sequence, coordination and environment match. The evaluation problem of correlation systems is pointed out, and the typical system OSSIM is analyzed in depth. These fundamental works provide the theoretical basis for the real-time correlation design of network security events.
A systematic design of a security event correlation system, NSICMS, is proposed. It is based on a holistic view characterized by initiative, object-orientation and continuous updating, and it aims at reducing the quantity of security events, improving their quality, performing real-time detection and attack prediction, and protecting the controlled network. NSICMS inherits the basic ideas of the PDR dynamic model and makes several active strategies the basis of network security event correlation, reducing the quantity of security events at the upper correlation level. NSICMS is a security event correlation network consisting of different servers and real-time correlation methods for security events with different relationships, such as aggregation correlation, cross correlation, sequence correlation and risk evaluation.
A real-time aggregation method for network security events is proposed, which targets the nodes of the controlled network. It simplifies the specific content of correlation, adopts a cached representation of node hyper security events to guarantee real-time operation, and replaces the time window with a weak queue length, diminishing the concept of the time window so as to remove the indefiniteness of the time parameter in common aggregation algorithms. This aggregation method provides high-quality hyper security events for succeeding correlation in real time, without hard-to-determine parameters or the notion of an aggregation rate. Several of its ideas and concepts are new, for example the definition of aggregation granularity and the replacement of the time window with a weak queue window.
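As an added illustration of the node-oriented aggregation described above (this is not code from the thesis or from NSICMS): each controlled-network node keeps a small ordered cache of hyper security events, alerts that share an assumed granularity key of (signature, source) merge into one cached entry, and a bounded queue length, rather than a time window, decides when the oldest entry is flushed to the next correlation stage. The alert stream, the signature names and the granularity key are constructed assumptions.

```python
"""Node-oriented real-time alert aggregation with a bounded per-node queue.

Added illustration of the abstract's aggregation idea; not the thesis code."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    """One raw security event from a sensor (IDS, firewall, ...)."""
    ts: float
    sensor: str
    signature: str
    src: str
    dst: str  # controlled-network node the event is attributed to


@dataclass
class HyperEvent:
    """Aggregated hyper security event cached per node."""
    node: str
    signature: str
    src: str
    first_ts: float
    last_ts: float
    count: int = 1
    sensors: set = field(default_factory=set)


class NodeAggregator:
    """Aggregation keyed by controlled-network node.

    Assumed granularity: alerts on the same node that share (signature, src)
    merge into one HyperEvent.  Instead of a time window, each node keeps an
    insertion-ordered cache bounded by `weak_queue_len`; when a new distinct
    hyper event pushes the cache past that length, the oldest entry is flushed
    downstream immediately, so nothing waits for a timer to expire.
    """

    def __init__(self, weak_queue_len: int = 4) -> None:
        self.weak_queue_len = weak_queue_len
        self.cache: Dict[str, "OrderedDict[Tuple[str, str], HyperEvent]"] = {}

    def feed(self, a: Alert) -> Optional[HyperEvent]:
        """Absorb one alert; return a hyper event if one was flushed."""
        q = self.cache.setdefault(a.dst, OrderedDict())
        key = (a.signature, a.src)
        he = q.get(key)
        if he is None:
            he = HyperEvent(a.dst, a.signature, a.src, a.ts, a.ts, 1, {a.sensor})
            q[key] = he
        else:
            he.count += 1
            he.last_ts = max(he.last_ts, a.ts)
            he.sensors.add(a.sensor)
        if len(q) > self.weak_queue_len:
            _, oldest = q.popitem(last=False)  # flush the oldest cached entry
            return oldest
        return None

    def flush_all(self) -> List[HyperEvent]:
        """Drain every node cache (e.g. at shutdown); returns the remainder."""
        out: List[HyperEvent] = []
        for q in self.cache.values():
            out.extend(q.values())
            q.clear()
        return out


# Constructed sample stream: a ping sweep seen by two sensors, an SSH
# brute-force attempt, a firewall block, and one alert against a second node.
SAMPLE_ALERTS: List[Alert] = (
    [Alert(i * 0.1, "snort-1", "ICMP PING NMAP", "10.0.0.5", "192.168.1.10")
     for i in range(20)]
    + [Alert(1.0, "snort-2", "ICMP PING NMAP", "10.0.0.5", "192.168.1.10"),
       Alert(2.0, "snort-1", "SSH brute force", "10.0.0.7", "192.168.1.10"),
       Alert(2.5, "fw-1", "Blocked inbound 445", "10.0.0.9", "192.168.1.10"),
       Alert(3.0, "snort-1", "Web dir traversal", "10.0.0.7", "192.168.1.20")]
)


def run(alerts: List[Alert], weak_queue_len: int = 2) -> Tuple[List[HyperEvent], List[HyperEvent]]:
    """Feed the stream; return (events flushed in real time, events left in cache)."""
    agg = NodeAggregator(weak_queue_len)
    flushed = [he for he in (agg.feed(a) for a in alerts) if he is not None]
    return flushed, agg.flush_all()


if __name__ == "__main__":
    flushed, rest = run(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(flushed) + len(rest)} hyper events")
    for he in flushed + rest:
        print(f"node={he.node} sig={he.signature!r} src={he.src} "
              f"count={he.count} sensors={sorted(he.sensors)}")
```

With a weak queue length of 2, the 21 ping alerts collapse into one hyper event that is pushed downstream the moment a third distinct event arrives for that node, without any time window having been configured.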
A real-time correlation method for security event sequences is proposed. Aimed at correlating multi-stage attacks, it is based on the results of real-time aggregation and cross correlation. It is able to predict attacks and to discover cooperative multi-stage attacks. It uses reliable multi-stage attack patterns obtained after mining and validation, and matches real-time hyper security events to raise attack alerts. The attack scenario pattern mining algorithm adopts a new mining data set, avoiding the problems of mining scenarios directly from alert data. The real-time hyper security event matching and alerting algorithm overcomes the problem of missed alerts caused by stereotyped thinking.
A real-time dynamic risk evaluation method is proposed. It treats security events as inducements of risk, takes the risk of real-time hyper security events as its foundation, and calculates node risk in a real-time, dynamic and quantitative way for the sake of risk reduction. Node risk is displayed dynamically in real time, with nodes of different asset grades and categories presented separately, offering security managers real-time holistic awareness of the security situation in the controlled network.