Research on a Policy-Tree-Based Proactive Defense Model for Network Security
Abstract
Security requirements are shifting from information security to information assurance. Traditional passive protection can no longer cope with the current security situation, and defense in depth and proactive defense have emerged in response. Defense in depth aims to improve the attack resistance and survivability of information systems, so that an attacker who breaches one layer of defense cannot compromise the entire information infrastructure. Proactive defense incorporates defense in depth and, compared with traditional defense, is distinctly active: it predicts intrusion trends, gathers attack information, and dynamically assesses intrusion threats and responds to them. This reflects the adversarial nature of network security. However, the lack of systematic theoretical guidance makes proactive defense of information systems difficult.
    This dissertation studies and applies proactive defense models and techniques from both the theoretical and the implementation side. It covers a policy-tree-based proactive defense model, a large-scale intrusion detection method, a threat assessment method for coordinated attacks, network security early warning methods, active/passive security response techniques, and security applications of the proactive defense model. The research produced the following contributions:
    A formal proactive defense model based on policy trees: the structure, attributes and operations of the policy tree are defined in the Z notation. The completeness, correctness and consistency of policy trees are analysed, and a completeness construction method for security policies, an abstract specification for correctness verification, and an automatic consistency checking method are proposed. The formal model provides theoretical and methodological support for proactive network security defense. A security defense system described with this model can detect known attacks and large-scale intrusions, predict unknown attacks and security trends, and respond in a targeted way on the basis of threat assessment.
    A detection method for large-scale intrusions: building on traditional intrusion detection, the NASTQ method is proposed. The method characterises the spatio-temporal distribution of intrusion events, such as their distribution across network segments, requested service types and attack types, which makes intrusion alerts more concise and effective. A threat assessment method for coordinated intrusions is also proposed; it evaluates the threat level of an attack from factors such as the initial threat value, the distribution of attack sources, the attack frequency and the importance of the attack target, and the result serves as the basis for intrusion response.
    A network security early warning scheme, comprising medium/long-term and short-term security trend prediction. The former predicts the future number of occurrences of a given attack from its historical pattern; the effect of time granularity on the prediction and the algorithm's accuracy on periodic versus non-periodic attacks are also analysed. The latter establishes measurement metrics for normal traffic and uses them to predict the occurrence of new types of attack.
    A graded (strong/weak) intrusion response technique system: the main security response techniques are studied, including attack source traceback, attack blocking, attack absorption and redirection, honeypots, and host wingman (service switching) techniques. This system of response techniques lays the foundation for designing efficient intrusion response systems.
    Application systems based on the proactive defense model: example applications are built for a network security proactive defense system and a large-scale strategic early warning and supervision system. A method for assessing proactive defense capability is proposed, and an automated attack system for network confrontation environments is designed.
English abstract
Security requirements are changing from information security to information assurance. Traditional passive protection cannot adapt to this new situation, so enhanced defense (defense in depth) and proactive defense have been proposed. Enhanced defense improves the robustness and survivability of an information system: it prevents an attacker from damaging the system even after they have broken through one or several, but not all, of its layers. Proactive defense integrates enhanced defense and, in contrast with traditional defense, is markedly active: it predicts intrusion trends, obtains information about the attacker, and dynamically evaluates and responds to intrusions. This reflects the adversarial nature of network security. At present, building a proactive defense system is a challenge because there are no well-established theories to support it.
    This dissertation conducts research on proactive defense, its supporting theories and its technologies. It covers a policy-tree-based proactive defense model, a large-scale intrusion detection method, threat assessment metrics for coordinated attacks, an early warning scheme for network security, active and passive response technologies, and applications of the proactive defense model. The contributions of this dissertation include:
    Proposing a formal model for proactive defense based on a policy tree
    The model is formally defined in the Z notation. Its completeness, correctness and consistency are analyzed, and a completeness construction method, an abstract specification for correctness validation and a consistency checking method for security policies are proposed. The policy-tree model gives theoretical and methodological support to proactive defense. A proactive defense system based on this model can detect known attacks and large-scale intrusions, predict unknown attacks and security trends, and respond effectively according to threat assessment.
    Proposing a detection method for large-scale intrusion
    Building on traditional intrusion detection, NASTQ is proposed to represent the network segment distribution, service distribution and attack type distribution of intrusion events. NASTQ makes alerts simpler and more comprehensive. The threat assessment metrics for coordinated intrusion evaluate the threat according to an initial value, the attacker distribution, the attack frequency and the value of the protected target.
    Proposing an early warning scheme for network security
    The scheme consists of an Intrusion-Event-based Early Warning method (IEEW) and a Sampling-Measurement-based Early Warning method (SMEW), suited to long-term and short-term security trend prediction respectively. IEEW predicts the future occurrence of intrusions from statistical data; it performs better on periodic attacks than on non-periodic ones. IEEW is more suitable for DoS attacks. By building a profile of normal traffic, SMEW predicts unknown attacks from anomalous traffic.
    Proposing an Intrusion Response Technical Architecture (IRTA)
    Most active intrusion response technologies are covered and classified according to how they control the attacker and protect the target. They include IP traceback based on packet marking, attack interdiction, attack absorption and redirection, honeypots and service switching. An effective intrusion response system can be built on the proactive defense model and IRTA.
    Building applications based on the above proactive defense model
    A proactive defense system and a strategic early warning, monitoring and administration system for networks are investigated. A new methodology for assessing proactive defense capability is proposed. An automated attacking system for information warfare is designed as the counterpart application of the proactive defense model.

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号