基于多源融合的网络安全态势量化感知与评估
|
摘要
随着计算机技术的普及,网络已成为社会进步的重要推动力量。然而,日益严峻的安全形势使得网络技术的发展面临着巨大的挑战,传统的单点安全系统(如IDS、Firewall、VPN等)虽然在一定程度上提高了网络的安全性,但由于彼此间缺乏有效的协作,无法实现全网的安全态势监控。在这种背景下,开展对网络安全态势感知的研究,具有较高的学术价值和广泛的现实意义。
目前,对于网络安全态势感知的研究还不成熟,态势感知模型多基于单源环境;量化感知主要依靠对安全传感器原始报警信息的统计量化,仍无法实现对攻击阶段和序列的感知;对态势评估的研究多集中于指标体系的确立,仍缺乏对评估模型和评估方法的深入讨论。鉴于上述情况,本文提出基于多源融合的网络安全态势感知研究,并对所涉及到的框架模型、攻击轨迹获取、量化感知和评估等技术问题进行深入探讨。
首先,针对技术背景需求,研究基于多源融合的网络安全态势感知层次模型(MsFHM)。本模型自下而上分为信息获取层、量化感知层和态势评估层三个层次,对融合、轨迹重构、量化感知和评估等模型组件展开详细描述,并从整体上明确了层次与层次、组件与组件之间的关系。对组件的分析表明,MsFHM能够满足多源融合、面向攻击轨迹的复杂态势感知和态势评估等方面的研究需求,并以MsFHM为指导,构建一条从信息获取到量化感知再到态势评估的研究路线。通过模型的应用,验证本框架模型是有效的,可用于指导工程实践,并为后续研究内容的开展奠定基础。
其次,在MsFHM的基础上,根据融合算法对推理准确性、先验知识和鲁棒性等的需求,以报警聚合和位图冲突证据剔除为多源融合的预处理,研究基于粒子群D-S证据理论(PSO-DS)的多源融合算法,降低不确定性,融合生成准确的报警。接着,根据融合报警构造超警,提出基于超警复合关联相异度(HACCD)的攻击轨迹重构方法,达到分阶段、细粒度安全信息获取的目的,并为层次量化感知提供必要的条件。仿真试验结果表明,在PSO-DS多源融合算法提高检测率和降低误警率的基础上,基于HACCD的轨迹重构方法也具有较高的准确性和完整性。
再次,研究基于威胁因子生成的量化感知方法,包括态势要素提取和量化感知两个方面的研究内容。一方面,根据态势要素提取模型,以攻击强度、攻击阶段和事件威胁程度等作为态势要素,并结合对威胁因子和威胁等级函数关系的推演,生成威胁因子;另一方面,提出基于威胁因子加权量化的感知方法,实现对攻击阶段、攻击轨迹和网络三个层次的量化感知。仿真实验结果表明,该量化感知方法能够并行、直观和准确的反映攻击轨迹和网络系统安全态势的动态演化情况,能够有效的监控和管理网络,并为正确决策提供依据。
最后,研究基于最优线性分配的NSSA评估方法。首先,从报警准确性、轨迹可信性、量化感知精确度和应用时效性等方面确立信息获取层和量化感知层两个层次的评估指标。然后构建NSSA的评估模型,并在模型的指导下,通过分析线性分配理论,最终提出基于最优线性分配的网络安全态势评估方法,并利用信息获取层和量化感知层的评估指标,实现对NSSA的定量评估。仿真实验表明,本评估方法能够满足评估需求,可以从报警、攻击轨迹、量化感知和环境的角度反映NSSA的感知能力。
With the popularization of computer technology, network provides great impetus for the advancement of society. However, the development of the network technology faces with great challenges under the unceasing rigorous network situation and traditional single-point heterogeneous security defense technologies, such as IDS, Firewall and VPN, can enhance security performance of network system to a certain degree, but among which lack of effective collaboration leads to being unable to monitor the whole network security situation. Under this circumstance, the research about Network Security Situation Awareness (NSSA) has upper academic value and comprehensive practical value.
But the researches related to NSSA are still far away from maturation at present. Most of situation awareness models are based on single-source environment, quantification awareness methods mainly depend on quantifying the raw alerts of the security sensor and they can not actualize the awareness of attcak steps and sequences. The research aobut situation evaluation mainly focuses on the construction of index system and is lack of deep study in evaluation model and method. Aiming at these problems, a research scheme of NSSA based on multi-source fusion is proposed in which the framework model, attack track acquisition, quantification awareness and the situation evaluation related to this study are also discussed deeply.
Firstly, facing with the technology requirements, a NSSA hierarchy model based on muti-source fusion (MsFHM) is studied. This model is divided into three layers which called information acquisition layer, quantification awareness layer and situation evaluation layer from bottom to top. The components of every layer are desciribed in detai and the ralations between blayer and layer, component and component are illuminated clearly. The analysis of model components shows that MsFHM can meet the demands of research in multi-source fusion, attack track oriented complicated situation awareness and situation evaluation. And this model also constructs a kind of research line from information acquisition and quantification awareness to situation evalutaion. The results of the model application validate that the model is effective. It can be used to guide the development of engineering practice and also establish the foundation for successive research contents.
Secondly, based on MsFHM and the requirements of fusion methods in reasoning precision, prior knowledge and robustness, the PSO-DS multi-source fusion algorithm is studied using the alerts aggregation and Bit Map collision evidence elimination as the preprocessing. The fusion algorithm reduces the uncertainty and generates accurate alerts. After that, the hyper-alerts are created according to the aggregation algorithm based on the fusion alerts,and a attack track reconsturction method is put forward based on the hyper-alert correlation composite difference (HACCD). The HACCD method reaches the goal of information acquisition in fine-grained by step and also provides the necessary condition for hierarchy quantification awareness in next step. The simulation experiments show that the PSO-DS multi-source fusion algorithm can increase the detection rate and decrease the false detection rate. According to this, the track reconstruction method based on HACCD has the higher correctiveness and soundness.
Thirdly, the network security situation quantification awareness method based on the threat gene generation is explored and this method includes two aspects which consist of situation factors extraction and quantification awareness. In first aspects, a situation factors model is constructed and in this model the situation factors are attack intensity, attack step, event threat degree and et.al. The threat gene is achieved through the reasoning of the function relation between the threat gene and the threat level. In second aspects, a threat gene weighted quantification awareness method is proposed that accomplishes the quantification awareness of the attack step, the attack track and the network. The simulation experimental results show that this quantification awareness method can reflects dynamic evolvement of attack track situation and the network system situation in a parallel, intuitionistic and accurate way. And this method can not only monitor and manage the network effectively, but also provide evidence for decision-making.
Finally, a NSSA evaluation method based on optimization linear assignment is presented. First of all, the evaluation indexes include alert purity, track confidence, awareness precision and application timeliness are established which are divided into information acqusition layer and quantification awareness layer. Then a NSSA evaluation model is constructed. According to the evaluation model and linear assignment theory, the network security situation evaluation method is proposed based on optimal linear assignment ultimately and the quantitative evaluation is realized using the indexes of information acqusition layer and quantification awareness layer. The simulation experiments demonstrate that the evaluation method is able to satisfy the evaluation requirements and reflect the awareness performance of NSSA from the aspects of alert, attack track, quantification awareness and environment.
目前,对于网络安全态势感知的研究还不成熟,态势感知模型多基于单源环境;量化感知主要依靠对安全传感器原始报警信息的统计量化,仍无法实现对攻击阶段和序列的感知;对态势评估的研究多集中于指标体系的确立,仍缺乏对评估模型和评估方法的深入讨论。鉴于上述情况,本文提出基于多源融合的网络安全态势感知研究,并对所涉及到的框架模型、攻击轨迹获取、量化感知和评估等技术问题进行深入探讨。
首先,针对技术背景需求,研究基于多源融合的网络安全态势感知层次模型(MsFHM)。本模型自下而上分为信息获取层、量化感知层和态势评估层三个层次,对融合、轨迹重构、量化感知和评估等模型组件展开详细描述,并从整体上明确了层次与层次、组件与组件之间的关系。对组件的分析表明,MsFHM能够满足多源融合、面向攻击轨迹的复杂态势感知和态势评估等方面的研究需求,并以MsFHM为指导,构建一条从信息获取到量化感知再到态势评估的研究路线。通过模型的应用,验证本框架模型是有效的,可用于指导工程实践,并为后续研究内容的开展奠定基础。
其次,在MsFHM的基础上,根据融合算法对推理准确性、先验知识和鲁棒性等的需求,以报警聚合和位图冲突证据剔除为多源融合的预处理,研究基于粒子群D-S证据理论(PSO-DS)的多源融合算法,降低不确定性,融合生成准确的报警。接着,根据融合报警构造超警,提出基于超警复合关联相异度(HACCD)的攻击轨迹重构方法,达到分阶段、细粒度安全信息获取的目的,并为层次量化感知提供必要的条件。仿真试验结果表明,在PSO-DS多源融合算法提高检测率和降低误警率的基础上,基于HACCD的轨迹重构方法也具有较高的准确性和完整性。
再次,研究基于威胁因子生成的量化感知方法,包括态势要素提取和量化感知两个方面的研究内容。一方面,根据态势要素提取模型,以攻击强度、攻击阶段和事件威胁程度等作为态势要素,并结合对威胁因子和威胁等级函数关系的推演,生成威胁因子;另一方面,提出基于威胁因子加权量化的感知方法,实现对攻击阶段、攻击轨迹和网络三个层次的量化感知。仿真实验结果表明,该量化感知方法能够并行、直观和准确的反映攻击轨迹和网络系统安全态势的动态演化情况,能够有效的监控和管理网络,并为正确决策提供依据。
最后,研究基于最优线性分配的NSSA评估方法。首先,从报警准确性、轨迹可信性、量化感知精确度和应用时效性等方面确立信息获取层和量化感知层两个层次的评估指标。然后构建NSSA的评估模型,并在模型的指导下,通过分析线性分配理论,最终提出基于最优线性分配的网络安全态势评估方法,并利用信息获取层和量化感知层的评估指标,实现对NSSA的定量评估。仿真实验表明,本评估方法能够满足评估需求,可以从报警、攻击轨迹、量化感知和环境的角度反映NSSA的感知能力。
With the popularization of computer technology, network provides great impetus for the advancement of society. However, the development of the network technology faces with great challenges under the unceasing rigorous network situation and traditional single-point heterogeneous security defense technologies, such as IDS, Firewall and VPN, can enhance security performance of network system to a certain degree, but among which lack of effective collaboration leads to being unable to monitor the whole network security situation. Under this circumstance, the research about Network Security Situation Awareness (NSSA) has upper academic value and comprehensive practical value.
But the researches related to NSSA are still far away from maturation at present. Most of situation awareness models are based on single-source environment, quantification awareness methods mainly depend on quantifying the raw alerts of the security sensor and they can not actualize the awareness of attcak steps and sequences. The research aobut situation evaluation mainly focuses on the construction of index system and is lack of deep study in evaluation model and method. Aiming at these problems, a research scheme of NSSA based on multi-source fusion is proposed in which the framework model, attack track acquisition, quantification awareness and the situation evaluation related to this study are also discussed deeply.
Firstly, facing with the technology requirements, a NSSA hierarchy model based on muti-source fusion (MsFHM) is studied. This model is divided into three layers which called information acquisition layer, quantification awareness layer and situation evaluation layer from bottom to top. The components of every layer are desciribed in detai and the ralations between blayer and layer, component and component are illuminated clearly. The analysis of model components shows that MsFHM can meet the demands of research in multi-source fusion, attack track oriented complicated situation awareness and situation evaluation. And this model also constructs a kind of research line from information acquisition and quantification awareness to situation evalutaion. The results of the model application validate that the model is effective. It can be used to guide the development of engineering practice and also establish the foundation for successive research contents.
Secondly, based on MsFHM and the requirements of fusion methods in reasoning precision, prior knowledge and robustness, the PSO-DS multi-source fusion algorithm is studied using the alerts aggregation and Bit Map collision evidence elimination as the preprocessing. The fusion algorithm reduces the uncertainty and generates accurate alerts. After that, the hyper-alerts are created according to the aggregation algorithm based on the fusion alerts,and a attack track reconsturction method is put forward based on the hyper-alert correlation composite difference (HACCD). The HACCD method reaches the goal of information acquisition in fine-grained by step and also provides the necessary condition for hierarchy quantification awareness in next step. The simulation experiments show that the PSO-DS multi-source fusion algorithm can increase the detection rate and decrease the false detection rate. According to this, the track reconstruction method based on HACCD has the higher correctiveness and soundness.
Thirdly, the network security situation quantification awareness method based on the threat gene generation is explored and this method includes two aspects which consist of situation factors extraction and quantification awareness. In first aspects, a situation factors model is constructed and in this model the situation factors are attack intensity, attack step, event threat degree and et.al. The threat gene is achieved through the reasoning of the function relation between the threat gene and the threat level. In second aspects, a threat gene weighted quantification awareness method is proposed that accomplishes the quantification awareness of the attack step, the attack track and the network. The simulation experimental results show that this quantification awareness method can reflects dynamic evolvement of attack track situation and the network system situation in a parallel, intuitionistic and accurate way. And this method can not only monitor and manage the network effectively, but also provide evidence for decision-making.
Finally, a NSSA evaluation method based on optimization linear assignment is presented. First of all, the evaluation indexes include alert purity, track confidence, awareness precision and application timeliness are established which are divided into information acqusition layer and quantification awareness layer. Then a NSSA evaluation model is constructed. According to the evaluation model and linear assignment theory, the network security situation evaluation method is proposed based on optimal linear assignment ultimately and the quantitative evaluation is realized using the indexes of information acqusition layer and quantification awareness layer. The simulation experiments demonstrate that the evaluation method is able to satisfy the evaluation requirements and reflect the awareness performance of NSSA from the aspects of alert, attack track, quantification awareness and environment.
引文
[1] S.Braynov, M.Jadliwala. Representation and analysis of coordinated attacks. Proceedings of the 2003 ACM Workshop on Formal Methods in Security Engineering, New York, NY, USA, 2003.10:43-51P
[2] J. R.Goodall, W. G. Lutters, and A.Komlodi. The work of intrusion detection: rethinking the role of security analysts. Proceeding of the Tenth Americas Conference on Information System, New York, NY, USA, 2004.8:1421-1427P
[3] Navy Aviation Schools Command. Situational awareness. www.cnet. navy.mil.crm/crm/stand_mat/seven_skills/sa.asp
[4]王慧强,赖积保,朱亮,梁颖.网络安全态势感知系统研究综述.计算机科学.2006,33(10):5-10页
[5] M.R.Endsley. Design and evaluation for situation awareness enhancement. Proceeding of the 32nd Human Factors Society Annual Meeting, Anaheim, California, USA, 1988: 97-101P
[6] G.Tadda, J.J.Salerno, D.Boulware, et.al. Realizing situation awareness in a cyber environment. Proceedings of Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications, Kissimmee, Florida, USA, 2006,SPIE 6242:1-8P
[7] T.Bass. Multi-sensor data fusion for next generation distributed intrusion detection systems. Johns-Hopkins University, Applied Physics Laboratory, Proceedings of IRIS National Symposium on Sensor and Data Fusion, Laurel, MD,USA,1999:24-27P
[8] T.Bass, D.Gruber. A glimpse into the future of ID. Special Issue on Intrusion Detection. www.silkroad.com/papers/pdf/usenix-glimpse.pdf,1999.9
[9] V.Yegneswaran, P.Barford. Using honeynets for internet situational awareness, http://www.cs.wisc.edu/~pb/hotnets 05_final.pdf,2006
[10] E.Hughes, A.Somayaji. Towards network awareness. Proceeding of 19th Large Installation System Administration Conference, Long Beach, CA,USA, 2005:113-123P
[11] K.Lakkaraju, Y.Li, X.Yin, W.Yurcik. NVisionIP and VisFlowConnect: Two Interactive Tools for Visualizing Network Flow for Security. www.ncassr.org/projects/sift,2004
[12] G.Cole, N.Bulashova, W.Yurcik. Geographical netflows visualization for network situational awareness: naukanet administrative data analysis system (NADAS). http://www. ncassr.org/projects/sift/ papers/NADAS.pdf,2004
[13] A. Siraj, R. B. Vaughn.Office Of The Secretary Of Defense, Deputy Director Of Defense Research & Engineering Deputy Under Secretary Of Defense, Small Business Innovation Research. 2005.3
[14] Advanced Research and Development Activity (ARDA). Exploratory Program Call for Proposals.2006
[15] D.L. Hall. Mathematical Techniques in Multisensor Data Fusion. Bosston: Artech House. 2004:125-137.
[16] S.G. Batsell, N.S. Rao, M. Shankar. Distributed Intrusion Detection and Attack Containment for Organizational Cyber Security.http://www.ioc.ornl.gov/projects/documents/containment.pdf,2005
[17] J.Shifflet. A technique independent fusion model for network intrusion detection. Proceedings of the Midstates Conference on Undergraduate Research in Computer Science and Mathematics, College of Wooster in Ohio, 2004.10:13-19P
[18] J.J.Salerno, M.Hinman, D.Boulware. A situation awareness model applied to multiple domains. Proceedings of the Defense and Security Conference, Orlando, FL, USA,5813:65-74P
[19] D.Shen, G.Chen, J.B.Cruz, et al. A markov game theoretic data fusion approach for cyber situational awareness. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications,2007, Orlando, Florida, USA :1-11P
[20] R.Polikar, D.Parikh, S.Mandayam. Multiple classifier systems for multisensor data fusion. Proceedings of IEEE Sensors Applications Symposium, Houston, Texas USA, ,2006:180-184P
[21] C.Siaterlis, V.Maglaris. One step ahead to multisensor data fusion for DDoS detection. Journal of Computer Security,2005, 13:779-806P
[22] J.Beyerer, M.Heizman, J.Sander. Fuselets-an agent based architecture for fusion of heterogeneous information and data. Proceedings of SPIE 2006, Kissimmee, Florida, USA ,2006:1-9P
[23] J.Lu, X. Yang, G. Zhang. Support vector machine-based multi-source multi-attribute information integration for situation assessment. Expert Systems with Application,2007, 34(2):1333-1340P
[24] J.J.Braun, S.P.Jeswani. Information fusion of large number of sources with support vector machine technique. Proceedings of SPIE 2003, Orlando, FL, USA ,2003:13-23P
[25] J.Zhang, K.Wang, Q.Yue. Data fusion algorithm based on functional link artificial neural networks. Proceedings of the 6th World Congress on Intelligent Control and Automation, Dalian China,2006:2806-2810P
[26] M.Sudit, A.Stotz, M.Holender. Measuring situational awareness and resolving inherent high-level fusion obstacle. Proceedings of SPIE 2006, Kissimmee, Florida, USA ,2006:1-9P
[27] M.Oxenham, S.Challa, M.Morelande. Fusion of disparate identity estimates for shared situation awareness in a network-centric environment. Information Fusion,2006,7:395-417P
[28] B.Sabata, C.Ornes. Multi-source evidence fusion for cyber situation assessment. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications,2006, Orlando, FL, USA,2006:1-9P
[29] A.Blyth. Footprinting for intrusion detection and threat assessment. Information Security Technical Report. 1999,4(3):43-53P
[30] B.D'Ambrosio, M.Takikawa, J.Fitzgerald, D.Upper, and et.al. Security situation assessment and response evaluation (SSARE). Proceedings of DARPA Information Survivability Conference & Exposition II, Berkeley, California,2001.7:387– 394P
[31] V.Gorodetsky, O.Karsaev, V.Samoilov. On-line update of situation assessment based on asynchronous data streams. Knowledge-Based Intelligent Information and Engineering Systems,LNCS 3213,Berlin,Heidelberg,2004:1136-1142P
[32] J.J.Selerno, G.Tadda, D.Boulware, et.al. Achieving situation awareness in a cyber environment. Proceedings of the MILCOM2005, Atlantic City, New Jersey,2005.10:123-129P
[33] P.Ning, Y.Cui, D.S.Reeves. Construction attack scenarios through correlation of intrusion alerts. Proceedings of CCS2002, Washington, DC, USA,2002.11:245-254P
[34]刘玉玲,杜瑞忠,赵卫东等.一种入侵场景构建模型-BPCRISM.计算机研究与发展.2007,44(4):589-597页
[35]严芬,黄皓,殷新春.基于CTPN的复合攻击检测方法研究.计算机学报. 2006,29(8):1383-1391页
[36]马琳茹,杨林,王建新.多源异构安全信息融合关联技术.系统仿真学报.2008.2,20(4):981-989页
[37]田俊峰,赵卫东,杜瑞忠,蔡红云.新的入侵检测数据融合模型—IDSFP.通信学报.2006,27(6):115-120页
[38] X.Yin, W.Yurcik, M.Treaster. VisFlowConnect: NetFlow visualizations of link relationships for security situational awareness. Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, Fairfax, VA, USA,2004:26-34P
[39] L.Stephen. The spinning cube of potential doom. Communications of ACM, 2004,47(6):25-26P
[40] W. Yurcik. Visualizing NetFlows for security at line speed: the SIFT tool suit. Proceedings of 19th Usenix Large Installation System Administration Conference, Atlanta, GA,USA, 2005.12:169-176P
[41] Carnegie Mellon’s SEI. System for Internet Level Knowledge (SILK). Http://silktools.sourceforge.net,2005
[42] K.Lakkaraju, W.Yurcik, A.J. Lee. NVisionIP: NetFlow visualizations of system state for security situational awareness. Proceedings of VizSEC/DMSEC, Fairfax, VA, USA,2004.10:65-72P
[43] J.McHugh. Network awareness and network security. CASCON CyberSecurity Workshop. Richmond Hill, Ontario, Canada, 2005.10:263-268P
[44] V.Yegneswaran, P.Barford, V.Paxson. Using honeynets for internet situational awareness. Proceedings of ACM/USENIX Hotnets. Http://www.icir.org/vern/papers/sit-aware-hotnet 05.pdf,2005
[45] R.M.McGraw, C.Lammers, A.D.Trevisani. Effectiveness measurements and state estimation simulation for DSAP. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications, 2006, Kissimmee, Florida,USA,2006:1-8P
[46] A.Kirlik, R.Strauss. Situation awareness as judgmentⅠ: statistical modeling and quantitative measurement. International Journal of Industrial Ergonomics,2006,36: 463-474P
[47] S.M.Mahoney,K.Laskey, E.Wright, et.al. Measuring performance for situation assessment. Proceedings of National Symposium on Sensor and Data Fusion, San Antonio, Texas: June 2000:67-75P
[48] J.Salerno, E.Blasch, M.Hinman, D.Boulware. Evaluating algorithmic techniques in supporting situation awareness. Proceedings of SPIE, San Antonio, Texas, USA, 2005:96-104P
[49] S.J.Yang, A.Stotz, J.Holsopple, et al. High level information fusion for tracking and projection of multistage cyber attacks. Information fusion. 2009,10(1):107-121P
[50]韦勇,连一峰.基于日志审计与性能修正算法的网络安全态势评估模型.计算机学报.2009,32(4):763-772页
[51]陈秀真,郑庆华,管晓宏等.层次化网络安全威胁态势量化评估方法.软件学报. 2006,17(4):885-897页
[52]李涛.基于免疫的网络安全风险检测.中国科学.2005,35(8):798-816页
[53] Xiu-Zhen Chen, et al. Multiple behavior information fusion based quantitative threat evaluation. Computer & Security,2005,24: 218-231P
[54]张慧敏,钱亦萍,郑庆华等.集成化网络安全监控平台的研究与实现.通信学报.2003,24(7):155-163页
[55]北京理工大学信息安全与对抗技术研究中心.网络安全态势评估系统技术白皮书. http://www.thinkor.com/product/download/网络安全态势评估系统技术白皮2.doc,2005
[56]李英楠,张宏莉,云晓春等.基于网络拓扑的网络安全事件宏观预警与响应分析.哈尔滨工业大学学报.2005,37(11):1459-1462页
[57]雷英杰,王宝树,王毅.基于直觉模糊决策的战场态势评估方法.电子学报.2006,34(12):2175-2179页
[58]胡华平,张怡,陈海涛等.面向大规模网络的入侵检测与预警系统研究.国防科技大学学报.2003,25(1):21-25页
[59] H.Wang, Y.Liang, X.Liu. Stochastic game theoretical method of quantification for network situational awareness. Proceedings of the 2008 International Conference on Internet Computing in Science and Engineering. Harbin,China,2008:312-316P
[60] J.Lai, H.Wang, X.Liu, and et.al. A WNN-based network security situation quantitative prediction method and its optimization. Journal of Computer Science and Technology. 2008,23(2):222-230P
[61]韦勇,连一峰,冯登国.基于信息融合的网络安全态势评估模型.计算机研究与发展.2009,46(3):353-362页
[62] S.Cheung, U.Lindqvist, M.W.Fong. Modeling multistep cyber attacks scenario recognition. Proceedings of the Third DARPA Information Survivability Conference and Exposition, Washington, DC, USA,2003.4: 284–292P
[63] S.Mathew, D.Britt, R.Giomundo, S.Upadhyaya. Real-time multistage attack awareness through enhanced intrusion alert clustering. Proceedings of IEEE Military Communications Conference, 2005, Atlantic City, USA,3:1801-1806P
[64] S.Noel, E.Robertson, S.Jajodia. Correlating intrusion events and building attack scenarios through attack graph distances. Proceedings of the 20th Annual Computer Security Applications Conference, Tucson, AZ, USA,2004.12:350-359P
[65]鲍旭华,戴英侠,冯萍慧等.基于入侵意图的复合攻击检测和预测算法.软件学报. 2005,16(12)5:2132-2138页
[66] O.M.Dahl, S.D. Wolthusen. Modeling and execution of complex attack scenarios using interval timed colored petri nets. Proceedings of fourth IEEE International Workshop onInformation Assurance, Royal Holloway, UK,2006:157-168P
[67]田俊峰,赵卫东,杜瑞忠,蔡红云.新的入侵检测数据融合模型—IDSFP.通信学报.2006,27(6):115-120页
[68] X.Qin, W.Lee. Statistical causality of INFOSEC alert data. Proceedings of Recent Advances in Intrusion Detection 2003, Pittsburgh, PA, USA, LNCS 2820,Springer-Verlag,2003:73-94P
[69] P.A.Porras, M.W.Fong, A.Valdes. A mission-impact-based approach to INFOSEC alarm correlation. Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), Zurich, Switzerland, LNCS 2516, Springer-Verlag 2002:95-114P
[70] B.Morin, L.Mé, H.Debar, M.Ducassé. M2D2: a formal data model for IDS alert correlation. Proceedings of recent advances in intrusion detection 2002, Zurich, Switzerland, LNCS 2516,Springer-Verlag,2002: 115-137P
[71] D.Andersson, M.Fong, A.Valdes. Heterogeneous sensor correlation: a case study of live traffic analysis. Proceedings of the 2002 IEEE Information Assurance Workshop, West point, NY, 2002.6:1555-1560P
[72] Cisco Systems Inc. NetForensics: Report Guide. www.cisco.com /application/pdf/en/us/guest/products/ps5209/c1626/ccmigration_09186a008019d567.pdf,2003.4
[73] J.Holsopple, S.J.Yang, M.Sudit. TANDI: threat assessment of network data and information. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications, SPIE, Kissimmee, Florida, USA ,2006:1-11P
[74] C4ISR Architecture Framework, Version 1.0. C4ISR ITF Intergrated Architecture Panel. CISA-0000-104-96,1996.7
[75]吴陈,李新锋,夏祖勋,解洪成.数据融合系统的模型化和形式化研究.华东船舶工业学院学报.2000,15(3):13-19页
[76]佘二永,王润生.基于线性融合模型的多源图像融.电子学报。2005,33(6):1008-1010页
[77]李军,刘君华.多源融合系统的可靠性模型研究.西安交通大学学报.2004,38(8):775-795页
[78]周中良,于雷,潘泉,王琳.合化多源空间管理模型与算法研究.传感技术学报.2007,20(11):2438-2441页
[79]穆成坡,黄厚宽,田盛风.入侵检测系统报警信息聚合与关联技术研究综述.计算机研究与发展.2006,43(1):1-8页
[80] O.Dain, R.K.Cunningham. Fuison a heterogeneous alert stream into scenarios. Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications,2001:231-235P
[81]李辉,郑庆华,韩崇昭,管晓宏.基于多假设跟踪的入侵场景构建研究.通信学报.2005,26(4):70-79页
[82] A. Valdes, K. Skinner. Probabilistic alert correlation. Proceedings of the Fourth International Symposium on Recent Advance in Intrusion Detection, Davis, CA, USA,2001:54-69P
[83]田志宏,张伟哲,张永铮等.基于权能转换模型的攻击场景推理、假设与预测.通信学报.2007,28(12):78-84页
[84] S.Mathew, D.Britt, R.Giomundo, S.Upadhyaya. Real-time multistage attack awareness through enhanced intrusion alert clustering. Proceedings of IEEE Military Communications Conference, 2005, Atlantic City, USA,3:1801-1806P
[85]李之棠,王莉,黎耀.一种新的基于统计的场景挖掘算法研究.计算机研究与发展.2006,43(Suppl.):442-446页
[86]董晓梅,于戈,孙晶茹,王丽娜.基于频繁模式挖掘的报警关联与分析算法.电子学报.2005,33(8):1356-1359页
[87] P.J.Nahin, J. Gibbons, M.Knel. NCTR plus sensor fusion equals IFFN. IEEE Transactions on Aerospace Electronic Systems,1980, 16:320-327P
[88] J.Llinas. Engineering guidelines for data correlation algorithmcharacterization, Buffalo NY, State university of New York, 1996
[89] C.Bowman, A.Steinberg. A systems engineering approach for implementing data fusion systems. Handbook of Multisensor Data Fusion. CRC Press, 2001
[90] R.Polikar, D.Parikh, S.Mandayam. Multiple classifier systems for multisensor data fusion. Proceedings of IEEE Sensors Applications Symposium, Houston, Texas USA, ,2006:180-184P
[91] J.J.Braun. Dempster-Shafer theory and Bayesian reasoning in multisensor data fusion. Sensor Fusion: Architectures, Algorithms, and Applications,SPIE 4051,2000:255-266P
[92] J.Yen. Discussion of Demster-Shafer’s Theory. State College. 2003
[93] D.Yu, D.Frincke. Alert confidence fusion in intrusion detection systems with extended Dempster-Shafer Theory. Proceedings of the 43rd Annual Southeast Regional Conference, New York, NY, USA ,2005:142-147P
[94]李剑峰,乐光新,尚勇.基于改进型D-S证据理论的决策层融合滤波算法.电子学报.2004,32(7):1160-1164页
[95] L.Xu, Y.Chen, P.Cui. Improvement of D-S evidential theory in multisensor data fusion system. Proceedings of the 5th World Congress on Intelligent Control and Automation, Zhejiang,China 2004:3124-3128P
[96]李烨,蔡云泽,尹汝泼等.基于证据理论的多类分类支持向量机集成.计算机研究与发展.2008,45(4):571-578页
[97] S.J.Julier, J.K.Uhlmannb, J.Walters, et al. The challenge of scalable and distributed fusion of disparate sources of information. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications, SPIE, Kissimmee, Florida, USA ,2006:1-11P
[98] L.Zadeh. Review of books: a mathematical theory of evidence. AIMagazine.1984,5(3):81-83P
[99]邓勇,施文康,朱振福.一种处理冲突证据的组合方法.红外与毫米波学报.2004,23(1):27-32页
[100]陈福增.多源数据融合的数学方法.数学的实践与认识.1995,2:11-16页
[101]黄幼才.数据探测技术与抗差估计.北京:高等教育出版社.1990
[102]燕颢.数据融合的几种算法研究.南京理工硕士论文.2003.3
[103]刘宇等.多模粒子群集成神经网络.计算机研究与发展.2005, 42(9):1519-1526页
[104]窦全胜,周春光,马铭.粒子群优化的两种改进策略.计算机研究与发展. 2005,42(5):897-904页
[105]刘波,杨路明,雷刚跃等.融合粒子群与蚁群算法优化群体智能搜索.计算机研究与发展.2005,45(8):1371-1378页
[106]田建中,王威,谢梅芳.基于粒子群算法的支持向量机训练和实现方法.武汉理工大学学报.2007,29(10):85-88页
[107]周中良,于雷,潘泉,王琳.融合化多源空间管理模型与算法研究.传感技术学报.2007,20(11):2438-2441页
[108]项新建.基于模糊数学与统计理论集成的多源数据融合方法.传感技术学报.2004,2:197-199页
[109] B.Wang, G.Liang, C.Wang. D-S algorithm based on particle swarm optimizer. Electronic Measurement and Instruments,2007.8, 2:311- 315P
[110] J.D.Lawrence, T.D.Garvey. Evidential reasoning: a developing concept. Proceedings of the IEEE International Conference on cybernetics and society, Boston, MA, 1982.1:6-9P
[111]张宇林,蒋鼎国,黄翀鹏等.基于粒子群算法的多源数据融合.化工学报.2008,59(7): 1703-1706页
[112] K.Ranney, N.Nasrabadi.Particle Swarm Optimization and Uncertainty in Dempster-Shafer Fusion. Radar Sensor Technology XIII, Proceedings of SPIE 7308,2009,73081E:1-10P
[113]王波,王灿林,梁国强.基于粒子群寻优的D-S算法.传感器与微系统. 2007,26(1):84-86页
[114]诸葛建伟,王大为,陈昱等.基于D-S证据理论的网络异常检测方法.软件学报. 2006, 17(3):463-471页
[115] J.D.Lawrence, T.D.Garvey. Evidential reasoning: a developing concept. Proceedings of the IEEE International Conference on cybernetics and society, Boston, MA, 1982.1:6-9P
[116]马琳茹,杨林,王建新等.利用模糊聚类实现入侵检测告警关联图的重构.通信学报.2006,27(9):47-52页
[117] S.O.Al-Manory, H.L. Zhang. Scenario discovery using abstracted correlation graph. Proceedings of International Conference on Computational Intelligence and Security, Harbin,China,2007: 702-706P
[118]萧海东.网络安全态势评估与趋势感知的分析研究.上海:上海交通大学博士论文,2007.10
[119] W.Hu, J.Li, X.Jiang, et.al. A hierarchical algorithm for cyberspace situational awareness based on analytic hierarchy process. High Technology Letters,2007,13(3):291-296P
[120]陈继军.多源管理及信息融合.西安:西北工业大学硕士论文,2002.3
[121]刘曙阳,程万梓.C3I系统开发技术.北京:国防工业出版社.1997.4
[122] M.R.Endsley. Toward a theory of situation awareness in dynamic systems. Human Factors,1995,37(1):32-64P
[123] E.Salas, C.Prince, D.P.Baker, et.al. Situation awareness in team performance: implications for measurement and training. Human Factors,1995, 37(1):123-126P
[124] M.H.Kang, T.Mayfield. A cyber-event correlation framework and metrics, Proceeding of SPIE,2003, Orlando, Florida, USA, 5107:72-82P
[125] M.R.Endsley, D.J.Garland. Situation awareness. Lawrence Erlbaum Associates. 2000
[126] R.W.Cooksey. Judgment analysis: theory, methods, and applications. Academic Press. 1996
[127] E.P.Blasch, M.Pribilski, B.Daughtery, et.al. Fusion metrics for dynamic situation analysis. Porceedings of SPIE 5429, 2004.4:428-438P
[128]游庆红,丁荣华,涂国平.线性分配法的一种改进思路.南昌大学学报.2006,28(1):28-30页
[129]陈珽.决策分析.北京:科学出版社.1987
[130] R.E.Burkard, E.Cela. Linear assignment problems and extensions. Handbook of Combinatorial Optimization. 1999,A:75–149P
[131] G.Birkhoff. Tres observaciones sobre el algebra lineal. Rev. Univ. Nac. Tucumán(A). 1946,5:147-151P
[132] M.L.Balinski, A.Russakoff. On the assignment polytope. SIMA Review. 1974,16:516-525P
[133] L.G.Valiant. The complexity of computing the permanent. Theoretical Computer Science. 1979,8:189-201P
[134] P.Hall. On representatives of subsets. Journal of the London Mathematical Society. 1935,10:26-31P
[135] J.E.Hopcroft, R.M.Karp. An n~(5/2) algorithm for maximum matching in bipartite graphs. SIMA Journal on Computing. 1973,2:225-231P
[136] H.Alt, N.Blum, K.Mehlhorn, M.Paul. Computing maximum cardinality matching in time O((m/logn)~n~(1.5)). Information Process. 1992,37:237-240P
[137] D.R.Fulkerson, I.Glicksberg, O.Gross. A production line assignment problem. Rand Corporation. 1953
[2] J. R.Goodall, W. G. Lutters, and A.Komlodi. The work of intrusion detection: rethinking the role of security analysts. Proceeding of the Tenth Americas Conference on Information System, New York, NY, USA, 2004.8:1421-1427P
[3] Navy Aviation Schools Command. Situational awareness. www.cnet. navy.mil.crm/crm/stand_mat/seven_skills/sa.asp
[4]王慧强,赖积保,朱亮,梁颖.网络安全态势感知系统研究综述.计算机科学.2006,33(10):5-10页
[5] M.R.Endsley. Design and evaluation for situation awareness enhancement. Proceeding of the 32nd Human Factors Society Annual Meeting, Anaheim, California, USA, 1988: 97-101P
[6] G.Tadda, J.J.Salerno, D.Boulware, et.al. Realizing situation awareness in a cyber environment. Proceedings of Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications, Kissimmee, Florida, USA, 2006,SPIE 6242:1-8P
[7] T.Bass. Multi-sensor data fusion for next generation distributed intrusion detection systems. Johns-Hopkins University, Applied Physics Laboratory, Proceedings of IRIS National Symposium on Sensor and Data Fusion, Laurel, MD,USA,1999:24-27P
[8] T.Bass, D.Gruber. A glimpse into the future of ID. Special Issue on Intrusion Detection. www.silkroad.com/papers/pdf/usenix-glimpse.pdf,1999.9
[9] V.Yegneswaran, P.Barford. Using honeynets for internet situational awareness, http://www.cs.wisc.edu/~pb/hotnets 05_final.pdf,2006
[10] E.Hughes, A.Somayaji. Towards network awareness. Proceeding of 19th Large Installation System Administration Conference, Long Beach, CA,USA, 2005:113-123P
[11] K.Lakkaraju, Y.Li, X.Yin, W.Yurcik. NVisionIP and VisFlowConnect: Two Interactive Tools for Visualizing Network Flow for Security. www.ncassr.org/projects/sift,2004
[12] G.Cole, N.Bulashova, W.Yurcik. Geographical netflows visualization for network situational awareness: naukanet administrative data analysis system (NADAS). http://www. ncassr.org/projects/sift/ papers/NADAS.pdf,2004
[13] A. Siraj, R. B. Vaughn.Office Of The Secretary Of Defense, Deputy Director Of Defense Research & Engineering Deputy Under Secretary Of Defense, Small Business Innovation Research. 2005.3
[14] Advanced Research and Development Activity (ARDA). Exploratory Program Call for Proposals.2006
[15] D.L. Hall. Mathematical Techniques in Multisensor Data Fusion. Bosston: Artech House. 2004:125-137.
[16] S.G. Batsell, N.S. Rao, M. Shankar. Distributed Intrusion Detection and Attack Containment for Organizational Cyber Security.http://www.ioc.ornl.gov/projects/documents/containment.pdf,2005
[17] J.Shifflet. A technique independent fusion model for network intrusion detection. Proceedings of the Midstates Conference on Undergraduate Research in Computer Science and Mathematics, College of Wooster in Ohio, 2004.10:13-19P
[18] J.J.Salerno, M.Hinman, D.Boulware. A situation awareness model applied to multiple domains. Proceedings of the Defense and Security Conference, Orlando, FL, USA,5813:65-74P
[19] D.Shen, G.Chen, J.B.Cruz, et al. A markov game theoretic data fusion approach for cyber situational awareness. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications,2007, Orlando, Florida, USA :1-11P
[20] R.Polikar, D.Parikh, S.Mandayam. Multiple classifier systems for multisensor data fusion. Proceedings of IEEE Sensors Applications Symposium, Houston, Texas USA, ,2006:180-184P
[21] C.Siaterlis, V.Maglaris. One step ahead to multisensor data fusion for DDoS detection. Journal of Computer Security,2005, 13:779-806P
[22] J.Beyerer, M.Heizman, J.Sander. Fuselets-an agent based architecture for fusion of heterogeneous information and data. Proceedings of SPIE 2006, Kissimmee, Florida, USA ,2006:1-9P
[23] J.Lu, X. Yang, G. Zhang. Support vector machine-based multi-source multi-attribute information integration for situation assessment. Expert Systems with Application,2007, 34(2):1333-1340P
[24] J.J.Braun, S.P.Jeswani. Information fusion of large number of sources with support vector machine technique. Proceedings of SPIE 2003, Orlando, FL, USA ,2003:13-23P
[25] J.Zhang, K.Wang, Q.Yue. Data fusion algorithm based on functional link artificial neural networks. Proceedings of the 6th World Congress on Intelligent Control and Automation, Dalian China,2006:2806-2810P
[26] M.Sudit, A.Stotz, M.Holender. Measuring situational awareness and resolving inherent high-level fusion obstacle. Proceedings of SPIE 2006, Kissimmee, Florida, USA ,2006:1-9P
[27] M.Oxenham, S.Challa, M.Morelande. Fusion of disparate identity estimates for shared situation awareness in a network-centric environment. Information Fusion,2006,7:395-417P
[28] B.Sabata, C.Ornes. Multi-source evidence fusion for cyber situation assessment. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications,2006, Orlando, FL, USA,2006:1-9P
[29] A.Blyth. Footprinting for intrusion detection and threat assessment. Information Security Technical Report. 1999,4(3):43-53P
[30] B.D'Ambrosio, M.Takikawa, J.Fitzgerald, D.Upper, and et.al. Security situation assessment and response evaluation (SSARE). Proceedings of DARPA Information Survivability Conference & Exposition II, Berkeley, California,2001.7:387– 394P
[31] V.Gorodetsky, O.Karsaev, V.Samoilov. On-line update of situation assessment based on asynchronous data streams. Knowledge-Based Intelligent Information and Engineering Systems,LNCS 3213,Berlin,Heidelberg,2004:1136-1142P
[32] J.J.Selerno, G.Tadda, D.Boulware, et.al. Achieving situation awareness in a cyber environment. Proceedings of the MILCOM2005, Atlantic City, New Jersey,2005.10:123-129P
[33] P.Ning, Y.Cui, D.S.Reeves. Construction attack scenarios through correlation of intrusion alerts. Proceedings of CCS2002, Washington, DC, USA,2002.11:245-254P
[34]刘玉玲,杜瑞忠,赵卫东等.一种入侵场景构建模型-BPCRISM.计算机研究与发展.2007,44(4):589-597页
[35]严芬,黄皓,殷新春.基于CTPN的复合攻击检测方法研究.计算机学报. 2006,29(8):1383-1391页
[36]马琳茹,杨林,王建新.多源异构安全信息融合关联技术.系统仿真学报.2008.2,20(4):981-989页
[37]田俊峰,赵卫东,杜瑞忠,蔡红云.新的入侵检测数据融合模型—IDSFP.通信学报.2006,27(6):115-120页
[38] X.Yin, W.Yurcik, M.Treaster. VisFlowConnect: NetFlow visualizations of link relationships for security situational awareness. Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, Fairfax, VA, USA,2004:26-34P
[39] L.Stephen. The spinning cube of potential doom. Communications of ACM, 2004,47(6):25-26P
[40] W. Yurcik. Visualizing NetFlows for security at line speed: the SIFT tool suit. Proceedings of 19th Usenix Large Installation System Administration Conference, Atlanta, GA,USA, 2005.12:169-176P
[41] Carnegie Mellon’s SEI. System for Internet Level Knowledge (SILK). Http://silktools.sourceforge.net,2005
[42] K.Lakkaraju, W.Yurcik, A.J. Lee. NVisionIP: NetFlow visualizations of system state for security situational awareness. Proceedings of VizSEC/DMSEC, Fairfax, VA, USA,2004.10:65-72P
[43] J.McHugh. Network awareness and network security. CASCON CyberSecurity Workshop. Richmond Hill, Ontario, Canada, 2005.10:263-268P
[44] V.Yegneswaran, P.Barford, V.Paxson. Using honeynets for internet situational awareness. Proceedings of ACM/USENIX Hotnets. Http://www.icir.org/vern/papers/sit-aware-hotnet 05.pdf,2005
[45] R.M.McGraw, C.Lammers, A.D.Trevisani. Effectiveness measurements and state estimation simulation for DSAP. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications, 2006, Kissimmee, Florida,USA,2006:1-8P
[46] A.Kirlik, R.Strauss. Situation awareness as judgmentⅠ: statistical modeling and quantitative measurement. International Journal of Industrial Ergonomics,2006,36: 463-474P
[47] S.M.Mahoney,K.Laskey, E.Wright, et.al. Measuring performance for situation assessment. Proceedings of National Symposium on Sensor and Data Fusion, San Antonio, Texas: June 2000:67-75P
[48] J.Salerno, E.Blasch, M.Hinman, D.Boulware. Evaluating algorithmic techniques in supporting situation awareness. Proceedings of SPIE, San Antonio, Texas, USA, 2005:96-104P
[49] S.J.Yang, A.Stotz, J.Holsopple, et al. High level information fusion for tracking and projection of multistage cyber attacks. Information fusion. 2009,10(1):107-121P
[50]韦勇,连一峰.基于日志审计与性能修正算法的网络安全态势评估模型.计算机学报.2009,32(4):763-772页
[51]陈秀真,郑庆华,管晓宏等.层次化网络安全威胁态势量化评估方法.软件学报. 2006,17(4):885-897页
[52]李涛.基于免疫的网络安全风险检测.中国科学.2005,35(8):798-816页
[53] Xiu-Zhen Chen, et al. Multiple behavior information fusion based quantitative threat evaluation. Computer & Security,2005,24: 218-231P
[54]张慧敏,钱亦萍,郑庆华等.集成化网络安全监控平台的研究与实现.通信学报.2003,24(7):155-163页
[55]北京理工大学信息安全与对抗技术研究中心.网络安全态势评估系统技术白皮书. http://www.thinkor.com/product/download/网络安全态势评估系统技术白皮2.doc,2005
[56]李英楠,张宏莉,云晓春等.基于网络拓扑的网络安全事件宏观预警与响应分析.哈尔滨工业大学学报.2005,37(11):1459-1462页
[57]雷英杰,王宝树,王毅.基于直觉模糊决策的战场态势评估方法.电子学报.2006,34(12):2175-2179页
[58]胡华平,张怡,陈海涛等.面向大规模网络的入侵检测与预警系统研究.国防科技大学学报.2003,25(1):21-25页
[59] H.Wang, Y.Liang, X.Liu. Stochastic game theoretical method of quantification for network situational awareness. Proceedings of the 2008 International Conference on Internet Computing in Science and Engineering. Harbin,China,2008:312-316P
[60] J.Lai, H.Wang, X.Liu, and et.al. A WNN-based network security situation quantitative prediction method and its optimization. Journal of Computer Science and Technology. 2008,23(2):222-230P
[61]韦勇,连一峰,冯登国.基于信息融合的网络安全态势评估模型.计算机研究与发展.2009,46(3):353-362页
[62] S.Cheung, U.Lindqvist, M.W.Fong. Modeling multistep cyber attacks scenario recognition. Proceedings of the Third DARPA Information Survivability Conference and Exposition, Washington, DC, USA,2003.4: 284–292P
[63] S.Mathew, D.Britt, R.Giomundo, S.Upadhyaya. Real-time multistage attack awareness through enhanced intrusion alert clustering. Proceedings of IEEE Military Communications Conference, 2005, Atlantic City, USA,3:1801-1806P
[64] S.Noel, E.Robertson, S.Jajodia. Correlating intrusion events and building attack scenarios through attack graph distances. Proceedings of the 20th Annual Computer Security Applications Conference, Tucson, AZ, USA,2004.12:350-359P
[65]鲍旭华,戴英侠,冯萍慧等.基于入侵意图的复合攻击检测和预测算法.软件学报. 2005,16(12)5:2132-2138页
[66] O.M.Dahl, S.D. Wolthusen. Modeling and execution of complex attack scenarios using interval timed colored petri nets. Proceedings of fourth IEEE International Workshop onInformation Assurance, Royal Holloway, UK,2006:157-168P
[67]田俊峰,赵卫东,杜瑞忠,蔡红云.新的入侵检测数据融合模型—IDSFP.通信学报.2006,27(6):115-120页
[68] X.Qin, W.Lee. Statistical causality of INFOSEC alert data. Proceedings of Recent Advances in Intrusion Detection 2003, Pittsburgh, PA, USA, LNCS 2820,Springer-Verlag,2003:73-94P
[69] P.A.Porras, M.W.Fong, A.Valdes. A mission-impact-based approach to INFOSEC alarm correlation. Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), Zurich, Switzerland, LNCS 2516, Springer-Verlag 2002:95-114P
[70] B.Morin, L.Mé, H.Debar, M.Ducassé. M2D2: a formal data model for IDS alert correlation. Proceedings of recent advances in intrusion detection 2002, Zurich, Switzerland, LNCS 2516,Springer-Verlag,2002: 115-137P
[71] D.Andersson, M.Fong, A.Valdes. Heterogeneous sensor correlation: a case study of live traffic analysis. Proceedings of the 2002 IEEE Information Assurance Workshop, West point, NY, 2002.6:1555-1560P
[72] Cisco Systems Inc. NetForensics: Report Guide. www.cisco.com /application/pdf/en/us/guest/products/ps5209/c1626/ccmigration_09186a008019d567.pdf,2003.4
[73] J.Holsopple, S.J.Yang, M.Sudit. TANDI: threat assessment of network data and information. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications, SPIE, Kissimmee, Florida, USA ,2006:1-11P
[74] C4ISR Architecture Framework, Version 1.0. C4ISR ITF Intergrated Architecture Panel. CISA-0000-104-96,1996.7
[75]吴陈,李新锋,夏祖勋,解洪成.数据融合系统的模型化和形式化研究.华东船舶工业学院学报.2000,15(3):13-19页
[76]佘二永,王润生.基于线性融合模型的多源图像融.电子学报。2005,33(6):1008-1010页
[77]李军,刘君华.多源融合系统的可靠性模型研究.西安交通大学学报.2004,38(8):775-795页
[78]周中良,于雷,潘泉,王琳.合化多源空间管理模型与算法研究.传感技术学报.2007,20(11):2438-2441页
[79]穆成坡,黄厚宽,田盛风.入侵检测系统报警信息聚合与关联技术研究综述.计算机研究与发展.2006,43(1):1-8页
[80] O.Dain, R.K.Cunningham. Fuison a heterogeneous alert stream into scenarios. Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications,2001:231-235P
[81]李辉,郑庆华,韩崇昭,管晓宏.基于多假设跟踪的入侵场景构建研究.通信学报.2005,26(4):70-79页
[82] A. Valdes, K. Skinner. Probabilistic alert correlation. Proceedings of the Fourth International Symposium on Recent Advance in Intrusion Detection, Davis, CA, USA,2001:54-69P
[83]田志宏,张伟哲,张永铮等.基于权能转换模型的攻击场景推理、假设与预测.通信学报.2007,28(12):78-84页
[84] S.Mathew, D.Britt, R.Giomundo, S.Upadhyaya. Real-time multistage attack awareness through enhanced intrusion alert clustering. Proceedings of IEEE Military Communications Conference, 2005, Atlantic City, USA,3:1801-1806P
[85]李之棠,王莉,黎耀.一种新的基于统计的场景挖掘算法研究.计算机研究与发展.2006,43(Suppl.):442-446页
[86]董晓梅,于戈,孙晶茹,王丽娜.基于频繁模式挖掘的报警关联与分析算法.电子学报.2005,33(8):1356-1359页
[87] P.J.Nahin, J. Gibbons, M.Knel. NCTR plus sensor fusion equals IFFN. IEEE Transactions on Aerospace Electronic Systems,1980, 16:320-327P
[88] J.Llinas. Engineering guidelines for data correlation algorithmcharacterization, Buffalo NY, State university of New York, 1996
[89] C.Bowman, A.Steinberg. A systems engineering approach for implementing data fusion systems. Handbook of Multisensor Data Fusion. CRC Press, 2001
[90] R.Polikar, D.Parikh, S.Mandayam. Multiple classifier systems for multisensor data fusion. Proceedings of IEEE Sensors Applications Symposium, Houston, Texas USA, ,2006:180-184P
[91] J.J.Braun. Dempster-Shafer theory and Bayesian reasoning in multisensor data fusion. Sensor Fusion: Architectures, Algorithms, and Applications,SPIE 4051,2000:255-266P
[92] J.Yen. Discussion of Demster-Shafer’s Theory. State College. 2003
[93] D.Yu, D.Frincke. Alert confidence fusion in intrusion detection systems with extended Dempster-Shafer Theory. Proceedings of the 43rd Annual Southeast Regional Conference, New York, NY, USA ,2005:142-147P
[94]李剑峰,乐光新,尚勇.基于改进型D-S证据理论的决策层融合滤波算法.电子学报.2004,32(7):1160-1164页
[95] L.Xu, Y.Chen, P.Cui. Improvement of D-S evidential theory in multisensor data fusion system. Proceedings of the 5th World Congress on Intelligent Control and Automation, Zhejiang,China 2004:3124-3128P
[96]李烨,蔡云泽,尹汝泼等.基于证据理论的多类分类支持向量机集成.计算机研究与发展.2008,45(4):571-578页
[97] S.J.Julier, J.K.Uhlmannb, J.Walters, et al. The challenge of scalable and distributed fusion of disparate sources of information. Multisensor, Multisource Information Fusion: Architecture, Algorithms, and Applications, SPIE, Kissimmee, Florida, USA ,2006:1-11P
[98] L.Zadeh. Review of books: a mathematical theory of evidence. AIMagazine.1984,5(3):81-83P
[99]邓勇,施文康,朱振福.一种处理冲突证据的组合方法.红外与毫米波学报.2004,23(1):27-32页
[100]陈福增.多源数据融合的数学方法.数学的实践与认识.1995,2:11-16页
[101]黄幼才.数据探测技术与抗差估计.北京:高等教育出版社.1990
[102]燕颢.数据融合的几种算法研究.南京理工硕士论文.2003.3
[103]刘宇等.多模粒子群集成神经网络.计算机研究与发展.2005, 42(9):1519-1526页
[104]窦全胜,周春光,马铭.粒子群优化的两种改进策略.计算机研究与发展. 2005,42(5):897-904页
[105]刘波,杨路明,雷刚跃等.融合粒子群与蚁群算法优化群体智能搜索.计算机研究与发展.2005,45(8):1371-1378页
[106]田建中,王威,谢梅芳.基于粒子群算法的支持向量机训练和实现方法.武汉理工大学学报.2007,29(10):85-88页
[107]周中良,于雷,潘泉,王琳.融合化多源空间管理模型与算法研究.传感技术学报.2007,20(11):2438-2441页
[108]项新建.基于模糊数学与统计理论集成的多源数据融合方法.传感技术学报.2004,2:197-199页
[109] B.Wang, G.Liang, C.Wang. D-S algorithm based on particle swarm optimizer. Electronic Measurement and Instruments,2007.8, 2:311- 315P
[110] J.D.Lawrence, T.D.Garvey. Evidential reasoning: a developing concept. Proceedings of the IEEE International Conference on cybernetics and society, Boston, MA, 1982.1:6-9P
[111]张宇林,蒋鼎国,黄翀鹏等.基于粒子群算法的多源数据融合.化工学报.2008,59(7): 1703-1706页
[112] K.Ranney, N.Nasrabadi.Particle Swarm Optimization and Uncertainty in Dempster-Shafer Fusion. Radar Sensor Technology XIII, Proceedings of SPIE 7308,2009,73081E:1-10P
[113]王波,王灿林,梁国强.基于粒子群寻优的D-S算法.传感器与微系统. 2007,26(1):84-86页
[114]诸葛建伟,王大为,陈昱等.基于D-S证据理论的网络异常检测方法.软件学报. 2006, 17(3):463-471页
[115] J.D.Lawrence, T.D.Garvey. Evidential reasoning: a developing concept. Proceedings of the IEEE International Conference on cybernetics and society, Boston, MA, 1982.1:6-9P
[116]马琳茹,杨林,王建新等.利用模糊聚类实现入侵检测告警关联图的重构.通信学报.2006,27(9):47-52页
[117] S.O.Al-Manory, H.L. Zhang. Scenario discovery using abstracted correlation graph. Proceedings of International Conference on Computational Intelligence and Security, Harbin,China,2007: 702-706P
[118]萧海东.网络安全态势评估与趋势感知的分析研究.上海:上海交通大学博士论文,2007.10
[119] W.Hu, J.Li, X.Jiang, et.al. A hierarchical algorithm for cyberspace situational awareness based on analytic hierarchy process. High Technology Letters,2007,13(3):291-296P
[120]陈继军.多源管理及信息融合.西安:西北工业大学硕士论文,2002.3
[121]刘曙阳,程万梓.C3I系统开发技术.北京:国防工业出版社.1997.4
[122] M.R.Endsley. Toward a theory of situation awareness in dynamic systems. Human Factors,1995,37(1):32-64P
[123] E.Salas, C.Prince, D.P.Baker, et.al. Situation awareness in team performance: implications for measurement and training. Human Factors,1995, 37(1):123-126P
[124] M.H.Kang, T.Mayfield. A cyber-event correlation framework and metrics, Proceeding of SPIE,2003, Orlando, Florida, USA, 5107:72-82P
[125] M.R.Endsley, D.J.Garland. Situation awareness. Lawrence Erlbaum Associates. 2000
[126] R.W.Cooksey. Judgment analysis: theory, methods, and applications. Academic Press. 1996
[127] E.P.Blasch, M.Pribilski, B.Daughtery, et.al. Fusion metrics for dynamic situation analysis. Porceedings of SPIE 5429, 2004.4:428-438P
[128]游庆红,丁荣华,涂国平.线性分配法的一种改进思路.南昌大学学报.2006,28(1):28-30页
[129]陈珽.决策分析.北京:科学出版社.1987
[130] R.E.Burkard, E.Cela. Linear assignment problems and extensions. Handbook of Combinatorial Optimization. 1999,A:75–149P
[131] G.Birkhoff. Tres observaciones sobre el algebra lineal. Rev. Univ. Nac. Tucumán(A). 1946,5:147-151P
[132] M.L.Balinski, A.Russakoff. On the assignment polytope. SIMA Review. 1974,16:516-525P
[133] L.G.Valiant. The complexity of computing the permanent. Theoretical Computer Science. 1979,8:189-201P
[134] P.Hall. On representatives of subsets. Journal of the London Mathematical Society. 1935,10:26-31P
[135] J.E.Hopcroft, R.M.Karp. An n~(5/2) algorithm for maximum matching in bipartite graphs. SIMA Journal on Computing. 1973,2:225-231P
[136] H.Alt, N.Blum, K.Mehlhorn, M.Paul. Computing maximum cardinality matching in time O((m/logn)~n~(1.5)). Information Process. 1992,37:237-240P
[137] D.R.Fulkerson, I.Glicksberg, O.Gross. A production line assignment problem. Rand Corporation. 1953