Construction of the Rule Base for a Multi-Agent-Based Intrusion Detection System
Abstract
At present, networks and information technologies of every kind are widely deployed, but they also carry serious risks and threats, so security has drawn wide attention. Intrusion detection systems are an important branch and research focus of network security and a key technology and essential means for protecting networked systems. As intrusion techniques become more integrated and complex and the scale of intrusions keeps growing, the processing speed of network security devices still cannot meet demand; how to lower the false-positive and false-negative rates of intrusion detection systems and raise their interactivity and intelligence remain open research topics. Network-based intrusion detection systems (NIDS) are the current focus of intrusion detection research.
     With the development of artificial intelligence and Agent technology, Agents with a degree of autonomous reasoning and decision-making, and the multi-Agent systems composed of them, have become popular tools in networked application systems. A multi-Agent system is a distributed artificial intelligence method built on intelligent Agent technology. Research on applying multi-Agent technology to intrusion detection has already produced some results: it lets logically and physically dispersed detection components solve problems in parallel and in coordination, facilitates distributed processing, balances load across processors, and offers dynamic scalability and intelligence, markedly improving detection performance. The research and design of Agent-based distributed intrusion detection systems is one of the important directions in intelligent intrusion detection research today.
     The rule base describes the features of intrusion events and the corresponding response rules and drives the detection engine; it decides whether an intrusion detection system can detect intrusions effectively. The choice of representation for detection rules directly affects the ability to acquire rules and the efficiency of applying them, and is one of the most fundamental issues in intrusion detection systems. Research on and improvement of rule representation and rule-base construction for intrusion detection systems is therefore of real value.
     Building on a detailed analysis of the current state of domestic and foreign research on multi-Agent-based intrusion detection systems, this thesis studies the construction of the rule base for a NIDS. The main work covers the following aspects:
     1. Using knowledge engineering and object-oriented methods, an object-oriented attack knowledge representation model is proposed and implemented in Java. A network attack event is treated as a knowledge object, attacks with similar properties are grouped into an attack class, and the abstract structure, method set and rule set of an attack knowledge object are defined.
     2. A rule description language based on knowledge engineering methods is defined for the structured description of detection rules, with detailed designs for the rule header, rule protocol, rule options and data structures; the language is simple, flexible and efficient.
     3. Based on an analysis of the functional characteristics of the NIDS model and the basic features of protocol packets, feature extraction and detection rule representation are planned for the different packet types; complex features are generated from the basic extracted features, allowing intrusion behaviour to be detected comprehensively.
     4. The functions of the various Agents in the multi-Agent intrusion detection system and the relationships among them are assigned, and the rule-related Agents are designed in detail.
     5. Definitions and inference rules for simple attack events and correlated attack events are implemented in table form; using a script storage scheme, a description syntax is designed for single-behaviour attack events based on data patterns and for correlated behaviour events based on statistics and correlation.
     6. Taking the object-oriented knowledge representation model as the basis and incorporating the idea of a layered rule base, the thesis discusses how to implement the NIDS rule base and update it automatically, and gives a feasible implementation scheme.
     The attack knowledge representation model proposed in the thesis can describe complex attack knowledge such as combined and distributed attacks correctly and effectively; the rule-base model and implementation scheme embody a sound knowledge management mechanism and offer high detection efficiency and self-adaptation, and are intended to serve as a reference for making network intrusion detection systems more intelligent.