Research on Network Security Threat Situation Assessment and Analysis Methods
Abstract
In the face of an increasingly severe network security situation, traditional security detection and protection measures can no longer meet the demands of current network security management. Network situation awareness and security assessment, as a new means of security management, is an important research direction in the security field. Its goal is to fuse the information from existing security devices, extract security elements, assess and predict network attack threats and the real-time security state, and provide a scientific basis for network security planning and the formulation of management policies.
Current network security and threat situation assessment techniques still have many problems. For example: the alert false-positive rate is high, which degrades assessment quality; assessment models have no unified standard, and the relationships among security elements are confused; static assessment methods dominate, making it hard to perceive threats dynamically; and heavy reliance on expert knowledge leaves assessment indicators poorly quantified.
This dissertation proposes a threat-awareness method based on alert analysis. Building on an analysis of the heavy-tailed distribution of alerts, a time-series model of alert data is established. Spectral analysis of the alert sequence shows that it can be decomposed into a major part and a residual part: the former changes slowly and follows a persistent pattern, reflecting the essential characteristics of the alert sequence, while the latter reflects anomalies and is the key evidence for threat awareness. An anomaly detection method for alert sequences based on spectral decomposition is proposed. It uses sliding windows: a baseline window builds the essential structure of the sequence, a detection window is used to judge anomalies, and the anomaly distance between the two is the detection criterion. Because sliding the baseline window requires re-running the spectral decomposition and recomputing, which hurts efficiency, an incremental update method for the main structure of the baseline sequence is adopted, reducing the time cost of rebuilding the baseline sequence. The method does not assume periodicity, trend or stationarity of the alert sequence; it relies on the sequence's essential regularity and can adapt to structural changes in the sequence. Comparative experiments show an anomaly detection rate above 92%; while removing large numbers of false positives, the method can also effectively perceive threats hidden among the false alerts.
A quantitative network threat situation assessment method based on information fusion is proposed. Based on an analysis of the relationships among threat elements (security event to security event, security event to vulnerability, and security event to asset environment), a threat situation assessment model that correlates and fuses multiple elements is constructed. The model consists of three parts: threat degree, threat severity and asset value. Threat degree describes the probability that an attack succeeds, threat severity describes how much damage an attack causes, and asset value reflects the loss the attack inflicts on the asset. By mining the spatial and temporal correlations among alerts, alert correlation patterns and correlation rules are established. The degree to which an alert matches the correlation rules is computed and fused with the result of matching the alert against environment information to obtain a quantified threat degree. A threat severity indicator system composed of alerts, vulnerabilities and service reliability is built; an indicator quantification method based on fuzzy membership functions is proposed, which solves the difficulty of quantifying and fusing abstract objects such as alerts and vulnerabilities, and fuzzy rules for computing threat severity are given. The whole assessment method takes alerts as its thread and the quantified threat-element indicators as its basis, fusing the indicator values step by step; the result is a real-time threat situation map of the assessed object. Experiments show that the method can dynamically quantify the threat status of a protected host or network and display the network threat situation intuitively, giving administrators an effective basis for locating the causes of security problems in time and adjusting security policies.
For threat situation prediction, a prediction method based on a combination forecasting model is proposed: multiple single forecasting models are combined so that they compensate for each other's weaknesses. The relationships among the models are established by a weight determination method based on information entropy. Experiments show that the combination forecasting model improves the accuracy of network threat situation prediction and raises the level of early warning.
A network threat situation analysis method based on attack graphs is proposed. Based on an analysis of how network threats propagate, an alert-based attack graph model is constructed. The model is a weighted directed graph built from the topology information in alerts: each IP address in the alerts is a node, each edge represents the alerts themselves, and the edge weight represents the degree of threat influence between the nodes. Nodes of the attack graph are potential threat propagation nodes, and paths of the attack graph correspond to potential threat propagation paths. A method for determining edge weights based on threat frequency is proposed, and an attack graph construction method is established. The most threatening node (edge) is identified as the one through which threats propagate most frequently, and on this basis the betweenness of the attack graph is introduced: the node (edge) betweenness is obtained by counting how many times each node (edge) appears in all shortest paths of the graph. Using the concept of an attack graph sequence, attack graph models are built for the alerts in different time periods. Threat nodes and threat paths are confirmed from how frequently high-betweenness nodes (edges) appear across the attack graph sequence, achieving the goal of macroscopic network threat situation analysis. The advantages of this alert attack graph threat situation analysis method are: 1) it dynamically reflects the actual network threat scenario; 2) attack graph generation and threat situation analysis are carried out automatically, reducing dependence on expert knowledge bases; 3) alert information is easy to obtain, so the method applies to a wide range of networks.
Facing an increasingly complex and severe network security environment, traditional security detection and protection methods can no longer satisfy the current demands of network security management. As a new approach to network security management, network situation awareness and security evaluation has become an important research area. Its goal is to fuse the information from existing security devices, extract security factors, evaluate and forecast attack threats and the security state, and provide scientific input for network security planning and the formulation of management strategies.
At present there are still many challenges in network security and threat situation awareness technology. For example, false-positive alerts lower the quality of evaluation data; evaluation models with no unified standard confuse the relations among security factors; static evaluation methods perform poorly at dynamic threat awareness; and heavy dependence on expert knowledge leaves the evaluation without quantification standards.
In this work, an alert-analysis-based threat awareness method is proposed. Based on an analysis of the heavy-tailed distribution of alerts, an alert sequence model is built. Spectral analysis of the alert sequence shows that it can be decomposed into a major part and a residual part. The former changes gently and has persistent characteristics, reflecting the essential nature of the alert sequence; anomalies occurring in the latter are the key evidence for threat awareness. The work proposes a spectrum-analysis-based anomaly detection approach for alert sequences that uses sliding windows: the basic window is used to construct the essential characteristics of the alert sequence, the detection window is used to monitor for anomalies, and the distance between them is taken as the detection criterion. To address the low efficiency caused by recalculating and reconstructing as the basic window slides, the work proposes an incremental update method that adopts new characteristics into the major part of the alert sequence, which decreases the corresponding time cost. The method does not take periodicity, trend or stationarity of the sequence as a premise, and is able to adapt to structural changes in the sequence. Comparative experiments show that the true positive rate reaches above 92%. The approach not only eliminates massive numbers of false alerts but also recognizes the true threats hidden in the alert noise.
An information-fusion-based quantitative network threat situation evaluation method is proposed. The relations between security incidents, between security incidents and vulnerabilities, and between security incidents and the asset environment are analyzed. On this basis a multi-factor correlation and fusion threat evaluation model is presented. The model is composed of three parts: threat degree, threat severity and asset value. Threat degree describes the probability of an attack succeeding, threat severity describes the destruction caused by an attack, and asset value reflects the loss caused by an attack. By mining the spatial and temporal relations among alerts, correlation patterns and rules are built. Combining the match degree between alerts and rules with that between alerts and environmental information gives the threat degree value. The factors of threat severity are alert severity, vulnerability and service availability. A series of fuzzy membership functions is defined for these factors, which resolves the problem of fusing alert information with vulnerability information, and fuzzy rules for calculating threat severity are presented. The method as a whole is a fusion process whose result is the threat situation value of the evaluated object. Experiments show that the approach can dynamically quantify the threat level of a protected host or network and display the network threat situation directly. The evaluation results support the search for the causes of security problems and the adjustment of security policies.
For threat situation forecasting, a combination forecast model is applied. By combining many single forecast models, the shortcomings residing in each of them are relieved. An information-entropy-based method for determining the relations among the models is applied. Experiments indicate that the combination forecast model improves the accuracy of network threat situation forecasting and raises the warning level.
The work also proposes an alert-attack-graph-based threat situation analysis method. Based on an analysis of threat propagation behaviour, the alert attack graph model is proposed. The model uses alert information to construct a weighted directed graph: the IP addresses in the alerts form the nodes of the graph, each edge of the graph represents the alerts themselves, and the weight of an edge indicates the threat impact between a pair of nodes. The nodes of the attack graph correspond to threat propagation nodes, and the paths of the attack graph correspond to threat propagation paths. Edge weights are determined by threat frequency, and an algorithm for constructing the attack graph is proposed. The most threatening node or edge is then the node or edge passed through most frequently by others, and the concept of betweenness centrality for attack graphs is defined accordingly. In addition, the concept of an attack graph sequence is proposed, in which an attack graph is constructed from the alert information within each of several time spans. Based on the frequency with which a node (edge) with high betweenness centrality occurs in the attack graph sequence, threat nodes (edges) can be identified, achieving the goal of macroscopic network threat situation analysis. The merits of the alert-attack-graph-based threat situation analysis method are: 1) it dynamically reflects the network threat scene; 2) the construction of the attack graph and the situation analysis process are carried out automatically, which reduces dependence on expert knowledge; 3) alert information can be easily obtained, so the method adapts to a broad range of networks.
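The sliding-window spectral anomaly detection described in both abstracts, as an added example that is not the dissertation's code: a pure-Python DFT stands in for the spectral decomposition, the baseline window decides which frequency bins form the major part, and a detection window's residual energy relative to the baseline's residual is the anomaly distance. The alert counts, the bin-selection rule, the threshold of 3 and the detector class are all assumptions of this example, and the incremental baseline update is not reproduced.

```python
import cmath
import math


def dft(x):
    """Naive O(N^2) discrete Fourier transform, pure Python so it runs without numpy."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def reconstruct(spectrum, keep):
    """Inverse DFT using only the kept bins: the 'major part' of the window."""
    n = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n) for k in keep).real / n
            for t in range(n)]


def major_bins(spectrum, m):
    """The m strongest frequencies of the baseline, each with its mirror bin."""
    n = len(spectrum)
    top = sorted(range(n // 2 + 1), key=lambda k: abs(spectrum[k]), reverse=True)[:m]
    keep = set()
    for k in top:
        keep.update({k, (n - k) % n})   # DC and Nyquist are their own mirror
    return sorted(keep)


def rms(values):
    return math.sqrt(sum(v * v for v in values) / len(values))


class SpectralDetector:
    """Baseline window -> essential structure (which bins matter, how much residual
    is normal).  A detection window is scored by how much energy it has outside
    those bins, relative to the baseline's own residual."""

    def __init__(self, baseline, m=2):
        self.n = len(baseline)
        spectrum = dft(baseline)
        self.keep = major_bins(spectrum, m)
        major = reconstruct(spectrum, self.keep)
        self.base_residual = max(rms([a - b for a, b in zip(baseline, major)]), 1e-9)

    def distance(self, window):
        """Anomaly distance: residual RMS of the window / residual RMS of the baseline."""
        if len(window) != self.n:
            raise ValueError("detection window must match the baseline length")
        residual = [a - b for a, b in zip(window, reconstruct(dft(window), self.keep))]
        return rms(residual) / self.base_residual

    def is_anomalous(self, window, threshold=3.0):
        return self.distance(window) > threshold


def sliding_scan(series, n, stride, threshold=3.0):
    """Slide a baseline window and the detection window that follows it over the
    series; returns (detection_start, distance, flagged) per step.  The baseline
    is rebuilt from scratch at every step (no incremental update here)."""
    out = []
    for start in range(0, len(series) - 2 * n + 1, stride):
        det = SpectralDetector(series[start:start + n])
        d = det.distance(series[start + n:start + 2 * n])
        out.append((start + n, d, d > threshold))
    return out


def synth_counts(length, phase=0, seed=1):
    """Constructed per-minute alert counts: a 12-step cycle plus deterministic noise."""
    counts, state = [], seed
    for t in range(length):
        state = (1103515245 * state + 12345) % (2 ** 31)   # small LCG, reproducible noise
        noise = ((state >> 16) % 200) / 100.0 - 1.0        # in [-1, 1)
        counts.append(20 + 10 * math.sin(2 * math.pi * (t + phase) / 12) + noise)
    return counts


BASELINE = synth_counts(48)                       # normal operation
NORMAL = synth_counts(48, phase=5, seed=7)         # same structure, other phase and noise
BURST = [c + (40 if 20 <= t < 23 else 0) for t, c in enumerate(NORMAL)]   # 3-minute spike
DETECTOR = SpectralDetector(BASELINE)

if __name__ == "__main__":
    print("normal window distance:", round(DETECTOR.distance(NORMAL), 2))
    print("burst window distance :", round(DETECTOR.distance(BURST), 2))
    for start, d, flag in sliding_scan(BASELINE + NORMAL + BURST, 48, 48):
        print(f"detection window at {start:3d}: distance {d:6.2f} anomalous={flag}")
```

Because the detection window is only compared against the bins the baseline found essential, a phase shift in the normal cycle does not raise the distance, while a short burst that lands outside those bins does.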
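The alert attack graph and its betweenness, as an added example that is not the dissertation's implementation: nodes are the alert IP addresses, edge weight is the alert frequency, node and edge betweenness count appearances on all shortest paths, and an attack graph sequence (one graph per time window) ranks the persistent threat nodes and paths. The alert stream uses documentation-range addresses and is constructed; the path cost 1/frequency (so frequent edges are short hops) and the top-1 ranking per window are assumptions.

```python
import heapq
from collections import defaultdict

# Constructed alert stream: (time_window, source_ip, destination_ip), reduced to the
# topology fields the graph needs.  Documentation-range addresses, not real hosts.
A, B, C, D, E = "192.0.2.10", "198.51.100.5", "198.51.100.6", "198.51.100.7", "192.0.2.20"
ALERTS = (
    [(0, A, B)] * 3 + [(0, B, C)] * 2 + [(0, B, D)] * 2 + [(0, A, C)]
    + [(1, A, B)] * 2 + [(1, B, C)] + [(1, E, B)]
    + [(2, A, B)] * 2 + [(2, B, C)] + [(2, B, D)]
)


def build_attack_graph(alerts):
    """Weighted directed graph: IPs are nodes, one edge per (src, dst) pair, and the
    weight is the threat frequency, i.e. how many alerts were seen on that edge."""
    freq = defaultdict(int)
    for _, src, dst in alerts:
        freq[(src, dst)] += 1
    adj = {}
    for (src, dst), w in freq.items():
        adj.setdefault(src, {})[dst] = w
        adj.setdefault(dst, {})
    return adj


def shortest_paths(adj, source):
    """Dijkstra with path cost 1/weight (assumption: a frequently used edge is a
    'short' hop), enumerating every shortest path so that ties are counted too."""
    dist, preds = {source: 0.0}, defaultdict(list)
    heap = [(0.0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in adj[u].items():
            nd = d + 1.0 / w
            if v not in dist or nd < dist[v] - 1e-12:
                dist[v], preds[v] = nd, [u]
                heapq.heappush(heap, (nd, v))
            elif abs(nd - dist[v]) <= 1e-12:
                preds[v].append(u)

    def walk(v):
        return [[source]] if v == source else [p + [v] for u in preds[v] for p in walk(u)]

    return {v: walk(v) for v in dist if v != source}


def betweenness(adj):
    """Node / edge betweenness as the abstract defines it: the number of times a
    node (edge) appears on any shortest path between any pair of nodes."""
    node_b, edge_b = defaultdict(int), defaultdict(int)
    for s in adj:
        for paths in shortest_paths(adj, s).values():
            for p in paths:
                for v in p[1:-1]:
                    node_b[v] += 1
                for a, b in zip(p, p[1:]):
                    edge_b[(a, b)] += 1
    return dict(node_b), dict(edge_b)


def threat_ranking(alerts, top=1):
    """Attack graph sequence: one graph per time window.  Count in how many windows
    each node / edge ranks among the `top` by betweenness; nodes and edges that stay
    high-betweenness across windows are the threat nodes and threat paths."""
    node_hits, edge_hits = defaultdict(int), defaultdict(int)
    for w in sorted({a[0] for a in alerts}):
        nb, eb = betweenness(build_attack_graph([a for a in alerts if a[0] == w]))
        for v in sorted(nb, key=nb.get, reverse=True)[:top]:
            node_hits[v] += 1
        for e in sorted(eb, key=eb.get, reverse=True)[:top]:
            edge_hits[e] += 1
    return dict(node_hits), dict(edge_hits)


if __name__ == "__main__":
    nodes, edges = threat_ranking(ALERTS)
    print("threat nodes (windows in top rank):", nodes)
    print("threat paths (windows in top rank):", edges)
```

In the constructed stream the host 198.51.100.5 sits on every shortest path in all three windows, so it is reported as the propagation node, while the direct low-frequency edge 192.0.2.10 -> 198.51.100.6 never lies on a shortest path and gets no betweenness at all.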