Research on Key Technologies of Malicious Code in Communication Networks and Its Emergency Response
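Abstract
The shift of communication network services to data, of network technology to IP packet switching, and of network access to wireless, together with the gradual opening of networks and continuing network convergence, has become the mainstream direction of communication network evolution. As communication networks develop rapidly and become increasingly open, network security problems have become more and more prominent. Starting from service-layer, control-layer, transport-layer and access-layer security, this thesis studies in depth and systematically the security properties and security risks of communication networks at each layer, proposes a technical framework for communication network malicious code, and solves the key technical problems involved in the complete handling process of emergency response to communication network malicious code. The main contributions of the research are the following five: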
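     (1) A technical framework for communication network malicious code and emergency response
     Building on a summary of communication network security risks and the development trends of key malicious code technologies, this thesis designs and implements a communication network malicious code attack platform that aims to strengthen the combined destructive effect of malicious code, improve its propagation mechanisms, and make its attack behaviour intelligent, and applies it to the softswitch technology of communication networks. The destructive effect of malicious code is the core of the implementation, and malicious code is realized through atomic functions; the thesis mainly describes part of the malicious code designed and implemented by the author, including shellcode design, heap-based overflow attack techniques, format string attack techniques, kernel intrusion hiding techniques, techniques for countering antivirus software, and SIP sniffing and denial-of-service techniques. The platform is also suitable for testing the functionality and performance of a malicious code emergency response system.
     On the other hand, based on the analysis of the key technical problems of malicious code attacks and targeting the communication network environment, the thesis proposes a technical framework for emergency response to communication network malicious code. It aims to build an overall architecture for malicious code prevention, to propose effective detection and defence techniques and means against communication network malicious code, to study malicious code immunization techniques, and to give a reasonable theoretical assessment and evaluation of the attack and defence effects of malicious code.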
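     (2) New methods for static and dynamic detection of malicious code
     For static analysis, the thesis proposes an automatic static sample detection technique based on the spatial relation features of unknown malicious code samples. It exploits the distinctive "texture" features of the spatial relations among malicious code characters and, using an intelligent blocking algorithm based on region growing, partitions a malicious code sample into spatial relation regions; for each region it extracts spatial relation features of the sample such as character moments, information entropy and correlation coefficients; and it detects unknown malicious code with a similarity-first matching method that combines multiple features.
     For dynamic analysis, the thesis proposes a malicious code analysis technique based on self-similarity. Several self-similarity methods, including the rescaled range (R/S) analysis algorithm, the regression variance algorithm and the Higuchi algorithm, are compared in order to verify that the dynamic behaviour of malicious code does exhibit self-similarity. On this basis, it proposes a joint dynamic detection technique based on fuzzy recognition and support vector machines: system call sequences are scanned for matching generating elements, and a preliminary fuzzy recognition result is obtained by a weighted average over the distances of the generating elements; then, for suspicious programs, a layer-based multi-attribute support vector machine analysis decomposes the quantified API system call sequences into attributes, and finally the Hamming distance over multiple dynamic behaviour attributes is used to confirm the malicious behaviour and the type of malicious code it belongs to.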
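     (3) A quantitative evaluation method for malicious code based on a synthetic entropy method
     Building on a summary of the attack means, attack targets, attack steps and attack indicators of communication network malicious code, the thesis combines traffic-based determination with system-indicator-based determination and proposes joining cross entropy with network feature entropy to construct a design scheme for evaluating the effect of malicious code network attacks. Relevant indicators are collected in real time and the differences between indicators of different types are balanced; the cross entropy method provides adaptive estimation, the network feature entropy describes the attack precisely, and feedback correction is applied using the results of multiple evaluations. This synthetic entropy calculation makes the presence of a network attack directly visible, quantifies the effect of the attack, and can accurately locate the start and end times of the attack.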
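     (4) An immune model and improved algorithm for communication network malicious code
     The last part of emergency response is malicious code immunization. The thesis designs and implements a new framework for the malicious code immune mechanism consisting of four interrelated components: an immune information collection program, an immune information filtering program, an immune information discrimination program, and an immune response program. To address the problem that signal misclassification in current immune algorithms greatly affects detection accuracy, it proposes a dendritic cell immune algorithm for network malicious code based on a fuzzy weighted support vector machine, which applies fuzzy clustering to signals and antigens, reduces the number of immune strategies and shortens the immune response time, thereby improving the efficiency and performance of the immune system. In addition, an imbalanced support vector machine is used to filter the output affinity values, keeping only the most important feature values so that the immune response program can optimize its decision processing, thereby optimizing the output of malicious code immunization.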
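     (5) Design and implementation of a prototype system for malicious code and its emergency response
     To validate the proposed key technologies for communication network malicious code and emergency response, a prototype system for malicious code and emergency response was designed and implemented. For the malicious code prototype system, five stages are described in detail: building and testing the softswitch platform, preparing the worm and web-page Trojan, formulating the attack strategy, carrying out the malicious code damage, and malicious code attack feedback. For the emergency response prototype system, five stages are described: monitoring of suspicious programs, static detection of malicious code, dynamic detection of malicious code, malicious code damage assessment, and malicious code immunization.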
The digitization of communication network services, IP packetization of network technology, wireless network access, the gradual opening up of networks, and continuous network convergence have become the mainstream direction of communication network evolution. With the rapid development and increasing openness of communication networks, network security issues are becoming increasingly prominent. The thesis summarizes the potential security threats in communication networks from four aspects: service layer security, control layer security, transmission layer security, and access layer security. It elaborates a technical framework for communication network malicious code, and furthermore addresses the key technical issues involved in the complete disposal process of malicious code emergency response in communication networks. The main contributions of the research work include the following five aspects:
     (1) It proposes the technology framework of communication network malicious code as well as emergency response.
     The thesis summarizes the security risks of communication networks and the development trends of malicious code. It designs and implements a communication network malicious code attack platform, which aims to enhance the destructive effect of malicious code, to improve its spreading mechanisms, and to make its attacks intelligent, and which is applied to the softswitch technology used in communication networks. The destructive effect of the malicious code is regarded as the core, and malicious code is implemented through atomic functions. The thesis focuses on the following malicious code: the design of shellcode, heap-based overflow attacks, format string attack techniques, kernel intrusion hiding technology, antivirus software countering technology, and SIP sniffing and DoS technology. The platform can also be used to test the functionality and performance of the emergency response system.
     Based on the analysis of the key technical issues of malicious code attacks and oriented to the communication network environment, it proposes a framework for communication network malicious code emergency response, which aims to build the overall architecture of malicious code prevention, to develop effective technologies and means for detecting and preventing communication network malicious code, to research malicious code immune technology, and to reasonably assess and evaluate malicious code attack and defence effects.
     (2) It proposes new methods of malicious code static and dynamic detection.
     As the static analysis method, it proposes automatic detection of unknown malicious code based on space relevance features. According to the quantitative feature vectors of the character space, malicious code samples are divided into space relevance blocks by an intelligent region growing segmentation algorithm. In each block of a malicious code sample, the spatial relations of character moment, information entropy, and correlation coefficient are calculated, the feature vectors are extracted, and the values are normalized. Reference spatial relational feature vectors are then established by analysing the general spatial properties of malicious code samples, and a similarity preferred matching algorithm based on comprehensive analysis of multiple features is adopted to identify the type to which unknown malicious code belongs. As the dynamic analysis method, it introduces self-similarity into the dynamic analysis of malicious code processes, computes the Hurst index of each series using the R/S method, the aggregated variance method and the Higuchi method, and matches the similarity of malicious programs of the same type. It concludes that malicious programs differ from normal programs in how they call API functions and that malicious programs of the same type are self-similar, so that malicious programs can be identified dynamically. Moreover, it proposes Rootkit dynamic detection based on fuzzy pattern recognition and support vector machine technology. It forms feature vectors by counting the importance of the generating elements of system call series, and reaches the fuzzy pattern recognition conclusion with the weighted averaging method. Then it precisely identifies the type of Rootkit malicious code with a layered multi-attribute support vector machine analysis method. Finally, it determines the dynamic behaviour properties by calculating the Hamming distance.
     (3) It proposes malicious code attack evaluation based on synthetic entropy method.
     It combines the cross entropy and network character entropy methods and proposes a design scheme to evaluate the effect of malicious code attacks. It captures the related indicators in real time and normalizes the data so that they can be evaluated at the same level; it then adopts the cross entropy method to preprocess the indicators adaptively; furthermore, it calculates the weight coefficients and uses the network character entropy method to evaluate the attack accurately according to the importance of the indicators in the evaluation system. It then carries out follow-up assessment feedback based on the previous network attack assessment. It concludes that the network character entropy method makes it possible not only to visually recognize the presence of network attacks and determine their effect, but also to accurately locate their beginning and end times.
     (4) It proposes immune model and algorithm improvements of communication network malicious code.
     It implements a network malicious code immune model. The malicious code immunization program is mainly composed of four major components: an immune information collection program, an immune information filtering and processing program, an immune information discrimination program, and an immune response program. Because incorrect classification of signals significantly affects the detection accuracy of current immune algorithms, it proposes a network malicious code dendritic cell immune algorithm based on a fuzzy weighted support vector machine. It introduces the fuzzy weighted support vector machine clustering method into the proposed immune algorithm, so as to bring down the number of immunization strategies and reduce the immune response time, and as a result it improves the efficiency and performance of the immune system. In addition, an imbalanced support vector machine is applied to optimize the output results of the malicious code immunization program, and uncertain malicious code immune outputs are removed. As a result, it facilitates precise determination of the time at which the immune response emerges.
     (5) It designs and implements prototype system of malicious code and emergency response.
     In order to verify the communication network malicious code and emergency response technology, the prototype system is implemented. The malicious code prototype system involves five steps: setting up the softswitch platform, preparatory work for worms and webpage Trojan horses, formulation of the attack strategy, execution of the malicious code, and feedback on malicious code attacks. The emergency response prototype system covers monitoring of suspicious programs, static and dynamic detection of malicious code, malicious code damage assessment, and the malicious code immune process.
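Contribution (3) says that combining cross entropy with network feature entropy can locate the start and end of an attack. The sketch below is an added example, not code or formulas from the thesis: it scores each time window by cross entropy against a baseline minus the window's own feature entropy (the KL divergence) and merges flagged windows into intervals. The feature (source address of SIP requests), the window width, the threshold, the smoothing and the sample traffic are all assumptions made for illustration.

```python
import math
from collections import Counter


def shannon_entropy(counts):
    """Feature entropy H(p) in bits for one window's value counts."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def cross_entropy(window, baseline, alpha=1.0):
    """H(p, q) in bits: p is the window, q the Laplace-smoothed baseline.

    Smoothing (an assumption of this example) keeps q(x) > 0 for values
    never seen in the baseline, so a new source gives a large finite score.
    """
    support = set(window) | set(baseline)
    p_total = sum(window.values())
    q_total = sum(baseline.values()) + alpha * len(support)
    h = 0.0
    for value, count in window.items():
        if count:
            q = (baseline.get(value, 0) + alpha) / q_total
            h -= count / p_total * math.log2(q)
    return h


def divergence_score(window, baseline):
    """Cross entropy minus feature entropy, i.e. KL(window || baseline).

    It rises both when traffic concentrates on one known source (H(p) drops)
    and when unseen sources appear (H(p, q) rises).
    """
    return cross_entropy(window, baseline) - shannon_entropy(window)


def window_counts(events, width):
    """Group (timestamp, feature_value) events into fixed-width windows."""
    wins = {}
    for ts, value in events:
        start = int(ts // width) * width
        wins.setdefault(start, Counter())[value] += 1
    return dict(sorted(wins.items()))


def locate_attack_intervals(events, width, baseline_windows, threshold):
    """Return [(start, end)] for runs of windows whose score exceeds threshold.

    The first `baseline_windows` windows are assumed clean and pooled into
    the reference distribution; they are not scored themselves.
    """
    wins = window_counts(events, width)
    starts = list(wins)
    if baseline_windows < 1 or len(starts) <= baseline_windows:
        raise ValueError("need a baseline window and at least one window to score")
    baseline = Counter()
    for start in starts[:baseline_windows]:
        baseline.update(wins[start])
    intervals = []
    for start in starts[baseline_windows:]:
        if divergence_score(wins[start], baseline) <= threshold:
            continue
        if intervals and intervals[-1][1] == start:
            # Adjacent flagged window: extend the current interval.
            intervals[-1] = (intervals[-1][0], start + width)
        else:
            intervals.append((start, start + width))
    return intervals


def build_sample_events():
    """Constructed traffic: 100 s of SIP requests from four sources, plus a
    flood from one extra source (documentation address) between 50 s and 80 s."""
    sources = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    events = []
    for start in range(0, 100, 10):
        events += [(start + i * 0.5, sources[i % 4]) for i in range(20)]
        if 50 <= start < 80:
            events += [(start + j * 10 / 60, "192.0.2.66") for j in range(60)]
    return events


if __name__ == "__main__":
    # Width 10 s, first 3 windows as baseline, threshold 0.5 bits (assumed).
    print(locate_attack_intervals(build_sample_events(), 10, 3, 0.5))
```

On live data the baseline would need periodic refreshing and the threshold would be tuned against the score's variation on clean traffic.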
    [154] Kroese D P, Rubinstein R Y, Glynn P W. The Cross-Entropy Method for Estimation[EB/OL].2010[2012-3-25]. http://www.maths.uq.edu.au/~kroese/ps/CEest.pdf.
    [155] De Boer P T, Kroese D P, Mannor S, et al. A tutorial on the cross-entropy method[J]. Annals Of OperationsResearch.2005,134(1):19-67.
    [156] Mannor S, Rubinstein R, Gat Y. The cross entropy method for fast policy search[A]. Proceedings of theTwentieth International Conference on Machine Learning (ICML-2003), August21-24,2003, Washington DC,USA[C]. AAAI Press,2003:512-519.
    [157] Maher M, Liu R, Ngoduy D. Signal optimisation using the cross entropy method[J]. TransportationResearch Part C: Emerging Technologies.2011,19(6):1-13.
    [158] Ho S L, Yang S. The cross-entropy method and its application to inverse problems[J]. Magnetics, IEEETransactions on.2010,46(8):3401-3404.
    [159]周泓,邱月.交叉熵算法在企业违约风险评估中的应用研究[J].计算机工程与应用.2009,44(20):13-16.
    [160] Celenk M, Conley T, Willis J, et al. Anomaly detection and visualization using Fisher discriminantclustering of network entropy[A]. Proc. IEEE Third Int. Conf. Digital Information Management (ICDIM2008),August24-29,2008, Aracaju, SE, Brazil[C]. Piscataway, NJ: IEEE,2008:216-220.
    [161] Ji L, Bing-Hong W, Wen-Xu W, et al. Network entropy based on topology configuration and itscomputation to random networks[J]. Chinese Physics Letters.2008,25(11):4177-4180.
    [162] Kroese D P, Rubinstein R Y, Taimre T. Application of the cross-entropy method to clustering and vectorquantization[J]. Journal Of Global Optimization.2007,37(1):137-157.
    [163] Rubinstein R Y, Kroese D P. The cross-entropy method: a unified approach to combinatorial optimization,Monte-Carlo simulation, and machine learning[M]. German: Springer-Verlag Press,2004.
    [164] Rao C R. Entropy and cross entropy: Characterizations and applications[J]. The Legacy of AlladiRamakrishnan in the Mathematical Sciences.2010,3(1):359-367.
    [165] Zhang Y R, Xian M, Wang G Y. A quantitative evaluation technique of attack effect of computer networkbased on network entropy[J]. Journal of China Institute of.2002,25(11):158-165.
    [166] Wagner A, Plattner B. Entropy based worm and anomaly detection in fast IP networks[A].14th IEEEInternational Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, June13-152005,Link ping, Sweden[C]. Piscataway, NJ: IEEE,2005:172-177.
    [167] Quan Q, Hong-Yi C, Rui Z. Entropy Based Method for Network Anomaly Detection[A].15th IEEE PacificRim International Symposium on Dependable Computing,16-18Nov.2009, Shanghai, China[C]. Piscataway, NJ:IEEE,2009:189-191.
    [168] Riihijarvi J, Wellens M, Mahonen P. Measuring complexity and predictability in networks with multiscaleentropy analysis[A]. Proceedings IEEE INFOCOM, April19-252009, Arizona State University, US[C].Piscataway, NJ: IEEE,2009:1107-1115.
    [169] Bezdek J C, Ehrlich R. FCM: The fuzzy c-means clustering algorithm[J]. Computers&Geosciences.1984,10(2-3):191-203.
    [170] Mahfouz M A, Ismail M A. Fuzzy relatives of the CLARANS algorithm with application to textclustering[J]. World Academy of Science, Engineering and Technology.2009,49(1):334-341.
    [171] Costa A, Jones O D, Kroese D. Convergence properties of the cross-entropy method for discreteoptimization[J]. Operations Research Letters.2007,35(5):573-580.
    [172] Markou M, Singh S. Novelty detection: a review-art2:: neural network based approaches[J]. SignalProcessing.2003,83(12):2499-2521.
    [173] Mahfouz M A, Ismail M A. Fuzzy relatives of the CLARANS algorithm with application to textclustering[A]. Proceedings of World Academy of Science, Engineering and Technology, Jan2009, France[C].2009:334-341.
    [174] Mokhtar M, Bi R, Timmis J, et al. A modified dendritic cell algorithm for on-line error detection in roboticsystems[A]. IEEE Congress on Evolutionary Computation (IEEE CEC2009), Trondheim, Norway. May18-21,2009[C]. Piscataway, NJ: IEEE,2009:2055-2062.
    [175] Abdulla S M, Zakaria O. Devising a Biological Model to Detect Polymorphic Computer Viruses ArtificialImmune System (AIM): Review[A].2009International Conference on Computer Technology and Development(ICCTD2009), Kota Kinabalu, Malaysia,2009November13-15th[C]. Piscataway, NJ: IEEE,2009:300-304.
    [176] Kim J, Bentley P J, Aickelin U, et al. Immune system approaches to intrusion detection-a review [J].Natural computing.2007,6(4):413-466.
    [177] Aickelin U, Bentley P, Cayzer S, et al. Danger theory: The link between AIS and IDS?[A]. SecondInternational Conference on Artificial Immune Systems, ICARIS2003, September1-3,2003, Edinburgh, UK[C].Lecture Notes in Computer Science2787Springer,2003:147-155.
    [178] Dasgupta D. Advances in artificial immune systems[J]. Computational Intelligence Magazine, IEEE.2006,1(4):40-49.
    [179] Twycross J, Aickelin U. Towards a conceptual framework for innate immunity[A]. Artificial ImmuneSystems4th International Conference, ICARIS2005, Proceedings of Lecture Notes in Computer Science3627,August14-17,2005, Banff, Alberta, Canada[C]. Lecture Notes in Computer Science3627Springer,2005:112-125.
    [180] Aarntzen E H J G, Figdor C G, Adema G J, et al. Dendritic cell vaccination and immune monitoring[J].Cancer Immunology, Immunotherapy.2008,57(10):1559-1568.
    [181] Al-Hammadi Y, Aickelin U, Greensmith J. Dca for bot detection[A]. IEEE World Congress onComputational Intelligence (WCCI2008), June2-6,2008, Hong Kong, China[C]. Piscataway, NJ: IEEE,2008:1807-1816.
    [182] Luo L K, Peng H, Zhang Q S, et al. A comparison of strategies for unbalance sample distribution in supportvector machine[A]. IST IEEE Conference on2006Industrial Electronics and Applications Industrial Electronicsand Applications,2006, May24-26,2006, Singapore[C]. Piscataway, NJ: IEEE,2006:1-5.
    [183] Stibor T, Oates R, Kendall G, et al. Geometrical insights into the dendritic cell algorithm[A]. Proceedings ofthe11th Annual conference on Genetic and evolutionary computation, Shanghai, China. June12-14,2009[C].ACM New York, NY, USA,2009:1275-1282.
    [184] Twycross J, Aickelin U. Towards a conceptual framework for innate immunity[A]. Proceedings of4thInternational Conference, ICARIS2005, Banff, Alberta, Canada, August14-17,2005[C]. Artificial ImmuneSystemsLecture Notes in Computer Science Volume3627,2005:112-125.
    [185] Takeuchi O, Akira S. Innate immunity to virus infection[J]. Immunological Reviews.2009,227(1):75-86.
    [186] Kim J, Greensmith J, Twycross J, et al. Malicious code execution detection and response immune systeminspired by the danger theory[A]. Proceedings of Adaptive and Resilient Computing Security Workshop(ARCS-05), March14–17, Innsbruck, Austria[C]. Universit t Karlsruhe,2010:1-4.
    [187] Meng Q, Zhao W. Study on fault diagnosis algorithm based on artificial immune danger theory[A].International Conference on Mechanic Automation and Control Engineering (MACE), June26-28,2010, Wuhan,China [C]. Piscataway, NJ: IEEE Computer Society,2010:5997-6000.
    [188] Aickelin U, Cayzer S. The danger theory and its application to artificial immune systems[A]. Proceedings ofthe1st Internet Conference on Artificial Immune Systems (ICARIS-2002), Nov242008, Canterbury, UK[C].Unversity of Kent at Canterbury Printing Unit,2008:141-148.
    [189] Matzinger P. The Real Function of the Immune System or Tolerance and Four D's (Danger, Death,Destruction and Distress)[EB/OL].2004[2012-3-25]. http://cmmg.biosci.wayne.edu/asg/polly.html.
    [190] Shilton A, Lai D T H. Iterative fuzzy support vector machine classification[A]. IEEE International FuzzySystems Conference, July23-262007, London, UK[C]. Piscataway, NJ: IEEE,2007:1391-1396.
    [191]杨志民,刘广利.不确定性支持向量机原理及应用[M].科学出版社,2007.
    [192] Chang C C, Lin C J. LIBSVM: a library for support vector machines[J]. ACM Transactions on IntelligentSystems and Technology (TIST).2011,2(3):27.
    [193] Yuanhong D, Hongchang C, Tao P. Cost-sensitive Support Vector Machine based on weighted attribute[A].International Forum on Information Technology and Applications,2009, Chengdu, China,15-17May2009[C].Piscataway, NJ: IEEE,2009:690-692.
    [194] Greensmith J. The dendritic cell algorithm[D]. University of Nottingham,2007.
    [195] Twycross J, Aickelin U. Libtissue-implementing innate immunity[A]. IEEE Congress on EvolutionaryComputation, July16-212006, Sheraton Vancouver Wall Centre, Vancouver, BC, Canada[C]. Piscataway, NJ:IEEE,2006:499-506.
    [196] Kaspersky. Kaspersky Lab: Antivirus software[EB/OL].2011[2012-3-25]. http://www.kaspersky.com/.
