Research on Machine-Learning-Based Web Security Detection Methods
Abstract
In recent years, with the rapid growth of Web (World Wide Web) applications and their inherent advantage of not being restricted by firewalls, more and more traditional applications have been converted into Web applications. The spread of the Web has also brought an explosion of attacks aimed at it. Intrusion detection is the main means of defending against attacks, but traditional misuse detection, which manually encodes the features of every attack into rules and checks them one by one, struggles to keep up with the rapidly growing number of attack types and has shown clear drawbacks. The anomaly detection approach, which builds a model of normal behaviour and treats behaviour that deviates from that model as an attack, has gradually shown its advantages and is receiving increasing attention. This approach assumes that anomalous attack behaviour and normal access behaviour differ substantially in their behavioural patterns, and that normal behaviour patterns are relatively stable and easy to learn. It usually adopts models and algorithms from machine learning and data mining to build the model of normal behaviour and the detection method; its advantage is that it can deal effectively with new, unknown attacks. Following this line of thought, this dissertation studies machine-learning-based Web intrusion detection from several angles.
     This dissertation proposes a grammar-based detection model built on hidden Markov models (HMMs). An HMM is well suited to describing a regular grammar; the grammar model expressed as an HMM uses the degree to which a sample matches the grammar as the measure separating normal from anomalous behaviour, and can learn normal access behaviour effectively. Combined with the Bayesian maximum a posteriori principle, the algorithm gives an optimality criterion for generalizing the model, so that the grammar model recognizes not only the samples in the training set but also other normal samples that resemble them.
     The HMM grammar detection model has a very high model complexity, which leads to high computational complexity in both learning and detection. To address this problem, this dissertation proposes a detection method that replaces the HMM with a DFA (deterministic finite automaton). This greatly simplifies the grammar structure as well as the learning and generalization of the grammar. In addition, many detection models, the HMM included, need an extra classification strategy to make the final decision on a sample, whereas the DFA structure is both the grammar representation and an efficient classifier that can complete detection and classification on its own, which simplifies the detection mechanism. Experiments show that this model not only simplifies learning and detection and improves practical value, but also preserves the detection performance of the grammar model well.
     This dissertation also summarizes and compares grammar-based detection models. The main grammar models are analysed systematically in terms of system complexity, training/detection characteristics and the intrinsic relationships between models, and the analysis is verified experimentally.
     Based on the observations that anomalous access samples make up only a small fraction of total traffic and that normal samples cluster well, this dissertation proposes an unsupervised, clustering-based detection method. This method removes the laborious preparation of training samples: it clusters a sample set containing a mix of normal and anomalous samples directly into a normal class and an anomalous class. The algorithm also gives a clustering stopping criterion based on the minimum-error principle. Experimental results show that this method achieves good detection performance.
     Because attack types and forms are diverse and keep emerging, a single kind of detection model cannot effectively detect real network traffic that may contain several attack types. How to combine existing detection models to detect complex attack data more effectively has become a pressing problem. To address it, this dissertation proposes a multi-model fusion detection framework. The method projects the anomaly estimates of multiple models into a unified high-dimensional feature space and uses a mature SVM classifier to learn and classify samples. Experiments show that this not only improves detection performance but also extends the range of attack types that can be detected.
English abstract
In recent years the Web (World Wide Web) has boomed, in part because it is not restricted by common firewalls, which has driven the trend of porting most legacy applications to the form of a Web application. The popularization of the Web also has its dark side: it has made Web-based attacks the number one threat on the Internet. Intrusion detection is the main countermeasure against attacks; however, the widely adopted misuse detection, which encodes the features of every known attack into signatures, fails to handle the sharp increase in new attacks. Anomaly detection, which builds patterns of normal behaviour and detects attacks as significant deviations from those patterns, is becoming a promising alternative. This method usually adopts models and metrics from machine learning and data mining to build its detection model and procedure, and it is known for being able to detect new, unknown attacks.
     A hidden-Markov-model-based grammar model is presented in this dissertation. Hidden Markov models have successfully addressed applications such as speech recognition and handwriting recognition, and they have also proved to be good candidates for representing a regular grammar. The HMM-based grammar model effectively encodes the grammar of normal requests, and the similarity of a sample to the model is an appropriate measure for evaluating anomaly. A Bayesian maximum a posteriori principle controls the generalization process, ensuring neither over-generalization nor under-generalization of the grammar.
     As the HMM-based grammar model is troubled by structural complexity and by the computational complexity of learning, a DFA (deterministic finite automaton) model is proposed to replace the HMM as the grammar representation. A DFA is much simpler than an HMM in both structural and computational complexity; moreover, it is itself a highly efficient classifier, which removes the need for an additional classification mechanism. The DFA proves not only to simplify learning and detection, which is paramount in practical use, but also to retain almost as good a detection performance as the HMM.
     This dissertation also summarizes and compares the most frequently cited grammar-based models. A systematic analysis is made of the inner connections between the models, and a comparative experiment is carried out on their advantages and disadvantages in terms of complexity, performance and special features.
     Most supervised learning methods are troubled by the design of the training phase and the laborious labelling of training samples, so their detection performance also relies heavily on how well the training is done. An unsupervised clustering-based method is proposed, which works under the premise that normal samples are highly similar to each other and dominate in number in a practical network stream where normal and abnormal samples are blended. A bottom-up agglomerative clustering process separates the largest cluster from the others; the largest cluster represents the normal samples and the remaining clusters the anomalies. A minimum-error principle is adopted to decide the optimal stopping criterion.
     A single detection model captures one aspect of attacks and can hardly cope with practical network streams containing various attack types. A multi-model detection framework is proposed that maps the anomaly probabilities of multiple models into a unified high-dimensional feature space and detects with a kernel-based SVM classifier. This framework not only enhances the detection performance but also exhibits impressive flexibility.
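The grammar-learning idea behind the HMM and DFA models described above, as an added example that is not the dissertation's code: it learns a DFA from a constructed set of normal request lines and uses that same automaton as the classifier, reporting the fraction of tokens matched as an anomaly score. The tokenization and the abstraction of parameter values into character classes are assumptions of this example, not details taken from the dissertation.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed training set of normal request lines (method + target).
NORMAL_REQUESTS = [
    "GET /index.php",
    "GET /news.php?id=12&cat=tech",
    "GET /news.php?id=5",
    "GET /search.php?q=firewall",
    "GET /search.php?q=web_security",
    "POST /login.php",
]


def value_class(value: str) -> str:
    """Generalization step (an assumption of this example): replace a concrete
    parameter value by its character class, so `id` is learned as 'a number'
    rather than as exactly "12" and unseen normal values still match."""
    if re.fullmatch(r"[0-9]+", value):
        return "NUM"
    if re.fullmatch(r"[A-Za-z]+", value):
        return "ALPHA"
    if re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return "ALNUM"
    return "OTHER"


def tokenize(request_line: str) -> list:
    """'GET /news.php?id=12&cat=tech' -> ['GET', '/news.php', 'id', 'NUM',
    'cat', 'ALPHA', '$']; the '$' end marker keeps a truncated request
    from being accepted as a prefix of a normal one."""
    method, _, target = request_line.partition(" ")
    parts = urlsplit(target)
    tokens = [method, parts.path]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        tokens += [name, value_class(value)]
    tokens.append("$")
    return tokens


class RequestDFA:
    """Prefix-tree acceptor over request tokens. The automaton is both the
    learned grammar and the classifier: a request is normal iff the DFA
    consumes every token, so no separate decision rule is needed."""

    def __init__(self):
        self.trans = {0: {}}  # state -> {token: next_state}; 0 is the start

    def learn(self, request_line: str) -> None:
        state = 0
        for tok in tokenize(request_line):
            nxt = self.trans[state].get(tok)
            if nxt is None:  # token unseen in this context: grow the automaton
                nxt = len(self.trans)
                self.trans[nxt] = {}
                self.trans[state][tok] = nxt
            state = nxt

    def score(self, request_line: str) -> tuple:
        """Return (accepted, match_ratio). match_ratio is the fraction of
        tokens consumed before the DFA got stuck: a DFA counterpart of the
        grammar-match degree the HMM model uses as its anomaly measure."""
        tokens = tokenize(request_line)
        state, consumed = 0, 0
        for tok in tokens:
            nxt = self.trans[state].get(tok)
            if nxt is None:
                return False, consumed / len(tokens)
            state, consumed = nxt, consumed + 1
        return True, 1.0


def train(samples) -> RequestDFA:
    dfa = RequestDFA()
    for line in samples:
        dfa.learn(line)
    return dfa


if __name__ == "__main__":
    dfa = train(NORMAL_REQUESTS)
    for req in ("GET /news.php?id=7&cat=sports", "GET /news.php?id=abc",
                "GET /news.php?id=12&cat=tech&debug=1", "GET /admin.php"):
        ok, ratio = dfa.score(req)
        print(f"{'normal ' if ok else 'ANOMALY'} match={ratio:.2f}  {req}")
```

Because the automaton is a plain prefix tree, a parameter combination never seen in training is rejected even when each parameter was seen on its own; that strictness is exactly what the generalization criteria discussed in the abstract are meant to tune.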

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号
