High-Speed Network Intrusion Detection and Prevention
Abstract
As network security problems grow more serious, intrusion detection systems (IDS) and intrusion prevention systems (IPS) have become key components of computer security. However, the development and spread of high-speed networking technology pose severe challenges to the application of IDS and IPS.
     This thesis studies intrusion detection and intrusion prevention in high-speed network environments. The main work covers the following four aspects:
     1. A network intrusion prevention prototype system, DXIPS, is designed and implemented. The system provides real-time, active protection, can effectively block attacks, supports fairly flexible deployment policies for different application environments, and scales well.
     2. Statistical sampling techniques are introduced into the data collection process of IDS/IPS, and a sampling-based data collection model is proposed. Experimental results show that the model improves the processing performance of network IDS/IPS and is also of some reference value for resisting flooding denial-of-service attacks.
     3. A scalable FPGA-based traffic sampling platform for intrusion detection/prevention, STAMP, is proposed. The platform provides a fairly effective network data source for IDS/IPS detection, allows the sampling policy to be adjusted flexibly, and supports future Tbps high-speed networks.
     4. The concept of trusted communication is introduced, and an XML-based trusted communication protocol is designed and implemented. The protocol can be extended to support a variety of network security products (firewalls, IDS, IPS, etc.) and network management devices, and is of reference value for fusing data between such devices and detecting complex distributed network attacks.
With the development of the Internet, the world economy has become deeply interconnected. A nation is like a huge networked computer, and computer networks have become the foundation and lifeline of a nation's economy. As society increasingly relies on network infrastructure, network security is deteriorating seriously. Traditional security policies and mechanisms (such as authentication, cryptography and firewalls) have great difficulty preventing network attacks, and the Intrusion Detection System (IDS) has become an important component of a network's security system. However, IDSs are fundamentally passive and fail-open: because their primary task is classification, they do nothing to prevent an attack from succeeding. An Intrusion Prevention System (IPS) integrates a traditional firewall with an IDS and provides the capability to stop attacks. But IDS/IPS cannot keep pace with the development of high-speed networking technology. Especially in large-scale high-speed networks, the incoming packet rate heavily exceeds the processing capability of the IDS/IPS, which leads to packet drops. The performance of the IDS/IPS is seriously compromised, which may cause the system itself to fail.
     In this thesis, we investigate intrusion detection and intrusion prevention in high-speed networks. The main research work is as follows:
     1. Based on a survey of recent trends in network security techniques such as firewalls and IDS, we propose an intrusion prevention scheme based on the correlation between an IDS and a firewall. The scheme compensates for the fundamental flaws of each: it provides real-time, active prevention and attempts to stop attacks, which helps legitimate network traffic pass normally. We present the design and implementation of a prototype network IPS, DXIPS, built on the correlation between Snort_inline and Netfilter configured through iptables. The system's hierarchical architecture comprises an intrusion prevention layer, a server layer and a control layer: the intrusion prevention layer monitors traversing traffic and performs intrusion detection and prevention; the server layer collects log data and translates it into readable formats; the control layer is the administrative console and displays the data. The system is designed modularly, with an intrusion prevention module, a log recording module, a central control module and a communication module, and the concrete implementation of each module is presented. Deployment policies are discussed for various application environments. Netfilter is the firewall built into the Linux kernel and belongs to the latest, fifth generation of firewalls; it can filter malicious packets directly in the kernel TCP/IP stack, which improves response performance. Moreover, DXIPS offers better scalability across various application environments.
     2. The data collection mechanism is a key factor affecting the performance of IDS/IPS. Most current products perform per-packet detection. However, with the development and spread of high-speed networking technology, the application of IDS/IPS faces serious challenges. In this thesis, statistical sampling techniques are introduced into the data collection procedure of IDS/IPS, and a new sampling-based data collection module is proposed. Three typical sampling strategies, systematic sampling, Poisson sampling and stratified sampling, are applied to network traffic collection. Packet length and packet type serve as the measures for anomaly detection, and simulation results show that the sampled traffic still exhibits the characteristics of the whole network traffic and can provide an efficient data source for anomaly detection with lower overhead. In short, by replacing passive packet dropping with active packet sampling, this method greatly strengthens the processing performance of IDS/IPS with only a minor degradation in detection rate, and may improve resistance to denial-of-service attacks.
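The following is an added illustration of the sampling-based data collection idea above; it is example code written for this page, not the thesis's own module. The packet stream is constructed, "Poisson sampling" is implemented as an independent per-packet keep decision (geometric gaps, the discrete form of Poisson sampling), and stratification by protocol is an assumed choice of strata. It checks the claim that the sample keeps the length and type profile of the whole stream.

```python
import random
from collections import Counter

# Constructed packet stream of (length_bytes, protocol) tuples: a mix of small
# control packets and full-size data segments. Not real capture data.
def make_stream(n=20000, seed=7):
    rng = random.Random(seed)
    pkts = []
    for _ in range(n):
        proto = rng.choices(["tcp", "udp", "icmp"], weights=[80, 18, 2])[0]
        if proto == "tcp":
            length = rng.choice([40, 52, 576, 1500])
        elif proto == "udp":
            length = rng.randint(60, 512)
        else:
            length = 84
        pkts.append((length, proto))
    return pkts

def systematic_sample(pkts, every_n):
    """Count-based systematic sampling: keep every N-th packet."""
    return pkts[every_n - 1::every_n]

def poisson_sample(pkts, rate, seed=1):
    """Probabilistic sampling: each packet is kept independently with
    probability `rate`, so gaps between kept packets are geometric
    (assumed here as the discrete analogue of Poisson sampling)."""
    rng = random.Random(seed)
    return [p for p in pkts if rng.random() < rate]

def stratified_sample(pkts, rate, seed=1):
    """Stratify by protocol, then sample every stratum at the same rate,
    so a rare stratum (ICMP here) cannot vanish from the sample."""
    rng = random.Random(seed)
    strata = {}
    for p in pkts:
        strata.setdefault(p[1], []).append(p)
    out = []
    for group in strata.values():
        k = max(1, round(len(group) * rate))
        out.extend(rng.sample(group, k))
    return out

def mean_length(pkts):
    return sum(length for length, _ in pkts) / len(pkts)

def proto_mix(pkts):
    """Share of each protocol in the packet list."""
    counts = Counter(proto for _, proto in pkts)
    total = len(pkts)
    return {k: v / total for k, v in counts.items()}

def compare(full, sample):
    """Relative error of mean packet length and the largest absolute error
    in any protocol share, sample versus whole stream."""
    ml_err = abs(mean_length(sample) - mean_length(full)) / mean_length(full)
    fm, sm = proto_mix(full), proto_mix(sample)
    mix_err = max(abs(fm[k] - sm.get(k, 0.0)) for k in fm)
    return ml_err, mix_err

if __name__ == "__main__":
    full = make_stream()
    for name, s in (("systematic", systematic_sample(full, 10)),
                    ("poisson", poisson_sample(full, 0.1)),
                    ("stratified", stratified_sample(full, 0.1))):
        print(name, len(s), compare(full, s))
```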
     3. With the ever-increasing deployment and use of gigabit networks, traditional network Intrusion Detection/Prevention Systems (IDS/IPS) have not scaled accordingly. More recently, researchers have been looking at hardware-based solutions that use FPGAs to assist network IDSs/IPSs, and some proposed systems have been developed that scale to speeds above 10 Gbps. However, the available solutions have inherent limitations and cannot be applied to future high-speed (Tbps) networks. In this thesis, we present STAMP, a scalable traffic sampling platform for intrusion detection/prevention on FPGA. The methodology is that when the platform is unable to capture the whole network traffic, it initiates elephant flow sampling rather than merely dropping packets at random, and the sampling rate adapts to the traffic load of the elephant flows. All captured packets are forwarded from STAMP to the IDS over the PCI bus. The noteworthy features of STAMP are: it takes the self-similarity of network traffic into account in its attempt to collect malicious traffic, improving the efficiency of network traffic sampling for IDS/IPS; it employs adaptive elephant flow sampling (AEFS) to retain the inherent characteristics of network traffic, which contributes to anomaly detection; and it provides a flexible and scalable platform for network IDSs/IPSs that will face the challenge of future high-speed networks.
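A simplified software model of the elephant flow sampling idea described above, added here as an example; it is not the STAMP hardware design. The flow table keyed by a flow id, the byte threshold for "elephant", and the rate formula p = (capacity - mice packets) / elephant packets are all assumptions of this example, and the packet window is constructed. It contrasts AEFS with uniform random dropping on the property the abstract cares about: whether small flows survive the overload.

```python
import random
from collections import defaultdict

# Constructed one-window packet list of (flow_id, length_bytes). flow_id stands
# in for the 5-tuple hash a flow table would key on. Two elephant flows carry
# most of the bytes; 1500 mice flows carry one to three small packets each.
def make_window(seed=3):
    rng = random.Random(seed)
    pkts = [(rng.choice(["E1", "E2"]), 1500) for _ in range(6000)]
    for i in range(1500):
        for _ in range(rng.randint(1, 3)):
            pkts.append((f"M{i}", rng.choice([40, 52, 64])))
    rng.shuffle(pkts)
    return pkts

def classify_flows(pkts, elephant_bytes):
    """Per-flow byte counters; a flow above elephant_bytes in this window
    is classified as an elephant."""
    bytes_per_flow = defaultdict(int)
    for fid, length in pkts:
        bytes_per_flow[fid] += length
    return {fid for fid, b in bytes_per_flow.items() if b > elephant_bytes}

def aefs(pkts, capacity, elephant_bytes, seed=5):
    """Adaptive elephant flow sampling (assumed, simplified form):
    - if the window fits the capture budget, keep every packet (p = 1);
    - otherwise keep all packets of mice flows and sample elephant packets
      at a rate p chosen so the expected kept count meets the budget.
    Heavier elephant load therefore yields a lower p. Returns (kept, p)."""
    rng = random.Random(seed)
    if len(pkts) <= capacity:
        return list(pkts), 1.0
    elephants = classify_flows(pkts, elephant_bytes)
    n_mice = sum(1 for fid, _ in pkts if fid not in elephants)
    n_eleph = len(pkts) - n_mice
    if n_eleph == 0:
        # No elephant to thin: nothing to adapt, threshold is too high.
        return list(pkts), 1.0
    # Clamp to [0, 1]; p == 0 means mice alone already fill the budget.
    p = max(0.0, min(1.0, (capacity - n_mice) / n_eleph))
    kept = [pk for pk in pkts if pk[0] not in elephants or rng.random() < p]
    return kept, p

def random_drop(pkts, capacity, seed=5):
    """Baseline the abstract argues against: drop uniformly at random
    once the window exceeds capacity."""
    rng = random.Random(seed)
    p = min(1.0, capacity / len(pkts))
    return [pk for pk in pkts if rng.random() < p]

def flows_seen(pkts):
    return {fid for fid, _ in pkts}

if __name__ == "__main__":
    win = make_window()
    kept, p = aefs(win, capacity=5000, elephant_bytes=100_000)
    dropped = random_drop(win, capacity=5000)
    print("offered", len(win), "aefs kept", len(kept), "p=%.2f" % p,
          "flows", len(flows_seen(kept)), "of", len(flows_seen(win)))
    print("random drop kept", len(dropped), "flows", len(flows_seen(dropped)))
```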
     4. To achieve secure and reliable transmission of the data exchanged between an IDS and a firewall, the concept of trusted communication is introduced in this thesis, and we give the design and implementation of an XML-based trusted communication protocol. The trusted communication mechanism between firewall and IDS is designed and implemented with respect to each functional unit of the Common Intrusion Detection Framework. CORBA middleware is used for data transmission, and the TLS security protocol is used for trusted transmission between IDS and firewall. The protocol's hierarchical architecture comprises an application layer, an XML resolution layer and a message transaction layer: the application layer consists of a client and a server used to capture and analyze packets; the XML resolution layer translates the data into a uniform XML format and provides the basis for data exchange; the message transaction layer employs TLS to achieve secure and trusted communication. The data exchanged between IDS and firewall in the proposed prototype consists of event data, rule data, analysis result data and response action data, and concrete XML DTD descriptions of these data types are also provided. The proposed trusted communication protocol is scalable enough to support various network security products (firewalls, IDS, IPS, etc.) and management facilities, and may contribute to fusing data from these facilities and detecting sophisticated distributed network attacks.