Research on an Anomaly Detection System for Campus Network Environments
Abstract

As networks have grown, network security problems have become increasingly prominent, and taking active security measures to protect information resources is an important and urgent problem in the network security field. Relying solely on traditional devices such as firewalls and security routers is no longer enough to resist the wide variety of network intrusions. Although a firewall can block common intrusion techniques such as protocol implementation flaws and address spoofing, it cannot cope with the endless stream of denial-of-service attacks, network viruses and similar intrusion methods. In particular, most intrusions today originate inside the network, and a firewall can do nothing about illegitimate actions by internal users. It is unrealistic to expect to prevent every intrusion; what network security can do is detect intrusions and intrusion attempts as early as possible, so that effective measures can be taken quickly to stop the intrusion, patch the vulnerability or restore the damaged system. This is exactly the job of an intrusion detection system. As an active, proactive security technology, intrusion detection detects internal intrusions, external intrusions and user misuse in a timely (even real-time) manner and responds when the network system is under threat.

This thesis first surveys the latest academic and applied results on intrusion detection systems at home and abroad, and studies the detection methods and architectures of intrusion detection systems. Based on the characteristics of campus networks and of common denial-of-service attacks, it proposes a network anomaly intrusion detection system based on real-time monitoring of abnormal network traffic.

The main work of this thesis is as follows:

(1) A fairly systematic study and analysis of network security and intrusion detection technology.
(2) An analysis and comparison of typical intrusion detection systems and intrusion methods.
(3) A study of the network protocols, implementation techniques and related topics involved in network intrusion detection systems.
(4) A network intrusion detection model based on real-time monitoring of abnormal network traffic; the model monitors network behaviour at a macroscopic level and is highly scalable and extensible.
(5) A partial implementation of the prototype system's design framework, carried out in practice against the real campus network; the current prototype has basic intrusion detection functionality.
(6) Training and testing of the prototype system in an experimental environment, which verified that the prototype has fairly good detection capability.
(7) Long-term monitoring of network flows at several key nodes of the campus network using a self-developed audit-record generation component, which produced first-hand data and accumulated experience for further research.

Finally, the thesis summarises the remaining shortcomings of the work and the work still to be done, and analyses further research directions and development prospects for intrusion detection technology.
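The abstract describes the prototype only as an anomaly detector over abnormal traffic that is trained on normal traffic and then tested; the thesis's actual audit-record format, features and statistics are not given on this page. The following is an added example, not code from the thesis, showing one concrete form such a detector can take. It assumes a simplified audit record of (timestamp, src, dst, TCP flags) such as a libpcap-based collector might emit, aggregates records into fixed 10-second windows, learns a per-feature mean and standard deviation from windows of normal traffic, and flags a window when a feature's z-score exceeds a threshold. The traffic is constructed inline; the 5% sigma floor and the threshold k=3 are assumptions, not values from the thesis.

```python
"""Traffic-volume anomaly detector in the spirit of the thesis's prototype.

Added example, not code from the thesis. Assumptions (not stated on the page):
an audit record carries (timestamp, src, dst, tcp_flags); features are computed
per fixed time window; the baseline is a per-feature mean and standard
deviation learned from windows of normal traffic; a window is flagged when a
feature's z-score exceeds a threshold k.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    ts: float    # seconds since capture start
    src: str
    dst: str
    flags: str   # tcpdump-style TCP flag letters: "S", "SA", "A", "FA", ...


FEATURES = ("packets", "syn", "syn_ratio")


def window_features(records: List[Record], window: float) -> Dict[int, Dict[str, float]]:
    """Aggregate audit records into fixed windows and derive volume features."""
    counts = defaultdict(lambda: {"packets": 0.0, "syn": 0.0})
    for r in records:
        c = counts[int(r.ts // window)]
        c["packets"] += 1
        if "S" in r.flags and "A" not in r.flags:   # bare SYN = new connection request
            c["syn"] += 1
    return {w: {"packets": c["packets"], "syn": c["syn"],
                "syn_ratio": c["syn"] / c["packets"] if c["packets"] else 0.0}
            for w, c in counts.items()}


def train(normal_windows: List[Dict[str, float]]) -> Dict[str, Tuple[float, float]]:
    """Learn (mean, sigma) per feature from windows known to contain normal traffic."""
    baseline = {}
    for f in FEATURES:
        xs = [w[f] for w in normal_windows]
        mu, sigma = mean(xs), pstdev(xs)
        # Floor sigma: a feature that is constant in training (here the SYN ratio)
        # would otherwise divide by zero; 5% of the mean is an assumed floor.
        baseline[f] = (mu, max(sigma, 0.05 * abs(mu), 1e-9))
    return baseline


def detect(baseline: Dict[str, Tuple[float, float]], feats: Dict[str, float],
           k: float = 3.0) -> Dict[str, float]:
    """Return {feature: z-score} for each feature more than k sigmas above baseline."""
    alerts = {}
    for f, (mu, sigma) in baseline.items():
        z = (feats[f] - mu) / sigma
        if z > k:
            alerts[f] = round(z, 1)
    return alerts


# Constructed traffic: the page includes no capture, so handshakes and a flood are synthesised.
def normal_flows(t0: float, n: int) -> List[Record]:
    """n complete TCP exchanges (S, SA, A, FA) from campus clients to one server."""
    recs = []
    for i in range(n):
        client, t = f"10.1.0.{i + 1}", t0 + i * 0.01
        recs += [Record(t, client, "10.0.0.80", "S"),
                 Record(t + 0.001, "10.0.0.80", client, "SA"),
                 Record(t + 0.002, client, "10.0.0.80", "A"),
                 Record(t + 0.003, client, "10.0.0.80", "FA")]
    return recs


def syn_flood(t0: float, n: int) -> List[Record]:
    """n bare SYNs from spoofed sources that never complete the handshake."""
    return [Record(t0 + i * 0.001, f"203.0.113.{i % 254 + 1}", "10.0.0.80", "S")
            for i in range(n)]


WINDOW = 10.0   # seconds per window


def run_demo() -> Dict[int, Dict[str, float]]:
    """Train on eight normal windows, then test a normal, a burst and a flood window."""
    train_recs = []
    for w, n in enumerate([20, 22, 19, 21, 20, 23, 18, 20]):
        train_recs += normal_flows(w * WINDOW, n)
    baseline = train(list(window_features(train_recs, WINDOW).values()))

    test_recs = (normal_flows(100.0, 21)                               # window 10: normal
                 + normal_flows(110.0, 30)                             # window 11: benign burst
                 + normal_flows(120.0, 20) + syn_flood(120.0, 400))    # window 12: SYN flood
    return {w: detect(baseline, f) for w, f in window_features(test_recs, WINDOW).items()}


if __name__ == "__main__":
    for w, alerts in sorted(run_demo().items()):
        print(f"window {w}: {'ALERT ' + str(alerts) if alerts else 'normal'}")
```

Two points worth noticing when running it. The benign burst in window 11 trips both raw-volume features (packets and SYN count) but not the SYN ratio, whereas the SYN flood in window 12 trips all three; a detector that keys only on volume will alert on every lecture-hall login rush, so a ratio-type feature is what actually separates a flood from a busy period. Second, the baseline is only as good as the training windows: if the training capture already contains an attack, its statistics are absorbed into "normal", which is why the thesis's separate training and testing phases matter.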