| Graduate student: | 李勁頤 Jing-Yi Lee |
|---|---|
| Thesis title: | 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究 (Using the Process Tracking Method for Correlating Intrusion Alerts of Distributed Intrusion Detection Systems) |
| Advisor: | 陳奕明 Yi-Ming Chen |
| Committee members: | |
| Degree: | Master |
| Department: | College of Management, Department of Information Management |
| Graduation academic year: | 90 (ROC calendar; AD 2001/2002) |
| Language: | Chinese |
| Pages: | 92 |
| Chinese keywords: | 入侵警示聚合 (alert aggregation), 程序追蹤 (process tracking), 程序關聯模型 (process relationship correlation model), 程序關係 (process relationship), 關聯分析 (correlation analysis), 分散式入侵偵測系統 (distributed intrusion detection system) |
| English keywords: | Distributed Intrusion Detection System, Correlation, Process Relationship, Process Relationship Correlation Model, Process Tracking, Alert Aggregation |
Chinese abstract (translated):
As network environments grow more complex, traditional single-point intrusion detection systems are no longer sufficient to detect increasingly sophisticated intrusion techniques. To detect the many kinds of complex attacks, distributed intrusion detection systems (DIDS) have gradually become the mainstream of intrusion detection research. However, the correlation analysis capability of current DIDS still has many limitations, mainly because the information that past DIDS used for correlation analysis was too sparse, and because different types of alert information were not handled separately. The goal of this study is therefore to use the process tracking method to supply the information needed to correlate the alerts of a DIDS, and to propose a new correlation analysis model, so as to solve the problems encountered by the correlation analysis methods of past DIDS.
In this study we first collect and classify the shortcomings and problems implicit in the correlation analysis methods of past DIDS research, together with the causes of those problems, and propose corresponding solutions. We then consider the operation of the whole network and information system at the level of processes, and on that basis propose a correlation analysis model built on process relationships: the Process Relationship Correlation Model. Based on this model we design a distributed intrusion detection system prototype, PRIDS (Process Relationship based distributed Intrusion Detection System).
Finally, using the PRIDS prototype implemented on Windows 2000, we carry out three simulated network attacks. Our experimental results show that attack methods which past DIDS found hard to detect, such as relay attacks, attacks whose temporal relationships are nondeterministic, and IDS evasion attacks, are all detected effectively by PRIDS, which uses the process tracking method for correlation analysis.
English abstract:
As network environments become more complex, it is difficult for traditional intrusion detection systems (IDS) to detect ingenious intrusion methods successfully. As a result, distributed intrusion detection systems (DIDS) have become the mainstream of IDS research. However, the correlation abilities of DIDS are still limited by (1) the inaccurate information that IDS use for correlation and (2) the inability to discriminate between heterogeneous information. To address these shortcomings, this study uses the technique of process tracking to assist DIDS in correlating alerts, and proposes a novel correlation model to remedy the flaws in alert correlation found in previous DIDS.
In this study, we first sum up the flaws of previous research and the causes that lead to them. Then we propose a novel Process Relationship Correlation Model (PRCM) that models the operation of a networked information system from the viewpoint of processes. Next, we present the design of a prototype intrusion detection system named PRIDS (Process Relationship based distributed Intrusion Detection System) based on PRCM.
We have implemented PRIDS on Microsoft Windows 2000 and used three artificial attacks to evaluate its detection abilities. The results of these experiments reveal that PRIDS can efficiently detect attack methods, including relay attacks, attacks with nondeterministic temporal relationships, and IDS evasion attacks, that could evade detection by other DIDS.
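The idea the abstracts describe, tying together alerts raised on different hosts through the process relationships recorded by a per-host process tracker, can be illustrated with a small correlator. The following is an added example written for this page; it is not code from the thesis and does not reproduce PRIDS or its Process Relationship Correlation Model. It assumes a hypothetical event format in which each host's process tracker reports process creation (with parent PID) and outbound connections, and each host IDS attributes its alert to the local process that received the attack traffic; the host names, PIDs, image names and signature strings in the sample data are constructed.

```python
"""Correlating DIDS alerts through process relationships (added illustration)."""
from collections import defaultdict, deque, namedtuple

# Assumed event formats, not the thesis's own.
ProcessEvent = namedtuple("ProcessEvent", "host pid ppid image")     # process creation
ConnEvent = namedtuple("ConnEvent", "host pid dst_host dst_port")    # outbound connection
Alert = namedtuple("Alert", "alert_id host pid src_host signature")  # host IDS alert


class ProcessGraph:
    """Per-host process trees plus the connections each process opened."""

    def __init__(self):
        self.children = defaultdict(set)  # (host, ppid) -> {(host, pid)}
        self.conns = defaultdict(list)    # (host, pid) -> [ConnEvent]

    def add_process(self, ev):
        self.children[(ev.host, ev.ppid)].add((ev.host, ev.pid))

    def add_conn(self, ev):
        self.conns[(ev.host, ev.pid)].append(ev)

    def subtree(self, host, pid):
        """The process and every descendant of it on the same host."""
        seen, queue = set(), deque([(host, pid)])
        while queue:
            node = queue.popleft()
            if node not in seen:
                seen.add(node)
                queue.extend(self.children[node])
        return seen

    def reached_hosts(self, host, pid):
        """Hosts contacted by any process in the subtree rooted at (host, pid)."""
        return {c.dst_host for n in self.subtree(host, pid) for c in self.conns[n]}


def correlate(graph, alerts):
    """Link A -> B when B's attack traffic came from A's host and a process
    descended from A's victim process opened a connection to B's host."""
    links = []
    for a in alerts:
        reached = graph.reached_hosts(a.host, a.pid)
        for b in alerts:
            if b is not a and b.src_host == a.host and b.host in reached:
                links.append((a.alert_id, b.alert_id))
    return links


def attack_chains(links):
    """Follow links from alerts that nothing points to, giving relay chains."""
    nxt = {}
    for src, dst in links:
        nxt.setdefault(src, []).append(dst)
    targets = {dst for _, dst in links}
    chains = []

    def walk(node, path):
        following = [n for n in nxt.get(node, []) if n not in path]
        if not following:
            chains.append(path)
        for child in following:
            walk(child, path + [child])

    for root in nxt:
        if root not in targets:
            walk(root, [root])
    return chains


# Constructed sample data (not from the thesis): attacker "evil" exploits the
# web server on host A, the shell spawned there attacks host B, and a shell on
# B attacks host C.  A probe of host D is unrelated, and the web server's own
# connection to "logsrv" is ordinary traffic.
PROCESSES = [
    ProcessEvent("A", 1200, 4, "inetinfo.exe"),
    ProcessEvent("A", 1300, 1200, "cmd.exe"),
    ProcessEvent("A", 1310, 1300, "nc.exe"),
    ProcessEvent("B", 900, 4, "svchost.exe"),
    ProcessEvent("B", 950, 900, "cmd.exe"),
    ProcessEvent("C", 700, 4, "inetinfo.exe"),
    ProcessEvent("D", 600, 4, "inetinfo.exe"),
]
CONNS = [
    ConnEvent("A", 1200, "logsrv", 514),
    ConnEvent("A", 1310, "B", 445),
    ConnEvent("B", 950, "C", 80),
]
ALERTS = [  # deliberately not in time order
    Alert("D-1", "D", 600, "evil", "web-scan"),
    Alert("C-1", "C", 700, "B", "buffer-overflow"),
    Alert("A-1", "A", 1200, "evil", "buffer-overflow"),
    Alert("B-1", "B", 900, "A", "buffer-overflow"),
]


def build_graph():
    graph = ProcessGraph()
    for ev in PROCESSES:
        graph.add_process(ev)
    for ev in CONNS:
        graph.add_conn(ev)
    return graph


if __name__ == "__main__":
    for chain in attack_chains(correlate(build_graph(), ALERTS)):
        print(" -> ".join(chain))
```

Running it prints the single chain `A-1 -> B-1 -> C-1`: the alert on host B is tied to the alert on host A because a descendant of A's exploited web-server process (cmd.exe, then nc.exe) opened the connection to B, and the same reasoning extends the chain to C. The probe of host D stays unlinked, and the web server's own connection to logsrv produces no link because no alert on logsrv names A as its source. The linking uses process lineage and connection records rather than timestamps or a time window, so the order in which alerts arrive (shuffled on purpose in ALERTS) does not change the result; that is what makes the approach indifferent to the temporal ordering of the attack steps.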