【正文】 常行為相符合。統(tǒng)計分析方法的優(yōu)勢在于不必像誤用檢測系統(tǒng)那樣對規(guī)則庫不斷 地進行更新和維護，其主要缺陷是不能提供對入侵行為的實時檢測。數(shù)據(jù)挖掘方法的主要問題是檢測結果的滯后問題，即不能進行實時檢測。這種檢測策略的特點是具有良好的檢測效率和數(shù)據(jù)源的可信度。 EMERALD 系統(tǒng)借鑒了 IDES 和 NIDES 的經(jīng)驗，并將關注的重點從一系列主機轉移到了整個網(wǎng) 絡。對于“自我”訪問模式，系統(tǒng)為之提供相應服務；對于“非我”訪問模式，系統(tǒng)認為是異常訪問。 第 3 章 異常 檢測模型 簡介 異常檢測組件是利用一系列統(tǒng)計模型，它利用統(tǒng)計的方法標示 Web 請求的異常。 屬性長度（ Attribute Length） 屬性長度模型（ Attribute Length Model），又叫字符串長度模型（ String Length Model）是基于大部分屬性值的變動都在一個長度范圍內，這個長度可能是個確定值，也可能是個短長度，而惡意的屬性經(jīng)常違反這個假設，比如，緩沖區(qū)溢出，要包含 shellcode， shellcode要足夠的長，從而溢出受攻擊的進程所給的緩沖區(qū)，從而達到控制目標進程的目的。在檢測階段，被檢測屬性的字符分布的概率將通過理想化的分布并使用變量的 Pearsonχ 2檢驗發(fā)被計算出來。狀態(tài)合并目標是盡量抓住中間區(qū)域（即避免過于簡化和過于概括），過于簡化的語法僅能識別原始的輸入，而過于概括的語法又會兼容所有可能的輸入，從而丟失結構信息。 利用屬性長度模型進行異常檢測的具體步驟為： 在機器的學習 階段，在向量中記錄下每一個屬性長度值 X[i],以及這個值出現(xiàn)的次數(shù)N[i]， X和 N的長度為 n。 對于每個 i,j(0≤ i,j≤ m)有： c d i s tjo r i gio b s v dff ?? |)m a x ( | , 其中， m為向量的長度。 舉例說明： 如果，一個屬性值僅有小寫字符和數(shù)字組成，則概括過程可能建立一個正常標識，基于語法： [ a | 0 ]+，如果檢測到一個第一個異常字符是分號 ( “ 。 第 5 章 系統(tǒng)設計與實現(xiàn) LibAnomaly是加利福尼亞大學圣塔芭芭拉分校的可靠軟件組開發(fā)的一個用于異常檢測的工具，它建立了一個異常檢測系統(tǒng)的框架， LibAnomaly使用 C++實現(xiàn)的在 GPL許可證下的自由軟件，但其主要運行在 Linux和 Unix平臺下。 參考文獻： [1] C. Kruegel and G. Vigna. Anomaly Detection of Webbased Attacks. In Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS ’03), pages 251–261, Washington, DC, October 2020. ACM Press. [2] A. Stolcke and S. Omohundro. Inducing Probabilistic Grammars by Bayesian Model Merging. In Conference on Grammatical Inference, 1994. [3] William Robertson, Giovanni Vigna, Christopher Kruegel, and Richard A. Kemmerer, Using Generalization and Characterization Techniques in the Anomalybased Detection ofWeb Attacks, 2020 [4]Denning intrusiondetection Transaction on Software Engineering,1987,13(2):222232 [5]Mukherjee B,Levitt intrusion Network,1994,8(3):2641 [6 [7]Lunt .,Jagananathan R.,Lee R.,Listgarten S.,Edwards .,Javitz S.,Valdes A. IDES:The Enhanced PrototypeA RealTime IntrusionDetection Expert System. Computer Science Laboratory,SRI International,Menlo Park, SRICSL8812. [8]Anderson D.,Lunt .,Javitz H.,Tamaru A.,Valdes Unusual Program Behavior Using the Statistical Component of the Nextgeneration Intrusion Detection Expert System(NIDES).Computer Science Laboratory,SRI International, Menlo Park, SRICSL9506. [9]Anderson D.,Frivold T.,Valdes Intrusion Detection Expert System(NIDES):A Science Laboratory,SRI International, Menlo Park,CA. May, SRICSL9507. [10]Snapp .,Brentano J.,Dias .,Goan .,Heberlein .,Ho .,Levitt ., Mukherjee (Distributed Intrusion Detection System)Motivation, Architecture,and An Early Proceedings of the 14th National Computer Security Conference. [11]CLIPS Reference Lyndon Space Center,1993 [12]Porras state transition analysis tool for intrusion . thesis,Computer Science Dep.,University of California Santa Barbara,June 1992 [13]Ilgun K.,Kemmerer .,Porras tansition aalysis:a rulebased intrusion detection Transaction on Software Engineering,21(3), March 1995 [14]Ilgun :A realtime intrusion detection system for proceedings of the IEEE Symposium on Research on Security and Privacy,Oakland,CA, May 1993 [15]Kemmerer :A Modelbased Realtime Network Intrusion Detection Science Dep.,University of California Santa Barbara,Technical Report TRCS9718,November 1997 [16]Vigna G.,Kemmerer :A Networkbased Intrusion Detection System,Journal of Computer Security,7(1),IOS Press,1999 [17]Vigna G.,Kemmerer :A Networkbased Intrusion Detection Approach,in Proceedings of the 14th Annual Computer Security Application Conference,Scottsdale,Arizona,December 1998 [18 [19 [20]Paxson :A System for Detecting Network Intruders in RealTime. Proceeding of 7th USENIX Security Symposium,San Antonio,Texas,1998 [18]Lee Data Mining Framework for Constructing Features and Models for Intrusion Detection thesis,Columbia University,June 1999. [21] Lee W.,Stolfo .,Mok in a dataflow environment:experience in work intrusion detection,Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining,San Diego,California,United States,August 1518,1999, [22] Lee W.,Stolfo ..A framework for constructing features and models for intrusion detection Transactions on Information and System Security (TISSEC)archive 2020,Issue 4 Pages:227261 [23] Joo D,Hong T,Han neural work models for IDS based on the asymmetric costs of false negative errors and false positive Systems with Applications,2020,:6975 [24] Fox ,Henning ,Reed ,Simonian neural work approach towards intrusion :Proceeding of the 13th National Computer Security Conference,Washington,DC, [25] Fu, Neural Network Model for Learning RuleBased proceedings of the International Joint Conference on Neural ,pp.(I) 343348. [26] Frank Intelligence and Intrusion Detection:Current and Future Proceedings of the 17th National Computer Security Conference,1994 [27] Debar H.,Becke M.,Siboni D.(1992).A Neural Network Component for an Intrusion Detection Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy,May,1992, [28] James Neural Networks for Misuse of the 1998 National Information Systems Security Conference(NISSC39。s eve I was reading the book, and had lost myself in it so pletely, that I fot my usual New Year39。 beaucoup de bruit, peu de fruit: much bruit, little fruit Yet certainly there is use of this quality, in civil affairs. Where there is an opinion, and fame to be created, either of virtue, or greatness, these men are good trumpeters. Again, as Titus Livius noteth, in the case of Antiochus, and the Aetolians。 which is to be liberal of praise and mendation to others, in that wherein a man\