M. Pietrek著、侯俊傑譯，「Windows 95系統程式大奧秘」，ISBN: 957-717-255-5，旗標出版社，民國86年5月。
 J. Richter著、張永慶譯，「深入Windows程式設計」，ISBN: 957-22-2702-5， 松崗電腦圖書資料股份有限公司，民國86年10月。
 李勁頤、陳奕明，「分散式入侵偵測系統研究現況介紹」，資訊安全通訊，第八卷第二期，38 ~ 61頁，民國91年3月。
 陳奕明、李勁頤，「利用分散式入侵偵測與回應系統防治網蟲之入侵」，全國計算機會議2001(NCS 2001)，F156 ~ F166頁，民國90年12月。
 蔡昌憲，「反入侵偵測技術：Snort設計剖析與測試」，2001網際網路安全工程研討會(WISE2001)，111 ~ 128頁，民國90年8月。
 Aglets.org, “The aglets portal,” http://aglets.sourceforge.net, 2001.
 J. Allen, A. Christie, and W. Fithen et al., “State of the Practice of Intrusion Detection Technologies,” Technical Report CMU/SEI-99-TR-028, CMU/SEI, January 2000. (Access From: http://www.cert.org/archive/pdf/99tr028.pdf)
 D. Anderson, T. Frivold, and A Valdes, “Next-generation intrusion-detection expert system (NIDES),” Technical Report SRI-CSL-95-07, Computer Science Laboratory, SRI International, May 1995. (Access From: http://www.sdl.sri.com/ projects/nides/)
 D. Anderson, T.F. Lunt, and H. Javitz et al., “Detecting unusual program behavior using the statistical component of the next-generation intrusion detection system (NIDES),” Technical Report SRI-CSL-95-06, Computer Science Laboratory, SRI International, May 1995. (Access From: http://www.sdl.sri.com/papers/5sri/5sri.pdf)
 J.P Anderson, “Computer security threat monitoring and surveillance,” Technical Report, James P. Anderson Co., Fort Washington, PA, 1980. (Access From: http://csrc.nist.gov/publications/history/ande80.pdf)
 J.S. Balasubramaniyan, J.O. Garcia-Fernandez, and D. Isacoff et al., “An Archiecture for Intrusion Detection using Autonomous Agents,” COAST Technical Report 98/05, June 11, 1998. (Access From: http://www.cerias.purdue. edu/homes/aafid/tr9805.pdf)
 J. Barrus, N.C. Rowe, “A Distributed Autonomous-Agent Network-Intrusion Detection and Response System,” In the Proceedings of the 1998 Command and Control Research and Technology Symposium, pages: 577-586, 1998.
 T. Boyd and P. Dasgupta, “Injecting Distributed Capabilities into Legacy Applications Through Cloning and Virtualization,” The 2000 International Conference on Parallel and Distributed Processing Techniques and Applications (PDPTA’’2000), July 2000. (Access From: http://cactus.eas.asu.edu/partha/ Papers-PDF/pdpta2000.pdf)
 C.A. Carver, J.M.D. Hill, J.R. Surdu, and U.W. Pooch, “A Methodology for using Intelligent Agents to provide Automated Intrusion Response,” In Proceedings of the IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, pages: 110 ~ 116, June 2000.
 CERT Coordination Center, “FTP Bounce,” http://www.cert.org/advisories/ CA-97.27.FTP_bounce.html, December 1997.
 CERT Coordination Center, “Microsoft IIS 4.0 / 5.0 vulnerable to directory traversal via extended unicode in url (MS00-078),” http://www.kb.cert.org/ vuls/id/111677, November 2000.
 CERT Coordination Center, “CERT® Advisory CA-2001-10 Buffer Overflow Vulnerability in Microsoft IIS 5.0,” http://www.cert.org/advisories/ CA-2001-10.html, May 2001.
 CERT Coordination Center, “Overview of Attack Trends,” http://www.cert.org/ archive/pdf/attack_trends.pdf, 2002.
 S. Cheung, R. Crawford, and M. Dilger et al., “The Design of GrIDS: A Graph-Based Intrusion Detection System,” Technical Report CSE-99-2, U.C. Davis Computer Science Department, January 1999. (Access From: http://seclab.cs.ucdavis.edu/arpa/grids/grids.ps)
 F.B. Cohen, “A Note on Distributed Coordinated Attacks,” Computer & Security, vol. 15, pages 103-121, 1996.
 M. Crosbie, G. Spafford, “Active Defense of a Computer System using Autonomous Agents,” COAST Technical Report 95-008, Purdue, 1995. (Access From: http://www.purdue.cs.edu/homes/spaf/tech-reps/9508.ps)
 M. Crosbie, B. Dole, and T. Ellis et al., “IDIOT User Guide,” COAST Technical Report TR-96-050, Purdue, 1996. (Access From: http://www.cerias.purdue.edu/ ssl/techreports-ssl/public/96-04.ps)
 D. Curry, H. Debar, “Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition,” http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-06.txt, February 2002.
 H. Debar and A. Wespi, “Aggregation and Correlation of Intrusion-Detection Alerts,” In the proceedings of Recent Advances in Intrusion Detection (RAID) 2001, pages: 85 ~ 103, November 2001.
 P. Dasgupta, V. Karamcheti, and Z. Kedem, “Transparent distribution middleware for general purpose computations,” In Proceedings of Intl. Conf. on Parallel and Distributed Processing Techniques and Applications (PDPTA’’99), June 1999. (Access From: http://www.zmkedem.com/nyu/pubs/DKK1999a.pdf)
 R.J. Ellison, R.C. Linger, and T. Longstaff et al., ”Survivable Network System Analysis：A Case Study,” IEEE Software, pages: 70 ~ 77, 1999.
 E. Eskin, W. Lee, and S.J. Stolfo, “Modeling System Calls for Intrusion Detection with Dynamic Window Sizes,” In Proceedings of DARPA Information Survivability Conference and Exposition II, June 2001. (Access From: http://www.cs.columbia.edu/ids/publications/smt-syscall-discex01.ps)
 R. Feiertag, S. Rho, L. Benzinger, and S. Wu et al., “Intrusion Detection inter-component adaptive negotiation,” Computer Networks, vol. 34, pages 605 ~ 621, 2000.
 B. Feinstein, G. Matthews, and J. White, “The Intrusion Detection Exchange Protocol (IDXP),” http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp- 04.txt, February 2002.
 J. Finnegan, “Nerditorium,” Vol. 14, No. 1, Microsoft Systems of Journal, January 1999. (Access From: http://msdn.microsoft.com/library/default.asp? url=/library/en-us/dnmsj99/html/nerd0199.asp)
 S. Forrest, S.A. Hofmeyr, A. Somayaji and T.A. Longstaff, “A sense of self for UNIX processes, ” In Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages: 120 ~ 128, 1996.
 T. Fraser, L. Badger, and M. Feldman, “Hardening COTS components with generic software wrappers,” In Proceedings of the 1999 IEEE Symposium on Security and Privacy, pages: 2-16, May 1999.
 Foundstone, “fport - Identify unknown open ports and their associated applications,” http://www.foundstone.com/knowledge/proddesc/fport.html, 2002.
 A.K. Ghosh, J. Wanken, and F. Charron, “Detecting anomalous and unknown intrusions against programs,” In Proceedings of the 1998 Annual Computer Security Applications Conference, pages: 259 ~ 267, December 1998.
 A.K. Ghosh, A. Schwatzbard, and M. Shatz, “Learning Program Behavior Profiles for Intrusion Detection,” In Proceedings 1st USENIX Workshop on Intrusion Detection and Network Monitoring, April 1999. (Access From: http://www.usenix.org/events/detection99/full_papers/ghosh/ghosh.pdf)
 R.P. Goldman, W. Heimerdinger, and S. Harp et al., “Information Modeling for Intrusion Report Aggregation,” In Proceedings of the DARPA Information Survivability Conference and Exposition II (DISCEX II 2001), 2001. (Access From: http://www.geocities.com/rpgoldman/papers/discex01irm.pdf)
 R. Graham, “FAQ: Network Intrusion Detection System,” version 0.8.3, http://www.robertgraham.com/pubs/network-intrusion-detection.html, March 2000.
 K.M. Hansen, A.P. Ravn, V. Stavridou, “From safety analysis to software requirements,” IEEE Transactions on Software Engineering, 24(7), pages 573 ~ 584, July 1998.
 T. Heberlein, G. Dias, and K. Levitt et al., “A network security monitor,” In Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, pages 296 ~ 304, 1990.
 G. Helmer, J. Wong, V. Honavar, and L. Miller, “Automated discovery of concise predictive rules for intrusion detection,” In Proceedings of AAAI’’99, 1999. (Access From: http:// latte.cs.iastate.edu/~ghelmer/tr9901.ps)
 G. Helmer, J. Wong, and M. Slagell et al., “A Software Fault Tree Approach to Requirements Analysis of an Intrusion Detection System,” In Proceedings of the 1st Symposium on Requirements Engineering for Information Security, October 2000. (Access From: http://latte.cs.iastate.edu/~ghelmer/SFTA-ID.ps)
 G. Helmer, J. Wong, and M. Slagell et al., “Software Fault Tree and Colored Petri Net Based Specification, Design and Implementation of Agent-Based Intrusion Detection Systems,” Submitted to ACM Transactions on Information and Systems Security, 2001. (Access From: http://latte.cs.iastate.edu/~ghelmer/ CPN-IDS.ps)
 G. Hunt and D. Brubacher, “Detours: Binary Interception of Win32 Functions,” In Proceedings of the 3rd USENIX Windows NT Symposium, pages: 135-143, July 1999.
 K. Ilgun, “USTAT: A real-time intrusion detection system for UNIX,” In Proceedings of the 1993 IEEE Symposium on Research in Security and Privacy, pages: 16 ~ 28, May 1993.
 K. Ilgun, R.A. Kemmerer, and P.A. Porras, “State Transition Analysis: A Rule-Based Intrusion Detection Approach,” IEEE Transaction on Software Engineering, 21(3), pages: 181 ~ 199, March 1995.
 Internet Security Systems, “RealSecure Product Datasheet,” http://www.iss.net/ customer care/resource center/product lit/, 2000.
 I. Ivanov, “API hooking revealed,” http://www.codeproject.com/system/ HookSys.asp, April 2002.
 K. Jensen, “Colored Petri Nets. Basic Concepts, Analysis Methods and Practical Use. Vol 1: Basic Concepts,” Monographs in Theoretical Computer Science, Spring-Verlag, 1992.
 A. Jones, J. Ohlund, “Windows Sockets 2.0: Write Scalable Winsock Apps Using Completion Ports,” MSDN Magazine, October 2000. (Access From: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnmag00/html/Winsock.asp)
 A. Jones, J. Ohlund, “Network Programming for Microsoft Windows,” Second Edition, ISBN: 0-7356-1579-9, Microsoft Press, 2002.
 C. Kahn, D. Bolinger, D. Schnackenberg, “Communication in the Common Intrusion Detection Framework,” v0.7 DRAFT Specification, CIDF Working Group, June 1998. (Access From: http://www.isi.edu/gost/cidf/drafts/ communication.txt)
 Y. Kaplan, “API Spying Techniques for Windows 9x, NT and 2000,” http://www.internals.com/articles/apispy/apispy.htm, 1999.
 R.A. Kemmerer, “NSTAT: A Model-based Real-time Network Intrusion Detection System,” Technical Report TRCS97-18, Computer Science Dep., University of California Santa Barbara, November 1997. (Access From: http://www.cs.ucsb.edu/TRs/techreports/TRCS97-18.ps)
 C. Ko, G.. Fink, and K. Levitt, “Automated detection of vulnerabilities in privileged programs by execution monitoring,” In Proceedings of the 10th Annual Computer Security Applications Conference, pages: 134 ~ 144, December 1994.
 W. Lee, and S.J. Stolfo, “Data mining approaches for intrusion detection,” In Proceedings of the 7th USENIX Security Symposium, 1998. (Access From: http://www.cs.columbia.edu/~wenke/papers/usenix.ps)
 W. Lee, M. Miller, and S. Stolfo et al, “Toward cost-sensitive modeling for intrusion detection,” Technical Report CUCS-002-00, Computer Science, Columbia University, 2000. (Access From: http://www.csc.ncsu.edu/faculty/lee/ papers/jcs_lee.ps)
 W. Lee, R.A. Numbalkar, and K.K. Yee et al., “A data mining and CIDF based approach for detecting novel and distributed intrusions,” In Proceedings of 3rd International Workshop on the Recent Advances in Intrusion Detection, October 2000. (Access From: http://www.csc.ncsu.edu/faculty/lee/papers/lee_raid_00.ps)
 N.G. Leveson, “Safeware: System Safety and Computers,” Addison-Wesley, Reading, MA, USA, 1995.
 T.F. Lunt, R. Jagannathan, and R. Lee et al, “IDES: The enhanced prototype, A real-time intrusion detection system,” Technical Report SRI Project 4185-010, SRI-CSL-88-12, CSL SRI International, Computer Science Laboratory, October 1988. (Access From: http://www.sdl.sri.com/projects/nides/reports/1sri.pdf)
 T.F. Lunt, A. Tamaru, and F. Gilham et al., “A real-time intrusion-detection expert system (IDES),” Technical Report Project 6784, CSL, SRI International, Computer Science Laboratory, February 1992. (Access From: http://www.sdl.sri.com/projects/nides/ reports/9sri.pdf)
 Microsoft Corporation, “TDI Drivers,” Network Devices and Protocol: Windows DDK, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/network/ hh/ network/303tdi_1otj.asp, October 2001.
 Microsoft Corporation, “Event Tracing,” Platform SDK: Performance Monitoring, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ perfmon /evt_structures_7zar.asp, November 2001.
 T. Mitchem, R. Lu, and R. O’’Brien, “Using Kernel Hypervisors to Secure Applications,” In Proceedings of the Annual Computer Security Applications Conference, December 1997. (Access From: http://www.securecomputing.com/ khyper/acsac97.pdf)
 G. Nebbett, “Windows NT/2000 Native API Reference,” ISBN: 1-57870-199-6, Macmillan Technical Publishing, 2000.
 Network Flight Recorder Inc., “Network Flight Recorder,” http://www.nfr.com, 1997.
 P.G. Neumann, and P.A. Porras, “Experience with EMERALD To Date,” presented at 1st USENIX Workshop on Intrusion Detection and Network Monitoring, pages 73 ~ 80, 1999.
 D. New, “The TUNNEL Profile,” http://www.ietf.org/internet-drafts/ draft-ietf-idwg-beep-tunnel-02, February 2002.
 P. Ning, X.S. Wang, and S. Jajodia, “Modeling requests among cooperating intrusion detection systems,” Computer Communications, vol. 23, issues 17, pages 1702 ~ 1715, November 2000.
 P. Ning, S. Jajodia, and X.S. Wang, “Abstraction-based Intrusion Detection in Distributed Environments,” ACM Transactions on Information and System Security (TISSEC), 4(4), pages 407 ~ 452, November 2001.
 P. Ning, S. Jajodia, X.S. Wang, “Design and Implementation of A Decentralized Prototype System for Detecting Distributed Attacks,” Computer Communications, Special Issue on Intrusion Detection Systems, pages: 1374-1391,2002.
 S. Northcutt, “Network Intrusion Detection: An Analyst’s Handbook,” ISBN:0-7357-1008-2,New Piders, 1999.
 V. Paxson, “Bro: A System for Detecting Network Intruders in Real-Time,” Computer Networks, 31(23-24), pages 2435 ~ 2463, December 1999.
 M. Pietrek, “Peering Inside the PE: A Tour of the Win32® Portable Executable File Format,” Vol. 9, No. 3, Microsoft Systems Journal, March 1994. (Access From: http://caolan.wvware.com/~caolan/publink/winresdump/winresdump/doc/ msdn_peeringpe.html)
 M. Pietrek, “Under the Hood,” Vol. 12, No. 9, Microsoft Systems Journal, September 1997. (Access From: http://www.microsoft.com/msj/defaulttop.asp? page=/msj/archive/s6ce.htm)
 M. Pietrek, “An In-Depth Look into the Win32 Portable Executable File Format,” MSDN Magazine, February 2002.
 P.A. Porras, “STAT - A state transition analysis tool for intrusion detection,” M.S. thesis, Computer Science Dep., University of California Santa Barbara, June 1992. (Access From: http://www.cs.ucsb.edu/ http://www.cs.ucsb.edu/TRs/Docs/ TRCS93-25.ps)
 P.A. Porras, and Peter G Neumann, “EMERALD: Event monitoring enabling responses to anomalous live disturbances,” In Proceedings of the 20th National Information Systems Security Conference, pages 353 ~ 365, Baltimore, Maryland, USA, National Institute of Standards and Technology/National Computer Security Center, October 1997.
 P. Porras, D. Schnackenberg, and S. Staniford-Chen et al., “The Common Intrusion Detection Framework Architecture,” CIDF working group document, 1998. (Access From: http://www.isi.edu/gost/cidf/papers/cidf-isw.txt)
 T.H. Ptacek and T. Newsham, “Insertion, Evasion, And Denial Of Service: Eluding Network Intrusion Detection,” Technical Report, Secure Networks, Inc., January 1998. (Access From: http://www.securityfocus.com/data/library/ids.ps)
 D. Ruiu, “Cautionary Tales: Stealth Coordinated Attack HOWTO,” http://www.nswc.navy.mil/ISSEC/CID/, 1999.
 D. Schnackenberg, K. Djahandari, and D. Strmem, “Infrastructure of Intrusion Detection and Response,” In Proceedings of the DARPA Information Survivability Conference and Exposition, January 2000. (Access From: http:// download.nai.com/products/media/nai/pdf/DISCEX-IDR-Infrastructure.pdf)
 D. Schnackenberg, H. Holliday, and R. Smith et al., “Cooperative Intrusion Traceback and Response Architecture,” DARPA Information Survivability Conference & Exposition II, 2001. DISCEX ’’01. Proceedings, vol: 1, pages: 56 ~ 68, 2001.
 S.V. Schreiber, “Undocumented Windows 2000 Secrets --- A Programmer’s Cookbook,” ISBN: 0-201-7218702, Addison-Wesley, 2001.
 R. Sekar, Y. Cai, and M. Segal, “A Specification-Based Approach for Building Survivable Systems,” In Proceedings of the 21st National Computer Security Conference, October 1998. (Access From: http://seclab.cs.sunysb.edu/sekar/ papers/nissc98.ps)
 R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati, “A Fast Automaton-Based Approach for Learning Program Behaviors,” In IEEE Symposium on Security and Privacy, pages: 144 ~ 155, 2001.
 M. Slagell, “The Design and Implementation of MAIDS (Mobile Agents for Intrusion Detection System),” M.S. thesis, Computer Science Department, Iowa State University, 2001. (Access From: http://latte.cs.iastate.edu/ms/cc.ps)
 S.R. Snapp, J. Brentano , and G.V. Dias et al., “A system for distributed intrusion detection,” In Proceedings of the IEEE COMPCON 91, pages: 170 ~ 176, February 1991.
 S.R. Snapp, J. Brentano , and G.V. Dias et al., “DIDS -- Motivation, Architecture, and an Early Prototype,” In Proceeding 14th National Computer Security Conference, pages 167 ~ 176, October 1991.
 Snort.org, “Snort - The Open Source Network IDS,” http://www.snort.org.
 D.A. Solomon and M.E. Russinovich, “Inside Windows 2000,” Third Edition, ISBN: 0-7356-1021-5, Microsoft Press.
 E.H. Spafford and D. Zamboni, “Intrusion detection using autonomous agent,” Computer Networks, vol. 34, issues 4, pages 547~570, 2000.
 S. Staniford-Chen, S. Cheung, and R. Crawford et al., “GrIDS: A graph based intrusion detection system for large networks,” In Proceedings of the 19th National Information Systems Security Conference, pages 361 ~ 370, 1996.
 Sun Microsystems, “SunSHIELD Basic Security Module Guide,” http://docs.sun.com, February 2000.
 A. Valdes and K. Skinner, “Probabilistic Alert Correlation,” In the proceedings of Recent Advances in Intrusion Detection (RAID) 2001, pages: 54 ~ 68, November 2001.
 G. Vigna and R. Kemmerer, “NetSTAT: A Network-based Intrusion Detection Approach,” In Proceedings of the 14th Annual Computer Security Application Conference, December 1998. (Access From: http://www.cs.ucsb.edu/~vigna/ pub/vigna_kemmerer_acsac98.ps.gz)
 G. Vigna and R.A. Kemmerer, “NetSTAT: A Network-based Intrusion Detection System,” Journal of Computer Security, 7(1), IOS Press, 1999. (Access From: www.cs.ucsb.edu/~kemm/NetSTAT/docs/vigna_kemmerer_jcs99.ps.gz)
 Warrender, Christina, S. Forrest, and B. Pearlmutter, “Detecting Intrusions Using System Calls: Alternative Data Models,” In 1999 IEEE Symposium on Security and Privacy, 1999. (Access From: http://www.cs.unm.edu/~immsec/publications/ oakland99-alt-data-models.ps)
 G. White, E.A. Fisch, and V.W. Pooch, “Cooperating Security Managers: A Peer-Based Intrusion Detection System,” IEEE Network, 10(1), pages 20 ~ 23, January/February 1996.
 G. White and V.W. Pooch, “Cooperating security managers: Distributed intrusion detection systems,” Computers & Security, vol. 15, no. 5, pages: 441 ~ 450, 1996.
 M. Wood, M. Erlinger, “Intrusion Detection Message Exchange Requirements,” http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-06, February 2001.
 J. Yang, P. Ning, X, S. Wang, and S. Jajodia, “CARDS: A Distributed System for Detecting Coordinated Attacks,” In Proceedings of IFIP TC11 Sixteenth Annual Working Conference on Information Security, pages 171~ 180, August 2000.
 P.H. Winston, “Artifical Intelligence,” 3rd Edition, ISBN: 0201533774, Addison-Wesley, January 1992.