Exploiting Format String Vulnerabilities: 1. Introduction
2017-04-12 10:10:30

# 1. Introduction

Translator: 飞龙

Date: 2001.9.1

Version: v1.2

This article explains the nature of a phenomenon that shook the entire security community in the second half of 2000: the "format string vulnerability", a newly discovered class of vulnerability that has led to a series of exploitable bugs found in all kinds of programs, from small utilities to large server applications.

This article attempts to explain the structure of the vulnerability and then uses this knowledge to build sophisticated exploits. It shows you how to find format string vulnerabilities in C code and why this new class of vulnerability is more dangerous than the usual buffer overflow.

This article is based on a talk I gave in German at the 17th Chaos Communication Congress in Berlin, Germany. After the talk I received numerous requests to translate it, along with a lot of positive feedback. All of this motivated me to review this document, update and correct details, and produce a more usable LaTeX version.

This article covers most of what other articles cover, plus a few more techniques relevant to exploitation. At the time of writing it is up to date, and feedback is welcome. So after you have read it, please send feedback, suggestions and anything that is not a complaint to scut@team-teso.net.

The first part of this article is the history and understanding of format string vulnerabilities, followed by details of how to find and avoid the vulnerability in source code. After that, some basic techniques for playing with the vulnerability are developed, from which a powerful exploitation method emerges; this method is then modified, improved and applied to special scenarios, allowing you to exploit almost every type of format string vulnerability known today.

As with every vulnerability, these have been around for some time, and new techniques usually emerge because the old ones stop working in particular scenarios. For some of the techniques mentioned in the text, a few people deserve credit and have greatly influenced my writing: tf8, who wrote the first format string exploit; portal, who developed and studied exploitability in his article; DiGiT, who found most of the critical remote format string vulnerabilities to date; and smiler, who developed sophisticated brute-force techniques.

Although I contributed some techniques without much help, some comments and techniques, in the form of theory or exploits, were shown to me, and without them this article would hardly have been completed. Many thanks, and I also want to thank the countless people who commented on, reviewed and improved this article.

Updated and corrected versions can be found on the homepage of the TESO security group.

## 1.1 Buffer overflows vs. format string vulnerabilities

Since almost all serious vulnerabilities in the past have been some kind of buffer overflow, we can compare this serious, low-level vulnerability with the newly emerging one.

| | Buffer overflows | Format string bugs |
|---|---|---|
| Public since | mid 1980s | |
| Danger realized | 1990s | |
| Number of exploits | a few thousand | |
| Considered as | security threat | |
| Techniques | evolved and advanced | |
| Visibility | sometimes very difficult | |

## 1.2 Statistics: important format string vulnerabilities of 2000

To emphasize the dangerous impact format string vulnerabilities had in 2000, we list here the most exploitable publicly known vulnerabilities.

| Application | Found by | Impact | Age (years) |
|---|---|---|---|
| wu-ftpd 2.* | security.is | remote root | 6 |
| Linux rpc.statd | security.is | remote root | 4 |
| IRIX telnetd | LSD | remote root | 8 |
| Qualcomm Popper 2.53 | security.is | remote user | 3 |
| Apache + PHP3 | security.is | remote user | 2 |
| NLS / locale | CORE SDI | local root | |
| screen | Jouko Pynnonen | local root | 5 |
| BSD chpass | TESO | local root | |
| OpenBSD fstat | ktwo | local root | |

At the time of writing there are still many unknown or undiscovered vulnerabilities, and over the next two to three years format string vulnerabilities will contribute to the statistics of newly discovered vulnerabilities. We have already seen that they are easy to find automatically with more sophisticated tools, and you can assume that for most current vulnerabilities, although the code has not been made public, the vulnerability already exists.

There are also ways to find this type of vulnerability in applications that are only available in binary form. For this, a more general method of looking for "missing arguments" is used, which was presented in Halvar Flake's talk on binary auditing.


The series 《娜璋带你读论文》 (Nazhang Takes You Through Papers) mainly serves to push myself to read excellent papers and attend academic lectures, and to share them with everyone; I hope you like it. Since the author's English and academic abilities are not high and need continuous improvement, please criticize and correct me. Comments are very welcome, and I look forward to walking the academic road together with you. Keep going!

The previous article introduced the ACE dehazing algorithm, the dark channel prior dehazing algorithm and haze synthesis algorithms in detail, drawing on papers by two computer vision experts (Rizzi and Kaiming He). This article gives a personal perspective on how to write the introduction of an English paper. On the one hand, my English is poor and I can only improve it slowly by the most basic method; on the other hand, these are my personal study notes, which I share in the hope of receiving criticism and corrections. I hope this article helps you; these experts are truly worth learning from, and I bow to them. Fighting!

The papers selected here are mostly from the last three years, CCF A or JCR Q2 and above, especially top conferences and journals. Of course the author's ability is limited, so I can only start from my own strength and what I have actually read; I hope to keep improving, and every part will be continuously supplemented. Perhaps in five or ten years I will share in detail how to write an English paper; for now this is mainly learning and note-taking. Experts, please pass by gently O(∩_∩)O


# 1. How to write an introduction

How to write a paper varies from person to person; the author only shares personal views and welcomes comments. However, everyone should agree on one thing: keep reading the latest and the classic papers in your research field. If you know the literature of the related field like the back of your hand, you are one step closer to writing your first English paper. The key is to read a lot and write a lot; let's keep at it together!

## 1. Overall structure of a paper and writing the introduction

This part reviews and draws on Professor Zhou's doctoral course; thanks to the professor for sharing. There are two typical paper structures (the typical "anatomy" of a paper), as follows:

The first format: theoretical research

• Title and authors
• Abstract
• Introduction
• Related Work (may also be placed later)
• Materials and Methods
• Results
• Acknowledgements
• References

The second format: systems research

• Title and authors
• Abstract
• Introduction
• Related Work (may also be placed later)
• System Model
• Mathematics and algorithms
• Experiments
• Acknowledgements
• References

The introduction mainly provides the background of the field, so that the reader understands why the research was done.

• Presents the background information for a fellow scientist (possibly in another field) to understand why the findings of this paper are significant.

The structure of an introduction is usually:

• Accepted state of knowledge in the field (background knowledge of the field)
• Focus on a particular aspect of the field (the focus area)
• The research problem the paper attempts to address (the research problem and how far it has been solved)
• methodology / approach (the proposed method)
• Conclusions (scientists don't really like surprise endings!) (conclusions and contributions)

So how do you write an introduction? Below is the classroom exercise.

• Grab a blank piece of paper:
– Take notes
– Draw mini figures
– Define vocabulary
(wikipedia is a quick reference)
– What is the research problem the paper attempts to address?
– What are the claimed contributions of the paper?
– How do the authors substantiate their claims?
– What are the basic conclusions? (Scientists don’t really like surprise endings and this is usually stated in the last paragraph.)

## 2. Writing the introduction

This part mainly follows the book by Professor Yi Li (易莉), as follows:

The introduction is undoubtedly one of the hardest parts of a paper. Its main role is to give readers the background they need to understand the paper's contribution, letting them know:

• What is the main research question of this study, and why is it important?
• How far have previous studies investigated and solved this problem? Which problems in the field remain unsolved or controversial?
• What method does this study mainly use to investigate the problem (a summary of the methodology), and what results are expected?
• What is the main innovation of this study, and where do its advantages stand out?

The article "Ten Simple Rules" suggests that the introduction should open from a broad perspective and then narrow the topic down to the scope discussed in the paper. The next article will explain "how to tell a good story" in detail; here we only need to know that the way, the layers and the depth of the storytelling are all determined by the purpose of the paper and the nature of the intended journal or conference.

For example, a paper on "intrusion detection systems" would be published in a security or computer science journal or conference, so the background on cyberspace security, APT attacks, intrusion detection systems and malicious traffic detection needs to be laid out. It is advisable to introduce the research question as early as possible; if you can, state it at the end of the first paragraph, so that readers can understand the introduction and the rest of the paper in a more targeted way.

For example: … In this study, we investigated how children with ASD attribute false belief to a social robot.

Posing the research question usually requires summarizing previous research and then pointing out problems that previous research has not solved, or that remain controversial. Only by showing that your research leads to a better understanding of these unresolved problems can you demonstrate novelty; otherwise your contribution cannot be shown. Take particular care here not to judge others' research (with adjectives like "poor" or "unreliable"), and not to gild your own ("the first to", "more advanced", and the "filling a gap" common in Chinese papers). Mind the tone, describe your contribution objectively, and let readers judge.

## 3. Personal understanding

Personal view: a good beginning is half the battle, and the introduction determines the first impression a reader or reviewer forms of your paper. The introduction really matters; a good introduction sets the ceiling of a paper. In particular, reviewers (given the differences between research areas) concentrate on the introduction when reviewing, and a "perfect" introduction makes readers or reviewers willing to keep reading and appreciating, makes them think about the point you raise and want to know how you will prove your argument. This indirectly reflects the overall value of the paper.

Therefore, writing a good, high-quality and engaging introduction is crucial.

Things to note when writing an introduction:

• Start broad and then narrow the scope, with appropriate length. The opening of the introduction can present the research background relatively broadly, but it must ultimately relate to your research.
• State the purpose and significance of the research. The main role of the introduction is to present the research background and the topic, phenomenon or viewpoint you study; in the introduction you should state your thesis, i.e., the method and contributions of this paper.
• Reviewers will quickly look for answers to several questions in the introduction: Is the work novel? Is the scientific contribution important? Is the quality of the paper suitable for publication in this journal?
• Cite adequately but do not abuse citations. After focusing on the research topic, the latest related literature should be fully covered. The literature review should be complete but not lengthy (this is not a survey), and avoid citing too many references for a single point.
• Avoid excessive detail. If your paper summarizes the main results extensively before introducing the method, avoid stating too many detailed results in the introduction.
• Write the introduction last: you can write the body of the paper first and the introduction afterwards. Once you have a line of thought, evidence and a structure, writing the introduction comes much more easily.
• Write according to the requirements of the target conference or journal.
• Read a lot (top-conference papers) and write a lot; practice matters most.

I personally like to divide the introduction into the following parts; of course different types of papers (surveys, theory, systems, methodology, etc.) are written differently.

• Part 1: leading from the real-world background to the research problem is crucial.
State the broad field of study; such a statement provides a background that gives readers a general understanding of the research problem and its importance.
• Part 2: explain the research problem (xxx aims to accomplish xxx), present recent research progress (mainly top conferences and journals), and use "however" to lead into the problems of current methods.
Describe previous research on the same problem from different angles more concretely, thereby establishing a foundation of existing knowledge and information. At the same time, point out that more research is needed to fill the gap or to extend existing work.
• Part 3: the method this paper proposes, and from which angles and how it solves the above problem.
A very specific statement of the purpose of this paper and of the main research work or results.
• Part 4: the main contributions of this paper.
A statement of the role, contribution and importance of this research, and an overview of the rest of the paper (optional).

In addition, the keywords in the introduction are very important; good keywords connect what comes before and after. We need to combine all the pieces into a logically coherent "introduction". You may also need to add a few sentences of research background (for example, cybersecurity incidents related to the topic, such as Stuxnet and WannaCry), or rearrange some sentences and paragraphs so that the logic flows more smoothly. This not only shows a clear line of thought but also lets readers easily understand what you mean.

References for this part:

• [1] Yi Li (易莉). 学术写作原来是这样 (So This Is What Academic Writing Is Like) [M]. China Machine Press (机械工业出版社).
• [2] 仓岛保美, 甘菁菁 (trans.). 写作的逻辑 (The Logic of Writing) [M]. Posts & Telecom Press (人民邮电出版社).
• [3] Ruiting Zhou. Notes from the doctoral English course. Wuhan University (Professor Zhou).
• [4] Kelly Hogan. How to read a scientific paper
• [5] Philip W. L. Fong. How to Read a CS Research Paper?
• [6] Zhihu. How to write a good paper introduction? https://www.zhihu.com/question/57366545
• [7] Zhihu. How to write a high-scoring introduction? https://zhuanlan.zhihu.com/p/165505555

# 2. Introduction sentences from intrusion detection system papers

I habitually divide the introduction into four parts; criticism and corrections are welcome. The following mainly draws on CCF A conference and journal papers, focusing on the field of intrusion detection systems (IDS).

## Part 1: Background and lead-in

Traditional malicious traffic detection identifies malicious traffic by analyzing the features of traffic according to preconfigured rules, which aims to protect legitimate Internet users from network attacks [29, 47]. However, the rule-base detection is unable to detect zero-day attacks [8, 12, 22, 65] though it can achieve high detection accuracy and detection throughput in high bandwidth networks, e.g., in Internet backbone networks.

Traditional IDS aims to … however …

• Chuanpu Fu, et al. Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. CCS.

The increasing scale and complexity of modern networks and the tremendous amount of applications running on them render communication and networking systems highly vulnerable to various intrusion attacks. Intrusion detection system (IDS) plays a significant role in safeguarding networks from intrusion attacks.

With the rapid advancement in machine learning (ML), ML-based Intrusion Detection Systems (IDSs) are widely deployed to protect networks from various attacks.

• Ning Wang, et al. MANDA: On Adversarial Example Detection for Network Intrusion Detection System. IEEE INFOCOM 2021

The mass adoption of IoT technology in smart homes has made them attractive targets to cyber threats, from unlocking doors and eavesdropping on occupants through their own cameras to hijacking voice-controlled personal assistant devices.

• Ryan Heartfield, et al. Self-Configurable Cyber-Physical Intrusion Detection for Smart Homes Using Reinforcement Learning. IEEE TIFS.

The electricity grid is a highly complex control system and is one of the most impressive engineering feats of the modern era. Modern societies critically rely on the proper operation of power delivery systems in nearly every facet [1]–[3].

There are a number of threats to the reliability and security of the electric grid, including space weather, aging, accidents, and random failures. In this paper, we focused on the growing threat from cyberattacks to substations.

• Tohid Shekari, et al. RFDIDS: Radio Frequency-based Distributed Intrusion Detection System for the Power Grid. NDSS.

The unprecedented evolution of networks with a growing plethora of connected devices and things are reshaping the landscape of an Internet-of-Things (IoT). Ranging from devices such as indoor or outdoor surveillance cameras, electrical and mechanical appliances, mobile user-worn devices such as smart watches or health monitors, to connected vehicles and vehicular components, industrial systems, and connected smart cities, the IoT landscape is continuously evolving (see Fig. 1).

Due to the increasing diversity of devices, networks and services in an IoT ecosystem, the vulnerabilities of each constituent technology could be agglomerated, giving rise to novel threats and attack vectors.

• Abdul Jabbar Siddiqui, et al. TempoCode-IoT: temporal codebook-based encoding of flow features for intrusion detection in Internet of Things. Cluster Computing.

The ADVENT of Internet-of-Things (IoT) systems and their ongoing convergence with diverse industry applications signifies the imminent next wave of the ubiquitously connected society [1]–[5]. By interconnecting different objects (i.e., things), distributed data associated with one industry or business process in the physical world, for example, temperature, humidity, and traffic information over a large area can be collected by different sensors. Accurate and trustworthy collection of such data [6]–[10] play an important role in decision making for smart IoT applications, especially for those industry applications relying on tight collaboration among diverse entities, and they are expected to provide a multitude of different domains of smart services, ranging from environmental monitoring, infrastructure monitoring, to smart factory, just to name a few [11].

• Zhenlong Xiao, et al. Anomalous IoT Sensor Data Detection: An Efficient Approach Enabled by Nonlinear Frequency-Domain Graph Analysis. IOTJ

However, those resource-constraint IoT sensors could be compromised easily, leading to the anomalous data in IoT systems by false-data-injection attacks [12]–[16]. Such anomalous sensor data may result in erroneous decision making and further cause cascaded system failure and avalanche-like reaction due to the extremely high complexity and interdependency among different components of large-scale IoT systems. Hence, the anomalous data detection from the collected sensor data is extremely important for IoT-based smart applications.

• Zhenlong Xiao, et al. Anomalous IoT Sensor Data Detection: An Efficient Approach Enabled by Nonlinear Frequency-Domain Graph Analysis. IOTJ

With advances in network-based computing services and applications, the Internet suffers from more and more security threats. Therefore, intrusion detection systems (IDS) are particularly important as an essential part of network security defense. IDS discovers and identifies intrusions in the system by detecting and analyzing network traffic or host behaviors.

• Xinghua Li, et al. Sustainable Ensemble Learning Driving Intrusion Detection Model. TDSC.

Network Intrusion Detection System (NIDS) is a critical network security function that is designed to monitor the traffic in a network to detect malicious activities or security policy violations. Recently, lots of networks have reached the throughput of 100 Gbps [83]. To keep up with the pace of the soaring throughput of networks, multi-thread approaches [35, 77] have been proposed to build NIDSes to meet the high throughput requirement for detecting attacks. In addition, some NIDSes, such as Bro [67], can be deployed as NIDS clusters [81] that spread detection tasks across multiple nodes.

• Hongda Li, et al. vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems. CCS.

However, despite their usefulness in addressing scalability issues for NIDSes, both multi-thread and cluster solutions remain limited in flexibility regarding the processing capacity and placement location. In particular, they are still inflexible to detect attacks when a significant workload spike happens. For example, a massive attack like DDoS could bring the network traffic volume up to 500 GBps [42], which requires the NIDSes scaling accordingly to process the peak traffic load.

• Hongda Li, et al. vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems. CCS.

Moreover, these approaches are also inflexible to protect current prevailing virtualized environments, because the perimeters of networks in virtualized environments become blur and fluid, where applications may migrate from one physical machine to another within a data center or even across multiple data centers for the purpose of flexible resource management and optimization [31]. Therefore, improving the design of current NIDSes to make them well suited to provide flexible network intrusion detection is urgent and relevant.

• Hongda Li, et al. vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems. CCS.

Cyber-physical systems (CPS) are increasingly being deployed in critical infrastructures. The CPS market is expected to expand by 9.7% each year, which will reach $9,563M by 2025 [82]. Prominent applications of CPS include industrial control systems (ICS), smart grid, intelligent transportation systems (ITS), and aerial systems. CPSs have evolved to be complex, heterogeneous, and integrated to provide rich functionalities. However, such characteristics also expose CPSs to broader threats.

• Yuan LUO, et al. Deep Learning-based Anomaly Detection in Cyber-physical Systems: Progress and Opportunities. ACM Computing Surveys.

A variety of services have been proposed using Internet of Things (IoT) devices. IoT devices have been one of the frequent targets for adversaries because they are generally cheap with a lack of security awareness. One of the security mechanisms is the intrusion detection systems (IDSes) for detecting on-going intrusions in such IoT networks. There are mainly two types of IDS: network-based intrusion detection system (NIDS) and host-based intrusion detection system (HIDS). Unlike HIDS which is specialized in detecting attacks within a single device, NIDS analyzes data traffic in a networked system to discover the existence of attacks. NIDS has been preferred by researchers for IoT security [1], [10], [11] because an IoT system can be viewed not as a standalone computing device but as a cluster of devices networked to form an ecosystem.

• Sunwoo Ahn, et al. Hawkware: Network Intrusion Detection based on Behavior Analysis with ANNs on an IoT Device. DAC.

HOST-BASED intrusion detection has long been an important measure to enforce computer security. In today’s world, the cyber attack has become a persistent, aggressive and disruptive threat. For instance, the Advanced Persistent Threat (APT) attack has gradually become a main threat in enterprise’s environment [1], [2]. The “WannaCry” virus has attacked nearly 100 countries in the world [3] and resulted in huge economic losses in 2017 [4].

• Yulai Xie, et al. Pagoda: A Hybrid Approach to Enable Efficient Real-Time Provenance Based Intrusion Detection in Big Data Environments. IEEE Transactions on Dependable and Secure Computing.

WITH the increasing popularity of the Internet in modern life, a larger number of devices have become interoperable through networks, and the security of cyberspace has attracted greater attention. Intrusion detection systems (IDSs) are used to detect various malicious attacks on a network effectively and are one of the most critical systems for maintaining cyberspace security [1]. From the perspective of machine learning (ML), an IDS can be defined as a system aimed to classify network traffic.

• Congyuan Xu, et al. A Method of Few-Shot Network Intrusion Detection Based on Meta-Learning Framework. IEEE Transactions on Information Forensics and Security.

## Part 2: Research topic and related work

The goal of ML-based IDS is to learn a decision boundary that discriminates malicious network traffic from benign network traffic.

ML technologies have seen great success in domains such as computer vision and natural language processing. While applying to network intrusion detection, state-of-the-art IDSs usually implement advanced neural networks (e.g., LSTM) and learning schemes (e.g., meta-learning and active learning).

• Ning Wang, et al. MANDA: On Adversarial Example Detection for Network Intrusion Detection System. IEEE INFOCOM 2021

In light of these incidents, researchers in academia and industry are gearing efforts to develop novel solutions for intrusion detection in IoT, to secure IoT from different types of intrusions [8, 32, 37, 39]. The various IDSs could be broadly classified in terms of their placement strategy as: centralized, distributed, or hybrid.

• Abdul Jabbar Siddiqui, et al. TempoCode-IoT: temporal codebook-based encoding of flow features for intrusion detection in Internet of Things. Cluster Computing.

To achieve this purpose, intrusion detection systems (IDSs) (Scarfone and Mell, 2007) are a basic and important security mechanism to defend IoT environments against various security threats. Traditionally, an IDS can be classified into two categories: signature-based IDS and anomaly-based IDS. The former like (Vigna and Kemmerer, 1998; Roesch, 1999) detects a potential threat by comparing inputting events (e.g., system logs) with known signatures, which are used to describe a known attack by means of expert knowledge. By contrast, the latter (Valdes and Anderson, 1995; Ghosh et al., 1998) identifies great deviations between existing events with the pre-established normal profile.

• Wenjuan Li, et al. Enhancing collaborative intrusion detection via disagreement-based semi-supervised learning in IoT environments. Journal of Network and Computer Applications.

A significant amount of research has been conducted to develop intelligent intrusion detection techniques, which help achieve better network security. Bagged boosting-based on C5 decision trees [2] and Kernel Miner [3] are two of the earliest attempts to build intrusion detection schemes. Methods proposed in [4] and [5] have successfully applied machine learning techniques, such as Support Vector Machine (SVM), to classify network traffic patterns that do not match normal network traffic.

• Mohammed A. Ambusaidi, et al. Building an Intrusion Detection System Using a Filter-Based Feature Selection Algorithm. IEEE TRANSACTIONS ON COMPUTERS

In order to detect abnormal behaviors in large-scale network traffic, machine learning-based intrusion detection systems [1], [2], [3] have attracted a wide range of attention. Such methods adopt machine learning techniques to extract features from a large amount of data and train a classification model to classify network traffic or host behaviors to detect intrusions in the system. In order to reduce the false alarm rate and false negative rate, prior works on the machine learning-based intrusion detection system often employ multiple machine learning models [4], [5], [6] to construct the detection model, called ensemble learning method, as demonstrated in Fig. 1.

• Xinghua Li, et al. Sustainable Ensemble Learning Driving Intrusion Detection Model. TDSC.

In this work, our goal is to make a step towards elastic security through NIDS virtualization that overcomes the inflexibility of current NIDS architectures. The virtualization of NIDSes must be safe and efficient. The safe virtualization requires that virtualized NIDSes do not miss any potential attacks that can be detected by traditional NIDSes. The efficient virtualization requires that virtualized NIDSes are provisioned optimally and consume minimum resources.

• Hongda Li, et al. vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems. CCS.

Current practise for securing organizational networks is to rely on Intrusion Detection Systems (IDS) that inspect network traffic to detect attacks. However, such solutions are either extremely expensive if they are hardware-based, or unscalable to high datarates if they are software-based. Further, the myriad variety of IoT devices, each with its own specific behavior and security vulnerabilities, makes it challenging for the IDS to distinguish normal from abnormal traffic that could be symptomatic of an attack.

• Ayyoob Hamza, et al. Combining MUD Policies with SDN for IoT Intrusion Detection. IOT S&P.

The traditional intrusion detection system typically uses system calls to analyze and identify host-based intrusion [5], [6], [7], [8], [9], [10]. However, these methods are not widely used. Since they do not disclose how the intrusion happens, and thus the detection accuracy is not high. With the stealth and sophistication of modern attacks, it’s critical to identify the causality relationships between the intruder and the damaged files. The existing mainstream methods focus on offline forensic analysis using provenance [11], [12] or audit logs [13], [14], [15]. However, typical attacks such as APT can remain stealthy for half a year after getting into the enterprise [16]. It is too late if sensitive data have been stolen before disclosing the intrusion source.

• Yulai Xie, et al. Pagoda: A Hybrid Approach to Enable Efficient Real-Time Provenance Based Intrusion Detection in Big Data Environments. IEEE Transactions on Dependable and Secure Computing.

A simple model is a binary classification one, which is used to distinguish between the normal and malicious network traffic, thereby enabling the detection of intrusion traffic. With recent advances in research focused on ML, many studies have shown that it is possible to design ML algorithms with the purpose of implementing IDSs. These algorithms are generally no longer based on rules and are aimed to exploit various features of network traffic. They comprise two main steps: feature extraction and classification. For example, in the research work [2], a method of encoding the payload was proposed based on recursive feature addition (RFA) and bigram, and then was utilized to detect intrusions. The experimental results on the ISCX2012 dataset demonstrated that the detection rate could reach 89.60%.

• Congyuan Xu, et al. A Method of Few-Shot Network Intrusion Detection Based on Meta-Learning Framework. IEEE Transactions on Information Forensics and Security.

## Part 3: Shortcomings of existing methods

Use the shortcomings of existing methods to lead into this paper's method.

There are mainly two types of IDS: signature-based detection [2] and anomaly-based detection [3]. Signature-based detection schemes work by extracting the traffic signature and comparing to those in a pre-built knowledge base. As a result, they are only effective in detecting known attacks but cannot detect attacks outside the knowledge base. Anomaly-based detection aims to detect deviations from an established norm traffic model.

• Ning Wang, et al. MANDA: On Adversarial Example Detection for Network Intrusion Detection System. IEEE INFOCOM 2021
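The two excerpts above (Wenjuan Li et al. in Part 2 and Ning Wang et al. here) both split IDSs into signature-based detection, which compares an extracted traffic signature with a knowledge base of known attacks, and anomaly-based detection, which flags deviations from a learned normal profile. The following Python script is an added illustration of that split and is not code from either paper: it runs a minimal detector of each kind side by side over constructed flow records. The flow records, the signature knowledge base, the size-statistics normal profile and the z-score threshold of 3.0 are all constructed for the example.

```python
"""Signature-based vs anomaly-based detection over constructed flow records.

Added illustration of the two IDS categories; not code from any cited paper.
Flow records, the signature knowledge base and the z-score threshold are
constructed for this example.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str
    dst_port: int
    nbytes: int
    npackets: int
    payload_prefix: bytes  # first bytes of the first payload-carrying packet


# Knowledge base of known attacks (constructed): (proto, port, payload prefix) -> name.
SIGNATURES: Dict[Tuple[str, int, bytes], str] = {
    ("tcp", 80, b"GET /cgi-bin/"): "cgi-probe",
    ("tcp", 21, b"SITE EXEC"): "ftp-site-exec",
}


def signature_detect(flow: Flow) -> Optional[str]:
    """Extract the flow's signature and compare it with the knowledge base.

    Only what is already listed can be reported: a flow whose (proto, port,
    payload) is absent from the knowledge base is never flagged, however odd it looks.
    """
    for (proto, port, prefix), name in SIGNATURES.items():
        if (flow.proto, flow.dst_port) == (proto, port) and flow.payload_prefix.startswith(prefix):
            return name
    return None


@dataclass(frozen=True)
class NormalProfile:
    ports: frozenset
    bytes_mean: float
    bytes_std: float
    pkts_mean: float
    pkts_std: float


def build_profile(baseline: List[Flow]) -> NormalProfile:
    """Learn the normal profile from benign flows: seen ports plus size statistics."""
    sizes = [f.nbytes for f in baseline]
    counts = [f.npackets for f in baseline]
    return NormalProfile(
        ports=frozenset(f.dst_port for f in baseline),
        bytes_mean=mean(sizes), bytes_std=pstdev(sizes),
        pkts_mean=mean(counts), pkts_std=pstdev(counts),
    )


def _z(x: float, m: float, s: float) -> float:
    """Absolute z-score; a zero spread means every deviation is ignored rather than divided by 0."""
    return 0.0 if s == 0 else abs(x - m) / s


def anomaly_detect(flow: Flow, profile: NormalProfile, threshold: float = 3.0) -> Optional[str]:
    """Report a flow that deviates from the normal profile; needs no attack knowledge."""
    if flow.dst_port not in profile.ports:
        return "unseen-port"
    z = max(_z(flow.nbytes, profile.bytes_mean, profile.bytes_std),
            _z(flow.npackets, profile.pkts_mean, profile.pkts_std))
    return "deviation" if z > threshold else None


def classify(flows: List[Flow], profile: NormalProfile) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Run both detectors on each flow; returns (src, signature verdict, anomaly verdict)."""
    return [(f.src, signature_detect(f), anomaly_detect(f, profile)) for f in flows]


# Constructed benign baseline: ordinary HTTPS/HTTP sessions.
BASELINE = [
    Flow("10.0.0.%d" % i, "tcp", port, nb, np_, b"\x16\x03\x01" if port == 443 else b"GET /index")
    for i, (port, nb, np_) in enumerate([
        (443, 1400, 12), (443, 1600, 14), (80, 1500, 13), (443, 1700, 15),
        (80, 1550, 13), (443, 1450, 12), (443, 1650, 14), (80, 1500, 13)])
]

# Constructed test flows: a known attack, a novel one, and a benign but unusual transfer.
TEST_FLOWS = [
    Flow("10.0.1.1", "tcp", 80, 1480, 13, b"GET /cgi-bin/status"),  # listed in the knowledge base
    Flow("10.0.1.2", "tcp", 2222, 900, 11, b"SSH-2.0-scan"),         # nothing like it in the KB
    Flow("10.0.1.3", "tcp", 443, 200_000, 900, b"\x16\x03\x01"),    # large backup upload
]

if __name__ == "__main__":
    for row in classify(TEST_FLOWS, build_profile(BASELINE)):
        print(row)
```

The run shows the trade-off the excerpts describe: the known probe is caught only by the signature matcher (by size it looks like any other web request), the flow to a port never seen in the baseline is caught only by the anomaly model, and the large benign upload is an anomaly-model false positive, which is why deployed systems usually combine both and tune the threshold against their own traffic.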

Compared with rule based methods, machine learning based methods can effectively identify zero-day malicious traffic [12, 22]. Unfortunately, due to the processing overhead of machine learning algorithms, existing detection methods achieve low detection throughput and are unable to process high-rate traffic. As a result, most of these methods can only be deployed offline [2, 4, 5, 15, 28, 49] so that they cannot realize realtime detection, particularly in high performance networks (e.g., in 10 Gigabit networks) [42, 77, 78].

• Chuanpu Fu, et al. Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. CCS.

Meanwhile, attackers can easily interfere with and evade these methods by injecting noises, e.g., packets generated by benign applications, into attack traffic. Packet-level detection [42, 53, 68] that analyzes per-packet feature sequences is unable to achieve robust detection. Actually, even in the absence of the evasion attacks, the packet-level detection is unable to detect sophisticated zero-day attacks. Traditional flow-level methods [4, 28, 49, 77] detecting attacks by analyzing flow-level statistics incur significant detection latency. Moreover, evasion attacks can easily bypass the traditional flow-level detection that uses coarse-grained flow-level statistics [14, 63]. Thus, realtime robust machine learning based detection that is ready for real deployment is still missing.

• Chuanpu Fu, et al. Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. CCS.

Smart homes, however, present unique challenges with very specific requirements that can make generalist approaches unsuitable.

• Ryan Heartfield, et al. Self-Configurable Cyber-Physical Intrusion Detection for Smart Homes Using Reinforcement Learning. IEEE TIFS.

To detect attacks early and potentially reduce their damaging consequences, we need a reliable and robust intrusion detection system (IDS) for the power grid. The existing IDSs focused on securing power substations through monitoring the network traffic of the SCADA system. Accordingly, if the attacker can compromise the SCADA network entirely, the IDS will not be able to detect his malicious activities in the substation.

Motivated by this fact, the aim of this paper is to propose an air-gapped distributed IDS which monitors the substation activities by radio frequency (RF) measurements (as a side channel) to verify the correctness of the SCADA network traffic. With this approach, the SCADA system is assumed to be an untrusted entity.

• Tohid Shekari, et al. RFDIDS: Radio Frequency-based Distributed Intrusion Detection System for the Power Grid. NDSS.

However, current network traffic data, which are often huge in size, present a major challenge to IDSs [9]. These “big data” slow down the entire detection process and may lead to unsatisfactory classification accuracy due to the computational difficulties in handling such data. Classifying a huge amount of data usually causes many mathematical difficulties which then lead to higher computational complexity.

• Mohammed A. Ambusaidi, et al. Building an Intrusion Detection System Using a Filter-Based Feature Selection Algorithm. IEEE TRANSACTIONS ON COMPUTERS

To detect attacks and unexpected errors in CPSs, anomaly detection methods are proposed to mitigate these threats. For example, rule, state estimation (e.g., Kalman filter), and statistical model (e.g., Gaussian model, histogram-based model) based methods are utilized to learn normal status of CPSs [65]. However, these methods usually require expert knowledge (e.g., operators manually extract certain rules) or need to know the underlying distribution of normal data. Machine learning approaches do not rely on domain-specific knowledge [18]. But they usually require a large quantity of labeled data (e.g., classification-based methods). Also, they cannot capture the unique attributes of CPSs (e.g., spatial-temporal correlation) [88].

• Yuan LUO, et al. Deep Learning-based Anomaly Detection in Cyber-physical Systems: Progress and Opportunities. ACM Computing Surveys.

Intrusion detection methods are dedicated to ensuring network communication security [70, 116]. Physical properties are captured to depict the immutable nature of CPSs [36]. Program execution semantics are characterized to protect control systems [19, 89, 112]. However, as CPSs become more complicated and attacks are more stealthy (e.g., APT attacks), these methods are hard to ensure the overall status of CPSs (e.g., protect multivariate physical measurement) and need more domain knowledge (e.g., more components and correlation). Anomaly detection systems need to adapt to capture new characteristics of CPSs.

• Yuan LUO, et al. Deep Learning-based Anomaly Detection in Cyber-physical Systems: Progress and Opportunities. ACM Computing Surveys.

The aforementioned works demonstrate that for a specific type of attack, as long as there is a large number of samples, many ML algorithms can perform appropriately, and detection can be completely automated, no longer requiring excessive manual intervention. It can be outlined that IDSs based on ML can detect new attacks as long as the number of samples for training is sufficient. However, at present, the cyberspace environment is constantly changing, and new types of attacks occur constantly. For example, the zero-day attack [14] is an attack launched on the day when a vulnerability is discovered. It is difficult for security agencies to obtain sufficient attack samples in a short period, and as a result, it may be too late to compose a dataset and publish it.

• Congyuan Xu, et al. A Method of Few-Shot Network Intrusion Detection Based on Meta-Learning Framework. IEEE Transactions on Information Forensics and Security.

## Part 4: This paper's method and contributions

### (1) This paper's method

In this paper, we develop Whisper that aims to realize realtime robust malicious traffic detection by utilizing machine learning algorithms. Whisper effectively extracts and analyzes the sequential information of network traffic by frequency domain analysis [51], which extracts traffic features with low information loss. Especially, the frequency domain features of traffic can efficiently represent various packet ordering patterns of traffic with low feature redundancy.

• Chuanpu Fu, et al. Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. CCS.

To effectively perform frequency domain traffic feature analysis, we develop a three-step frequency domain feature extraction. First, we encode per-packet feature sequences as vectors, which reduces the data scale and the overhead of subsequent processing. Second, we segment the encoded vectors and perform Discrete Fourier Transformation (DFT) [51] on each frame, which aims to extract the sequential information of traffic. It allows statistical machine learning algorithms to easily learn the patterns. Third, we perform logarithmic transformation on the modulus of the frequency domain representation produced by DFT, which prevents float point overflows incurred by the numerical instability issue [23] during the training of machine learning.

• Chuanpu Fu, et al. Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. CCS.
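The three-step pipeline in the excerpt above (encode per-packet features into a sequence, segment it into frames and apply a DFT to each, then take the logarithm of the modulus) can be run end to end on a small constructed packet sequence. The Python below is an added illustration of those steps and is not Whisper's own code: the per-packet feature layout, the encoding weights, the frame length of 8, zero-padding of a trailing partial frame, and the log(1 + |X_k|) form of the logarithmic transform are all assumptions, and the packet records are constructed. It uses a plain O(n²) DFT so it runs with no third-party dependency.

```python
"""Three-step frequency-domain feature extraction for packet sequences.

Added illustration of the steps the excerpt describes; not Whisper's own code.
Feature layout, encoding weights, frame length and the log(1 + |X_k|) transform
are assumptions; the packet records are constructed.
"""
import cmath
import math
from typing import List, Sequence, Tuple

# Constructed per-packet record: (length in bytes, inter-arrival time in ms, protocol code).
Packet = Tuple[int, float, int]


def encode(packets: Sequence[Packet], weights: Sequence[float]) -> List[float]:
    """Step 1: collapse each packet's feature tuple into one scalar (weighted sum),
    so the transform below works on a short 1-D sequence instead of raw records."""
    return [sum(w * f for w, f in zip(weights, pkt)) for pkt in packets]


def segment(values: Sequence[float], frame_len: int) -> List[List[float]]:
    """Step 2a: cut the encoded sequence into fixed-length frames.
    A trailing partial frame is zero-padded (assumption) rather than dropped."""
    frames = []
    for start in range(0, len(values), frame_len):
        frame = list(values[start:start + frame_len])
        frame.extend([0.0] * (frame_len - len(frame)))
        frames.append(frame)
    return frames


def dft(frame: Sequence[float]) -> List[complex]:
    """Step 2b: discrete Fourier transform X_k = sum_t x_t * e^(-2*pi*i*k*t/n).
    Naive O(n^2) form, adequate for short frames and dependency-free."""
    n = len(frame)
    return [sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(frame))
            for k in range(n)]


def log_modulus(spectrum: Sequence[complex]) -> List[float]:
    """Step 3: log(1 + |X_k|). Compresses the dynamic range that a few large
    packets create and stays defined when a bin is exactly zero."""
    return [math.log1p(abs(z)) for z in spectrum]


def extract_features(packets: Sequence[Packet], weights: Sequence[float],
                     frame_len: int) -> List[List[float]]:
    """Full pipeline: one feature vector of length frame_len per frame."""
    return [log_modulus(dft(frame)) for frame in segment(encode(packets, weights), frame_len)]


def dynamic_range(packets: Sequence[Packet], weights: Sequence[float],
                  frame_len: int) -> Tuple[float, float]:
    """Largest spectral magnitude before and after the log step, to show why step 3 exists."""
    raw = max(abs(z) for frame in segment(encode(packets, weights), frame_len) for z in dft(frame))
    return raw, math.log1p(raw)


# Constructed sample: a steady stream of small packets followed by a burst of large ones.
SAMPLE: List[Packet] = [(64, 10.0, 6)] * 8 + [(1500, 0.5, 6)] * 8
WEIGHTS = (1.0, 0.1, 0.0)  # assumed encoding weights: length dominates, timing adds a little
FRAME_LEN = 8

if __name__ == "__main__":
    for i, vec in enumerate(extract_features(SAMPLE, WEIGHTS, FRAME_LEN)):
        print("frame", i, [round(v, 2) for v in vec])
    print("max |X_k| raw / after log:", dynamic_range(SAMPLE, WEIGHTS, FRAME_LEN))
```

With the sample above, the first frame (uniform small packets) puts all its energy in the DC bin and the second frame (uniform large packets) does the same at a much larger magnitude; the log step brings the two frames onto a comparable scale, which is the numerical-stability point the excerpt makes. A sequence that alternates packet sizes instead shows up as energy in the middle bin, which is the "packet ordering pattern" the frequency-domain features are meant to capture.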

Furthermore, we propose an automatic parameter selection module to select the encoding vector for efficient packet feature encoding. To achieve this, we formulate the per-packet feature encoding as a constrained optimization problem to minimize mutual interference of the per-packet features during frequency domain feature analysis.

• Chuanpu Fu, et al. Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. CCS.

In this paper, we propose MANDA, a MANifold and Decision boundary-based AE detection scheme for ML-based IDS.

• Ning Wang, et al. MANDA: On Adversarial Example Detection for Network Intrusion Detection System. IEEE INFOCOM 2021

In addition, MAGPIE introduces three more innovations to ensure its practicality in a household, including taking into account users' risk tolerance, human presence and cyber-physical sources of data. In summary, MAGPIE implements the following contributions:

• Ryan Heartfield, et al. Self-Configurable Cyber-Physical Intrusion Detection for Smart Homes Using Reinforcement Learning. IEEE TIFS.

In order to address the problem of intrusion attacks in IoT, this work proposes a novel method to detect intrusions by transforming flow-based features into more discriminative representations and designs an ensemble of classifiers based on these to differentiate between benign and malicious flows. The proposed method is designed to serve in a centralized IDS, leveraging the compute and storage resources therein. The main contributions of this work are summarised as follows:

• Abdul Jabbar Siddiqui, et al. TempoCode-IoT: temporal codebook-based encoding of flow features for intrusion detection in Internet of Things. Cluster Computing.

Due to such merits, in this work, our main purpose is to apply the disagreement-based method to intrusion detection. We particularly devise a simple disagreement-based semi-supervised learning algorithm and investigate its performance of detecting intrusions. In addition, due to the nature of IoT networks, there is a need to deploy collaborative intrusion detection systems (CIDSs) to protect the distributed environment. Motivated by this, we further design DAS-CIDS to investigate the use of disagreement-based semi-supervised learning in CIDSs, in the aspects of detection improvement and alarm filtration. The contributions of this work can be summarized as below.

• Wenjuan Li, et al. Enhancing collaborative intrusion detection via disagreement-based semi-supervised learning in IoT environments. Journal of Network and Computer Applications.

To address the aforementioned problems on the methods for feature selection, we have proposed a Hybrid Feature Selection Algorithm (HFSA) in [10]. HFSA consists of two phases. The upper phase conducts a preliminary search to eliminate irrelevant and redundant features from the original data. This helps the wrapper method (the lower phase) to decrease the search range from the entire original feature space to the pre-selected features (the output of the upper phase). In this paper, we extend our work discussed in [10]. The key contributions of this paper are listed as follows.

• Mohammed A. Ambusaidi, et al. Building an Intrusion Detection System Using a Filter-Based Feature Selection Algorithm. IEEE TRANSACTIONS ON COMPUTERS

Therefore, the existing solutions are difficult to adapt to the characteristics of attack diversity and dynamic time-variation. To solve the above problems, this paper proposes an intrusion detection model based on sustainable ensemble learning. The main contributions are summarized as follows:

• Xinghua Li, et al. Sustainable Ensemble Learning Driving Intrusion Detection Model. TDSC.

In this paper, we propose a novel NIDS architecture, vNIDS, which enables safe and efficient virtualization of NIDSes. To address the effective intrusion detection challenge, we classify detection states of virtualized NIDSes into local and global detection states to minimize the number of detection states shared between instances.

• Hongda Li, et al. vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems. CCS.

To this end, deep learning-based anomaly detection (DLAD) methods have been proposed to identify anomalies in CPS. Current studies have explored different neural network architectures (e.g., ConvLSTM) to mitigate various threats (e.g., false data injection attacks) in different CPS domains (e.g., smart grid). However, since these studies are not introduced in a unified way, a systematic survey is needed to review existing methods and provide guidance for future solutions. Specifically, we need to answer the following four research questions:

• Yuan LUO, et al. Deep Learning-based Anomaly Detection in Cyber-physical Systems: Progress and Opportunities. ACM Computing Surveys.

To resolve these issues, we propose, Hawkware, our lightweight ANN-based distributed NIDS that detects attacks on a device without actual data analysis for DPI, yet attaining better accuracy than latest NIDS [1] for IoT devices. Since resource consumption is a primary concern of every embedded device in an IoT system, efficiency must be of top priority for any techniques targeting most embedded devices with strict resource constraints.

• Sunwoo Ahn, et al. Hawkware: Network Intrusion Detection based on Behavior Analysis with ANNs on an IoT Device. DAC.

In this paper we aim to increase the scalability and efficacy of IDS using a combination of MUD and SDN. Manufacturer Usage Description (MUD) [12] is an emerging IETF framework for formally specifying the expected network behavior of an IoT device. IoT devices generally perform a specific function, and therefore have a recognizable communication pattern [16], which can be captured formally and succinctly as a MUD profile. Using the Software Defined Networking (SDN) paradigm, this formal behavioral profile can be translated to static and dynamic flow rules that can be enforced at run-time by the network. Traffic that conforms to these rules can be allowed, while unexpected traffic is inspected for potential intrusions. Such an approach dramatically reduces load on the IDS, allowing it to scale in performance and identify device-specific threats.

• Ayyoob Hamza, et al. Combining MUD Policies with SDN for IoT Intrusion Detection. IOT S&P.

To address the above problems, we propose Pagoda, a provenance based intrusion detection system that analyzes the anomaly degree of not only a single path, but also the entire provenance graph. It first looks for the intrusion path that may result in the intrusion. If the path has been found, then it does not have to traverse the provenance graph for further detection. Otherwise, it computes the anomaly degree of the provenance graph in three steps.

Moreover, like many provenance systems (e.g., CamFlow [21]), Pagoda filters unnecessary provenance data to reduce the detection time. This also prevents noisy data generating false alarms. Typical noisy data includes daemon processes, pipe files and temporary files that are not likely to contain intrusion information. As Pagoda mainly uses the dependency relationships between different objects to drive the intrusion detection algorithm, it also omits some provenance data (e.g., environment variables and input parameters) to save the memory space. In addition, as we use an absolute path name to describe a file or a process, files in the same directory have a common prefix in their names. Pagoda uses dictionary encoding [22] technology to compress these duplicates to further reduce the space overhead.

• Yulai Xie, et al. Pagoda: A Hybrid Approach to Enable Efficient Real-Time Provenance Based Intrusion Detection in Big Data Environments. IEEE Transactions on Dependable and Secure Computing.

### (2) 贡献总结经典句子

常用的本文贡献引入句子：

• In summary, MAGPIE implements the following contributions:
• The contributions of our paper are summarized as follows:
• In summary, the contributions of this paper are as follows:
• The main contributions of this work are summarised as follows:
• In summary, the contributions of our paper are five-fold:
• The main contributions are summarized as follows:
• In summary, we make the following contributions:
• The contributions of this paper are as follows:

We present Whisper, a novel malicious traffic detection system by utilizing frequency domain analysis, which is the first system built upon machine learning achieving realtime and robust detection in high throughput networks.

We perform frequency domain feature analysis to extract the sequential information of traffic, which lays the foundation for the detection accuracy, robustness, and high throughput of Whisper.

• Chuanpu Fu, et al. Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. CCS.

We systematically investigate practical AE attacks and defenses of recent ML-based IDSs. To the best of our knowledge, we are the first to investigate AE attacks for IDS in problem space rather than in feature space, and also the first to propose an effective AE detection scheme to defend against such attacks.

We propose MANDA, a novel MANifold and Decision boundary-based AE detection scheme for ML-based IDS. MANDA is designed by exploiting unique features we observe while trying to categorize AE attacks from the viewpoint of machine learning model and data manifold. Based on our AE categorization, MANDA combines two building blocks (i.e., Manifold and DB) together to achieve effective AE detection regardless of which AE attack is used.

Our experimental results show that MANDA achieves 98.41% true-positive rate (TPR) with a fixed 5% false-positive rate (FPR) under CW attack, the most powerful AE attack, and over 0.97 AUC-ROC under three frequently-used attacks (FGSM attack, BIM attack, and CW attack) on the NSL-KDD dataset. We also demonstrate that MANDA outperforms Artifact [17], a state-of-the-art solution on AE detector, on both IDS task and image classification task.

• Ning Wang, et al. MANDA: On Adversarial Example Detection for Network Intrusion Detection System. IEEE INFOCOM 2021

We improve the ensemble learning model in the model training stage, based on our finding that different detection algorithms have different sensitivities to different attacks. The individual classifier adaptively selects different weights for different attack types according to their classification confidence and the output probability, thereby improving the detection accuracy of the model. And multi-class regression models are trained to fuse individual classifiers’ results.

In the model update stage, we design a model knowledge transmission method based on incremental learning. The parameters of historical models are transmitted to the new model for pre-training, and the detection results of the historical model are added to the training process of the new model. In this way, the sustainability of the model update is maintained, and the false alarm and false negative rates are reduced. As far as we know, we are the first to reuse the knowledge in the historical detection model in the IDS system.

• Xinghua Li, et al. Sustainable Ensemble Learning Driving Intrusion Detection Model. TDSC.

Ability to continuously adapt unsupervised smart home threat detection to changing conditions. MAGPIE self-adapts by applying reinforcement learning on the unsupervised classifier’s hyperparameters based on a probabilistic reward function without an a priori model or knowledge of the household configuration.

Experimental evaluation with both cyber and physical sources of data. From a threat monitoring perspective, the physical impact of some security breaches constitutes an opportunity because, in conjunction with traditional cyber sources of data, it can provide valuable information about the system’s security state.

• Ryan Heartfield, et al. Self-Configurable Cyber-Physical Intrusion Detection for Smart Homes Using Reinforcement Learning. IEEE TIFS.

This work proposes a new filter-based feature selection method, in which theoretical analysis of mutual information (MI) is introduced to evaluate the dependence between features and output classes. The most relevant features are retained and used to construct classifiers for respective classes. As an enhancement of Mutual Information Feature Selection (MIFS) [11] and Modified Mutual Information-based Feature Selection (MMIFS) [12], the proposed feature selection method does not have any free parameter, such as b in MIFS and MMIFS. Therefore, its performance is free from being influenced by any inappropriate assignment of value to a free parameter and can be guaranteed. Moreover, the proposed method is feasible to work in various domains, and more efficient in comparison with HFSA [10], where the computationally expensive wrapper-based feature selection mechanism is used.

• Mohammed A. Ambusaidi, et al. Building an Intrusion Detection System Using a Filter-Based Feature Selection Algorithm. IEEE TRANSACTIONS ON COMPUTERS

Different from the detection framework proposed in [10] that designs only for binary classification, we design our proposed framework to consider multi-class classification problems. This is to show the effectiveness and the feasibility of the proposed method.

• Mohammed A. Ambusaidi, et al. Building an Intrusion Detection System Using a Filter-Based Feature Selection Algorithm. IEEE TRANSACTIONS ON COMPUTERS

We present WATSON, the first approach to abstracting high-level behaviors from low-level logs without analyst involvement. Our approach summarizes behaviors using information flow as guidance and derives behavior semantics by aggregating contextual semantics of audit events.

We propose the novel idea of inferring log semantics through contextual information. We provide a quantitative representation of behavior semantics and use it to cluster semantically similar behaviors and extract representatives.

We prototype WATSON and conduct a systematic evaluation with both commonly-used benign behaviors and real-world malicious behaviors. The results show that WATSON is effective in abstracting high-level behaviors and reducing human workload in the analysis of logs.

• Jun Zeng, et al. WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics. NDSS.

We devise a disagreement-based semi-supervised learning algorithm, which can leverage the unlabeled data for classification, and investigate its use in the field of intrusion detection. In addition, we develop a framework of DAS-CIDS by applying the disagreement-based semi-supervised learning to improve the performance of CIDSs, in the aspects of detection performance and alarm filtration.

In the evaluation, we perform two major experiments to exploit the performance of our approach with real datasets and in a real IoT environment, respectively. Our results indicate that the disagreement-based method can outperform traditional supervised machine learning classifiers by learning from unlabeled data, during anomaly detection and alarm filtration.

• Wenjuan Li, et al. Enhancing collaborative intrusion detection via disagreement-based semi-supervised learning in IoT environments. Journal of Network and Computer Applications.

We propose Pagoda, a provenance-based intrusion detection system that takes into account the anomaly degree of both a single path and the whole provenance graph to achieve both fast and accurate detection in big data environments.

To further save the memory space, we apply dictionary encoding to reduce the replicated items in the rule database. Moreover, we filter the noise provenance that is not likely to contain intrusion information or is not used for detecting intrusions in our method. Thus we improve the detection accuracy and reduce the detection time.

We implement the system prototype and evaluate it on a series of real-world normal and vulnerable applications. The experimental results show that Pagoda significantly outperforms the classical syscall-based method [5] and the state-of-the-art (i.e., provenance path based method [17]) on a series of critical axes, such as detection accuracy, detection time, forensic analysis efficiency and space overhead.

• Yulai Xie, et al. Pagoda: A Hybrid Approach to Enable Efficient Real-Time Provenance Based Intrusion Detection in Big Data Environments. IEEE Transactions on Dependable and Secure Computing.

We proposed a few-shot network intrusion detection method based on a meta-learning framework. This method can be used to learn prior knowledge for network traffic classification directly from original traffic. After obtaining sufficient prior knowledge, new types of traffic can be detected with a few-shot of samples.

We proposed a method to construct datasets to perform training corresponding to few-shot network intrusion detection based on real network traffic. Using this method, we constructed two datasets incorporating the data public network traffic data sources and conducted two types of experiments on these datasets.

We demonstrated that the proposed network intrusion detection method is universal and is not limited to specific attack types. Using the proposed method, new types of samples on the basis of only a limited number of labels in an untrained dataset can be detected relying on learned prior knowledge.

• Congyuan Xu, et al. A Method of Few-Shot Network Intrusion Detection Based on Meta-Learning Framework. IEEE Transactions on Information Forensics and Security.

综述类：

We systematically review existing deep learning-based anomaly detection methods that target at detecting faults and attacks in CPS. To this end, we propose a new taxonomy that is based on (i) type of anomalies (i.e., threat model), (ii) detection strategies (i.e., input data, neural network designs, anomaly scores), and (iii) implementation and evaluation metrics. Further, we explore and categorize peer reviewed research papers from conferences and journals under the setting of this taxonomy.

We identify and highlight characteristics that are essential to building a DLAD method. First, we discuss existing methods in representative CPS domains (i.e., ICSs, smart grid, ITSs, and aerial systems). Then, we report unique designs and trends in each domain. All these findings are summarized according to our taxonomy. Meanwhile, we summarize and discuss the limitations and open problems of current methods.

We identify the limitations and deficiencies of deep learning approaches when being applied to the anomaly detection task in CPS. We present our findings and takeaways to improve the design and evaluation of DLAD methods. Also, we discuss several promising research directions and open problems that motivate future research efforts.

• Yuan LUO, et al. Deep Learning-based Anomaly Detection in Cyber-physical Systems: Progress and Opportunities. ACM Computing Surveys.

## 第5部分：工作安排

该部分可省略，建议结合作者习惯撰写。

The rest of the paper is organized as follows: Section 2 introduces the threat model and the design goals of Whisper. Section 3 presents the high-level design of Whisper. In Section 4, we present the design details of Whisper. In Section 5, we conduct a theoretical analysis. In Section 6, we experimentally evaluate the performances of Whisper. Section 7 reviews related works and Section 8 concludes this paper.

• Chuanpu Fu, et al. Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. CCS.

The remainder of this article is organized as follows. Section II presents the problem formulation and logic flow of this article, and Section III introduces the second order NPGF-based sensor data reconstruction model and its frequency-domain analysis method. In Section IV, the error function concerning the artificial perturbations is derived in the frequency domain, and a detection algorithm is developed based on the high-frequency components. Numerical studies and discussions are presented in Section V, and finally, Section VI concludes this article.

• Zhenlong Xiao, et al. Anomalous IoT Sensor Data Detection: An Efficient Approach Enabled by Nonlinear Frequency-Domain Graph Analysis. IOTJ

The rest of this article is organized as follows. We briefly summarize related work in Section 2, and introduce the basic methods and architecture of our model in Section 3, and present the proposed intrusion detection model in detail in Section 4, and the corresponding experimental analysis is given in Section 5. Finally, Section 6 concludes our work.

• Xinghua Li, et al. Sustainable Ensemble Learning Driving Intrusion Detection Model. TDSC.

The rest of the paper is organized as follows. § 2 presents the motivation of this work. § 3 gives an overview of vNIDS architecture. § 4 discusses the state management approaches to ensure the detection effectiveness as well as minimizing the performance overhead. § 5 presents how to decouple monolithic NIDS into microservices to achieve the efficient provisioning. Implementation and evaluation of vNIDS are presented in § 6 and § 7, respectively. Discussion and related work are addressed in § 8 and § 9, respectively. Finally, we conclude in § 10.

• Hongda Li, et al. vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems. CCS.

The remainder of the paper is organized as follows. Section II summarizes the related work. Section III introduces the system model and threat model. In Section IV, we elaborate the proposed AE detection scheme. We then present and compare the experimental results in Section V. Conclusions are drawn in Section VI.

• Ning Wang, et al. MANDA: On Adversarial Example Detection for Network Intrusion Detection System. IEEE INFOCOM 2021

# 三、总结

这篇文章就写到这里了，希望对您有所帮助。由于作者英语实在太差，论文的水平也很低，写得不好的地方还请海涵和批评。同时，也欢迎大家讨论，真心推荐原文。学安全两年，认识了很多安全大佬和朋友，希望大家一起进步。同时非常感谢参考文献中的大佬们，感谢老师、实验室小伙伴们的教导和交流，深知自己很菜，得努力前行。感恩遇见，且行且珍惜，小珞珞太可爱了，哈哈。

谢谢CSDN的实体勋章和无线耳机，很幸运，1024写文混了第一名（因为有小珞）希望今年能写上120篇原创文章，在这么忙碌的博士生涯，能写这些真心不容易，都是挤出来的。

最后感谢CSDN和读者们十年的陪伴，不论外面如何评价CSDN，这里始终是我的家，在这里写文章很温馨，也认识了很多大佬和朋友。此外，个人感觉今年是我近十年文章质量最高的一年，每一篇都写得很用心，都是我的血肉，很多都要自己从零去学习再分享，也希望帮助更多初学者。总之，希望自己还能写二十年，五十年，一辈子。这些年CSDN改进真挺多的，也一直为博主着想，希望越来越好。感恩同行，一起加油喔，以后没准小珞珞接管“Eastmount”这个账号，哈哈！

(By:Eastmount 2021-11-23 晚上12点 http://blog.csdn.net/eastmount/ )


# 如何写引言：

## 引言的组成

• The background information 背景知识
• The relevant literature 相关文献
• The nature, scope, purpose and significance of the problems investigated 研究的问题的重要性以及研究的意义
• The results of the investigation 研究结果
• The conclusion suggested by the results 由仿真结果可以得出的结论
• The explanation and definition of terms or abbreviations 术语或缩写的解释和定义

## 引言的特点

三大基本要求：

1. Attraction 吸引力
2. Brevity 简洁
3. Clarity 清晰

## 引言的结构与布局

看了很多论文，其introduction部分一般是以如下内容排版方式进行写作：

• 论文研究领域的背景知识，引入研究课题

背景知识
ALMOST all electronic devices, such as home appliances, automotive electronics, office facilities, customer electronics, various sensors and actuators are expected to be connected to the Internet in future, and thus form the Internet of Things (IoT). Boosted by big data, IoT will greatly facilitate our daily life and make services more intelligent, such as smart home, transportation, health-care, manufacture, and factory [1].
研究课题
To earn the welfare of the IoT, the cloud computing and cloud storage infrastructure that can provide sufficient processing and storage resources are considered as the enabler for ubiquitous IoT services. However, with the rapid increasing popularity of emerging applications, such as augmented reality, face and voice recognition, wearable computing, image and video processing, the centralized cloud-based IoT raises concerns [2], such as latency due to long distance between user terminal (things) and the cloud, and bandwidth limitation due to the limited capacity of the backhaul link.

• 强调该研究的重要性,并且回顾前人的研究结果，指出以前研究结果的不足

强调该研究的重要性
Fog computing and caching that move the network resources from the cloud to the edge has been proposed to accommodate future IoT services, and the fog-enabled IoT is considered as a promising network architecture [3]. ....... Therefore, the efficient management and synergy of caching, computing, and radio resources become the challenges for the fog-enabled IoT.
指出以前研究结果的不足
Although many works (reviewed in Section II of this paper) have been dedicated to providing optimal computation offloading strategies, content caching policies and resource allocation scheme. However, these important issues, especially computing and caching, were usually considered and solved separately in most existing works. ...

• 介绍以前的解决方案，陈述作者的研究基础。

介绍以前的解决方案,带了[1],[2]...都是引述前人的研究
Most of existing solutions formulate the computation offloading or content caching as the constrained convex optimization problems with different selected metrics and constraints, such as service latency, network capacity, backhaul rate, and energy efficiency [7]. The content caching and on-off switch of BSs are considered together to minimize energy consumption in [8], in which the joint content caching and activation is formulated as an NP-hard problem and solved with a novel approximation framework. Wang et al. .......
陈述作者的研究基础。
Unlike the related works, this paper uses the actor–critic RL framework to formulate the joint optimization problem in the fog-enabled IoT, and proposes the Natural policy-gradient-based deep RL algorithm to learn the optimal stochastic policy. The contributions of this paper are as follows.

• 陈述该项研究的成果以及该项研究在不同领域中的作用。

研究成果：
1) We provide a joint optimization solution for content caching, computing offloading, and radio resources allocation in the fog-enabled IoT with the objective of minimizing the average end-to-end delay for all service requests
2) We use the model-free RL framework to optimize the policy by interacting with the
......
4) We utilize two up-to-date techniques, namely fixed target network and experience replay, in order to avoid the divergence of the deep RL algorithm and increase stability. Furthermore, the Natural policy gradient method is used to avoid converging to the local maximum.


• 概述当前研究目的(可省略)

• 介绍全文的篇章结构

The rest of this paper is organized as follows. Section II presents the review of the related studies and the new progress of deep RL. Section III elaborates the system models and definitions used in this paper. Section IV formulates the joint optimization problem as a model-free RL problem under unknown stochastic environment. Section V proposes the actor–critic deep RL algorithm to learn the optimal parameterized policy. The evaluation results are examined in Section VI and we conclude this paper in Section VII.


## 引言部分的语言特征

### 时态和语态

• 一般现在时
• 现在完成时
• 一般将来时

#### 常用表达

1. Over the course of the past 30 years, … has emerged form intuitive
2. Technological revolutions have recently hit the industrial world
3. The advent of … systems for has had a significant impact on the
4. The development of … is explored
5. During the past decade, the theory of fuzzy sets has developed in a variety of directions
6. The concept of xx was investigated quite intensively in recent years
7. There has been a turning point in … methodology in accordance with the advent of …
8. A major concern in … today is to continue to improve…
9. A xx is a latecomer in the part representation arena.
10. At the time of this writing, there is still no standard way of xx
11. Although a lot of effort is being spent on improving these weaknesses, the efficient and effective method has yet to be developed.
12. The pioneer work can be traced to xx [1965].
13. To date, none of the methods developed is perfect and all are far from ready to be used in commercial systems.

### 常用句型

#### Beginning

1. In this paper, we focus on the need for
2. This paper proceeds as follow.
3. The structure of the paper is as follows.
4. In this paper, we shall first briefly introduce fuzzy sets and related concepts
5. To begin with we will provide a brief background on the

#### Introduction

1. This will be followed by a description of the fuzzy nature of the problem and a detailed presentation of how the required membership functions are defined.
2. Details on xx and xx are discussed in later sections.
3. In the next section, after a statement of the basic problem, various situations involving possibility knowledge are investigated: first, an entirely possibility model is proposed; then the cases of a fuzzy service time with stochastic arrivals and non fuzzy service rule is studied; lastly, fuzzy service rule are considered.

#### Review

1. This review is followed by an introduction.
2. A brief summary of some of the relevant concepts in xxx and xxx is presented in Section 2.
3. In the next section, a brief review of the … is given.
4. In the next section, a short review of … is given with special regard to …
5. Section 2 reviews relevant research related to xx.
6. Section 1.1 briefly surveys the motivation for a methodology of action, while 1.2 looks at the difficulties posed by the complexity of systems and outlines the need for development of possibility methods.

#### Body

1. Section 1 defines the notion of robustness, and argues for its importance.
2. Section 1 devoted to the basic aspects of the FLC decision making logic.
3. Section 2 gives the background of the problem which includes xxx
4. Section 2 discusses some problems with and approaches to, natural language understanding.
5. Section 2 explains how flexibility which often … can be expressed in terms of fuzzy time window
6. Section 3 discusses the aspects of fuzzy set theory that are used in the …
7. Section 3 describes the system itself in a general way, including the …… and also discusses how to evaluate system performance.
8. Section 3 describes a new measure of xx.
9. Section 3 demonstrates the use of fuzzy possibility theory in the analysis of xx.
10. Section 3 is a fine description of fuzzy formulation of human decision.
11. Section 3, is developed to the modeling and processing of fuzzy decision rules
12. The main idea of the FLC is described in Section 3 while Section 4 describes the xx strategies.
13. Section 3 and 4 show experimental studies for verifying the proposed model.
14. Section 4 discusses a previous fuzzy set based approach to cost variance investigation.
15. Section 4 gives a specific example of xxx.
16. Section 4 is the experimental study to make a fuzzy model of memory process.
17. Section 4 contains a discussion of the implication of the results of Section 2 and 3.
18. Section 4 applies this fuzzy measure to the analysis of xx and illustrate its use on experimental data.
19. Section 5 presents the primary results of the paper: a fuzzy set model …
20. Section 5 contains some conclusions plus some ideas for further work.
21. Section 6 illustrates the model with an example.
22. Various ways of justification and the reasons for their choice are discussed very briefly in Section 2.
23. In Section 2 are presented the block diagram expression of a whole model of human DM system
24. In Section 2 we shall list a collection of basic assumptions which a … scheme must satisfy.
25. In Section 2 of this paper, we present representation and uniqueness theorems for the fundamental measurement of fuzziness when the domain of discourse is order dense.
26. In Section 3, we describe the preliminary results of an empirical study currently in progress to verify the measurement model and to construct membership functions.
27. In Section 5 is analyzed the inference process through the two kinds of inference experiments…

#### This Section

1. In this section, the characteristics and environment under which MRP is designed are described.
2. We will provide in this section basic terminologies and notations which are necessary for the understanding of subsequent results.

#### Next Section

1. The next section describes the mathematics that goes into the computer implementation of such fuzzy logic statements.
2. However, it is cumbersome for this purpose and in practical applications the formulae were rearranged and simplified as discussed in the next section.
3. The three components will be described in the next two sections, and an example of xx analysis of a computer information system will then illustrate their use.
4. We can interpret the results of Experiments I and II as in the following sections.
5. The next section summarizes the method in a form that is useful for arguments based on xx

#### Summary

1. This paper concludes with a discussion of future research consideration in section 5.
2. Section 5 summarizes the results of this investigation.
3. Section 5 gives the conclusions and future directions of research.
4. Section 7 provides a summary and a discussion of some extensions of the paper.
5. Finally, conclusions and future work are summarized
6. The basic questions posed above are then discussed and conclusions are drawn.
7. Section 7 is the conclusion of the paper.

#### Objective / Goal / Purpose

1. The purpose of the inference engine can be outlined as follows:
2. The ultimate goal of the xx system is to allow non-experts to utilize the existing knowledge in the area of manual handling of loads, and to provide intelligent, computer-aided instruction for xxx.
3. The paper concerns the development of a xx
4. The scope of this research lies in
5. The main theme of the paper is the application of rule based decision making.
6. These objectives are to be met with such thoroughness and confidence as to permit …
7. The objectives of the … operations study are as follows:
8. The primary purpose/consideration/objective of

Original article: https://blog.csdn.net/u011650143/article/details/54428069

## Summary

• The Introduction should present first, with all possible clarity, the nature and scope of the problem investigated
• it should briefly review the pertinent literature to orient the reader
• it should state the method of the investigation
• it should state the principal results of the investigation
• it should state the principal conclusions suggested by the results

### Tense

• Use the simple present tense, the present perfect tense and the simple future tense


## Modifying reference formats in EndNote

1. First take the lazy route: search the EndNote main site to see whether it already has the journal style you need. If it does not, you have to learn to build it yourself.

2. Open an EndNote library / Edit / Output Styles / Edit…

This means modifying your default reference style, because writing one from scratch involves syntax you may not know well. Tip: start by finding an existing reference style that is similar to the one you need. If you have no experience, the SCI style is the abbreviated form and NeuroReport is the full form (a similar style that is popular in China). So I opened EndNote.

Mine is EndNote X; the various versions look alike.

3. Modify the in-text citation format.

4. Modify the bibliography template.

Once the bibliography template is fixed, the hardest part is the author ordering and the author display style.

5. Next, change the author display style.

6. Change the author abbreviation format.

7. The style used when the references are listed: whether to write [1]… or 1….

8. Other settings can be explored by clicking through them; the idea is the same.

When everything is done, save. When saving, be sure to save into the EndNote\Styles folder, otherwise the style cannot be loaded.

The following describes how to write a new EndNote citation style.

1. Open EndNote\Edit\Output Styles\New Style…

2. Look at the second item, Anonymous Works; this one can also be left alone.

3. Look at the third item, Page Numbers; a few choices can be made here.

4. Journal Names: change the format of journal names.

5. Citations

This changes the in-text citation format and the format in which references are shown when browsing in EndNote. It does not change the format of the reference list at the end of the paper. In Templates I chose Bibliography Number; this field can be enclosed in brackets, and it can also be selected and superscripted (the superscript icon is "A1", found in the toolbar above the Untitled Style window). Chinese journals often require the superscript format. The items below it, such as Author List, generally need not be changed, because they have no effect on the in-text display format and only affect how the data is displayed inside EndNote.

6. Changing Bibliography is the most important item; it directly affects the citation format after the body text, so study it carefully. Templates matters most: it directly determines the order of Author, Title, Volume, Year, Issue and Pages and their superscript, italic and other styling; punctuation can also be added between these fields.

Click Reference Style\Journal Article.

6.2 Insert the corresponding fields into the Journal Article template.

The format I finally inserted is Author. Title. Journal.Year.Volume(Issue):Pages, which is also the popular format for Chinese journals. You can add [J] after the Title to mark the entry as a journal article.

Once done, other templates such as Book and Patent can be inserted in the same way.

6.3 Set Author List and Author Name in turn.

For these two items see points 5, 6 and 7 of my post of 2007-10-19; I will not repeat them here. Look from the top of the thread.

7. Modifying Footnotes and Figures & Tables

EndNote can also manage figures and tables, but we rarely use this; open each option in turn and look, the style is like Bibliography, so I will not say more. With that, the new EndNote style is done. Save it in the EndNote\Styles folder, otherwise it cannot be loaded. It can be given a Chinese name.

That completes the new style file, and concludes the topic "Modifying reference formats in EndNote".
