Abstract (Chinese original, translated)
Network forensics is the process of obtaining potential evidence of criminal activity on the network. It monitors in real time, captures or searches for suspicious information in network traffic and in the logs of network devices and hosts, in order to analyze and discover valid legal evidence that reflects network intrusion activity and the damage it caused, in support of charges against network criminals. Network forensics sits at the intersection of complex technology and still-unsettled law; it is an important weapon for protecting network information security and a research field that has only just opened up. At present, research on network forensics concentrates mainly on the technical means used for investigation. Network forensics, however, is not an isolated action: without disrupting the operation of existing network services, the system carries out a complete process of real-time traffic filtering, signature matching, log extraction, behaviour detection, damage assessment, risk analysis, intrusion discovery and evidence re-collection, that is, a dynamic, self-adaptive process of acquiring, analyzing, judging, recording and re-acquiring evidence. Research into the real-time, integrated and automated collection and analysis of intrusion evidence, the assessment of an intrusion's threat level, intrusion-tolerant protection of evidence, and the architecture of a dynamic forensics system is therefore urgently needed.
This thesis proposes the idea and methods of self-adaptive dynamic forensics. Combining intrusion detection, intrusion deception and intrusion tolerance technology, it builds a self-adaptive dynamic forensics architecture. Intrusion detection and intrusion deception are used to discover intrusions, attract intruders and obtain real-time intrusion evidence; intrusion tolerance is used to improve the reliability of the system and of the evidence and to prolong the forensic process, so that intrusion behaviour can be investigated more completely without affecting the normal operation of the production system. A correct self-adaptive response rests on a quantitative evaluation of system security: threat evaluation technology assesses the threat level of an intrusion, and the timing and targets of evidence collection are adjusted adaptively. The dynamic state-transition process of the forensics system is analyzed, a semi-Markov model is built to analyze the forensic capability and availability of the system, and the validity of the model is verified with intrusion examples. An intrusion threat evaluation method based on grey relational theory is proposed. Building on the analysis of the self-adaptive dynamic forensics system, the important factors for evaluating intrusion threat are extracted and quantified. Because the influence relations among the factors are not fully determined, a grey relational analysis model is built for the factors that stand in a "grey relation" to one another, in order to analyze the grey relational degree between factors, while also taking into account how much attention the evaluator pays to each factor. This yields an intrusion threat evaluation mechanism whose result serves as the basis for assessing the degree of harm of an intrusion for forensic purposes, and which triggers state transitions of the self-adaptive dynamic forensics mechanism according to the threat level. Real intrusion experiments compare the evaluation results of this method with those of existing methods; the experiments show that this method's results are more reasonable and of greater practical significance.
The concept of the intrusion correlation graph and an intrusion pattern discovery method based on it are proposed. After raw evidence has been collected from multiple sources, it is preprocessed (format standardization, aggregation, removal of redundancy and false alarms) into a usable alert sequence; an intrusion correlation graph is constructed from the alert sequence, causal correlation of events is matched and frequent sequences are mined, from which the facts of the computer crime and the corresponding subjects and objects are discovered. Experimental results show that, in addition to multi-step attacks between a pair of hosts, the method can discover intrusion processes involving several hosts as well as the identity roles of those hosts. To describe the intrusion process better and make evidence easier to present, a three-dimensional event timeline representation is proposed, which visualizes the progress over time of intrusion events involving multiple subjects.
A multi-layer evidence protection method that both prevents and tolerates intrusion is proposed. A secure chain-of-custody scheme for evidence information is designed: from collection through transmission, evidence is protected by a combination of encryption, checksums, digital signatures and timestamps. For evidence storage, an information fragmentation algorithm with error detection is proposed: a coding matrix is generated from a key, the evidence is encoded and split into fragments for distributed storage, and the fragments are error-checked with a cumulative checksum method. To a certain extent the method tolerates an intruder's damage to the evidence and can recover the original data from the redundant information. A security analysis of the method examines how its parameters affect security, to guide the choice of parameters in practice.
Keywords: network forensics, dynamic forensics, self-adaptive, semi-Markov, grey relational analysis, intrusion correlation graph, evidence preservation
Abstract
Network forensics is the procedure of obtaining latent evidence of network computer crimes. It analyzes and discovers valid legal evidence reflecting network intrusion activities and the corresponding damage by monitoring, capturing or searching for abnormal information in network traffic or in the logs of network devices and hosts in real time, in order to indict network criminals. Network forensics is regarded as an important weapon for ensuring network security and is a rising research field at the intersection of computing and law.
At present, research on network forensics focuses on the technical means of investigation. However, network forensics is not an isolated activity but an integrated mechanism including traffic filtering, signature matching, log distilling, behavior detecting, threat evaluating, risk analyzing, intrusion discovering and evidence re-gathering, and is also a dynamic self-adaptive procedure of gathering, analyzing, determining, tracking and re-gathering. Thus, several problems remain to be solved: collecting and analyzing intrusion evidence automatically in real time, evaluating the threat of intrusions, preserving evidence in an intrusion-tolerant manner, and studying the architecture of dynamic forensics.
The idea of self-adaptive dynamic forensics is put forward, and a self-adaptive dynamic forensics architecture is built that integrates intrusion detection, intrusion deception and intrusion tolerance technologies. Intrusion detection and intrusion deception are used to discover intrusion activities and to lure intruders into the intrusion deception system. Intrusion tolerance is used to improve the reliability of the system and of the evidence, to prolong the investigation procedure, and to investigate intrusion activities more fully without impacting the normal production system. Accurate self-adaptive response is based on quantitative security evaluation: threat evaluation technology is used to evaluate intrusion threats, and the occasions and objects of forensics are adjusted self-adaptively. The dynamic transition process of the forensics system is analyzed, and the forensics capability and server availability are analyzed by building a semi-Markov process model. An intrusion experiment validates the architecture.
An intrusion threat evaluation algorithm based on grey theory is proposed. Key factors are selected and quantified based on an analysis of the self-adaptive dynamic forensics system. Considering that there are undetermined influences among the factors, a grey relation analysis model is built to analyze the grey relation degree, while the evaluator's attention to each factor is also taken into account. An intrusion threat evaluation mechanism is thereby established, and the state transitions of the self-adaptive dynamic forensics system are triggered according to the evaluation result. The method is compared with other methods through practical experiments, and analysis of the experimental results shows that it is more reasonable and feasible.
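The grey relational threat evaluation described in both abstracts above can be made concrete with the standard (Deng) grey relational degree, which is what the following added example does. It is illustration code written for this page, not the thesis's own implementation or factor set: the factor names, the sample intrusion scores, the evaluator weights and the level thresholds that drive the state transition are all constructed assumptions. Each quantified intrusion is compared with an ideal "maximum threat" reference sequence, and a weighted relational degree close to 1 means the intrusion resembles the worst case.

```python
"""Weighted grey relational analysis (GRA) applied to intrusion threat ranking.

Added illustration, not code from the thesis. It applies Deng's grey relational
degree: each quantified intrusion is compared with an ideal "maximum threat"
reference sequence, and the evaluator's weights express attention to each factor.
The factor names, sample scores, weights and level thresholds are all constructed
assumptions for this example.
"""
from typing import Dict, List, Sequence, Tuple

# Hypothetical factor set (assumption: not the thesis's own list of factors).
FACTORS = ["alert_severity", "target_asset_value", "attack_progress", "source_reputation"]

# Constructed sample: each intrusion quantified on every factor, scaled to [0, 1],
# where 1 always means "more threatening".
SAMPLE_INTRUSIONS: Dict[str, List[float]] = {
    "port_scan":       [0.2, 0.3, 0.1, 0.4],
    "sql_injection":   [0.7, 0.9, 0.6, 0.5],
    "root_compromise": [0.9, 0.9, 0.9, 0.8],
}

# Evaluator's attention to each factor (assumption); must sum to 1.
WEIGHTS = [0.3, 0.3, 0.25, 0.15]

# Ideal reference sequence: the worst case on every factor.
REFERENCE = [1.0] * len(FACTORS)


def grey_relational_degrees(
    samples: Dict[str, Sequence[float]],
    reference: Sequence[float],
    weights: Sequence[float],
    rho: float = 0.5,
) -> Dict[str, float]:
    """Weighted grey relational degree of each sample towards the reference.

    rho is the distinguishing coefficient (0 < rho <= 1; 0.5 is customary).
    The global min/max of the absolute differences are taken over all samples,
    as in Deng's original formulation.
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    deltas = {
        name: [abs(x - r) for x, r in zip(seq, reference)]
        for name, seq in samples.items()
    }
    for name, ds in deltas.items():
        if len(ds) != len(reference):
            raise ValueError(f"{name}: expected {len(reference)} factors")
    flat = [d for ds in deltas.values() for d in ds]
    d_min, d_max = min(flat), max(flat)
    degrees: Dict[str, float] = {}
    for name, ds in deltas.items():
        if d_max == 0:
            # Every sample coincides with the reference: perfect relation by definition.
            degrees[name] = 1.0
            continue
        coeffs = [(d_min + rho * d_max) / (d + rho * d_max) for d in ds]
        degrees[name] = sum(w * c for w, c in zip(weights, coeffs))
    return degrees


def threat_level(degree: float) -> str:
    """Map a relational degree to the level that would drive the forensics
    state transition. Thresholds are assumptions for this example."""
    if degree >= 0.9:
        return "high"
    if degree >= 0.6:
        return "medium"
    return "low"


def rank_intrusions(samples: Dict[str, Sequence[float]] = SAMPLE_INTRUSIONS) -> List[Tuple[str, float, str]]:
    """Return (name, degree, level) sorted from most to least threatening."""
    degrees = grey_relational_degrees(samples, REFERENCE, WEIGHTS)
    return sorted(
        ((n, round(d, 4), threat_level(d)) for n, d in degrees.items()),
        key=lambda t: t[1],
        reverse=True,
    )


if __name__ == "__main__":
    for name, degree, level in rank_intrusions():
        print(f"{name:16s} degree={degree:.4f} level={level}")
```

The ranking is driven by the weights as much as by the raw scores: raising the weight of `target_asset_value` lets an attack on a critical host outrank a more advanced attack on a throwaway host, which is the "evaluator's attention" the abstract refers to.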
The Intrusion Correlation Graph (ICG) is defined and a novel approach to intrusion pattern discovery based on the ICG is proposed. Raw evidence is collected from multiple sources, and valuable alert sequences are built after standardization, aggregation and false positive reduction. The ICG is constructed from the alert sequences, and the facts of the computer crime, its main body and its object are discovered through attack causal correlation and frequent sequence mining on the ICG. The experimental results attest that, besides multi-step attacks between a pair of hosts, stepping-stone attacks, worms and botnets are also dug out and the role of each host is inferred. To describe the intrusion process more vividly and present evidence more elaborately, a three-dimensional event timeline method is proposed to illustrate the intrusion activities and the related hosts.
A hierarchical evidence preservation approach is proposed to prevent and tolerate intrusion. An evidence chain-of-custody scheme is designed to safeguard evidence from collection to transmission with encryption, checksum, digital signature and timestamp technologies. For evidence storage, an information fragmentation algorithm with error detection is proposed: a coding matrix is created from a secret key, evidence is coded and separated into fragments for distributed storage, and the fragments are checked by a cumulative checksum. This approach makes evidence storage intrusion tolerant and allows recovery from redundancy. The security of the approach is analyzed to find out the influence of each parameter and to direct how to choose appropriate parameters.
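The chain-of-custody layer described in both abstracts (checksum, signature and timestamp applied from collection to transmission) is the part of the preservation scheme that can be shown compactly. The following added example is written for this page and is not the thesis's scheme: it links each evidence record to the previous one under a keyed tag, so that a modified item, a back-dated timestamp, or a reordered chain fails verification. Assumptions: HMAC-SHA256 with a shared key stands in for the digital signature, transport encryption is left out, and the key and evidence items are constructed.

```python
"""Chain-of-custody records for collected evidence.

Added illustration, not the thesis's own scheme. Each record binds the SHA-256
digest of one evidence item, its capture timestamp and the previous record's tag
under an HMAC-SHA256 tag, so tampering with an item, its timestamp, or the order
of the chain is detected at verification. Assumptions: HMAC with a shared key
stands in for the digital signature, and transport encryption is out of scope.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Sequence, Tuple

GENESIS_TAG = "0" * 64  # previous-tag value used by the first record

# Constructed key and evidence items: (source, unix timestamp, raw bytes).
DEMO_KEY = b"example-custody-key-not-for-real-use"
DEMO_ITEMS: List[Tuple[str, int, bytes]] = [
    ("sensor-dmz/pcap", 1700000000, b"\x00\x01\x02\x03 constructed pcap fragment"),
    ("web01/syslog", 1700000005, b"Nov 14 22:13:25 web01 sshd[4242]: Failed password for invalid user admin"),
    ("ids-01/alert", 1700000009, b'{"sig":"constructed alert","src":"192.0.2.10"}'),
]


def _canonical(body: Dict) -> bytes:
    """Deterministic encoding of the fields the tag covers."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_record(source: str, timestamp: int, payload: bytes, prev_tag: str, key: bytes) -> Dict:
    body = {
        "source": source,
        "timestamp": timestamp,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "prev_tag": prev_tag,
    }
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def build_chain(items: Sequence[Tuple[str, int, bytes]], key: bytes) -> List[Dict]:
    chain, prev = [], GENESIS_TAG
    for source, ts, payload in items:
        rec = make_record(source, ts, payload, prev, key)
        chain.append(rec)
        prev = rec["tag"]
    return chain


def verify_chain(chain: Sequence[Dict], payloads: Sequence[bytes], key: bytes) -> Optional[int]:
    """Return the index of the first record that fails, or None if intact.

    Per record: link to the previous tag, non-decreasing timestamp,
    payload digest, and the HMAC tag over the canonical body.
    """
    if len(chain) != len(payloads):
        return min(len(chain), len(payloads))
    prev, last_ts = GENESIS_TAG, None
    for i, (rec, payload) in enumerate(zip(chain, payloads)):
        if rec.get("prev_tag") != prev:
            return i
        if last_ts is not None and rec.get("timestamp", -1) < last_ts:
            return i
        if hashlib.sha256(payload).hexdigest() != rec.get("sha256"):
            return i
        body = {k: rec.get(k) for k in ("source", "timestamp", "sha256", "prev_tag")}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return i
        prev, last_ts = rec["tag"], rec["timestamp"]
    return None


def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Intact chain, then a tampered payload, then a back-dated timestamp."""
    chain = build_chain(DEMO_ITEMS, DEMO_KEY)
    payloads = [p for _, _, p in DEMO_ITEMS]
    intact = verify_chain(chain, payloads, DEMO_KEY)
    tampered = list(payloads)
    tampered[1] = tampered[1].replace(b"invalid user admin", b"user alice")
    bad_payload = verify_chain(chain, tampered, DEMO_KEY)
    backdated = [dict(r) for r in chain]
    backdated[2]["timestamp"] = 1699999999  # cannot be re-tagged without the key
    bad_time = verify_chain(backdated, payloads, DEMO_KEY)
    return intact, bad_payload, bad_time


if __name__ == "__main__":
    print(demo())  # (None, 1, 2): intact, item 1 altered, record 2 back-dated
```

Because each tag covers the previous tag, an intruder who deletes or reorders records breaks the link at the first displaced position, which is the property the "chain" in chain of custody is meant to provide; a real deployment would replace the shared HMAC key with an asymmetric signature so that the collector cannot itself forge records after the fact.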
Keywords: Network Forensics, Dynamic Forensics, Self-adaptive, Semi-Markov, Grey Relation Analysis, Intrusion Correlation Graph, Evidence Preservation
[Thesis title: Research on Self-adaptive Dynamic Network Forensics Methods (自适应动态网络取证方法研究)]