自适应动态网络取证方法研究

发布时间：2018-02-14 05:06

本文关键词： 网络取证动态取证自适应半马尔科夫灰关联分析入侵关联图证据保护　出处：《华中科技大学》2009年博士论文　论文类型：学位论文

【摘要】：网络取证就是获取网上犯罪行为之潜在证据的过程。它主要通过实时监测、捕获或搜寻网络数据流、网络设备及主机日志等中的可疑信息,来分析和发现反映网络入侵活动及所造成损失的有效法律证据,以支持对网络犯罪人的指控。网络取证问题交叉着复杂的技术与待定的法律,是保卫网络信息安全的重要武器,也是一个才刚刚开启的研究领域。目前,网络取证的研究主要集中在取证所采用的技术手段上。然而,网络取证不是一个孤立的行动,它是在不影响现行网络业务条件下,系统实施实时网流过滤、特征匹配、日志提取、行为检测、危害评估、危险分析、入侵发现、证据再收集的一个全过程,也就是证据的获取、分析、判别、记录、再获取的动态自适应过程。因此,实时综合自动化收集和分析入侵证据、评估入侵的威胁程度、保护证据可容侵、以及动态取证系统的体系结构等的研究是亟待解决的问题。提出自适应动态取证的思想和方法。结合入侵检测、入侵诱骗及入侵容忍技术,构建了自适应动态取证体系结构。采用入侵检测、入侵诱骗等技术来发现入侵、吸引入侵、获取实时的入侵证据,利用入侵容忍技术提高系统及证据的可靠性,延长取证过程,对入侵行为进行更完整地调查取证且不影响业务系统的正常运行。正确的自适应响应是以对系统的安全性定量评估为基础的,采用威胁评估技术评估入侵威胁程度,自适应调整取证时机和对象。对取证系统的动态转移过程进行分析,构建半马尔科夫模型对系统的取证能力和可用性进行分析,并通过入侵实例验证了模型的有效性。提出基于灰关联理论的入侵威胁度评估方法。在对自适应动态取证系统进行分析的基础上,提取了评估入侵威胁度的重要因素,对这些因素进行量化,考虑到因素之间存在未确定的影响关系,对存在“灰关系”的因素建立起灰关联分析模型,用以分析因素间的灰关联度,并兼顾评估者对不同因素的关注程度,从而建立一个入侵威胁的评估机制,其评估结果作为取证所需的评估入侵危害程度的依据,并根掘威胁程度触发自适应动态取证机制的状态转换。通过实际的入侵实验对该方法和已有方法进行评估效果的分析和对比,实验表明该方法的评估结果更合理,更具有实际意义。提出入侵关联图的概念和基于该关联图的入侵模式发现方法。在收集多源原始证据基础上,对原始证据进行格式标准化、聚合、消除冗余和误警的预处理之后形成可用告警序列,根据告警序列构造入侵关联图,进行事件因果关联匹配及频繁序列的挖掘,从中发现计算机犯罪的事实及相应的主体和客体。实验结果证明,该方法除了能发现一对主机之间的多步攻击之外,还能够发现涉及多个主机的入侵过程,以及主机的身份角色。为更好地描述入侵过程,便于出示证据,提出一种三维的事件时间线表示方法,对涉及多个主体的入侵事件在时间上的进展进行可视化描述。提出一种防范入侵及容忍入侵的多层证据保护方法。设计了证据信息的安全监督链方案,从收集到传输证据的过程中,综合采用加密、校验、数字签名、时间戳等方法对证据进行保护。在证据存储方面,提出一种具有检错功能的信息分片算法,根据密钥生成编码矩阵,对证据进行编码分片分布式存储,通过累计校验方法对数据片进行检错,该方法能在一定程度上容忍入侵者对证据的破坏,可以从冗余信息中恢复原始数据。对该方法进行安全性分析,分析参数对安全性的影响,从而指导实际参数的选择。
[Abstract]:The network forensics is the process of obtaining the latent evidence of cybercrime . It is mainly used to monitor , capture or search suspicious information in network data stream , network equipment and host log , etc . to analyze and discover effective legal evidence reflecting network invasion activity and loss , so as to support the charges against cybercriminals . At present , the research of network evidence collection is mainly focused on the technical means adopted by the evidence . However , the network evidence is not an isolated action , it is a whole process of real - time network flow filtering , feature matching , log extraction , behavior detection , hazard assessment , hazard analysis , intrusion detection and evidence re - collection under the condition that the current network service is not affected . Therefore , the real - time comprehensive automation collects and analyzes the intrusion evidence , evaluates the degree of threat of the intrusion , protects the evidence to be invaded , and the architecture of the dynamic forensics system , and the like . A self - adaptive dynamic evidence - based architecture is proposed in this paper . Based on intrusion detection , intrusion deception and intrusion tolerant techniques , an adaptive dynamic evidence - proof architecture is constructed . The intrusion detection , intrusion deception and other techniques are used to improve the reliability of the system and evidence , to extend the evidence process , to analyze the intrusion threat level and to adaptively adjust the evidence - taking time and object . The dynamic transfer process of the evidence - taking system is analyzed . The paper constructs the semi - Markov model to analyze the evidence - taking ability and usability of the system , and verifies the validity of the model by the intrusion example . Based on the analysis of self - adaptive dynamic evidence system , this paper presents an assessment method of intrusion threat based on the analysis of adaptive dynamic evidence system . On the basis of collecting multi - source original evidence , forming an available alarm sequence on the basis of collecting multi - source original evidence , standardizing the original evidence , aggregating , eliminating redundant and false alarm preprocessing , forming an available alarm sequence , constructing an intrusion association map according to the alarm sequence , carrying out event causal association matching and frequent sequence mining , and finding out the facts of the computer crime and the corresponding main body and object . A multi - layer evidence protection method for preventing invasion and tolerance intrusion is proposed . The safety supervision chain scheme of evidence information is designed . In the process of collecting transmission evidence , the evidence is protected by means of encryption , verification , digital signature and time stamp .

【学位授予单位】：华中科技大学
【学位级别】：博士
【学位授予年份】：2009
【分类号】：D918.2

【相似文献】