Network forensics is the procedure of obtaining the latent evidence of computer crimes committed over networks. By monitoring, capturing and searching for abnormal information in network traffic and in the logs of network devices and hosts in real time, network forensics analyzes and discovers legally valid evidence that reflects network intrusion activities and the corresponding damage, so that the network criminal can be indicted. Network forensics is regarded as an important weapon for ensuring network security and is a rising research field at the intersection of computer science and law.

At present, research on network forensics focuses on the technical means of investigation. However, network forensics is not an isolated activity but an integrated mechanism including traffic filtering, signature matching, log distilling, behavior detection, threat evaluation, risk analysis, intrusion discovery and evidence re-gathering; it is also a dynamic, self-adaptive procedure of gathering, analyzing, determining, tracking and re-gathering. Thus several problems remain to be solved: collecting and analyzing intrusion evidence automatically and in real time, evaluating the threat of intrusions, preserving evidence in an intrusion-tolerant way, and studying the architecture of dynamic forensics.

The idea of self-adaptive dynamic forensics is put forward, and a self-adaptive dynamic forensics architecture is built that integrates intrusion detection, intrusion deception and intrusion tolerance technologies. Intrusion detection and intrusion deception are used to discover intrusion activities and to lure intruders into the intrusion deception system. Intrusion tolerance is used to improve the reliability of the system and of the evidence, to prolong the investigation procedure, and to investigate intrusion activities more fully without affecting the production system. Accurate self-adaptive response is based on quantitative security evaluation.
Threat evaluation technology is used to evaluate intrusion threats, and the occasions and objects of forensics are adjusted self-adaptively. The dynamic transition process of the forensics system is analyzed, and its forensics capability and server availability are analyzed by building a semi-Markov process model. An intrusion experiment validates the architecture.

An intrusion threat evaluation algorithm based on grey theory is proposed. Key factors are selected and quantified by analyzing the self-adaptive dynamic forensics system. Since the influences among these factors are undetermined, a grey relation analysis model is built to compute the grey relational degree, while the evaluator's attention to each factor is also taken into account. An intrusion threat evaluation mechanism is established, and the state transitions of self-adaptive dynamic forensics are triggered according to the evaluation result. The method is compared with other methods in practical experiments, and analysis of the results shows that it is more reasonable and feasible.

The Intrusion Correlation Graph (ICG) is defined, and a novel approach to intrusion pattern discovery based on the ICG is proposed. Raw evidence is collected from multiple sources, and valuable alert sequences are built after standardization, aggregation and false-positive reduction. The ICG is constructed from the alert sequences. The facts of a computer crime, its subject and its object are discovered through attack causal correlation and frequent-sequence mining over the ICG. Experimental results show that, besides multi-step attacks between a pair of hosts, stepping-stone attacks, worms and botnets are also uncovered, and the role of each host is inferred.
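The grey relation analysis step above can be made concrete with Deng's grey relational degree: each intrusion event is a comparison sequence of quantified factors, the worst-case threat is the reference sequence, and the evaluator's attention enters as per-factor weights. The following is an added example, not the dissertation's algorithm or code; the factor names, weights, state thresholds and sample events are all constructed assumptions, and only the grey relational formula itself is standard.

```python
"""Grey relational analysis (Deng's GRA) for ranking intrusion threats.

Added example; the factors, weights, thresholds and sample events below are
constructed and are not taken from the dissertation.
"""
from typing import Dict, List, Sequence

# Hypothetical threat factors, each already normalized to the 0..1 range.
FACTORS = ["alert_severity", "asset_value", "attack_progress", "source_hostility"]

# Evaluator's attention to each factor (constructed; weights sum to 1).
WEIGHTS = {"alert_severity": 0.35, "asset_value": 0.30,
           "attack_progress": 0.20, "source_hostility": 0.15}

# Reference sequence x0: the worst-case threat has every factor at its maximum.
REFERENCE = [1.0] * len(FACTORS)


def grey_relational_coefficients(reference: Sequence[float],
                                 candidates: Sequence[Sequence[float]],
                                 rho: float = 0.5) -> List[List[float]]:
    """xi(k) = (dmin + rho*dmax) / (|x0(k)-xi(k)| + rho*dmax), Deng's formula.

    rho is the resolution coefficient; 0.5 is the conventional choice.
    dmin/dmax are taken over all candidates and all factors.
    """
    deltas = [[abs(r - c) for r, c in zip(reference, cand)] for cand in candidates]
    flat = [d for row in deltas for d in row]
    dmin, dmax = min(flat), max(flat)
    if dmax == 0.0:  # every candidate equals the reference: perfect relation
        return [[1.0] * len(row) for row in deltas]
    return [[(dmin + rho * dmax) / (d + rho * dmax) for d in row] for row in deltas]


def grey_relational_degree(coeffs: Sequence[float], weights: Sequence[float]) -> float:
    """Weighted mean of the coefficients; the weights carry the evaluator's attention."""
    return sum(w * c for w, c in zip(weights, coeffs))


def evaluate_threats(events: Dict[str, Dict[str, float]],
                     weights: Dict[str, float] = WEIGHTS,
                     rho: float = 0.5) -> Dict[str, float]:
    """Map each event name to its grey relational degree against the worst case.

    A degree close to 1 means the event resembles the worst-case threat.
    """
    names = list(events)
    candidates = [[events[n][f] for f in FACTORS] for n in names]
    w = [weights[f] for f in FACTORS]
    coeffs = grey_relational_coefficients(REFERENCE, candidates, rho)
    return {n: grey_relational_degree(c, w) for n, c in zip(names, coeffs)}


def forensic_state(degree: float) -> str:
    """Constructed thresholds that trigger the forensics system's state transition."""
    if degree >= 0.8:
        return "preserve-and-tolerate"  # high threat: full capture, tolerance mode on
    if degree >= 0.6:
        return "divert-to-deception"    # medium threat: lure into the deception system
    return "monitor"                    # low threat: keep collecting passively


# Constructed sample events, each scored per factor on a 0..1 scale.
SAMPLE_EVENTS = {
    "port_scan":    {"alert_severity": 0.2, "asset_value": 0.4,
                     "attack_progress": 0.1, "source_hostility": 0.3},
    "lateral_move": {"alert_severity": 0.7, "asset_value": 0.9,
                     "attack_progress": 0.6, "source_hostility": 0.5},
    "data_exfil":   {"alert_severity": 0.9, "asset_value": 1.0,
                     "attack_progress": 0.9, "source_hostility": 0.8},
}

if __name__ == "__main__":
    ranked = sorted(evaluate_threats(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1])
    for name, degree in ranked:
        print(f"{name:13s} degree={degree:.4f} -> {forensic_state(degree)}")
```

Because dmin and dmax are taken over the whole batch, the degree of one event depends on which other events are evaluated with it; a deployment that scores events one at a time should fix dmin and dmax from the factor scales (here 0 and 1) instead of recomputing them per batch.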
To describe the intrusion process more vividly and present evidence in more detail, a three-dimensional event timeline method is proposed to illustrate the intrusion activities and the hosts involved.

A hierarchical evidence preservation approach is proposed to prevent and tolerate intrusion. An evidence chain-of-custody scheme is designed to safeguard evidence from collection through transmission using encryption, checksum, digital signature and timestamp technologies. For evidence storage, an information fragmentation algorithm with error detection is proposed: a coding matrix is created from a secret key, the evidence is encoded and split into fragments for distributed storage, and the fragments are checked with a cumulative checksum. This approach makes evidence storage intrusion-tolerant and allows recovery from redundancy. The security performance of the approach is analyzed to find out the influence of each parameter and to guide the choice of appropriate parameters.
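The two preservation layers above, a chain-of-custody record for evidence in transit and redundant, checksummed fragments for evidence at rest, are shown together in the following added example. It is not the dissertation's scheme: an HMAC-SHA256 tag stands in for the digital signature, a single XOR parity fragment stands in for the key-derived coding matrix, and the cumulative checksum is a running SHA-256 over the fragments in index order. The key, collector name and log excerpt are constructed.

```python
"""Evidence chain-of-custody record plus intrusion-tolerant fragment storage.

Added example, not the dissertation's scheme: HMAC-SHA256 stands in for the
digital signature, one XOR parity fragment stands in for the key-derived
coding matrix, and the cumulative checksum is a running SHA-256 chain.
"""
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo key; a real custodian would hold a signing key instead.
CUSTODY_KEY = b"constructed-demo-key"


def _payload(digest: str, collector: str, ts: int) -> bytes:
    return json.dumps({"sha256": digest, "collector": collector, "ts": ts},
                      sort_keys=True).encode()


def custody_record(evidence: bytes, collector: str, ts: Optional[int] = None,
                   key: bytes = CUSTODY_KEY) -> dict:
    """Bind the evidence hash to who collected it and when, under a keyed MAC."""
    digest = hashlib.sha256(evidence).hexdigest()
    ts = int(time.time()) if ts is None else ts
    tag = hmac.new(key, _payload(digest, collector, ts), hashlib.sha256).hexdigest()
    return {"sha256": digest, "collector": collector, "ts": ts, "tag": tag}


def verify_custody(record: dict, evidence: bytes, key: bytes = CUSTODY_KEY) -> bool:
    """True only if the record is authentic and the evidence still matches its hash."""
    expected = hmac.new(key, _payload(record["sha256"], record["collector"], record["ts"]),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, record["tag"])
            and hashlib.sha256(evidence).hexdigest() == record["sha256"])


def xor_bytes(blocks: List[bytes]) -> bytes:
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def fragment(evidence: bytes, k: int) -> List[dict]:
    """Split into k data fragments plus one XOR parity fragment (index k).

    Fragment i carries cum_i = SHA256(cum_{i-1} || data_i), so a verifier can
    localise the first tampered or missing fragment in the chain.
    """
    size = -(-len(evidence) // k)  # ceiling division
    padded = evidence.ljust(k * size, b"\0")
    pieces = [padded[i * size:(i + 1) * size] for i in range(k)]
    pieces.append(xor_bytes(pieces))
    frags, cum = [], b""
    for idx, data in enumerate(pieces):
        cum = hashlib.sha256(cum + data).digest()
        frags.append({"index": idx, "k": k, "orig_len": len(evidence),
                      "data": data, "cum": cum.hex()})
    return frags


def first_bad_fragment(frags: List[dict]) -> Optional[int]:
    """Recompute the cumulative checksum chain; return the first failing index, or None."""
    cum = b""
    for f in sorted(frags, key=lambda f: f["index"]):
        cum = hashlib.sha256(cum + f["data"]).digest()
        if cum.hex() != f["cum"]:
            return f["index"]
    return None


def reassemble(frags: List[dict]) -> bytes:
    """Rebuild the evidence; one lost or discarded fragment is recovered from parity."""
    k, orig_len = frags[0]["k"], frags[0]["orig_len"]
    slots: List[Optional[bytes]] = [None] * (k + 1)
    for f in frags:
        slots[f["index"]] = f["data"]
    missing = [i for i, s in enumerate(slots) if s is None]
    if len(missing) > 1:
        raise ValueError("single-parity redundancy can recover at most one fragment")
    if missing:
        slots[missing[0]] = xor_bytes([s for s in slots if s is not None])
    return b"".join(slots[:k])[:orig_len]


# Constructed evidence: a small captured log excerpt.
SAMPLE_EVIDENCE = (b"2024-03-01T10:15:02Z ids alert src=10.0.0.5 dst=10.0.0.9 sig=ssh-bruteforce\n"
                   b"2024-03-01T10:15:09Z auth sshd accepted password for admin from 10.0.0.5\n")

if __name__ == "__main__":
    rec = custody_record(SAMPLE_EVIDENCE, "analyst-1", ts=1709288102)
    frags = fragment(SAMPLE_EVIDENCE, k=3)
    print("custody ok:", verify_custody(rec, SAMPLE_EVIDENCE))
    print("fragments consistent:", first_bad_fragment(frags) is None)
    survivors = [f for f in frags if f["index"] != 1]  # node holding fragment 1 is lost
    print("recovered:", reassemble(survivors) == SAMPLE_EVIDENCE)
```

The single parity fragment tolerates the loss or corruption of exactly one fragment; the dissertation's coding-matrix approach generalises this to a tunable number of redundant fragments, which is the parameter trade-off its security analysis studies. The checksum chain only detects tampering, it does not prove who stored a fragment, so the custody record should also be kept for the fragment set as a whole.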