Research of Computer Forensics Method Based on Active Acquisition and Implementation Techniques
【Author】 Wu Yaorui (吴姚睿);
【Supervisor】 Liu Shufen (刘淑芬);
【Author information】 Jilin University, Computer Architecture, 2009, Doctoral dissertation
【Abstract (translated from the Chinese)】 As criminal activity endangering communication networks and information security keeps increasing, computer forensics has gradually become a focus of attention and research. Computer forensics mainly studies how to provide thorough, effective and secure technologies, procedures and methods for investigating computer crime; its key lies in ensuring the authenticity, reliability, integrity and legality of evidence. This dissertation studies the requirements of the investigating subject and related objects in computer forensics for different purposes under multiple modes, and proposes a computer forensics framework based on active acquisition that combines dynamic forensics, honeynet forensics and remote forensics. Dynamic forensics is realised by combining computer forensics technology with firewalls and intrusion detection systems: data on possible computer crime is acquired and analysed in real time and responded to promptly, so that the largest amount of evidence is obtained while the system is kept secure. The honeynet forensics system forms a hacker-trapping network architecture that can learn the attack process carried out by hackers and obtain a large amount of useful information, so as to give early warning of new attacks, delay attacks and divert attack targets, and respond by simulating replies and triggering alarms. Remote forensics can remotely acquire electronic evidence from a suspect's host, obtaining evidence of a crime before it is carried out; at the same time, from related information on the attacking host, it obtains the list of persons and hosts that frequently contact the suspect, in order to judge whether the attack is the work of an individual or of a group, thereby achieving the purpose of detection. This dissertation proposes an active-acquisition computer forensics model (A2CFM), which expands the range of computer forensics sources, defines different levels of forensics sources, and extends the scope of forensics to the whole process before, during and after an attack. A security audit assistance management system (UPAM) is proposed, enriching the forensics information sources, and layered filtering of the forensics sources strengthens forensic analysis. The dissertation designs and implements an active-acquisition remote forensics system (A2RFS); the system simulates two kinds of network environment and can perform forensics on computers that, in specific situations, are not connected to the network. During remote forensics a custom driver traverses different layers of the kernel; it can not only successfully traverse current mainstream firewalls but also traverse reasonably well firewalls that perform network monitoring based on IMD technology. The dissertation also proposes a method of building an attack-group model through a relationship graph: under the constraints of time characteristics and causal relations it determines the attack sequence and reconstructs the attack process of compound attacks, and responds to attack behaviour promptly without needing to consider the ratio of response cost to damage cost for the individual attacks in the group, thereby minimising the response cost. In addition, the dissertation proposes a multi-level compressed decision tree algorithm that overcomes the disadvantage of C4.5 of scanning and sorting the data many times while building the tree; it is optimised in tree size and classification accuracy, so that decision efficiency is clearly improved. Using decision classification to build a multi-level decision tree not only speeds up tree growth but also yields a well-structured tree from which good rules can be mined.
【Abstract (English)】 With the spread of computers and network applications, people rely on computers and networks more and more. Computers participate ever more in people's work and daily life, and computer-related court cases keep appearing. High-tech computer crime is a new form of crime, characterised by more rampant criminal behaviour and more covert criminal means. Relying on traditional network security technologies such as access control, network isolation and intrusion detection to fight computer crime is not very effective, so law-enforcement means must be strengthened and enforcement efforts increased. In this situation computer forensics is proposed, which is not only an effective application of the law in computer science but also a powerful supplement to the existing network security architecture. Computer forensics mainly studies how to provide thorough, effective and safe technologies, procedures and methods for the investigation of computer crime, and its key is to ensure that evidence is authentic, reliable, complete and legitimate.
Existing computer forensics technologies and products are mostly designed for static forensics. In recent years dynamic forensics technologies, the development trend of computer forensics, have advanced rapidly, but they focus on real-time monitoring and rarely involve forensics by active acquisition. In this context, this dissertation proposes a computer forensics method based on active acquisition, which is strongly targeted at discovering computer-related crime, especially organised computer-related crime.
The primary research work of this dissertation includes:
1. Research on a computer forensics model based on active acquisition. This dissertation studies the computer forensics requirements of the investigating subject and related objects under a variety of modes and for different purposes. By combining policy control, operation control and technology control with the enforcement of the law, a framework for computer forensics based on active acquisition is given, which includes dynamic forensics, honeynet forensics and remote forensics. Dynamic forensics is implemented by combining computer forensics technology with firewalls and intrusion detection systems: data on possible computer criminal acts is obtained and analysed in real time, the intruder's purpose is identified so that measures such as cutting off the link or another response can be taken, the most substantial evidence is gained while system security is ensured, and the evidence is identified, preserved and submitted. The honeynet forensics system constitutes a network architecture for trapping hackers. It can learn hackers' attack processes and obtain a lot of useful information, so it can forewarn of new attacks, delay attacks and divert the target of attack, and respond to attacks by simulated responses and triggered warnings. Remote forensics can remotely obtain electronic evidence from the suspect's hosts, acquiring evidence of a crime before it happens; at the same time it acquires, from the relevant information, the list of persons and hosts in contact with the criminal, to determine whether the aggressive behaviour is an individual crime or a gang crime, so as to achieve the purpose of detection.
2. An active acquisition computer forensics model (A2CFM) is presented, which expands the scope of computer forensics sources and defines different levels of forensics sources, in order to extend the forensics scope to the whole attack process before, during and after the attack. A security audit assistance management system (UPAM) is proposed, which monitors write operations to physical ports and provides a detailed logging function, enhancing the effective information sources for computer forensics and making up for the shortcomings of current forensics sources. Furthermore, filtering forensics sources by layers increases the strength of forensics analysis.
3. A remote forensics system based on active acquisition (A2RFS) is designed and implemented. The system simulates two types of network environment, and it can obtain evidence from a computer that cannot access the network in specific circumstances. When carrying out remote forensics, a custom driver can traverse different levels of the core layer, so it can not only traverse current mainstream firewalls but also traverse, reasonably well, IMD-based firewalls that perform network monitoring.
4. A method for establishing an attack group model by means of a relationship graph of the various attacks is proposed. Under the constraints of time characteristics and the causality relation, it can determine the attack sequence and reconstruct the attack sequence of a compound network attack. Besides, it responds in a timely way without considering the ratio of damage cost to response cost of each individual attack, so as to achieve the maximal reduction of response cost.
5. A multi-level compression decision tree algorithm is proposed, which overcomes the disadvantage of C4.5 of scanning and sorting the data several times while constructing the tree. It optimises the size and classification accuracy of the tree and improves the efficiency of decision-making. Using classification decisions to set up a multi-level decision tree not only speeds up the growth of the tree but also yields a tree with good structure, from which better rule information can be obtained.
The innovations of this dissertation are mainly reflected in the following aspects:
1. When carrying out remote forensics, a custom driver can traverse different levels of the core layer, so it can not only traverse current mainstream firewalls but also traverse, reasonably well, IMD-based firewalls that perform network monitoring.
2. An active acquisition computer forensics model (A2CFM) is presented, which expands the scope of computer forensics sources and defines different levels of forensics sources, in order to extend the forensics scope to the whole attack process before, during and after the attack. The main sources of computer forensics are described by a unified knowledge representation, and the different levels of sources are defined. The output of a forensics system depends on the available type, quantity and quality of the input data, so for a computer forensics system, how to acquire forensics information sources is the first issue to solve. This dissertation uses UPAM logs, honeynet logs and intrusion detection information sources as direct inputs of forensics information. Other information, such as out-of-band information, firewall logs, host data and network data, serves as intrusion detection information sources and first undergoes the filtering analysis of intrusion detection. The benefits of doing so are:
1) Enhanced safety and efficiency of forensics. Computer forensics differs from intrusion detection, and the biggest difference is the requirement of legitimacy. For evidence generated by forensics, the extraction, storage and transmission process has special requirements on confidentiality, integrity and availability compared with the process that generates intrusion logs. Hierarchical filtering, together with the filtering of redundant log information by intrusion detection, not only guarantees the diversity of forensics sources but also minimises the input to the forensics system.
2) Intrusion detection is a more mature technology. Compared with computer forensics, which is a new technology, its technical means are rich and target-oriented. Using intrusion detection to filter information means using mature technologies to complete the analysis and extraction of logs, providing a basic guarantee for the accuracy of crime analysis in the whole system.
3. A remote forensics system based on active acquisition (A2RFS) is designed and implemented. The system simulates two types of network environment, and it can obtain evidence from a computer that cannot access the network in specific circumstances.
4. A cost-based intrusion response method is proposed. It studies how to calculate the response cost under a coordinated attack, and obtains the goal of maximum security by minimising that cost. Graph-theoretic methods establish the attack group model; under the constraints of time characteristics and causal relation it determines the course of the coordinated intrusion, and considers the overall relationship between the individual response cost and the whole response cost of the coordinated attack to decide whether a response is needed, thereby achieving the goal of maximum reduction of response cost.
To sum up, this dissertation conducts systematic research on computer dynamic forensics methods based on active acquisition and proposes a computer dynamic forensics model based on active acquisition. Through real-time monitoring of attacks as they occur, it can on the one hand carry out real-time synchronised forensics and make detailed records of intrusion behaviour; on the other hand it can activate the response system to call the firewall or IRS to carry out the corresponding response to intrusion behaviour of different intensity. The dynamic computer forensics model makes forensics more real-time and continuous, reduces damage to the forensics system as much as possible through the interaction of firewalls and the intrusion detection system, and can observe the steps and methods of network attacks through honeynet technologies, thereby learning the weaknesses and flaws of the system in order to update the intrusion signature database and call the corresponding response measures. Under the authority of the public security organs, remote forensics technologies can obtain electronic evidence from the hosts of criminal suspects remotely. Before or during the crime, it obtains evidence of the crime and at the same time, in accordance with the relevant information on the attacking hosts, acquires the list of hosts that often contact the criminal suspects, to determine whether the attack is an individual crime or a gang crime, and so achieve the purpose of detection. Parts of this dissertation have proved very effective in practice.
The research has significant theoretical significance and application value.
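As an added illustration (not code from the dissertation) of item 4 in both lists above, the following builds a relationship graph from alerts under a causality constraint and a time constraint, takes connected components as attack groups in time order (the reconstructed attack sequence), and makes the response decision at group level by comparing total damage cost with total response cost. The alert stream, causality table, time window and cost figures are constructed assumptions.

```python
from collections import defaultdict

# Constructed alert stream: (event id, time in seconds, attack type, victim host)
ALERTS = [
    ("e1", 100, "port_scan", "10.0.0.5"),
    ("e2", 160, "exploit", "10.0.0.5"),
    ("e3", 220, "privilege_escalation", "10.0.0.5"),
    ("e4", 400, "port_scan", "10.0.0.9"),  # other host: separate group
    ("e5", 900, "exploit", "10.0.0.5"),    # beyond e1's window: not linked
]
# Assumed causality knowledge: prerequisite attack type -> types it can enable
CAUSES = {"port_scan": {"exploit"}, "exploit": {"privilege_escalation"}}
TIME_WINDOW = 300  # seconds; a consequence must follow its cause within this window
# Constructed per-event damage and response costs (arbitrary units)
DAMAGE = {"e1": 1, "e2": 8, "e3": 20, "e4": 1, "e5": 8}
RESPONSE = {"e1": 5, "e2": 5, "e3": 5, "e4": 5, "e5": 5}


def build_relationship_graph(alerts, causes, window):
    """Directed edge a -> b when type(a) can cause type(b) on the same host and
    0 < t(b) - t(a) <= window: the causality and time constraints together."""
    edges = defaultdict(list)
    for a_id, a_t, a_type, a_host in alerts:
        for b_id, b_t, b_type, b_host in alerts:
            if (b_type in causes.get(a_type, ()) and a_host == b_host
                    and 0 < b_t - a_t <= window):
                edges[a_id].append(b_id)
    return edges


def attack_groups(alerts, edges):
    """Connected components of the relationship graph are the attack groups; each
    group is returned as its events in time order, i.e. the reconstructed sequence."""
    parent = {a[0]: a[0] for a in alerts}

    def find(x):  # union-find root lookup
        while parent[x] != x:
            x = parent[x]
        return x
    for a, bs in edges.items():
        for b in bs:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for a_id, *_ in sorted(alerts, key=lambda a: a[1]):
        groups[find(a_id)].append(a_id)
    return sorted(groups.values(), key=len, reverse=True)


def should_respond(group, damage=DAMAGE, response=RESPONSE):
    """Group-level decision: respond when the coordinated attack's total damage cost
    exceeds its total response cost, even if single events would not qualify."""
    return sum(damage[e] for e in group) > sum(response[e] for e in group)
```

With these inputs the scan e1 alone would not justify a response (damage 1 against cost 5), but the group e1, e2, e3 it belongs to does, which is the point of deciding at the level of the coordinated attack.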
【Key words】 Dynamic Forensics; Honeynet Forensics; Remote Forensics; Cost-based Response; Cooperative Attacks;