
Research And Implementation Of Network Forensics Based On Evidence Graph Technology

Posted on: 2018-06-01    Degree: Master    Type: Thesis
Country: China    Candidate: C Y Chang    Full Text: PDF
GTID: 2348330563452638    Subject: Master of Engineering / Software Engineering
Abstract/Summary:
As the Internet grows in scale, structural complexity and traffic diversity, the number of crimes that exploit computer technology is rising rapidly, and the field of computer and network forensics has emerged in response. Network forensics collects evidence of potential criminal activity on the Internet: by monitoring in real time, capturing or searching network data streams and the log data of network devices and hosts, an investigator analyzes the data to identify intrusion activity, to produce legally admissible evidence of the intrusion and the loss it caused, and to support criminal charges. Network forensics is a complex problem, and it is an important weapon for protecting the security of network information. However, because Internet traffic volumes are large, not all captured and analyzed traffic is valuable for investigation or for confirming an incident.

After analyzing existing network forensics methods, we identify the following common shortcomings: evidence from a single source (only network packets, or only alerts from a network intrusion detection system) can be incomplete or misleading; the data preprocessing used by many methods is not accurate enough to guarantee that the resulting data is actually related to the crime under investigation; and some methods use no preprocessing at all, which makes them inefficient on large volumes of data.

We therefore propose a new network forensics method that combines network vulnerability information with a network evidence graph. The method uses vulnerability evidence and a reasoning algorithm to reconstruct attack scenarios, then backtracks to the network packets to recover the original evidence; it reconstructs attack scenarios effectively and identifies multi-stage attacks through evidential reasoning. Its main contributions are as follows.

First, digital signatures and timestamps are added to the digital evidence to protect its integrity, and the evidence is converted into a unified format and represented as an event vector. Event vectors unify the collected data, which is then used to build the evidence graph and to support analysis of the evidence during investigation.

Second, a machine learning classifier using 41 features separates benign packets from suspicious packets, and only the suspicious packets are used to construct the evidence graph, which makes the graph more accurate. Support vector machines (SVM) are among the most widely used supervised learning algorithms for both regression and classification because of their robustness and high accuracy; an SVM can classify network traffic accurately from a small set of training samples, which makes it an effective tool for packet classification.

Third, a vulnerability evidence reasoning algorithm (VERA) infers the attacked nodes and the attack routes. The original data can also be backtracked to provide more and clearer evidence, giving the court valid electronic evidence of the attackers' activities. Network vulnerabilities are scanned to obtain a vulnerability score for each host, and the scores are stored in a network vulnerability database that describes the vulnerabilities of every host in the network.

Finally, we propose a network forensics framework and implement the method in software.
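The pipeline the abstract describes (signed, timestamped event vectors; a filter that keeps only suspicious packets; an evidence graph whose edges point back to packet ids; vulnerability-score-guided reasoning over that graph; backtracking to the original captures) can be sketched end to end in a few dozen lines. The block below is an added example, not code from the thesis. Everything in it is an assumption standing in for the thesis's components: HMAC-SHA256 with a constructed key replaces the digital signature, a two-rule filter replaces the 41-feature SVM, and the route search is a simple vulnerability-gated depth-first walk, not the VERA algorithm. The packets, the vulnerability scores and the attacker address are constructed.

```python
"""Added example (not the thesis's code): a toy version of the pipeline the abstract
describes. Assumptions are marked: HMAC-SHA256 with a constructed key stands in for
the digital signature, a two-rule filter stands in for the 41-feature SVM, and the
route search is a vulnerability-gated DFS, not the thesis's VERA algorithm."""
import hashlib
import hmac
import json
import time
from collections import defaultdict

SIGNING_KEY = b"constructed-demo-key"  # assumption: real key management is out of scope

# Constructed packet summaries (a handful of the kind of features the thesis uses).
RAW_PACKETS = [
    {"id": 1, "src": "10.0.0.5",    "dst": "10.0.0.20",    "dport": 80,   "bytes": 400,  "syn_only": False},
    {"id": 2, "src": "203.0.113.9", "dst": "10.0.0.20",    "dport": 22,   "bytes": 60,   "syn_only": True},
    {"id": 3, "src": "203.0.113.9", "dst": "10.0.0.20",    "dport": 445,  "bytes": 60,   "syn_only": True},
    {"id": 4, "src": "203.0.113.9", "dst": "10.0.0.20",    "dport": 445,  "bytes": 8000, "syn_only": False},
    {"id": 5, "src": "10.0.0.20",   "dst": "10.0.0.30",    "dport": 4444, "bytes": 300,  "syn_only": False},
    {"id": 6, "src": "10.0.0.20",   "dst": "10.0.0.40",    "dport": 23,   "bytes": 100,  "syn_only": False},
    {"id": 7, "src": "10.0.0.30",   "dst": "198.51.100.7", "dport": 443,  "bytes": 900,  "syn_only": False},
    {"id": 8, "src": "10.0.0.5",    "dst": "10.0.0.40",    "dport": 23,   "bytes": 50,   "syn_only": False},
]

# Constructed vulnerability database: host -> score on an assumed 0-10 (CVSS-like) scale.
VULN_DB = {"10.0.0.5": 3.1, "10.0.0.20": 9.8, "10.0.0.30": 7.5, "10.0.0.40": 2.0}


def make_event_vector(pkt, ts=None):
    """Unify a packet into an event vector, timestamp it and sign it (integrity only)."""
    event = {k: pkt[k] for k in ("id", "src", "dst", "dport", "bytes", "syn_only")}
    event["timestamp"] = ts if ts is not None else time.time()
    body = json.dumps(event, sort_keys=True).encode()
    event["sig"] = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return event


def verify_event(event):
    """Recompute the signature over every field except 'sig'; reject tampered vectors."""
    body = {k: v for k, v in event.items() if k != "sig"}
    expected = hmac.new(SIGNING_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, event["sig"])


def is_suspicious(event):
    """Stand-in for the SVM stage: SYN-only probes, shell/telnet ports, or oversized payloads."""
    return event["syn_only"] or event["dport"] in (23, 4444) or event["bytes"] > 5000


def build_evidence_graph(events):
    """Directed graph host -> host; each edge keeps the packet ids that support it."""
    graph = defaultdict(lambda: defaultdict(list))
    for e in events:
        graph[e["src"]][e["dst"]].append(e["id"])
    return graph


def infer_attack_routes(graph, vuln_db, attacker, min_score=5.0):
    """Assumed reasoning rule (not VERA): follow suspicious edges only into hosts whose
    vulnerability score reaches min_score; return maximal routes with the packet ids per hop."""
    routes = []

    def walk(node, path, hops):
        extended = False
        for nxt, pkt_ids in graph.get(node, {}).items():
            if nxt in path or vuln_db.get(nxt, 0.0) < min_score:
                continue
            extended = True
            walk(nxt, path + [nxt], hops + [(node, nxt, list(pkt_ids))])
        if not extended and len(path) > 1:
            routes.append((path, hops))

    walk(attacker, [attacker], [])
    return routes


def backtrack_packets(routes, raw_packets):
    """Map the packet ids on the inferred routes back to the original captures."""
    by_id = {p["id"]: p for p in raw_packets}
    wanted = sorted({pid for _, hops in routes for _, _, ids in hops for pid in ids})
    return [by_id[pid] for pid in wanted]


def analyze(raw_packets, vuln_db, attacker, ts=1_700_000_000):
    """Full pipeline: sign -> verify -> filter -> graph -> reason -> backtrack."""
    events = [make_event_vector(p, ts) for p in raw_packets]
    trusted = [e for e in events if verify_event(e)]
    suspicious = [e for e in trusted if is_suspicious(e)]
    routes = infer_attack_routes(build_evidence_graph(suspicious), vuln_db, attacker)
    attacked = sorted({h for path, _ in routes for h in path[1:]})
    return {"routes": routes, "attacked_nodes": attacked,
            "evidence_packets": backtrack_packets(routes, raw_packets)}


if __name__ == "__main__":
    result = analyze(RAW_PACKETS, VULN_DB, "203.0.113.9")
    for path, hops in result["routes"]:
        print(" -> ".join(path), hops)
    print("attacked nodes:", result["attacked_nodes"])
    print("original packets to present:", [p["id"] for p in result["evidence_packets"]])
```

Two details are worth noticing. The telnet session from 10.0.0.20 to 10.0.0.40 (packet 6) is suspicious on its own, but the reasoning step drops it because 10.0.0.40 scores too low in the vulnerability database; that is the role the vulnerability scores play in pruning the graph. The telnet packet from 10.0.0.5 (packet 8) is likewise suspicious but never reached from the attacker, so it does not appear in the evidence handed back. Packets 2 to 5 are the ones backtracked, and any event vector whose fields were altered after signing fails verification and is excluded before the graph is built.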
Keywords/Search Tags:Network security, Network forensics, Vulnerability evidence reasoning algorithm, Vulnerability reasoning, Evidence graph