An Immune-based System For Dynamic Computer Forensics Against Network Intrusion

Posted on: 2006-04-29
Degree: Master
Type: Thesis
Country: China
Candidate: J L Ding
GTID: 2168360155965579
Subject: Computer software and theory
Abstract/Summary:
With the development of the Internet, computer crime has become more and more rampant. Firewall and IDS (Intrusion Detection System) techniques have held back hacker intrusions to a certain extent, yet it is still difficult for network security administrators to defend against those hackers. As one of the active network defense techniques, computer forensics makes up for the limitations of the traditional defense methods. However, current solutions for computer forensics are mostly static methods, and research on computer forensics is separate from network surveillance techniques such as network intrusion detection. After an intrusion, the collected evidence is so limited that it cannot deal with those attacks. It may also take excessive time and require special training for forensic practitioners to use such static tools to collect useful evidence. Thus, their application in computer forensics is generally limited and depends more on the forensic practitioners' experience. Artificial immune systems (AIS) have been developing in the network security area, especially in intrusion detection systems. But the former research lacks a dynamic description of self: the defined self is static, the number of collected selfs is large, and there is no quantitative description, which results in more randomness. For this reason, in this paper, the computer forensic technique is tightly combined with the network surveillance technique, and a method of immune-based dynamic computer forensics against network intrusion is put forward. The paper first introduces the general development of computer crime from an overview of network security research, and points out the necessity of research on computer forensics techniques. The kinds of conventional computer forensics techniques are discussed. The static computer forensics techniques are analyzed and compared with dynamic computer forensic techniques.
The method of immune-based dynamic computer forensics is described in detail. With the concepts and formal definitions of self, nonself, antigen, lymphocyte and digital evidence introduced into network surveillance and computer forensics, the dynamic evolutionary models and the recursive equations for self, antigen, dynamic computer forensics, immunological tolerance, the life cycle of lymphocytes and immune memory are presented. A new model for immune-based dynamic computer forensics against network intrusion has thus been built. We also discuss how to preserve digital evidence and how to present it. A simulation of this model is given. The comparative experimental results show that the new model has the features of being real-time, self-learning, self-adaptive and diverse. Therefore, it is a good solution for dynamic computer forensics. Specifically, the contributions of the paper include: analyzing the research overview of computer forensic techniques at home and abroad with respect to theory development and application products, and pointing out the danger posed by the development of computer crime; analyzing the application of artificial immune systems in the network security area; introducing the existing computer forensic techniques, comparing static computer forensic techniques with dynamic ones, and discussing the existing dynamic computer forensic techniques; proposing an immune-based method for dynamic computer forensics against network intrusion; expounding the theory of the immune-based method of dynamic computer forensics against network intrusion; giving the quantitative description of the theory, presenting the dynamic evolutionary models and the recursive equations for self, antigen, dynamic computer forensics, immunological tolerance, the life cycle of lymphocytes, immune memory, etc.; building the model of the immune-based system for dynamic computer forensics against network intrusions; designing the system of dynamic computer forensics against network intrusions; and implementing the system of dynamic computer forensics against network intrusion and comparing it with the static tool.
Keywords/Search Tags: Network Intrusion, Artificial Immune System, Dynamic Computer Forensics, Self-tolerance