
Research And Implementation Of A Log Based Network Users' Behaviors Forensics And Analysis System

Posted on: 2007-05-24
Degree: Master
Type: Thesis
Country: China
Candidate: J M Shen
Full Text: PDF
GTID: 2178360212465598
Subject: Computer system architecture

Abstract/Summary:
With the development and popularization of computer networks, researchers are paying more and more attention to network security. The growing number of illegal intrusions in networks is heavily degrading network performance and threatening personal privacy. Against this application background, computer forensics, which analyzes and obtains electronic evidence about crimes committed in computer systems and computer networks, began to develop rapidly. Recently, computer forensics has become a hot subject that attracts increasing attention and research. Many computer forensics theories and tools have matured. The study of computer forensics is still in its infancy in our country, and we have not yet developed our own computer network forensics tools. This thesis researches computer network forensics with an emphasis on two issues: log analysis, and the protection and verification of the integrity of log data. The thesis also gives the design and implementation of a log-based network users' behavior forensics and analysis system.

Firstly, the thesis addresses and summarizes computer forensics, electronic evidence and system logs. It also introduces the common system logs and application program logs in Linux and Windows. It then argues for using log records as electronic evidence and puts forward a system-log-based computer network forensics model.

Secondly, the thesis researches several key issues of log forensics, namely log collection, transmission, preservation, analysis and presentation, with log analysis and preservation emphasized. Log analysis consists of statistical analysis and correlation analysis. Statistical analysis sets the values or scope of log fields, scans the log database, and counts the log records by event type. It can build rules for network users' behavior and cluster the log records. It can also narrow the set of log records to be analyzed and help to detect abnormal log records. Time sequence is an important characteristic of log records. Most security events consist of multiple stages, which are logged on different network devices or in different system logs. These records have a partial order in time and share the same values in some fields. The thesis presents a timestamp-based multi-characteristic matching log correlation analysis method. The method correlates log records by judging whether there is a causal and temporal order between them and by finding the subset of log fields that carry the same values. It helps to reconstruct security events.

How to protect and verify the integrity of log data is discussed in a later chapter. The integrity of log data is a key issue that decides whether the computer forensics succeeds and whether its results have legal effect. The thesis presents several solutions for protecting the integrity of log data throughout the log forensics procedure. It mainly discusses using the SSL protocol to protect data transmission, using the CES (Content Extraction Signature) algorithm to protect log data while preserving and extracting log records, and verifying the integrity of log contents by selecting the log types and using log templates.

The design of the system architecture is given in the next chapter. The thesis describes the module functions and the working flow of each sub-system in detail. A log based computer network users'behaviors...
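The statistical analysis (counting records by event type within a field scope) and the timestamp-based multi-field matching correlation described above, as an added Python illustration that is not code from the thesis. The record layout, the field names, the 30-second window and the sample firewall and auth records are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not data from the thesis): a firewall log and an
# auth log, already parsed into one common field layout.
RECORDS = [
    {"src": "firewall", "ts": "2007-05-20 10:00:01", "ip": "192.0.2.10", "user": None, "event": "conn"},
    {"src": "auth", "ts": "2007-05-20 10:00:05", "ip": "192.0.2.10", "user": "alice", "event": "login_fail"},
    {"src": "auth", "ts": "2007-05-20 10:00:09", "ip": "192.0.2.10", "user": "alice", "event": "login_fail"},
    {"src": "auth", "ts": "2007-05-20 10:00:12", "ip": "192.0.2.10", "user": "alice", "event": "login_ok"},
    {"src": "firewall", "ts": "2007-05-20 11:30:00", "ip": "198.51.100.7", "user": None, "event": "conn"},
    {"src": "auth", "ts": "2007-05-20 11:30:02", "ip": "198.51.100.7", "user": "bob", "event": "login_ok"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def count_by_event(records, **scope):
    """Statistical analysis: restrict the records to a field scope (e.g. ip=...)
    and count them per event type."""
    hits = [r for r in records if all(r.get(k) == v for k, v in scope.items())]
    return Counter(r["event"] for r in hits)

def shared_fields(a, b, fields):
    """Subset of `fields` on which both records carry the same non-empty value."""
    return {f for f in fields if a.get(f) is not None and a.get(f) == b.get(f)}

def correlate(records, fields=("ip", "user"), window=timedelta(seconds=30), min_shared=1):
    """Timestamp-based multi-field matching: walk records in time order and
    append each to the newest chain whose last record precedes it by at most
    `window` and shares at least `min_shared` of `fields`; otherwise start a
    new chain. Each chain is a candidate reconstructed security event."""
    chains = []
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        t = parse_ts(rec["ts"])
        for chain in reversed(chains):
            last = chain[-1]
            gap = t - parse_ts(last["ts"])
            if timedelta(0) <= gap <= window and len(shared_fields(last, rec, fields)) >= min_shared:
                chain.append(rec)
                break
        else:
            chains.append([rec])
    return chains

def event_sequence(chain):
    """Compact view of one chain: the ordered (source, event) pairs."""
    return [(r["src"], r["event"]) for r in chain]
```

With the sample records, `correlate(RECORDS)` joins the firewall connection and the three auth records for 192.0.2.10 into one chain (two failed logins followed by a success), and raising `min_shared` to 2 splits the firewall record off because it carries no user field.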
Keywords/Search Tags: Computer Crimes, Computer Forensics, System Log, SSL Protocol, Agent, Statistical Analysis, Correlation Analysis, CES Algorithm