Research & Implementation Of Accountability Data Analysis System

Posted on: 2010-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: J M Wu
Full Text: PDF
GTID: 2178360275973197
Subject: Computer application technology
Abstract/Summary:
Notice No. 11 [2006] of the General Office of the State Council, on Several Issues about Construction of the Network Trust Infrastructure, explicitly requires that research on, and construction of, a trusted network system be strengthened. Accountability is the most important component of that infrastructure: it is the means by which network behaviour can be verified, responsibility for network events assigned, and crime fought. An audit mechanism that stops at collecting, querying and counting data cannot deliver effective accountability; the audit data must be mined in depth and as much useful information as possible extracted from it, so that the accountability mechanism rests on convincing evidence. The Accountability Data Analysis System proposed in this thesis was motivated by this background. Its aim is a platform for integrated data analysis that performs correlation analysis across all logs and audit data in the network, whatever their format and location, and thereby provides more complete evidence for accountability and satisfies the need, in a secure network environment, to unify responsibilities, rights and benefits.

As construction of the network trust infrastructure advances, the object of computer surveillance and forensics shifts from a single host to a network of servers, routers and other security devices. Useful evidence is usually scattered across many logs, and because those logs differ in kind and format they rarely show the relations between one another, which makes the traditional manual analysis mode extremely difficult; at the same time, the sheer volume of logs buries much of the important information.

To make good use of distributed logs in aiding computer forensics, the analysis must be carried out at the higher level of correlated event scenarios. After studying the relevant data-analysis techniques for accountability, we propose an event-correlation approach based on the "prerequisites/consequences" idea, called PC-ECF, which lets the system we designed automatically analyse heterogeneous event logs in aid of forensics. A pre-processing scheme for audit data, based on event-log fusion, reduces the very large volume of audit data and keeps it within a range that the correlation analysis can handle. Another key contribution of the thesis is the design and implementation of the Event data model used to express security events, which extends the standard IDMEF (Intrusion Detection Message Exchange Format). It resolves compatibility and interoperability problems and provides a standard interface for the standardization service, which makes centralized correlation analysis of heterogeneous audit data possible.
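The pipeline sketched above (normalise heterogeneous logs into a common IDMEF-like event record, fuse repeated events to shrink the volume, then chain events whose consequences satisfy the prerequisites of later events) is illustrated below in Python. This is an added example, not code from the thesis: PC-ECF's actual rules, event model and fusion scheme are not given in the abstract, so the log formats, the host-to-address map, the fusion window, the brute-force threshold and the prerequisite/consequence table are all assumptions chosen for the illustration, and the log lines are constructed, not real captures.

```python
"""Added illustration: log normalisation, fusion and prerequisites/consequences correlation."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample inputs (not real captures): a syslog-style sshd log from
# host "gw" and a key=value IDS alert log, i.e. two heterogeneous formats.
SYSLOG_LINES = [
    "Mar 10 10:01:05 gw sshd[221]: Failed password for root from 10.0.0.7 port 5120 ssh2",
    "Mar 10 10:01:06 gw sshd[221]: Failed password for root from 10.0.0.7 port 5121 ssh2",
    "Mar 10 10:01:08 gw sshd[221]: Failed password for root from 10.0.0.7 port 5122 ssh2",
    "Mar 10 10:02:30 gw sshd[230]: Accepted password for root from 10.0.0.7 port 5130 ssh2",
]
IDS_LINES = [
    '2010-03-10T10:00:40 alert classification="PortScan" src=10.0.0.7 dst=10.0.0.1',
    '2010-03-10T10:03:00 alert classification="PrivilegedShell" src=10.0.0.7 dst=10.0.0.1',
]

HOST_ADDR = {"gw": "10.0.0.1"}  # assumed hostname-to-address map used when normalising
YEAR = 2010                     # syslog lines carry no year; assumed for the sample
FUSION_WINDOW = 60              # assumed aggregation window in seconds
BRUTE_FORCE_MIN = 3             # assumed: >= 3 fused auth failures count as brute force

# Assumed prerequisite/consequence table (hypothetical attack classes); each predicate
# is instantiated with the event's (source, target) pair so that unrelated hosts do not link.
KNOWLEDGE = {
    "PortScan":        (set(),                 {"HostReachable"}),
    "SSHBruteForce":   ({"HostReachable"},     {"CredentialGuessed"}),
    "SSHLoginSuccess": ({"CredentialGuessed"}, {"ShellAccess"}),
    "PrivilegedShell": ({"ShellAccess"},       {"RootCompromise"}),
}


@dataclass
class Event:
    """Minimal subset of an IDMEF Alert: classification, source, target, time, plus a fusion count."""
    classification: str
    source: str
    target: str
    time: datetime
    count: int = 1


SYSLOG_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for \S+ from (\S+)")
IDS_RE = re.compile(r'^(\S+) alert classification="([^"]+)" src=(\S+) dst=(\S+)$')


def parse_syslog(line):
    """Map one sshd syslog line onto the common event record (None if it is not an auth event)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, outcome, src = m.groups()
    when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=YEAR)
    cls = "SSHAuthFailure" if outcome == "Failed" else "SSHLoginSuccess"
    return Event(cls, src, HOST_ADDR.get(host, host), when)


def parse_ids(line):
    """Map one key=value IDS alert onto the common event record."""
    m = IDS_RE.match(line)
    if not m:
        return None
    ts, cls, src, dst = m.groups()
    return Event(cls, src, dst, datetime.fromisoformat(ts))


def normalise(syslog_lines, ids_lines):
    """Normalise both sources into one time-ordered event stream."""
    events = []
    for parser, lines in ((parse_syslog, syslog_lines), (parse_ids, ids_lines)):
        for line in lines:
            event = parser(line)
            if event:
                events.append(event)
    return sorted(events, key=lambda e: e.time)


def fuse(events):
    """Merge repeats of the same (class, source, target) within FUSION_WINDOW; relabel bursts of auth failures."""
    fused, open_by_key = [], {}
    for e in events:
        key = (e.classification, e.source, e.target)
        last = open_by_key.get(key)
        if last and (e.time - last.time).total_seconds() <= FUSION_WINDOW:
            last.count += 1
        else:
            copy = Event(e.classification, e.source, e.target, e.time)
            fused.append(copy)
            open_by_key[key] = copy
    for e in fused:
        if e.classification == "SSHAuthFailure" and e.count >= BRUTE_FORCE_MIN:
            e.classification = "SSHBruteForce"
    return fused


def correlate(events):
    """Link later event b to earlier event a when a consequence of a satisfies a prerequisite of b."""
    edges = []
    for i, b in enumerate(events):
        pre = {(p, b.source, b.target) for p in KNOWLEDGE.get(b.classification, (set(), set()))[0]}
        for a in events[:i]:
            con = {(c, a.source, a.target) for c in KNOWLEDGE.get(a.classification, (set(), set()))[1]}
            if pre & con:
                edges.append((a.classification, b.classification))
    return edges


def scenarios(edges):
    """Follow correlation edges from root events to produce attack-scenario chains."""
    succ, has_pred = defaultdict(list), set()
    for a, b in edges:
        succ[a].append(b)
        has_pred.add(b)
    chains = []

    def walk(node, path):
        if not succ.get(node):
            chains.append(path)
        for nxt in succ.get(node, []):
            walk(nxt, path + [nxt])

    for root in [a for a in list(succ) if a not in has_pred]:
        walk(root, [root])
    return chains


def analyse(syslog_lines=SYSLOG_LINES, ids_lines=IDS_LINES):
    """Full pipeline: normalise -> fuse -> correlate -> scenarios."""
    fused = fuse(normalise(syslog_lines, ids_lines))
    return fused, scenarios(correlate(fused))


if __name__ == "__main__":
    fused_events, chains = analyse()
    print(f"{len(SYSLOG_LINES) + len(IDS_LINES)} raw lines -> {len(fused_events)} fused events")
    for chain in chains:
        print(" -> ".join(chain))
```

On the sample, six raw lines fuse to four events (the three failed logins collapse into one SSHBruteForce event with count 3) and the correlation yields a single scenario PortScan -> SSHBruteForce -> SSHLoginSuccess -> PrivilegedShell. Because predicates are bound to the (source, target) pair, a PrivilegedShell alert from a different source does not attach to the chain, which is the check that keeps the correlation from linking unrelated activity.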
Keywords/Search Tags: Accountability, log fusing, event scenarios, PC-ECF, IDMEF, Event