
Network Forensics Oriented CDMA2000 Packet Processing And Distributing Technology

Posted on: 2013-02-17
Degree: Master
Type: Thesis
Country: China
Candidate: M Cheng
GTID: 2298330422974315
Subject: Software engineering
Abstract/Summary:
With the development of mobile communication technology, Internet attacks in mobile communications are increasing. The high technology and virtuality of the Internet often let criminals escape punishment and effective prevention because of the lack of evidence. Therefore, in order to obtain network evidence that reflects objective fact and is associated with the case, acquiring and preserving the complex and huge volume of data on the network in time is a problem in today's network security.

This thesis focuses on the CDMA2000 packet domain core network, to support network security departments in solving the problem of real-time forensics in mobile communication networks. Two technologies for network forensics based on the CDMA2000 flow extraction system are proposed: a packet distribution method based on the user terminal IP address, and a decompression method for Microsoft Point-to-Point Compression packets. The main work of this thesis is as follows:

Firstly, the mobile communication core network often gathers all the PS domain packets from the base stations of several municipal areas. The current capacity is large and the packet structure is complex. On one hand, to meet the basic requirements of line-speed processing and analysis, several analysis devices must be used in parallel. On the other hand, in order to restore the user information and ensure the integrity of evidence, the same user's data stream has to be distributed to the same end analysis device. To solve these problems, we propose a method based on analysis of the structural characteristics of each packet in the packet domain core network: first get the PDSN address from the A11 interface signaling message, then judge the uplink or downlink state of each GRE-encapsulated packet, and finally obtain the user terminal IP and distribute.

Secondly, packets in the CDMA2000 packet domain core network vary widely; each packet must be processed accordingly, and any kind of neglect will reduce the credibility of the forensics results. Therefore, to further improve the reduction rate of user data, we focus on Microsoft Point-to-Point compressed packets, propose a decompression method based on the CDMA2000 flow extraction system, and give the implementation process.

At last, a new data distribution method and MPPC packet decompression method in the CDMA2000 flow extraction system are introduced. On one hand, we test load balance and the integrity of user flows to demonstrate the effectiveness of the method. On the other hand, we test the result of decompression of MPPC packets. Finally, a test instrument is used for large-flow pressure tests to demonstrate that the CDMA2000 flow extraction system can adapt to the actual link.
Keywords/Search Tags: CDMA2000, Network Forensics, Data Distribution, MPPC Compressed Technology
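
The three distribution steps in the abstract (learn the PDSN from A11 signaling, judge uplink or downlink per GRE packet, distribute by user terminal IP) can be sketched as follows. This is an added example, not code from the thesis. It assumes A11 signaling on UDP port 699 with Registration Request type 0x01, an inner IP header already extracted from the GRE payload, and a CRC32 hash; all class and function names are hypothetical.

```python
import ipaddress
import zlib

A11_UDP_PORT = 699        # assumption: A11 signaling port (not stated on the page)
A11_REG_REQUEST = 0x01    # assumption: message type of a PCF -> PDSN Registration Request

class Distributor:
    """Distribute GRE user packets to analyzers by user terminal IP."""

    def __init__(self, n_analyzers):
        self.n = n_analyzers
        self.pdsn = set()          # PDSN addresses learned from A11 signaling

    def on_a11(self, dst_ip, dst_port, payload):
        # Step 1: a Registration Request is addressed to the PDSN.
        if dst_port == A11_UDP_PORT and payload[:1] == bytes([A11_REG_REQUEST]):
            self.pdsn.add(dst_ip)

    def route(self, outer_src, outer_dst, inner_src, inner_dst):
        # Step 2: direction follows from which outer endpoint is the PDSN.
        if outer_dst in self.pdsn:
            direction, user_ip = "uplink", inner_src      # terminal is the sender
        elif outer_src in self.pdsn:
            direction, user_ip = "downlink", inner_dst    # terminal is the receiver
        else:
            return None            # no PDSN learned yet for this tunnel
        # Step 3: a stable hash of the user IP picks the analyzer.
        key = ipaddress.ip_address(user_ip).packed
        return direction, user_ip, zlib.crc32(key) % self.n

def demo():
    d = Distributor(n_analyzers=4)
    # Constructed sample traffic (documentation address ranges, not real hosts).
    pcf, pdsn, user, server = "192.0.2.10", "192.0.2.20", "10.1.2.3", "198.51.100.7"
    early = d.route(pcf, pdsn, user, server)               # before A11 was seen
    d.on_a11(pdsn, A11_UDP_PORT, b"\x01" + b"\x00" * 23)   # constructed request
    up = d.route(pcf, pdsn, user, server)
    down = d.route(pdsn, pcf, server, user)
    return early, up, down

if __name__ == "__main__":
    print(demo())
```

Hashing on the outer tunnel addresses or on the inner source address alone would send the two directions of one user's traffic to different analyzers, which is the evidence-integrity problem the abstract describes.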