Research On Network Forensics Based On Scenario Reconstruction And Alert Aggregation

Posted on: 2013-09-01
Degree: Master
Type: Thesis
Country: China
Candidate: Q Zhao
Full Text: PDF
GTID: 2298330467474666
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of computers and the wide application of network technology, the world is becoming closely interconnected. The network has become a powerful driving force for social and economic development, and its importance keeps growing. Network technology is, however, a double-edged sword: it also provides new space and new means for criminal activity. The number of computer crimes is rising, network intrusions are becoming more serious, attackers keep improving their techniques, and cybercrime is diversifying. Computer forensics has emerged and developed in response to this situation. Its main purpose is to collect evidence from network packets and reconstruct the crime scene in order to provide accurate and valid evidence. The difficulties of network forensics are capturing packets at high speed, analysing large volumes of data, and ensuring the integrity of the evidence.

To address the high false-negative rate of detection and the large volume of network data, this thesis proposes a network forensics method that combines scenario reconstruction with alert aggregation. The method consists of alert normalisation, alert redundancy reduction, scenario reconstruction and alert aggregation. In the redundancy reduction step, the thesis proposes removing the alerts of failed attacks first, so that they do not interfere with the analysis of the successful attacks. In the scenario reconstruction step, inverse association is used to prune unnecessary chains of evidence, and isolated alerts are supplemented so that the chain of evidence stays complete. In the alert aggregation step, the thesis proposes merging alerts of differing detail that describe the same attack step. Finally, the intrusion scenario is reconstructed at two levels, an abstract layer and a specific layer.

The specific layer focuses on each victim host; the abstract layer focuses on the intruder and the whole course of the intrusion. This design keeps the high-level intrusion process clear while keeping the low-level intrusion scenario complete. The feasibility of the method is demonstrated by experiment.
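As an added illustration (not code from the thesis), the following Python sketch implements a pipeline of the kind the abstract describes: normalising alerts from two sensor schemas, dropping alerts for failed attacks, merging alerts of the same step, then reconstructing the scenario per victim (specific layer) and per attacker (abstract layer). The stage model, field names and sample alerts are constructed assumptions for this example. Inverse association is interpreted here as walking backwards from the furthest stage reached on a victim and keeping only the steps of the attacker who reached it, and missing-alert supplement as inserting an inferred placeholder for a skipped stage; that interpretation is the editor's, not the thesis's.

```python
"""Added example: normalise -> drop failed -> aggregate same-step alerts ->
reconstruct at a per-victim (specific) and per-attacker (abstract) layer.
All sample data and the stage model are constructed for this example."""
from collections import defaultdict

# Attack stage order assumed by this example (hypothetical, not from the thesis).
STAGES = ["recon", "exploit", "privesc", "exfil"]

# Constructed alerts from two fictitious sensors with different field names.
RAW_ALERTS = [
    {"time": 1, "src_ip": "10.0.0.5", "dst_ip": "192.168.1.10", "msg": "portscan", "phase": "recon", "result": "n/a"},
    {"time": 2, "src_ip": "10.0.0.5", "dst_ip": "192.168.1.10", "msg": "portscan", "phase": "recon", "result": "n/a"},
    {"time": 3, "src_ip": "10.0.0.9", "dst_ip": "192.168.1.10", "msg": "portscan", "phase": "recon", "result": "n/a"},
    {"ts": 5, "source": "10.0.0.5", "target": "192.168.1.10", "signature": "ssh brute force", "stage": "exploit", "status": "failed"},
    {"ts": 10, "source": "10.0.0.5", "target": "192.168.1.10", "signature": "webshell upload", "stage": "exploit", "status": "success"},
    {"ts": 20, "source": "10.0.0.5", "target": "192.168.1.10", "signature": "suid abuse", "stage": "privesc", "status": "success"},
    {"ts": 30, "source": "10.0.0.5", "target": "192.168.1.10", "signature": "large outbound transfer", "stage": "exfil", "status": "success"},
    {"time": 40, "src_ip": "10.0.0.5", "dst_ip": "192.168.1.20", "msg": "portscan", "phase": "recon", "result": "n/a"},
    {"ts": 50, "source": "10.0.0.5", "target": "192.168.1.20", "signature": "webshell upload", "stage": "exploit", "status": "success"},
    {"ts": 70, "source": "10.0.0.5", "target": "192.168.1.20", "signature": "large outbound transfer", "stage": "exfil", "status": "success"},
]


def normalize(raw):
    """Alert standardisation: map either sensor schema onto one record.
    Unknown outcome ("n/a") becomes None so it is not mistaken for a failure."""
    if "src_ip" in raw:
        ok = None if raw["result"] == "n/a" else raw["result"] == "success"
        return {"t": raw["time"], "src": raw["src_ip"], "dst": raw["dst_ip"],
                "sig": raw["msg"], "stage": raw["phase"], "ok": ok}
    ok = None if raw["status"] == "n/a" else raw["status"] == "success"
    return {"t": raw["ts"], "src": raw["source"], "dst": raw["target"],
            "sig": raw["signature"], "stage": raw["stage"], "ok": ok}


def drop_failed(alerts):
    """Redundancy reduction: discard alerts whose attack is known to have failed."""
    return [a for a in alerts if a["ok"] is not False]


def aggregate(alerts):
    """Alert aggregation: merge alerts describing the same step
    (same attacker, victim and stage) into one record with a count."""
    groups = {}
    for a in sorted(alerts, key=lambda a: a["t"]):
        key = (a["src"], a["dst"], a["stage"])
        g = groups.setdefault(key, {"t": a["t"], "src": a["src"], "dst": a["dst"],
                                    "stage": a["stage"], "sigs": set(), "count": 0})
        g["sigs"].add(a["sig"])
        g["count"] += 1
    return sorted(groups.values(), key=lambda g: g["t"])


def reconstruct_specific(steps):
    """Specific layer: per victim, walk backwards from the furthest stage reached,
    keep only steps of the attacker who reached it (other sources are pruned), and
    insert an inferred placeholder for any skipped stage (missing-alert supplement)."""
    by_victim = defaultdict(list)
    for s in steps:
        by_victim[s["dst"]].append(s)
    scenarios = {}
    for victim, vsteps in by_victim.items():
        last = max(vsteps, key=lambda s: STAGES.index(s["stage"]))
        chain = []
        for stage in reversed(STAGES[: STAGES.index(last["stage"]) + 1]):
            hit = [s for s in vsteps if s["src"] == last["src"] and s["stage"] == stage]
            if hit:
                chain.append({"stage": stage, "t": hit[0]["t"], "count": hit[0]["count"], "inferred": False})
            else:
                chain.append({"stage": stage, "t": None, "count": 0, "inferred": True})
        chain.reverse()
        scenarios[victim] = {"attacker": last["src"], "chain": chain}
    return scenarios


def reconstruct_abstract(scenarios):
    """Abstract layer: per attacker, victims in order of first contact and the
    furthest stage reached on each."""
    view = defaultdict(list)
    first_seen = lambda kv: min(st["t"] for st in kv[1]["chain"] if st["t"] is not None)
    for victim, sc in sorted(scenarios.items(), key=first_seen):
        view[sc["attacker"]].append((victim, sc["chain"][-1]["stage"]))
    return dict(view)


def run_pipeline(raw_alerts=RAW_ALERTS):
    steps = aggregate(drop_failed([normalize(r) for r in raw_alerts]))
    specific = reconstruct_specific(steps)
    return specific, reconstruct_abstract(specific)


if __name__ == "__main__":
    specific, abstract = run_pipeline()
    for victim, sc in specific.items():
        print(victim, "attacked by", sc["attacker"])
        for st in sc["chain"]:
            print("   ", st["stage"], "(inferred)" if st["inferred"] else f"x{st['count']} at t={st['t']}")
    print("abstract:", abstract)
```

On this constructed input the failed SSH brute-force alert is dropped before aggregation, the two portscan alerts on the first victim collapse into one recon step with a count of two, the lone scan from 10.0.0.9 is pruned because it never leads to a later stage, and the second victim's missing privesc alert appears as an inferred placeholder so the chain from recon to exfil stays unbroken.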
Keywords/Search Tags: network forensics, redundancy reduction, scenario reconstruction, missing alarm supplement, alert aggregation