
Trace Analysis Technique and Realization of Network Attack Tools for Traceability Forensics

Posted on: 2019-05-19  Degree: Master  Type: Thesis
Country: China  Candidate: W F He  Full Text: PDF
GTID: 2348330542998200  Subject: Computer technology
Abstract/Summary:
With the rapid development of the Internet, network technology is used ever more widely in the economy, education, culture, science and technology, and has made daily life more and more convenient. At the same time, the threat it poses is also growing. Among these threats, APT (Advanced Persistent Threat) attacks are highly concealed and destructive because they are sophisticated, long-term and human-operated, which has made the traceability of APT attacks a hot research topic. According to statistics, as of December 2016, nearly 100 APT attack traceability studies had been published by 41 security agencies around the world. The traces left in the network attack tools collected after an APT attack (such as EXE, docx and PDF files) are the main support point for such analysis. However, so far there is no unified model or method for tracing APT attacks. This paper therefore studies the types of traces that may be recovered from the sample files of network attack tools collected after an attack, static trace extraction techniques for network attack tools, dynamic trace extraction techniques for network attack tools, and trace analysis tools for network attack tools, and presents a trace analysis model for network attack tools based on the combination of dynamic and static traceability forensics, aiming to improve this situation.

The main work of this paper is as follows:
1) By analyzing the ideas and methods in the publicly released APT attack traceability reports, we summarize their rules as 5W1H, namely Who, Why, When, Where, What and How: which people, at what time, in what place, in what way, and for what reason, did what.
2) Studying the network tools left behind by attackers, namely the types of traces that can be recovered from EXE, docx and PDF files and the static trace extraction technology, and developing static trace extraction tools.
3) Researching dynamic trace extraction technology for EXE executable files and, based on the Python open-source memory forensics framework Volatility, completing the development of dynamic trace extraction tools.
4) Integrating each module to complete a set of semi-automated tools for network attack tool trace extraction and analysis.
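The static trace extraction described in work item 2) is illustrated below with an added example; it is not the thesis author's tool and does not reproduce the dynamic (Volatility-based) part. It pulls the kinds of traces an investigator would look for first in each file type: the compile timestamp, target machine and section names from the COFF header of an EXE, the creator, last editor and creation time from docProps/core.xml inside a docx, and the /Info dictionary entries (author, producer, dates) of a PDF. Only the Python standard library is used, and the three sample files, the names analyst01, redteam-ws and the timestamps in them are constructed in memory for the demonstration.

```python
# Added example (not the thesis author's tool): static trace extraction from
# EXE, docx and PDF samples with the Python standard library only.
# The three sample files below are constructed in memory, so nothing is read
# from disk and the script runs offline.
import io
import re
import struct
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def extract_pe_traces(data: bytes) -> dict:
    """Compile timestamp, machine and section names from a PE image.

    COFF header after the 4-byte "PE\\0\\0" signature at e_lfanew:
    Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2).
    The timestamp is attacker-controllable: treat it as a trace, not as proof.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_off = e_lfanew + 24 + size_opt  # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]  # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    compiled = datetime.fromtimestamp(timestamp, timezone.utc)
    return {"machine": hex(machine),
            "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S"),
            "sections": names}


CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def extract_docx_traces(data: bytes) -> dict:
    """Author, last editor and creation time from docProps/core.xml in the OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def field(path):
        el = root.find(path, CORE_NS)
        return el.text if el is not None else None

    return {"creator": field("dc:creator"),
            "last_modified_by": field("cp:lastModifiedBy"),
            "created": field("dcterms:created")}


# Literal-string /Info values only; hex strings, escaped parentheses,
# compressed object streams and XMP metadata need a real PDF parser.
PDF_INFO_RE = re.compile(rb"/(Author|Creator|Producer|CreationDate|ModDate)\s*\(([^)]*)\)")


def extract_pdf_traces(data: bytes) -> dict:
    """/Info dictionary entries that usually name the authoring tool and its user."""
    return {k.decode("ascii"): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(data)}


# --- constructed sample inputs (not real attack tools) ---------------------

def build_sample_pe(timestamp: int) -> bytes:
    """Minimal PE skeleton: DOS header, signature, COFF header, one section, no optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew lives at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    section = b".text".ljust(8, b"\0") + b"\0" * 32
    return dos + b"PE\0\0" + coff + section


def build_sample_docx(creator: str, editor: str, created: str) -> bytes:
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
            "<dcterms:created>%s</dcterms:created></cp:coreProperties>"
            % (CORE_NS["cp"], CORE_NS["dc"], CORE_NS["dcterms"], creator, editor, created))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def build_sample_pdf(author: str, producer: str, created: str) -> bytes:
    info = "2 0 obj << /Author (%s) /Producer (%s) /CreationDate (%s) >> endobj\n" % (author, producer, created)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" + info.encode("latin-1")
            + b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")


def run_demo() -> dict:
    """Extract traces from the three constructed samples and return them for checking."""
    return {
        "exe": extract_pe_traces(build_sample_pe(1481500800)),
        "docx": extract_docx_traces(build_sample_docx("analyst01", "redteam-ws", "2016-12-12T08:00:00Z")),
        "pdf": extract_pdf_traces(build_sample_pdf("analyst01", "LibreOffice 5.2", "D:20161212080000Z")),
    }


if __name__ == "__main__":
    for kind, traces in run_demo().items():
        print(kind, traces)
```

Each extractor returns a plain dictionary so the three outputs can be merged into one timeline (compile time, document creation time, PDF creation date) and compared with the 5W1H "When" and "Who" fields; the PE function rejects inputs without the MZ/PE signatures instead of guessing, and the PDF regex is deliberately limited to literal strings so that a missed field shows up as absent rather than as a wrong value.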
Keywords/Search Tags: trace analysis, APT, trace extraction, trace removal, trace tampering