Data Stream Frequent Item Mining And Its Application In Network Forensics

Posted on: 2017-12-10
Degree: Master
Type: Thesis
Country: China
Candidate: X Z Liu
Full Text: PDF
GTID: 2358330482491350
Subject: Computer application technology

Abstract/Summary:
As network speeds keep increasing, flooding attacks of more than 300 G have become common, and a network under such an attack can rarely cope on its own. A lawful self-defense mechanism for networks is urgently needed, and network forensics is one of its most important means; many areas of network forensics, however, still need exploration and improvement. Existing research shows that a large amount of network evidence exists in the form of data streams, which are massive, real-time and volatile; these characteristics pose a huge challenge to dynamic network forensics. How to mine abnormal network flows in a timely manner, analyze them rapidly and thereby obtain dynamic evidence of network crime is therefore of great significance to the security of network information. Traditional static forensics methods struggle to meet the needs of dynamic forensics for online crime. With the spread of hacking, DDoS has gradually become the largest and most harmful threat on the Internet; DDoS crimes mostly take the form of network attacks that cause congestion or service outages. This thesis studies the dynamic network forensics process, and its main contributions are the following three points:

(1) A parallel frequent-item mining algorithm is applied to DDoS attack forensics. High-volume attack packets are usually generated by Trojan tools and, unlike normal packets, are not interactive: their contents are relatively fixed code fragments (called fingerprints in this thesis) with a high repetition rate. Based on this fingerprint characteristic of attack packets, the frequent-item mining algorithm is applied to the detection of attack behaviour in high-speed networks during forensic analysis, so that high-frequency attack fingerprints can be detected quickly, the attack defended against and evidence obtained.

Furthermore, because of the large volume of network traffic, a baseline filtering method based on historical data is proposed. Baseline filtering reduces the input to the frequent-item mining algorithm: only the abnormal traffic that falls outside the baseline is fed to the forensic analysis server, which reduces the difficulty of cleaning the data stream.

(2) The parallel frequent-item mining algorithm is improved through load balancing and redundant-data pruning. The original parallel algorithm is improved by fast pruning, which reduces the time and space complexity of its recursive mining. A load-balancing strategy lets the management node estimate the distribution of mining tasks across the computing nodes before dispatching them, so that the load is shared and child-node overload is avoided as far as possible; this improves the efficiency and stability of the algorithm, lowers its time and memory consumption, and further reduces the response time of forensic analysis.

(3) Finally, building on the two improvements above, a DDoS attack forensics system based on the parallel frequent-item mining algorithm is built. Through the system's analysis, the source of an attack and its characteristics can be discovered quickly; DDoS attack packets matching those characteristics are then filtered out to keep the network operating normally, and the attack packets are stored in a database. The system can successfully defend against DDoS attacks while at the same time obtaining dynamic network evidence.
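As an added illustration (not code from the thesis or its forensics system), the following Python sketch combines the two ideas of contribution (1): a single-pass frequent-item summary over packet fingerprints (Misra-Gries, standing in for the thesis's parallel algorithm) followed by a baseline filter built from historical traffic, so that only fingerprints whose frequency is abnormal against the baseline are forwarded for forensic analysis. The fingerprint definition (a fixed-length payload prefix), the threshold ratio and the sample packets are assumptions.

```python
from collections import Counter

FP_LEN = 16  # assumed: a packet's "fingerprint" is its fixed-length payload prefix

def fingerprint(payload: bytes) -> bytes:
    """Reduce a payload to its fingerprint (assumed definition, not the thesis's)."""
    return payload[:FP_LEN]

def misra_gries(stream, k):
    """Single-pass frequent-item summary using k-1 counters.
    Any item seen more than n/k times in n items survives; counts are
    under-estimated by at most n/k, so they are lower bounds."""
    counters = {}
    for item in stream:
        if item in counters:
            counters[item] += 1
        elif len(counters) < k - 1:
            counters[item] = 1
        else:  # table full: decrement every counter, dropping those that reach zero
            for key in list(counters):
                counters[key] -= 1
                if counters[key] == 0:
                    del counters[key]
    return counters

def baseline_filter(candidates, baseline, n_current, n_baseline, ratio=5.0):
    """Keep fingerprints whose current rate exceeds `ratio` times their historical
    rate; unseen fingerprints get a floor of one historical packet."""
    flagged = {}
    for fp, count in candidates.items():
        current_rate = count / n_current
        baseline_rate = max(baseline.get(fp, 0), 1) / n_baseline
        if current_rate > ratio * baseline_rate:
            flagged[fp] = count
    return flagged

def detect(current_payloads, history_payloads, k=10, ratio=5.0):
    """Mine frequent fingerprints in the current window, then drop those inside the baseline."""
    baseline = Counter(fingerprint(p) for p in history_payloads)
    candidates = misra_gries((fingerprint(p) for p in current_payloads), k)
    return baseline_filter(candidates, baseline, len(current_payloads), len(history_payloads), ratio)

# Constructed sample traffic (not captured data): two normal request shapes present in the
# history, plus a repeated non-interactive flood payload that appears only in the current window.
NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: a\r\n", b"POST /login HTTP/1.1\r\nHost: a\r\n"]
FLOOD = b"\x00\x00\x00\x00FLOOD-FLOOD-FLOOD\x00\x00"
HISTORY = NORMAL * 50
CURRENT = NORMAL * 50 + [FLOOD] * 400

def run_demo():
    return detect(CURRENT, HISTORY)  # only the flood fingerprint is forwarded for analysis
```

Only fingerprints that survive both the frequency summary and the baseline comparison reach the analysis stage, which is the data reduction the baseline filtering step is meant to achieve.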
Keywords/Search Tags:Data Stream, DDoS, Frequent Itemsets Mining, Redundancy Pruning, Network Forensics