Emergency response is an important step in handling cyber security incidents, and the direction in which an incident is traced can affect or even determine its outcome. Modern computer networks use multi-level access structures in their architecture in pursuit of the highest reliability, access-path redundancy in their topology in pursuit of robustness, and load-balancing techniques such as re-mapping or connection re-mapping in pursuit of high performance. In addition, the huge volume of trace records produced by an emergency may contain a large amount of redundant data because of how maintenance responsibilities are divided, or, conversely, may be incomplete because of operation and maintenance cost pressure.

This thesis studies network intrusion tracking technology. Based on audit logs and network topology, it extracts the full access path leading to Tongda incident sinks, uses the Z method to synthesise multiple correlation matrices, and associates fragmented trace chains into a full path with an intrusion direction, which provides direction for the next step of public security criminal investigation. The main work is summarised in the following five aspects:

(1) The research background and significance of network intrusion tracking are elaborated, and the research status of network intrusion tracking mechanisms, of network forensics technology, and of the time series similarity analysis technology they rely on is summarised. It is then pointed out that the current conceptual model of computer network intrusion tracking, under the influence of advanced technologies such as structural reliability and load balancing, still faces challenges of conceptual reconstruction such as unclear steps, so that current computer network intrusion tracking lacks an applicable tracking mechanism, an integrated framework, and other technological elements.

(2) To address the intrusion tracking model challenge, network intrusions and the factual evidence relevant to tracking them are abstracted and summarised from the research scenarios and related emergencies and intrusion cases, and related concepts such as network intrusion events, their traces, and trace chains are formally defined. On these concepts a formal description model of network intrusion traces is established, followed by a mathematical model of intrusion tracking that operates on those trace models; that is, the basic activities involved in network intrusion tracking and their basic behaviours are identified, summarised, and formally defined. With this formal model in place, the structural connectivity of the tracking model is analysed from a mathematical perspective and its behavioural characteristics are deduced. On the basis of the trace model and the tracking model, a pushdown automaton for network intrusion tracking is established, and from the aspect of computability it is proved that the above network intrusion tracking process has the property of terminal reachability. A new computer system for network intrusion tracking is thus obtained.

(3) On the basis of this new computer system, a new framework algorithm for network intrusion tracking is constructed at the technical level, and the principles and pseudocode design of the three key sub-algorithms integrated into the network intrusion tracking system are given and elaborated: the correlation point sequence construction sub-algorithm, the associated suspicious process sequence sub-algorithm, and the suspicious access reverse sequence connection sub-algorithm. The corresponding algorithm complexity analysis is then given, which provides a technical basis for the design and implementation of the network intrusion tracking system.

(4) According to the project requirements, with the above framework technology and key sub-algorithms as the technical basis and using object-oriented development methods, a prototype network intrusion tracking system based on access records is designed and implemented.

(5) On the basis of the pre-research project scenario, test cases are designed and used to verify the functionality of the network intrusion tracking system. The experimental results show that the audit log-based network intrusion tracking system initially conforms to the project's intent: according to the computer network topology, the start and end points of events, and node access records, it can correlate suspicious access reverse sequences related to specific operational database records, and a statistical evaluation is made of each reverse sequence of suspicious visits. Compared with the results of Mohammad Rasmi et al., the network intrusion tracking technology proposed in this thesis gives emergency investigators greater technical flexibility in dealing with missing data. In addition, the correlation matrix synthesis method proposed on the basis of the Z method can synthesise the various matrices derived from multiple correlation methods, which better reduces the errors caused by defects in any single correlation method. The reliability of the reverse sequence for accessing suspicious processes and the recognition of SQL injection based on semantic recognition are the next research points or directions.
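The reverse-sequence reconstruction the abstract describes (walking from an incident sink back through node access records, constrained by the network topology, and tolerating a missing record), as an added illustrative example that is not code from the thesis: the topology, host names, audit records and the coverage score are all constructed assumptions, and it implements neither the Z method nor the thesis's own sub-algorithms.

```python
# Constructed (hypothetical) topology: multi-level access with redundant load-balancer paths.
TOPOLOGY = {"internet": {"lb1", "lb2"}, "lb1": {"web1", "web2"}, "lb2": {"web1", "web2"},
            "web1": {"app1"}, "web2": {"app1"}, "app1": {"db1"}}

# Constructed audit records: (time, logging_node, src_node, session).
# web1's record for session s1 is deliberately absent to model log incompleteness.
AUDIT_LOG = [(100, "lb1", "internet", "s1"), (102, "app1", "web1", "s1"), (103, "db1", "app1", "s1"),
             (105, "lb2", "internet", "s2"), (106, "web2", "lb2", "s2"), (107, "app1", "web2", "s2")]


def predecessors(topology, node):
    """Nodes that reach `node` directly according to the topology."""
    return {n for n, nxt in topology.items() if node in nxt}


def latest_record(log, node, session, before):
    """Most recent record logged at `node` for `session` strictly before time `before`, or None."""
    hits = [r for r in log if r[1] == node and r[3] == session and r[0] < before]
    return max(hits, key=lambda r: r[0]) if hits else None


def reverse_access_sequence(topology, log, sink, session, t_end):
    """Walk from the incident sink back towards the entry point. Each hop is (node, status):
    'logged' if the node's own audit record exists, 'inferred' if the hop had to be bridged
    from a topology predecessor's record, 'unresolved' if the trail goes cold."""
    seq, node, t = [], sink, t_end
    while True:
        rec = latest_record(log, node, session, t)
        if rec is not None:
            seq.append((node, "logged"))
            t, node = rec[0], rec[2]  # follow the recorded source one hop upstream
            continue
        preds = predecessors(topology, node)
        if not preds:
            seq.append((node, "source"))  # topology root: nothing further upstream
            return seq
        # Gap in the log: look for a matching earlier record on any topology predecessor.
        cand = [(p, latest_record(log, p, session, t)) for p in preds]
        cand = [(p, r) for p, r in cand if r is not None]
        if not cand:
            seq.append((node, "unresolved"))
            return seq
        p, rec = max(cand, key=lambda c: c[1][0])  # prefer the latest predecessor record
        seq.extend([(node, "inferred"), (p, "logged")])
        t, node = rec[0], rec[2]


def coverage(seq):
    """Share of hops backed by an audit record: a simple reliability score (an assumption)."""
    hops = [s for _, s in seq if s != "source"]
    return sum(s == "logged" for s in hops) / len(hops) if hops else 0.0
```

For session s1 the walk bridges the missing web1 record through lb1's record and reports a coverage of 0.75, which is the kind of per-sequence evaluation a practitioner would want before trusting a reconstructed path.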