
Evidence Fusion of the Network Forensics on the Hidden Markov Models
Cite this article: YANG Jun, MA Qin-sheng, WANG Min, CAO Yang. Evidence Fusion of the Network Forensics on the Hidden Markov Models[J]. Journal of University of Electronic Science and Technology of China, 2013, 42(3): 350-354.
Authors: YANG Jun, MA Qin-sheng, WANG Min, CAO Yang
Affiliation: 1. School of Electronic Information, Wuhan University, Wuhan 430079; 2. Second Department, Commanding Communications Academy, Wuhan 430010
Funding: Specialized Research Fund for the Doctoral Program of Higher Education
Abstract: Causal-correlation evidence fusion methods for network forensics suffer from complex algorithms and imprecise scene reconstruction. To address these problems, an evidence fusion method for network forensics based on hidden Markov models (HMM) is proposed, and the feasibility of applying HMMs to evidence fusion is explained. The method takes the sequence of meta-evidence as the random observation sequence and the network intrusion steps as the random state sequence; by decoding the meta-evidence sequence, it finds the most likely network intrusion steps and backtracks the chain of evidence accordingly. Experimental results show that, compared with the multi-source evidence fusion method based on Bayesian networks, both the algorithm complexity and the resistance to interference items are markedly improved, and the method can reproduce the crime scene of a network intrusion fairly precisely at a relatively low cost.
Keywords: computer forensics; data fusion; hidden Markov models; network security
Received: 2011-08-28
This article is indexed in Wanfang Data and other databases.
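
An added illustration of the decoding step the abstract describes, not code from the paper: it assumes the Viterbi algorithm as the decoding operation (the abstract does not name one) and uses constructed intrusion steps, meta-evidence types and probabilities. It decodes a meta-evidence sequence into intrusion steps and groups the evidence into a chain, with one interference item included.

```python
import math
from itertools import groupby

# Constructed model, not taken from the paper: intrusion steps are the hidden
# states, meta-evidence types are the observation symbols.
STATES = ("recon", "exploit", "escalate", "exfiltrate")
SYMBOLS = ("port_scan", "ids_alert", "new_admin", "large_upload", "benign_login")
START = (0.85, 0.05, 0.05, 0.05)
TRANS = (  # row = current step, column = next step
    (0.60, 0.30, 0.05, 0.05),
    (0.05, 0.50, 0.40, 0.05),
    (0.05, 0.05, 0.55, 0.35),
    (0.05, 0.05, 0.10, 0.80),
)
EMIT = (  # row = step, column = symbol; benign_login is equally likely everywhere
    (0.70, 0.10, 0.02, 0.03, 0.15),
    (0.10, 0.70, 0.03, 0.02, 0.15),
    (0.02, 0.10, 0.70, 0.03, 0.15),
    (0.02, 0.03, 0.10, 0.70, 0.15),
)

def decode(evidence):
    """Viterbi decoding: most likely intrusion step for each meta-evidence item."""
    obs = [SYMBOLS.index(e) for e in evidence]
    n = range(len(STATES))
    score = [math.log(START[s] * EMIT[s][obs[0]]) for s in n]
    back = []  # back[t][s] = best predecessor of step s at position t + 1
    for o in obs[1:]:
        prev = [max(n, key=lambda p: score[p] + math.log(TRANS[p][s])) for s in n]
        score = [score[prev[s]] + math.log(TRANS[prev[s]][s] * EMIT[s][o]) for s in n]
        back.append(prev)
    s = max(n, key=lambda k: score[k])
    path = [s]
    for prev in reversed(back):  # follow the back-pointers from the last item
        s = prev[s]
        path.append(s)
    return [STATES[s] for s in reversed(path)]

def evidence_chain(evidence):
    """Group the evidence items under the decoded step they fall in, in order."""
    pairs = zip(decode(evidence), evidence)
    return [(step, [e for _, e in grp]) for step, grp in groupby(pairs, key=lambda p: p[0])]

# Constructed meta-evidence sequence containing one interference item.
NOISY = ["port_scan", "ids_alert", "benign_login", "new_admin", "large_upload"]

if __name__ == "__main__":
    for step, items in evidence_chain(NOISY):
        print(f"{step:<11}{items}")
```

Because the interference item is emitted with the same probability in every step, it is absorbed into a neighbouring step by the transition probabilities and the decoded sequence of steps is the same as for the clean input.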