
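Self-adaptive Mechanism of Dynamic Forensics
Cite this article: CHEN Lin, LI Zhi-tang, GAO Cui-xia. Self-adaptive Mechanism of Dynamic Forensics[J]. Computer Science, 2009, 36(11): 65-67.
Authors: CHEN Lin  LI Zhi-tang  GAO Cui-xia
Affiliation: 1. School of Computer Science, Huazhong University of Science and Technology, Wuhan 430074
2. School of Computer Science, Huazhong University of Science and Technology, Wuhan 430074; Network Center, Huazhong University of Science and Technology, Wuhan 430074
Abstract: With the development of network intrusion and computer crime techniques, dynamic forensics is becoming increasingly important. Methods that use intrusion detection systems and honeypots for intrusion forensics have a large advantage in real-time performance, but they give little consideration to the reliability of the evidence and of the system while the system is being intruded upon, and the right moment to collect evidence is hard to determine. A self-adaptive dynamic forensics method is proposed that uses an intrusion detection system as the forensics trigger, uses a shadow honeypot to confirm suspected attacks and to observe and analyze them further, adaptively adjusts the forensics process, and acquires key evidence. Finally, the mechanism is modeled with a finite state machine, and its key techniques, such as the timing of state transitions, the shadow honeypot and secure evidence storage, are described. Implementing dynamic forensics with this mechanism makes the forensics process more controllable, reduces the amount of unnecessary evidence, and strengthens the system's intrusion tolerance.

Keywords: Dynamic forensics  Shadow honeypot  Self-adaptive  Finite state machine
Received: 2008/12/24 0:00:00
Revised: 3/5/2009 12:00:00 AM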

Self-adaptive Mechanism of Dynamic Forensics
CHEN Lin, LI Zhi-tang, GAO Cui-xia. Self-adaptive Mechanism of Dynamic Forensics[J]. Computer Science, 2009, 36(11): 65-67.
Authors: CHEN Lin  LI Zhi-tang  GAO Cui-xia
Affiliation: (School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China); (Network Center, Huazhong University of Science and Technology, Wuhan 430074, China)
Abstract: With the development of intrusion and computer crime technologies, dynamic forensics is becoming more and more important. Dynamic forensics based on intrusion detection and honeypot technologies has great advantage in real-time performance, whereas these methods are defective in overcoming the difficulty of evidence and system reliability, and hard to seize the opportunity of investigation. A self-adaptive mechanism was proposed which used intrusion detection system as forensics trigger and shadow honeypot was used to verify the suspicious attack, observe and analyze the attack activities furthermore to gather key evidences. And then the finite state machine model of this mechanism was illuminated and key technologies such as shadow honeypot, state transition opportunity and evidence security storage method were described. The dynamic forensics system with this mechanism can tolerate intrusion in a certain degree and get the investigation process under control. Moreover, the amount of unnecessary evidences can be reduced obviously.
Keywords:Dynamic forensics  Shadow honeypot  Self-adaptive  Finite state machine
This article is indexed in Wanfang Data and other databases.