
Computer Engineering (计算机工程) ›› 2007, Vol. 33 ›› Issue (19): 161-163. doi: 10.3969/j.issn.1000-3428.2007.19.056

• Security Technology •

Design of a Network Forensic System Based on Intrusion Tolerance

ZHANG You-dong (张有东)1, JIANG Bo (江波)1, WANG Jian-dong (王建东)2

  1. Department of Computer Engineering, Huaiyin Institute of Technology, Huaian 223003; 2. Institute of Information Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 210016
  • Online: 2007-10-05  Published: 2007-10-05


Abstract: Existing network forensic systems assume that the system is still in a reliable working state when an intrusion occurs, and do not consider the effect of changes in system state on evidence collection. This paper proposes INFS, a network forensic system with intrusion-tolerance capability. It analyses the prototype's intrusion-tolerance mechanism, its forensic control mechanism based on a semi-Markov process (SMP), its secure transmission mechanism, and the operation of the forensic agent and the attack-traceback agent; it discusses the forensic analysis methods that correspond to the different system states, and proposes a cooperative forensics technique.

Keywords: network forensics, intrusion tolerance, semi-Markov process (SMP), agent, cooperative forensics

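The abstract's point about SMP-based forensic control is that the collection policy should follow the current intrusion-tolerance state of the monitored system rather than assume the system is always reliable. The following Python is an added illustration, not code from the INFS prototype or its authors: it models the system as a semi-Markov process over a constructed five-state set (Good, Vulnerable, Attacked, Degraded, Failed), computes the long-run fraction of time spent in each state from the embedded chain's stationary distribution and the mean sojourn times, maps each state to a hypothetical forensic collection mode, and tags evidence records with the state under which they were gathered so that analysis can discount evidence produced while the local collectors may themselves have been compromised. The state names, transition probabilities, sojourn times, mode names and the evidence record format are all assumptions made for the example, not values taken from the paper.

```python
"""Semi-Markov-process (SMP) driven forensic control.

Added example, not the INFS prototype's code.  The state set, transition
probabilities, mean sojourn times and mode names below are constructed
assumptions chosen only to make the arithmetic concrete.
"""
from fractions import Fraction

# Assumed intrusion-tolerance states of the monitored system (hypothetical).
STATES = ["Good", "Vulnerable", "Attacked", "Degraded", "Failed"]

# Embedded discrete-time Markov chain: P[i][j] is the probability that, on
# leaving state i, the system moves to state j.  Rows sum to 1.  (Assumed.)
P = {
    "Good":       {"Vulnerable": Fraction("1")},
    "Vulnerable": {"Good": Fraction("0.6"), "Attacked": Fraction("0.4")},
    "Attacked":   {"Good": Fraction("0.5"), "Degraded": Fraction("0.4"),
                   "Failed": Fraction("0.1")},
    "Degraded":   {"Good": Fraction("0.9"), "Failed": Fraction("0.1")},
    "Failed":     {"Good": Fraction("1")},
}

# Mean sojourn time in each state, in hours.  (Assumed.)
H = {"Good": 100, "Vulnerable": 10, "Attacked": 2, "Degraded": 5, "Failed": 1}

# Hypothetical mapping from system state to forensic collection mode.
FORENSIC_MODE = {
    "Good":       "baseline",     # flow records only; local evidence fully trusted
    "Vulnerable": "elevated",     # full-packet capture on the exposed services
    "Attacked":   "full",         # full capture, attack-traceback agent activated
    "Degraded":   "cooperative",  # local collectors suspect: corroborate with peer agents
    "Failed":     "preserve",     # seal and ship what exists; collect nothing new locally
}

# States in which locally collected evidence cannot be trusted on its own.
UNTRUSTED_STATES = {"Attacked", "Degraded", "Failed"}


def stationary_distribution(P, states):
    """Stationary distribution pi of the embedded DTMC, solved exactly.

    Solves pi * P = pi with sum(pi) = 1 by Gauss-Jordan elimination over
    Fractions; one balance equation is redundant and is replaced by the
    normalisation constraint.
    """
    n = len(states)
    idx = {s: k for k, s in enumerate(states)}
    A = []
    for j in states:                        # balance equation for column j
        row = [Fraction(0)] * (n + 1)
        for i in states:
            row[idx[i]] += P[i].get(j, Fraction(0))
        row[idx[j]] -= 1                    # ... minus pi_j, right-hand side 0
        A.append(row)
    A[-1] = [Fraction(1)] * n + [Fraction(1)]   # replace last row by sum(pi) = 1
    for col in range(n):
        pivot = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[pivot] = A[pivot], A[col]
        pv = A[col][col]
        A[col] = [x / pv for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return {s: A[idx[s]][n] for s in states}


def smp_steady_state(P, H, states):
    """Long-run fraction of time the SMP spends in each state:
    p_i = pi_i * h_i / sum_j(pi_j * h_j)."""
    pi = stationary_distribution(P, states)
    w = {s: pi[s] * Fraction(H[s]) for s in states}
    total = sum(w.values())
    return {s: w[s] / total for s in states}


def untrusted_evidence_fraction(P, H, states):
    """Share of wall-clock time in which local evidence needs corroboration,
    i.e. the share of evidence the cooperative-forensics path must cover."""
    p = smp_steady_state(P, H, states)
    return sum(p[s] for s in states if s in UNTRUSTED_STATES)


def forensic_mode(state):
    """Collection mode the forensic control mechanism selects for a state."""
    return FORENSIC_MODE[state]


def tag_evidence(record, state):
    """Attach the collection state to an evidence record (constructed format)
    so that later analysis can weight it by the state it was gathered in."""
    return dict(record, state=state, mode=FORENSIC_MODE[state],
                locally_trusted=state not in UNTRUSTED_STATES)


if __name__ == "__main__":
    p = smp_steady_state(P, H, STATES)
    for s in STATES:
        print(f"{s:<11} {float(p[s]):8.5f}  mode={forensic_mode(s)}")
    print("untrusted-evidence fraction:",
          float(untrusted_evidence_fraction(P, H, STATES)))
    # Constructed sample evidence record.
    print(tag_evidence({"src": "10.0.0.7", "dst": "10.0.0.20", "dport": 22,
                        "ts": "2007-10-05T08:00:00Z"}, "Degraded"))
```

With the assumed numbers the system spends roughly 1.5% of its time in the three states where local collectors are suspect; that fraction is the evidence that the cooperative path (peer agents and the attack-traceback agent) has to corroborate, which is the quantity a forensic control mechanism built on the SMP can budget for rather than assume away.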
