
Computer Engineering ›› 2010, Vol. 36 ›› Issue (14): 158-160. doi: 10.3969/j.issn.1000-3428.2010.14.057

• Artificial Intelligence and Recognition Technology •

Immune Clone Forensic Analysis Method with Constraint

YANG Jun1, WANG Min2, CHEN Chen1, LIAO Wei-hui1, LI Jing1

  1. School of Electronic Information, Wuhan University, Wuhan 430079; 2. Second Department, Commanding Communications Academy, Wuhan 430010
  • Online: 2010-07-20 Published: 2010-07-20
  • About the authors: YANG Jun (born 1973), female, lecturer, main research interest: information security; WANG Min, lecturer; CHEN Chen, LIAO Wei-hui and LI Jing, master's students
  • Supported by:
    Specialized Research Fund for the Doctoral Program of Higher Education (2004048 6049)

Abstract: To address the low efficiency of forensic analysis methods based on association rules, this paper proposes an immune clone forensic analysis method with constraints. The method takes the support of the antigen for the antibody as the affinity function, the key attributes as the constraint condition, and the minimum support and minimum confidence as the screening conditions, and builds the behavior profile by applying immune clonal operations to the antibodies. Experimental results show that, compared with the forensic analysis method based on the Apriori-CGA algorithm, both the time to build the behavior profile and the size of the behavior profile are markedly reduced, so the method can effectively improve the efficiency of forensic analysis and establish the scope on which investigation and evidence collection should focus.

Key words: computer security, computer forensics, data mining, immune clone, association rules
