
Computer Engineering

• Development Research and Engineering Application •

Research on Intrusion Event Reconstruction Technology of Computer Intrusion Forensic

JI Yu-chen 1, FU Xiao 2a, SHI Jin 2b, LUO Bin 2a, ZHAO Zhi-hong 2a

  1. School of Computer Science and Engineering, Anhui University of Science and Technology, Huainan 232001, China; 2. Nanjing University, Nanjing 210093, China: a. Software Institute; b. College of National Secrecy
  • Received: 2012-11-14; Online: 2014-01-15; Published: 2014-01-13
  • About the authors: JI Yu-chen (born 1988), male, master's student; research interest: computer forensics. FU Xiao (corresponding author) and SHI Jin, lecturers, Ph.D. LUO Bin and ZHAO Zhi-hong, professors, Ph.D.
  • Funding: National Natural Science Foundation of China (61100197, 61100198)

Abstract: Computer evidence in intrusion forensics is easily altered or deleted, easily lost, drawn from many sources and heterogeneous in content. Against this background, this paper surveys the current state of intrusion event reconstruction technology. It analyzes the main evidence sources for intrusion reconstruction from two perspectives, application-layer objects/events and operating-system-layer objects/events, introduces the mainstream reconstruction tools in current use, and studies the common reconstruction methods, including timestamp-based log analysis, semantic integrity checking, dependency tracking based on operating-system-layer objects, and event reconstruction models based on finite state machines, summarizing the advantages and disadvantages of each. The methods are compared in terms of reconstruction efficiency, false positive rate, evidence credibility, evidence authenticity and reconstruction environment, and future research directions for intrusion event reconstruction in computer intrusion forensics are discussed.

Key words: computer forensics, intrusion forensics, intrusion event reconstruction, source of evidence, intrusion reconstruction method
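The abstract lists dependency tracking based on operating-system-layer objects among the reconstruction methods. The following Python block is an added illustration, not code from the paper or its authors: it runs backward dependency tracking over a constructed set of process/file events, bounding each object by the timestamp at which it last influenced the detection point. The process names, file paths and timestamps are constructed sample values.

```python
from collections import defaultdict

# Constructed sample of operating-system-layer events: (timestamp, process, action, object).
# The chain sshd -> bash -> wget -> /tmp/payload -> bash -> /etc/rc.local is the incident;
# the cron/backup events and the late log write are unrelated or later activity.
EVENTS = [
    (100, "proc:sshd",   "fork",  "proc:bash"),
    (102, "proc:bash",   "read",  "file:/home/u/.bashrc"),   # benign, but causally prior
    (110, "proc:bash",   "fork",  "proc:wget"),
    (115, "proc:wget",   "write", "file:/tmp/payload"),
    (120, "proc:bash",   "read",  "file:/tmp/payload"),
    (125, "proc:bash",   "write", "file:/etc/rc.local"),     # detection point
    (130, "proc:cron",   "fork",  "proc:backup"),
    (131, "proc:backup", "read",  "file:/etc/rc.local"),     # after detection: downstream effect
    (140, "proc:bash",   "write", "file:/var/log/app.log"),  # after detection: not a cause
]

def flow(event):
    """Return (source, sink): which object causally affects which in this event."""
    _, proc, action, obj = event
    # A read carries information from the object into the process; fork/exec/write carry it out.
    return (obj, proc) if action == "read" else (proc, obj)

def backtrack(events, target, ts_max):
    """Backward dependency tracking: return, sorted by time, every event that could have
    contributed to `target` being in its observed state at time `ts_max`."""
    by_sink = defaultdict(list)
    for ev in events:
        src, sink = flow(ev)
        by_sink[sink].append((ev[0], src, ev))
    # bound[obj] = latest time at which obj's state still matters for the detection point
    bound = {target: ts_max}
    work = [target]
    found = set()
    while work:
        obj = work.pop()
        for ts, src, ev in by_sink[obj]:
            if ts > bound[obj]:
                continue              # happened after obj mattered: cannot be a cause
            found.add(ev)
            if bound.get(src, -1) < ts:
                bound[src] = ts       # src matters up to the time it influenced obj
                work.append(src)
    return sorted(found)

if __name__ == "__main__":
    for ev in backtrack(EVENTS, "file:/etc/rc.local", 125):
        print(ev)
```

The benign .bashrc read is reported alongside the real chain, which is the over-approximation behind the false positive rate the abstract uses as a comparison metric.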

CLC number: