LIN Guo-yuan,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.27.042

2006-01-01

Abstract:In this article,we analyze the condition of computer forensics and point out dynamic forensics is its trend. After reasoning the feasibility of adopting IDS into dynamic forensics,a dynamic forensics system model is presented and expounded in detail.Since it is the combo of IDS and justice parsing technique,it will be instructive for the dynamic forensics of computer crime.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

Lin Chen,Zhitang Li,Cuixia Gao,Lan Liu

DOI: https://doi.org/10.1109/ispa.2009.66

2009-01-01

Abstract:With the development of intrusion technologies, dynamic forensics is becoming more and more important. Dynamic forensics using IDS or honeypot are all based on a common hypothesis that the system is still in a reliable working situation and collected evidences are believable even if the system is suffered from intrusion. In fact, the system has already transferred into an insecurity and unreliable state, it is uncertain that whether the intrusion detectors and investigators could run as normal and whether the obtained evidences are credible. Although intrusion tolerance has been applied in many areas of security for years, few researches are referred to network forensics. The work presented in this paper is based on an idea to integrate Intrusion tolerance into dynamic forensics to make the system under control, ensure the reliability of evidences and aim to gather more useful evidences for investigation. A mechanism of dynamic forensics based on intrusion forensics is proposed. This paper introduces the architecture of the model which uses IDS as tolerance and forensics trigger and honeypot as shadow server, the finite state machine model is described to specify the mechanism, and then two cases are analyzed to illuminate the mechanism.

Jian Zhang,Xiao Fu,Xiaojiang Du,Bin Luo,Zhihong Zhao

DOI: https://doi.org/10.1109/ICDCSW.2013.7

2013-01-01

Abstract:An important data source for intrusion forensics is various types of logs from the systems and networks being investigated. However, there are still many problems when using these logs for forensic analysis. Firstly, with the development of computers and Internet, intrusion behaviors involve more types and more quantities of logs, and these massive and complex log evidences make forensics analyst overwhelmed. Secondly, among the large number of logs that investigators need to analyze, the data related to criminal behaviors only accounts for a very small proportion and most of the rest data are useless records resulted from normal behaviors. Large amount of forensic data and high proportion of useless records make it very difficult to investigate and collect evidences. In addition, this makes criminal behaviors that submerged in a large amount of useless records easily overlooked. This paper introduces a new method for the reduction of candidate log evidences for intrusion forensics. Its main idea is to extract the key attribute fields as features of log records and assign a score to each log record. This score is used to indicate the degree of redundancy of the record. The greater the score is, the more likely the records are redundant. Our experiments based on Darpa2000 and Snort real-world data show that this method can significantly reduce the interference caused by useless data for forensic analysis: it removes 57% and 82% useless data in Darpa2000 and the Snort real-world data, respectively.

陈琳,李之棠,高翠霞

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.11.015

2009-01-01

Computer Science

Abstract:With the development of intrusion and computer crime technologies,dynamic forensics is becoming more and more important.Dynamic forensics based on intrusion detection and honeypot technologies has great advantage in real-time performance,whereas these methods are defective in overcoming the difficulty of evidence and system reliability,and hard to seize the opportunity of investigation.A self-adaptive mechanwasm was proposed which used intrusion detection system as forensics trigger and shadow honeypot was used to verify the suspicious attack,observe and analyze the attack activities further more to gather key evidences.And then the finite state machine model of this mechanism was illuminated and key technologies such as shadow honeypot,state transition opportunity and evidence security storage method were described.The dynamic forensics system with this mechanism can tolerate intrusion in a certain degree and get the investigation process under control.Moreover,the amount of unnecessary evidences can be reduced obviously.

Tian Zhihong,Jiang Wei,Li Yang,Dong Lan

DOI: https://doi.org/10.1109/CC.2014.6880464

2014-01-01

Abstract:Network intrusion forensics is an important extension to present security infrastructure, and is becoming the focus of forensics research field. However, comparison with sophisticated multi-stage attacks and volume of sensor data, current practices in network forensic analysis are to manually examine, an error prone, labor-intensive and time consuming process. To solve these problems, in this paper we propose a digital evidence fusion method for network forensics with Dempster-Shafer theory that can detect efficiently computer crime in networked environments, and fuse digital evidence from different sources such as hosts and sub-networks automatically. In the end, we evaluate the method on well-known KDD Cup 1999 dataset. The results prove our method is very effective for real-time network forensics, and can provide comprehensible messages for a forensic investigators.

Weicheng Qiu,Yinghua Ma,Xiuzhen Chen,Haiyang Yu,Lixing Chen

DOI: https://doi.org/10.1016/j.cose.2022.102709

IF: 5.105

2022-01-01

Computers & Security

Abstract:Cyber-attacks are becoming increasingly sophisticated, posing greater challenges in accurately detecting intrusions. Failure to prevent intrusions could degrade the credibility of security services. Intrusion Detection System (IDS) is one of the most effective paradigms to identify attack behaviors. This paper proposes a novel hybrid intrusion detection system called DST-IDS. The proposed method employs both packet-based and flow-based intrusion detection techniques and combines them with Dempster-Shafer Theory (DST). DST-IDS has an ensemble-like framework. It takes both traffic flows and their first N packets as inputs; flow-based IDS aims to predict traffic flows and packet-based IDS detects attacks in the corresponding packets; DST is then applied to fuse predictions of flow-based IDS and packet-based IDS to a final detection result. We also design a novel data collection/processing tool in DST-IDS to reduce the data volume required to perform intrusion detection and enable early detection. In addition, DST-IDS is designed to work with heterogeneous data distribution where the distribution of the training dataset can differ from the data distribution during implementation. This property drastically improves the practicality of DST-IDS. We run experiments on public datasets and real networks to evaluate the proposed method. The experimental results show that DST-IDS outperforms state-of-the-art benchmarks in terms of intrusion detection accuracy and detection speed. Particularly, DST-IDS provides real-time detection in real networks and handles well heterogeneous data distribution.

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

于志宏,刘喆,赵阔,努尔布力,史光坤,胡亮

DOI: https://doi.org/10.3321/j.issn:1671-5489.2008.04.029

2008-01-01

Abstract:In order to solve the problems existed in static forensics technology,this paper presents the design and implementation of a dynamic computer forensics system based on network.Compared with the traditional tools of the system,it performs the work of gathering evidence in advance before criminal action has occurred or in the process of crime so as to avoid the evidence chain lost caused by evidence not scout timely.It can improve the efficiency of the work of gathering evidence;enhance data integrity and timeliness of evidence.This paper describes the architecture,function and work flow,and the implementation of main functions of the core module technology.

Gong Jian,Wang Zhuoran,Su Qi,Yang Wang

DOI: https://doi.org/10.13245/j.hust.161107

2016-01-01

Abstract:To improve the efficiency of the security incident response ,an intrusion detection and fo‐rensic analysis automation response model was designed and implemented .The model was based on the particular security event information ,OpenFlow switches were used for packet filtering and for‐warding ,PF- RING ZC Zero‐Copy tool was used to automatically collect packet traffic ,and open source intrusion detection software Suricata and multi‐feature associated redundancy elimination algo‐rithm were used to complete network intrusion detection and redundance elimination of intrusion e‐vent .Bro system was combined with application layer protocol analysis to complete forensic analysis of network traffic ,which could significantly reduce manual intervention .Various parts of the automa‐ted response model were analyzed in detail by bots detected experiment ,the results show the effective‐ness of the model for enhancing the efficiency of the security incident response .

Lin Chen,Zhitang Li,Cuixia Gao,Yingshu Liu

DOI: https://doi.org/10.1109/CIT.2009.108

2009-01-01

Abstract:As an important part of computer forensics, network forensics particularly places emphasis on dynamic network information collection and proactive defense. Most forensics systems based on intrusion detection or honeypot rarely emphasize the availability of actual servers. In addition, few of them discussed the occasion of dynamic forensics particularly. The work presented in this paper is based on an idea to assist dynamic forensics with intrusion tolerance and deception technology to enhance the availability of server system and gather more useful evidences on a proper occasion. A mechanism of dynamic forensics based on intrusion forensics is proposed and is modeled with finite state machine. The workflow is described. A semi Markov process based on the embedded Markov chain of the states transition model is built and described. Finally, the forensics capability and server availability are analysis. According to the numerical analysis result, the security performance and forensics capability of the forensics system are enhanced to a certain degree.

Tian Zhihong,Jiang Wei,Li Yang

DOI: https://doi.org/10.1109/cc.2015.7084411

2015-01-01

Abstract:Network forensics is a security infrastructure, and becomes the research focus of forensic investigation. However many challenges still exist in conducting network forensics: network has produced large amounts of data; the comprehensibility of evidence extracting from collected data; the efficiency of evidence analysis methods, etc. To solve these problems, in this paper we develop a network intrusion forensics system based on transductive scheme that can detect and analyze efficiently computer crime in networked environments, and extract digital evidence automatically. At the end of the paper, we evaluate our method on a series of experiments on KDD Cup 1999 dataset. The results demonstrate that our methods are actually effective for real-time network forensics, and can provide comprehensible aid for a forensic expert.

Chit-Jie Chew,Wei-Bin Lee,Tzu-Li Sung,Ying-Chin Chen,Shiuh-Jeng Wang,Jung-San Lee

DOI: https://doi.org/10.1109/tifs.2024.3368888

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:Traditional industries rapidly transcend the time and place restrictions of the country according to the technology growth by leaps and bounds over the year. Regrettably, international cybercrime incidents simultaneously explode by 2,400 million from 2020 to 2021. Undoubtedly, the real-time incident response has become the primary subject of incident handling. In this article, we aim to propose lawful remote forensics mechanism for ensuring the optimal protection of potential evidence in stochastic and unpredictable transnational crime. Meanwhile, the entire process can be performed remotely and compliant with legal requirements, such as ISO/IEC and NIST regulations. Specifically, all the procedures can be retroactive based on the design of the chain of custody, which leads to the proof of evidence admissibility. Aside from the security essential confirmation by the formal tools Proverif, AVISPA, and Scyther, simulation results have demonstrated that remote forensics can fulfill the legal requirements and perform excellently in various incident scales.

computer science, theory & methods,engineering, electrical & electronic

BAI Hao,WANG Kun-sheng,HU Chang-zhen,ZHANG Gang,JING Xiao-chuan

DOI: https://doi.org/10.15918/j.tbit1001-0645.2010.08.015

2010-01-01

Abstract:Limitations existed with current methods for attack intention recognition.For instance,they lacked compensatory intrusion evidences,cost enormous system resources and had low precision.To avoid the above flaws,a novel and effective method is proposed.The method generated compensatory intrusion evidences by fusing data from IDS and other security kits like scanner.Then,Bayesian-based attack scenarios were constructed where frequent attack patterns were identified using an efficient data-mining algorithm based on frequent patterns.Finally,attack paths were rebuilt by re-correlating frequent attack patterns mined in the scenarios to judge possible attack strategies precisely.The experimental results demonstrate the capability of the proposed method in rebuilding attack paths,recognizing attack intentions as well as in saving system resources.

Islam Debicha,Thibault Debatty,Wim Mees,Jean-Michel Dricot

DOI: https://doi.org/10.48550/arXiv.2103.08585

IF: 5.414

2021-03-15

Machine Learning

Abstract:Intrusion Detection Systems (IDS) are now an essential element when it comes to securing computers and networks. Despite the huge research efforts done in the field, handling sources' reliability remains an open issue. To address this problem, this paper proposes a novel contextual discounting method based on sources' reliability and their distinguishing ability between normal and abnormal behavior. Dempster-Shafer theory, a general framework for reasoning under uncertainty, is used to construct an evidential classifier. The NSL-KDD dataset, a significantly revised and improved version of the existing KDDCUP'99 dataset, provides the basis for assessing the performance of our new detection approach. While giving comparable results on the KDDTest+ dataset, our approach outperformed some other state-of-the-art methods on the KDDTest-21 dataset which is more challenging.

Loai Zomlot,Sathya Chandran Sundaramurthy,Kui Luo,Xinming Ou,Siva Raj Rajagopalan

DOI: https://doi.org/10.1145/2046684.2046694

2011-01-01

Abstract:Intrusion analysis and incident management remains a difficult problem in practical network security defense. The root cause of this problem is the large rate of false positives in the sensors used by Intrusion Detection System (IDS) systems, reducing the value of the alerts to an administrator. Standard Bayesian theory has not been effective in this regard because of the lack of good prior knowledge. This paper presents an approach to handling such uncertainty without the need for prior information, through the Dempster-Shafer (DS) theory. We address a number of practical but fundamental issues in applying DS to intrusion analysis, including how to model sensors' trustworthiness, where to obtain such parameters, and how to address the lack of independence among alerts. We present an efficient algorithm for carrying out DS belief calculation on an IDS alert correlation graph, so that one can compute a belief score for a given hypothesis, e.g. a specific machine is compromised. The belief strength can be used to sort incident-related hypotheses and prioritize further analysis by a human analyst of the hypotheses and the associated evidence. We have implemented our approach for the open-source IDS system Snort and evaluated its effectiveness on a number of data sets as well as a production network. The resulting belief scores were verified through both anecdotal experience on the production system as well as by comparing the belief rankings of hypotheses with the ground truths provided by the data sets we used in evaluation, showing thereby that belief scores can be effective in mitigating the high false positive rate problem in intrusion analysis.

Liang Hu,Kuo Tang,Guangkun Shi, Nurbol,Kuo Zhao

DOI: https://doi.org/10.1109/ICICTA.2009.729

2009-01-01

Abstract:With the increasing development of information technology, the computer crime problem is getting even serious. However traditional computer forensic that employs the static investigation after security events has inherent limitations. The authenticity, effectiveness and timeliness of the evidence are difficult to meet real needs. In order to solve the existing problems which static forensics technology has, this paper presents the design and implementation of DDCFS: a distributed dynamic computer forensics system based on network. Comparing with the traditional tools of the forensic system, it employs the work of gathering evidences of criminal actions before they occur or just they are ongoing, which avoid the evidence chain lose caused by traditional static forensic. It can improve the efficiency of the work of gathering evidences; enhance data integrity and timeliness of evidences. This paper describes the architecture, function and forensic procedure of DDCFS, and the implementation of the core module.

Yulai Xie,Dan Feng,Zhipeng Tan,Junzhe Zhou

DOI: https://doi.org/10.1016/j.future.2016.02.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:The existing host-based intrusion detection methods are mainly based on recording and analyzing the system calls of the invasion processes (such as exploring the sequences of system calls and their occurring probabilities). However, these methods are not efficient enough on the detection precision as they do not reveal the inherent intrusion events in detail (e.g., where are the system vulnerabilities and what causes the invasion are both not mentioned). On the other hand, though the log-based forensic analysis can enhance the understanding of how these invasion processes break into the system and what files are affected by them, it is a very cumbersome process to manually acquire information from logs which consist of the users' normal behavior and intruders' illegal behavior together.This paper proposes to use provenance, the history or lineage of an object that explicitly represents the dependency relationship between the damaged files and the intrusion processes, rather than the underlying system calls, to detect and analyze intrusions. Provenance more accurately reveals and records the data and control flow between files and processes, reducing the potential false alarm caused by system call sequences. Moreover, the warning report during intrusion call explicitly output system vulnerabilities and intrusion sources, and provide detection points for further provenance graph based forensic analysis. Experimental results show that this framework call identify the intrusion with high detection rate, lower false alarm rate, and smaller detection time overhead compared to traditional system call based method. In addition, it can analyze the system vulnerabilities and attack sources quickly and accurately. (C) 2016 Elsevier B.V. All rights reserved.

QIAN Qin,ZHANG Jian,ZHANG Kun,FU Xiao,MAO Bing

2014-01-01

Computer Science

Abstract:For the past few years,the amount of computer crime has been increasing year by year,and it is threatening various aspects of human society such as national politics,economy,and culture,etc.In modern society,the research on intrusion forensics and intrusion detection plays a significant role for fighting against computer crime,tracing intrusion,patching vulnerability and improving security system of computer network.However,with the popularity of Internet and the improving capacity of computers' storage,we often need to handle mass data about GB size,even up to TB size for intrusion forensics and intrusion detection.It inevitably makes much useful information submerge in redundant events,which brings about a huge challenge and low accuracy of analysis result.So it will be a topmost breakthrough to design a kind of technology for reducing redundant data and improving its accuracy and efficiency.This paper summarized several methods on intrusion forensics and intrusion detection.Firstly,this paper discoursed the development course of redundancy-reducing techniques and the application in traditional field such as medical domain.Then it systematically introduced all kinds of redundancy-reducing methods in intrusion forensics and intrusion detection.Finally,it figured out the existing problems and research direction in the future.It also gave some conclusions through the comparison on current situation of redundant data reducing techniques.

W Ren,H Jin

DOI: https://doi.org/10.1109/aina.2005.164

2005-01-01

Abstract:Network forensics is a new approach for the network security, because the firewall and IDS cannot always stop and discover the misuse in the network. Once the system is compromised, the forensics and investigation always after the attacks and lose some useful instant evidence. The integrated analysis of the log and audit system and network traffic can lead to an efficient navigation of the traffic. The current network forensics approaches only focus on the network traffic capture and traffic replay, which always result in the performance bottleneck or forensics analysis difficulties. However, the adaptive capture without lose the potential sensitive traffic and real time investigation are seldom discussed. In this paper, we discuss the frameworks of distributed agent-based real time network intrusion forensics system, which is deployed in local area network environment. Some novel approaches for network forensics are discussed for the first time, such as network forensics server, network forensics database, network forensics agents, forensics data integration and active real time network forensic.