Unlock instant, AI-driven research and patent intelligence for your innovation.

Network forensics method and device based on alarm aggregation

A network and evidence technology, applied in the field of network security, can solve problems affecting the accuracy of network forensics results, achieve strong practicability and operability, and improve efficiency

Active Publication Date: 2020-12-08
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU
View PDF5 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, limited by the accuracy of the intrusion detection system, it affects the accuracy of the network forensics results. How to eliminate the influence of false positives and negative evidences on the forensics results is a difficult problem for these methods.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Network forensics method and device based on alarm aggregation
  • Network forensics method and device based on alarm aggregation
  • Network forensics method and device based on alarm aggregation

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0029] In order to make the purpose, technical solution and advantages of the present invention more clear and understandable, the present invention will be further described in detail below in conjunction with the accompanying drawings and technical solutions. The technical term involved in the embodiment is as follows:

[0030] Currently, for situations where intrusion detection relies on captured network data fragments, the obtained network alarm evidence is likely to be incomplete. To this end, the embodiment of the present invention provides a network forensics method based on alarm aggregation, see figure 1 shown, including:

[0031] A) Build an attack graph; and obtain the intrusion detection data of key nodes in the network, and use the intrusion detection data as an alarm evidence set for network forensics analysis;

[0032] B) Map the alarm evidence in the alarm evidence set to the attack graph, and obtain the alarm evidence chain;

[0033] C) Clustering the alarm...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention belongs to the technical field of network security, in particular to a network forensics method and a network forensics device based on alarm aggregation. And the intrusion detection data of the key nodes of the network are obtained, and the intrusion detection data are used as the alarm evidence set of the forensic analysis of the network; The alarm evidence in the alarm evidence set is mapped to the attack graph, and the alarm evidence chain is obtained. Clustering the alarm evidence chain to construct the network intrusion scene and recover the network crime scene. The invention aims at the problems of missing report and false report existing in the network forensics by using the intrusion detection system, and can accurately and completely display the intrusion panorama of the attacker and improve the network forensics efficiency through the alarm evidence mapping, the evidence chain generation, the evidence chain clustering and the intrusion scene construction. Alarmdata related to intrusion scenes become important electronic evidence, which has strong practicability and operability, and provides reliable basis for collecting network data evidence, returning tothe crime scene and litigation cases.

Description

technical field [0001] The invention belongs to the technical field of network security, in particular to a method and device for network evidence collection based on alarm aggregation. Background technique [0002] With the continuous improvement of the level of network attacks and the rapid change of attack tools and attack methods, the use of computer networks to commit crimes is becoming more and more serious. Network forensics is of great significance to combating network crimes. Network forensics is essentially dynamic forensics, that is, it intercepts when an attack event is in progress or during the transmission of evidence data, and reconstructs the criminal scene of network attack by collecting network alarm evidence data to provide accurate and effective evidence for litigation cases. [0003] At present, there are two main methods of network forensics: one is based on honey traps, and the other is based on the analysis of intrusion detection system alarm evidence...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Patents(China)
IPC IPC(8): H04L29/06
CPCH04L63/1416H04L63/145H04L63/20
Inventor 张玉臣胡浩张红旗汪永伟刘小虎张任川杨峻楠
Owner PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU