CN100414554C - Electronic data evidence obtaining method and system for computer - Google Patents

Electronic data evidence obtaining method and system for computer

Publication number: CN100414554C
Application number: CNB2006101408013A
Other versions: CN1949240A (en)
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 王永吉, 周博文, 丁丽萍, 王青, 李明树
Assignee (original and current): Institute of Software of CAS
Legal status: Expired - Fee Related
Prosecution events: application filed by Institute of Software of CAS with priority to CNB2006101408013A; published as CN1949240A; application granted and published as CN100414554C; now expired (fee related).
Prior art keywords: evidence, data, obtaining, evidence obtaining, case
Classification landscape: Storage Device Security
Abstract

The invention relates to a method for obtaining electronic data evidence from a computer. It comprises the following steps: strategy generation, which uses a multistage forensic strategy to create the forensic strategy for a new case according to demand; on-demand customization, which sets the forensic-scope variables dynamically according to that demand; real-time evidence collection, which records the corresponding evidence data while the system is running; evidence storage, which tests validity and stores the verified evidence file in the database; and security protection, which filters calling requests to the forensic system and its corresponding data. The method achieves real-time evidence collection for electronic data.

Description

Electronic data forensic method and system for computers
Technical field
The present invention relates to techniques for obtaining electronic data evidence from a computer system, and in particular to a method and system that can collect evidence from a computer system in real time. It belongs to the fields of information security and computer systems technology.
Background technology
In recent years, with the rapid development of the Internet, the number of network intrusion attacks has also grown at an alarming rate year by year. According to the statistics of CERT/CC [CERT2006], the number of intrusion events in each of the years 2001 to 2003 rose by more than 50% over the preceding year; in 2003 alone CERT handled 137529 intrusion events.
Computer security protection technology [Bishop2004] prevents intrusion from the standpoint of access control. Access control policies are divided into two kinds: confidentiality policies and integrity policies. A confidentiality policy emphasizes the protection of confidentiality and is used to prevent unauthorized disclosure of information. The well-known Bell-LaPadula model [Bell1975] describes confidentiality policies; it represents the confidentiality protection mechanism inside a secure system in the form of a lattice. The Multics system [Organick1972] implemented the Bell-LaPadula model. An integrity policy emphasizes the protection of integrity and is used to prevent unauthorized modification of information. The Biba model [Biba1977] and the Clark-Wilson model [Clark1987] are used to protect system integrity. The foundation of security protection technology is the correct identification of user identity, granting corresponding authority to users of different levels. Once an intruder has taken control of a service process through a buffer overflow attack, the system cannot distinguish the intruder from the service process itself, and security protection technology can no longer take effect.
With the explosive expansion of the Internet, computer security problems grow more serious by the day, and the corresponding computer forensic technology receives more and more attention from the information security community. Computer forensics means: in order to reconstruct the details of a criminal case and to weigh the destructiveness of unauthorized behaviour, the scientific methods of verification adopted in the protection, collection, validation, identification, analysis, interpretation, recording and presentation of electronic evidence. At present, general forensic technology mainly reconstructs events from data collected from the target computer's hard disk, in order to confirm the time, place and manner in which an intrusion was carried out. After a system intrusion is discovered, forensic personnel carry out investigative work such as evidence collection, evidence recovery and evidence analysis on the target computer. This method, however, has two serious problems: first, the amount of information in the residual data on the hard disk is very limited; second, the residual data itself is not trustworthy. A large amount of the information a computer system produces while running, including file read/write operations, process address spaces, inter-process communication and so on, leaves no trace on the hard disk. In addition, the intruder can cover the traces of the intrusion by deleting or destroying data records, and some simple modifications are enough to make the hard disk data lose its value as evidence.
In research on techniques for acquiring electronic evidence, forensic technologists have devised various methods that attempt to find clues and traces relevant to a case in a suspect system that has already been shut down. Well-known tools include the commercial EnCase [Encase2006] and the open-source forensic analysis kit The Coroner's Toolkit [Farmer2004]; building on the TCT kit, Brian Carrier developed the more powerful The Sleuth Kit [Carrier2006], which provides evidence-sampling tools for files, file systems, data blocks and disk sectors according to abstraction layers at different levels [Carrier2002]. These automated analysis tools have effectively improved the efficiency of computer forensic work, but they all look only at the residual data left at the scene after the crime; they cannot provide enough information to reconstruct the whole course of the crime, and an experienced intruder can destroy evidence by deleting or overwriting sensitive data. According to the experimental results of Peter Gutmann [Gutmann1996] [Gutmann2001], repeated overwriting can almost completely eliminate the possibility of data recovery, such that even a scanning tunnelling microscope cannot detect the original state of the track. Secure deletion tools using Gutmann's deletion method have already been implemented [Hauser2003], and the use of such tools further increases the technical difficulty of traditional after-the-fact evidence collection methods. These circumstances greatly limit the practical operability of computer forensic technology, and a new forensic mechanism is urgently needed to strengthen the capability of collecting evidence against intrusion attacks.
Summary of the invention
In view of the above problems, the purpose of this invention is to provide a new computer forensic method that collects evidence from the system in real time, together with the various supporting mechanisms it requires, and to implement a forensic system that adopts this real-time forensic method. The forensic method and forensic system achieve the following objectives:
1. record the operations of users and processes in real time, rather than only the results those operations produce;
2. implement a strict evidence protection mechanism that prevents evidence from being tampered with or deleted;
3. be general, so as to adapt to the requirements of different types of intrusion attack.
At every stage of an intrusion attack, the intruder must use the system call services provided by the operating system in order to achieve their goal. When invoking operating system services, the intruder generates a large amount of system call information in memory. This information includes the intruder's attack steps, attack targets, intrusion means, intrusion time and so on; the intruder's geographic location can even be determined from the IP address of the intruding machine. The purpose of forensics is precisely to collect, in real time, this data that the system produces during operation and record it in a protected evidence database, so that the intrusion attack can later be analysed and reconstructed and evidence of the intruder's crime obtained.
Technical scheme
As shown in Figure 1, the overall real-time forensic method comprises five sub-processes: a strategy generation process, an on-demand customization process, a real-time evidence collection process, an evidence storage process, and a security protection process that runs throughout. First, the strategy generation process produces a forensic requirement description according to the actual demand of the current intrusion event. The on-demand customization process determines the configuration parameters under which the forensic system runs according to this forensic requirement description, and starts the real-time evidence collection process with these parameters. The actual evidence acquisition is carried out by the real-time evidence collection process, during which the system records runtime information about the operation of user processes. Finally, the evidence data collected by the real-time evidence collection process is handed to the evidence storage process, which completes the preservation of the evidence. Throughout the whole forensic process, a security protection process is responsible for protecting each of the sub-processes involved so that they complete the forensic task correctly and effectively.
The internal mechanism of each of the above sub-processes is described in more detail below:
1. Strategy generation process:
The forensic strategy determines the scope of what the real-time evidence collection process needs to collect. The strategy generation process requires the system to keep a forensic policy library, in which a large number of case types and their corresponding forensic strategies are stored. When a strategy must be generated for a new case, this process first converts the characteristics or forensic requirements of the new case into a description that the system can understand, expressed as an N-tuple structure; the current case is then matched against all known case types stored in the policy library according to the value of each component of this N-tuple; the corresponding forensic strategy is determined from the matching result and used as the input parameter of the on-demand customization process.
2. On-demand customization process:
According to the forensic strategy submitted by the strategy generation process, the on-demand customization process configures the forensic-scope variables of the forensic system accordingly.
3. Real-time evidence collection process
The actual collection of electronic evidence is completed in the real-time evidence collection process. According to the forensic scope set in advance by the on-demand customization process, the real-time evidence collection process must determine which operations in the system are to be collected as evidence, that is, determine the evidence data sources; then, while the system runs, the corresponding evidence data is recorded in an evidence buffer inside the forensic system; finally, the electronic evidence in the evidence buffer is handed to the evidence storage process in batches. The evidence data sources comprise one or more of processes, files, system calls, key data in the kernel, and network data.
4. Evidence storage process
The evidence storage process is responsible for preserving the evidence data. This process first tests the validity of the forensic system, to prevent false evidence from being written to the evidence database after an intruder has taken control of the forensic system, and then writes the verified evidence file into the evidence database for preservation.
5. Security protection process
The security protection process protects the integrity and validity of each sub-process in real time throughout the whole forensic process. It filters, across the whole computer system, access requests to the forensic system and its related data: it first obtains the authority information of the accessing subject, and then decides according to that authority information whether to allow the access request.
The technical effect of the present invention is that it breaks through the limitation that existing computer forensic methods can only collect evidence after the fact. By adopting an on-demand forensic strategy and a kernel-level evidence collection method, it provides a highly credible forensic method that can collect all types of electronic evidence; the method and system are easy to implement, can obtain the required electronic evidence promptly and accurately, and can effectively prevent and combat crime. In addition, the method of customizing and generating the forensic strategy adopted by the present invention can flexibly make use of historical data from similar cases and, combined with the flexible formulation of forensic strategies for the requirements of a new case or for the type of crime to be prevented, improves forensic efficiency and the usability and reliability of the evidence.
Description of drawings
Fig. 1 is a schematic diagram of the processes of the real-time forensic method;
Fig. 2 is a schematic diagram of the model of the real-time forensic system;
Fig. 3 is a flowchart of the forensic strategy generation process;
Fig. 4 is a structural diagram of the automatic case classifier;
Fig. 5 is a flowchart of the dynamic configuration of the forensic scope;
Fig. 6 shows the concrete implementation of evidence collection;
Fig. 7 is a schematic diagram of the protection mechanism for the forensic module.
Embodiment
Following the five processes that implement the forensic method, we implement the module for each process as a component of the forensic system. The forensic method and system of the present invention are described in detail below with reference to the drawings.
As shown in Figure 2, the forensic system mainly comprises five parts: a strategy generation module, an on-demand customization module, a real-time evidence collection module, an evidence library module and a security protection module. The modules cooperate to achieve the design goals of the forensic system: real-time evidence collection, dynamic configuration and security protection. The strategy generation module uses data mining methods to determine the forensic strategy for the current case. The on-demand customization module takes the current forensic strategy as input, generates the current forensic-scope parameters, and dynamically updates the forensic scope of the real-time evidence collection module. The real-time evidence collection module monitors system calls online in real time according to the current forensic scope, records system call information in evidence files, and is also responsible for dumping the evidence files to the evidence library. The evidence library may be a separate database server connected to the forensic machine, or a database system running on the same machine; it is responsible for the back-end storage of evidence files. It first verifies the validity of the forensic machine; if verification passes it receives the evidence data from the real-time evidence collection module, otherwise it rejects the data and alerts the administrator that the forensic machine may have been compromised. The security protection module is responsible for protecting the whole forensic system and the evidence data, preventing illegal manipulation or destruction by an intruder.
Each sub-process of the forensic method is described in detail below together with the corresponding module of the forensic system; the concrete composition of each module is also reflected in the description of each process.
1. Strategy generation
1) The new case and forensic requirement are expressed in the same form as the cases in the case library and used as the input parameters of the strategy generation module;
2) The automatic case classifier finds the K cases in the case library most similar to the new requirement or new case according to its features; in this embodiment the automatic case classifier is a classifier based on kNN;
3) The case category is determined from the K case samples selected by the classifier, and the corresponding forensic strategy is matched in the forensic policy rule library, thereby generating the forensic strategy for the new case, referred to as a multistage forensic strategy.
As shown in Figure 3, according to the above forensic strategy generation process, the strategy generation module should comprise at least a kNN-based classifier and a forensic policy rule library. The automatic case classifier is the key to implementing the forensic strategy generation process, and is described in detail below.
Figure 4 shows the structure and processing flow of the automatic case classifier. In general, the whole working cycle of the classifier can be divided into a training process and a classification process. In the training process, the examples in the training set are preprocessed and expressed in vector form. This set of feature vectors describes the category patterns and is used in the classification process. A validation set, which is part of the training set, is used to pre-determine the truncation threshold of each category using the corresponding threshold strategy. In the case classification process, a case document to be classified is preprocessed and expressed as a vector; the classification algorithm then compares it one by one with the category patterns obtained in training and produces a candidate category list. Then, using the threshold of each category obtained in the training process, the categories scoring above threshold are kept and taken as the classification result for this case.
It follows that the key factors in constructing a classifier are: preprocessing, the training set, the feature selection algorithm, the classification algorithm and the truncation algorithm.
The specific design of the case classifier is as follows:
(1) Preprocessing. Preprocessing may comprise word segmentation and feature selection for the cases in the training set. For example, following the customary way a judicial investigation describes a case, we chose the following feature items to describe a case: Id is the case number; Name is the case title, such as "211 homicide case" or "321 robbery case"; Time is the time of the crime; Site is the place where the crime occurred; Suspect is the suspect; Type is the case type; Artifice is the means of the crime; Victim is the victim; Reasons is the cause of the crime; Results is the harmful consequence; Receiver is the police officer who received the report; Criminal_characters is the criminal's characteristics; Criminals_number is the number of criminals; Committing_process describes the process of committing the crime; Committing_tools is the tool of the crime; Committ_motivation is the motive; If_destroy_the_scene indicates whether the crime scene was destroyed; Vehicle is the vehicle used in the crime; Detective means is the preliminary investigation; Evidences is the evidence needed; Forensics_policy is the forensic strategy, represented here by its id; Lawsuit is the applicable legal provision. Chinese word segmentation is applied to the textual description of the case to generate the feature vector that describes it. This is the preprocessing of a case.
(2) Classification algorithm. This embodiment uses the kNN (k-Nearest Neighbor) classification algorithm to implement the basic classifier. For example, k=10 may be chosen, i.e. only the 10 example cases with the greatest similarity are kept. To determine the category of the case to be classified, the similarities between the case to be classified and the examples having the same category are first summed to obtain the category similarity of the case to be classified; finally the categories with the highest similarity (for example 3) are taken as the result categories, so here each case to be classified receives only 3 result categories.
(4) Truncation algorithm. A simple rank-based thresholding method (RCut) is adopted.
(5) Evaluation index of classification quality.
Based on the above structure of the automatic case classifier, three automatic case classification algorithms are introduced below:
A. The general kNN algorithm:
Step 1. Describe the training case vectors according to the set of feature items.
Step 2. When a new case arrives, process it according to the case feature values and determine the vector representation of the new case.
Step 3. Select from the training case set the K cases most similar to the new case; the formula is:
$$\mathrm{Sim}(d_i, d_j) = \frac{\sum_{k=1}^{M} W_{ik} \times W_{jk}}{\sqrt{\left(\sum_{k=1}^{M} W_{ik}^2\right)\left(\sum_{k=1}^{M} W_{jk}^2\right)}}$$
There is at present no good method for determining the value of K; generally an initial value is chosen first and K is then adjusted according to experimental results, with the initial value usually set somewhere between several hundred and several thousand.
Step 4. Compute in turn the weight of each class among the K neighbours of the new case, with the formula:
$$p(\vec{x}, C_j) = \sum_{\vec{d}_i \in KNN} \mathrm{Sim}(\vec{x}, \vec{d}_i)\, y(\vec{d}_i, C_j)$$
where $\vec{x}$ is the feature vector of the new case, $\mathrm{Sim}(\vec{x}, \vec{d}_i)$ is the similarity formula, identical to that of the previous step, and $y(\vec{d}_i, C_j)$ is the category attribute function: if $\vec{d}_i$ belongs to class $C_j$ the function value is 1, otherwise it is 0.
Step 5. Compare the class weights and assign the new case to the k classes with the greatest weight.
B. Improvement of the weight function:
Suppose the case library (the sample space) contains M case categories C1, C2, ..., CM, each class has Ni samples, and cases of the same category have the same Forensics_policy. Let K1, K2, ..., Kc be the numbers of samples among the K nearest neighbours of the unknown sample X that belong to classes C1, C2, ..., CM respectively, and let the distances of the farthest and nearest points among the K nearest neighbours be dmax and dmin; then the weight function is defined as:
$$\omega_{ji} = \frac{d_{\max} - d(X, X_{ji})}{d_{\max} - d_{\min}}$$
where $X_{ji}$ denotes the i-th sample vector of class j. The decision function is defined as:
$$g_j(X) = \sum_{i=1}^{K_j} \omega_{ji}, \qquad j = 1, 2, \dots, M$$
Then the categories ranked in the first t positions by decision function value are selected as the categories of the unknown case.
(3) Case classifier algorithm based on kNN with a weighted weight function:
C. The case classification algorithm based on the weighted kNN classifier can be described as:
1) input the case X to be classified, set the value k with 1≤k≤n, and let n=1;
2) compute the distance between the case X to be classified and Xn; IF (n≤k) THEN put Xn among the k neighbours of X, ELSE IF (Xn is closer to X than the original k neighbours of X) THEN replace the farthest of the k nearest neighbours with Xn; set n=n+1;
3) IF (n≤k) THEN go to step 2);
4) compute the weight function ωji;
5) compute the decision function gj(X);
6) IF gm(X) ∈ {the first t largest of gj(X)}, j=1,2,...,m,
THEN assign X to class Cm;
ELSE IF gm(X) does not exist, then X is classified as a separate class, and feature values such as Evidences and Forensics_policy are set manually.
7) output the two feature values Evidences and Forensics_policy of the assigned category as the forensic strategy.
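The kNN steps, the improved weight function and the RCut truncation above can be seen working together in the following added Python example; it is not code from the patent. The case library with its four-dimensional feature vectors, the category names and the Forensics_policy ids are constructed, and the distance d(X, X_ji) is taken as 1 - Sim, which is an assumption since the page does not name a metric.

```python
import math
from collections import defaultdict

# Constructed toy case library: (feature vector, category, Forensics_policy id).
# The vectors stand in for the term-weight vectors W_ik that preprocessing would produce.
CASE_LIBRARY = [
    ([1.0, 0.0, 0.2, 0.0], "web_intrusion", "policy_web"),
    ([0.9, 0.1, 0.3, 0.0], "web_intrusion", "policy_web"),
    ([0.8, 0.0, 0.1, 0.1], "web_intrusion", "policy_web"),
    ([0.0, 1.0, 0.0, 0.3], "insider_file_theft", "policy_file"),
    ([0.1, 0.9, 0.0, 0.2], "insider_file_theft", "policy_file"),
    ([0.0, 0.2, 1.0, 0.0], "malware_persistence", "policy_kernel"),
    ([0.0, 0.1, 0.9, 0.1], "malware_persistence", "policy_kernel"),
]

def sim(a, b):
    """Cosine similarity Sim(d_i, d_j) = sum W_ik W_jk / sqrt(sum W_ik^2 * sum W_jk^2)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))
    return dot / norm if norm else 0.0

def nearest(x, library, k):
    """Step 3: the K training cases most similar to x, most similar first."""
    return sorted(library, key=lambda c: sim(x, c[0]), reverse=True)[:k]

def class_weights_plain(x, neighbours):
    """Step 4: p(x, C_j) = sum over neighbours of Sim(x, d_i) * y(d_i, C_j)."""
    p = defaultdict(float)
    for vec, cat, _ in neighbours:
        p[cat] += sim(x, vec)  # y(d_i, C_j) is 1 only for the neighbour's own class
    return dict(p)

def class_weights_improved(x, neighbours):
    """Section B: omega_ji = (dmax - d(X, X_ji)) / (dmax - dmin), g_j(X) = sum_i omega_ji.
    Distance is taken as d = 1 - Sim (assumption: the page fixes no metric)."""
    dists = [1.0 - sim(x, vec) for vec, _, _ in neighbours]
    dmax, dmin = max(dists), min(dists)
    g = defaultdict(float)
    for (vec, cat, _), d in zip(neighbours, dists):
        # If all K neighbours are equidistant, give each full weight instead of dividing by zero
        g[cat] += (dmax - d) / (dmax - dmin) if dmax > dmin else 1.0
    return dict(g)

def rcut(weights, t):
    """RCut truncation: keep the t highest-ranked categories, best first."""
    return [cat for cat, _ in sorted(weights.items(), key=lambda kv: kv[1], reverse=True)[:t]]

def classify_case(x, library=CASE_LIBRARY, k=5, t=2, improved=True):
    """Algorithm C: result categories for x and the Forensics_policy ids they map to."""
    neighbours = nearest(x, library, k)
    weights = (class_weights_improved if improved else class_weights_plain)(x, neighbours)
    cats = rcut(weights, t)
    policy_of = {cat: pol for _, cat, pol in library}
    return cats, [policy_of[c] for c in cats]

if __name__ == "__main__":
    print(classify_case([0.95, 0.05, 0.2, 0.0]))
```

With k=5 and t=2 the constructed new case lands in "web_intrusion" first and "malware_persistence" second, so the multistage strategy it receives is the pair of policy ids (policy_web, policy_kernel); with the plain Step 4 weights the ranking is the same, but the improved weights push the two distant neighbours almost to zero, which is the point of section B.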
2. On-demand customization
The task of the on-demand customization module is to generate, according to the characteristics of the intrusion attack and some default parameters of the system, the forensic-scope information the real-time evidence collection module needs in order to start. The on-demand customization module passes information to the real-time evidence collection module through a secure data buffer; this buffer is under the monitoring of the security protection module, which guarantees the confidentiality and integrity of the transmitted information. According to the data output by the strategy generation module, the on-demand customization module can dynamically configure the scope of the current forensic objects, i.e. the set of system events the current case is concerned with; evidence is then collected for the system events in this set, and system events outside the set are ignored.
For the dynamic configuration of the forensic scope, the following method can be adopted, as shown in Figure 5: a forensic switch variable is set for every system call, and whether that system call is collected as evidence is determined by the current state of its switch variable. Before a user process returns from a system call, the evidence collection module first checks the state of the switch variable; if the system call is to be collected, the evidence record in the process structure is written to the evidence file, otherwise the evidence record is discarded and the call returns directly.
3. Real-time evidence collection
Implementation of the real-time evidence collection function: the evidence collection module is compiled into the kernel, loads automatically at system start-up and runs as a background process; it then intercepts system call information, monitoring and recording the execution of user processes in real time. The data collection points of the forensic system in this embodiment are the entry and exit of system calls; the concrete implementation is shown in Figure 6:
Forensic_syscall_enter(int syscall_num, void *args)
This function is called at the entry of a system call. It judges whether this system call is to be collected, creates a new forensic record and obtains the evidence information. syscall_num is the number of the system call; args is the evidence information, a variable parameter list that takes different values for different events.
Forensic_syscall_exit(int value)
This function is called before the system call returns; its effect is to store the forensic record. The parameter value represents the return value of the system call, from which the result of the system call can be determined.
The sources of evidence data comprise one or more of processes, files, system calls, key data in the kernel, and network data.
1) Data from processes
The processes here are the set of processes running in the system. The characteristic attributes of process-class evidence can be represented as a vector describing the feature values of each process; these feature values may include the process ID, the memory space and CPU time the process occupies, the address space in which it runs and its operating privileges. From this process data source, the instruction sequence of the designated code-space segment executed by the process can be determined from the feature values obtained, establishing which system operations the process performs and with what privileges. Of course, different forensic strategies have different requirements for the process feature values to be obtained, so the concrete vector used to describe the process features varies with the forensic requirement.
2) Data from the file system
The file system is an important component of the operating system. Here, the files serving as evidence data sources are the set of key files in the operating system determined by the forensic strategy. The feature values of file-class evidence can also be represented as a vector, describing the type and content of the file, the form in which the file was accessed and its access rights, the process ID that operated on the file, and so on. From this file data source we can obtain information on which files were accessed by which processes with what privileges, and can determine whether the access was a read, a write or a modification.
3) Data from system calls
A system call is the interface the operating system kernel provides to users for operating hardware devices and requesting kernel services. The system call interface sits between user mode and kernel mode. The general system call process is: the user program requests a service from the operating system kernel through a system call, the kernel completes the service, and the result is returned to the user process. System calls provide the mechanism for accessing the kernel, improve the security of the system and guarantee the portability of application programs.
The data related to system calls can also be represented as a vector whose feature values comprise: the name and function of the system call, the object of the system call and its information, and the entry function of the system call.
System call hooking can be achieved by modifying the value of the corresponding entry in the system call table and the interrupt descriptor table, thereby obtaining the system call stream. Here, two hook functions are set for each system call: a hook function at the entry of the system call obtains the relevant parameters, and a hook function inserted at the end of the system call obtains information on whether the event succeeded.
4) Other key data in the kernel
The kernel manages all system threads, processes, resources and resource allocation. In the operating system, all information related to a process is kept in that process's process control block (PCB) for the control and management of the process. By collecting evidence from kernel resources we can obtain the system resource allocation related to the relevant event. Key data from the kernel should reflect system information such as CPU load, memory space and disk space.
5) Network data of the system
Network data mainly comprises the kernel data related to the network in the host; its principal features include information such as the IP address of a connection, the network protocol and the host bandwidth. Obtaining network data achieves the purpose of collecting network evidence in real time.
The forensic method of the present invention and the evidence data sources used in an operating system capable of real-time forensics have been described above. The five classes of data source overlap in what they contain; repeated collection can be avoided by setting priorities and marks.
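The switch-variable mechanism from the on-demand customization section and the Forensic_syscall_enter / Forensic_syscall_exit hooks just described, as an added user-space Python simulation that is not the patent's kernel code: the syscall number table, the trace of calls and the batch size are constructed, the pid-keyed pending slot stands in for the evidence record kept in the process structure, and the kernel hook signatures are approximated by Python methods with an explicit pid argument.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed: a tiny syscall-number table standing in for the kernel's syscall table.
SYSCALLS = {0: "read", 1: "write", 2: "open", 41: "socket", 59: "execve"}

@dataclass
class EvidenceRecord:
    pid: int
    syscall_num: int
    name: str
    args: tuple
    entered_at: float
    result: Optional[int] = None  # filled in by the exit hook

class ForensicModule:
    """Simulation of the real-time evidence collection module: one forensic switch
    variable per syscall (set by on-demand customization), an entry hook that opens a
    record, an exit hook that keeps or discards it, and a buffer flushed in batches
    to the evidence storage process."""

    def __init__(self, batch_size=3):
        self.switch = {n: False for n in SYSCALLS}  # forensic switch variables
        self.pending = {}    # pid -> record opened at entry (the process-structure slot)
        self.buffer = []     # evidence buffer inside the module
        self.stored = []     # what the evidence storage process has received
        self.batch_size = batch_size

    def configure_scope(self, syscall_names):
        """On-demand customization: enable exactly the syscalls the strategy cares about."""
        wanted = set(syscall_names)
        for num, name in SYSCALLS.items():
            self.switch[num] = name in wanted
        return sorted(n for n, on in self.switch.items() if on)

    def forensic_syscall_enter(self, pid, syscall_num, *args):
        """Entry hook: if the call is in scope, open a new record holding its parameters."""
        if not self.switch.get(syscall_num, False):
            return False
        self.pending[pid] = EvidenceRecord(pid, syscall_num, SYSCALLS[syscall_num],
                                           args, time.time())
        return True

    def forensic_syscall_exit(self, pid, value):
        """Exit hook: re-check the switch (the scope may have been updated mid-call),
        attach the return value and move the record to the buffer, or discard it."""
        rec = self.pending.pop(pid, None)
        if rec is None or not self.switch.get(rec.syscall_num, False):
            return False
        rec.result = value
        self.buffer.append(rec)
        if len(self.buffer) >= self.batch_size:
            self.flush()
        return True

    def flush(self):
        """Hand the buffered records to the evidence storage process as one batch."""
        n = len(self.buffer)
        self.stored.extend(self.buffer)
        self.buffer = []
        return n

def simulate():
    """Run a constructed trace through the hooks with only open and execve in scope."""
    mod = ForensicModule(batch_size=2)
    mod.configure_scope(["open", "execve"])
    trace = [  # constructed (pid, syscall_num, args, return value)
        (100, 2, ("/var/log/app.log", "O_RDONLY"), 3),
        (100, 0, (3, 4096), 1024),
        (100, 59, ("/usr/bin/id",), 0),
        (101, 41, ("AF_INET", "SOCK_STREAM"), 5),
        (101, 2, ("/tmp/out.txt", "O_WRONLY"), -1),
    ]
    for pid, num, args, ret in trace:
        mod.forensic_syscall_enter(pid, num, *args)
        mod.forensic_syscall_exit(pid, ret)
    mod.flush()  # drain whatever is left, as the module would at dump time
    return [(r.pid, r.name, r.result) for r in mod.stored]

if __name__ == "__main__":
    print(simulate())
```

Only the three in-scope calls reach the store, the failed open is kept with its -1 return value (the exit hook records outcomes, not just attempts), and the read and socket calls are dropped at entry without ever occupying a record slot.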
4, evidence storehouse
The evidence library module is an independent database server that links to each other with the evidence obtaining main frame, and it passes through the evidence data of a privately owned network reception from real-time evidence obtaining module, and according to the default data layout storage instrument of evidence.In order to prevent that the invaded person in evidence storehouse from attacking, we are with evidence storehouse server and Network Isolation.Simultaneously, in the evidence storehouse, added the authentication mechanism of the evidence data that send for the evidence obtaining module, to prevent transmitting false wittness to the evidence storehouse after the invador from distorting evidence.
The dump of the instrument of evidence is divided into two stages.First stage is the transmission of instrument of evidence identifying code, and the evidence obtaining module has generated after the instrument of evidence, at first calculate identifying code and send the evidence library module to for this instrument of evidence, and then the releasing document lock writes disk file system with file.In order to prevent that the invador from forging or eavesdropping identifying code, can adopt the public key encryption system to guarantee the safe transmission of identifying code.At first be respectively evidence obtaining machine and evidence storehouse server key is set, and PKI is sent to the other side.With the public key encryption identifying code of evidence storehouse server, the private key with oneself carries out superencipher to identifying code to the evidence obtaining machine more earlier, the identifying code after encrypting by the private network transmission then.After evidence storehouse server was received ciphertext, elder generation was that the evidence obtaining machine sends with the PKI deciphering of evidence obtaining machine with the checking sign indicating number really, and then deciphers the content that obtains identifying code with the private key of oneself, can prevent that so again other users from eavesdropping identifying code.
Second stage is the warehouse-in of the instrument of evidence itself, and the evidence library module receives after the complete instrument of evidence from the evidence obtaining module, calculates its identifying code and the current code value in the identifying code tabulation and compares, and both unanimities are then agreed the evidence warehouse-in; Otherwise, illustrate that the instrument of evidence has suffered invador's illegal modifications, the evidence library module file that can resist the evidence, and send intrusion alarm to the system manager.
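Both stages of the dump, as an added example that is not the patent's code. Stage 1 follows the text: the forensic host hashes the evidence file, encrypts the hash with the library's public key, encrypts that again with its own private key, and the library undoes both layers in reverse. Stage 2 checks each received file against the stored code and raises an alarm on mismatch. Assumptions: the asymmetric primitive is textbook RSA on fixed Mersenne-prime moduli (a toy with no padding, used only so the exchange runs offline; a deployment would use a real signature scheme and RSA-OAEP or hybrid encryption), the verification code is SHA-256 rather than the page's MD5 (MD5 is collision-broken, which matters for a code meant to prove a file was not substituted), and the private network is a pair of in-memory messages.

```python
"""Two-stage evidence dump: protected verification code, then file check.

Added example, not the patent's code. Keys, hash choice and transport are
assumptions; the RSA here is a textbook toy for illustration only.
"""
import hashlib

E = 65537


def make_key(p, q):
    """Toy RSA key pair from two primes (constructed; never use in production)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E, "d": d}


# Constructed keys from Mersenne primes. The host modulus is larger than the
# library modulus so the inner ciphertext always fits under the outer one.
HOST_KEY = make_key(2**607 - 1, 2**1279 - 1)   # forensic machine
LIB_KEY = make_key(2**127 - 1, 2**521 - 1)     # evidence library server


def verification_code(data: bytes) -> int:
    """Digest of the evidence file, as an integer so the toy RSA can act on it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def host_send_code(evidence: bytes) -> int:
    """Stage 1, forensic host side: encrypt for the library, then with own private key."""
    code = verification_code(evidence)
    inner = pow(code, LIB_KEY["e"], LIB_KEY["n"])      # only the library can read it
    return pow(inner, HOST_KEY["d"], HOST_KEY["n"])    # only the host can produce it


class EvidenceLibrary:
    def __init__(self):
        self.expected_codes = []   # the verification code list, in arrival order
        self.stored = []           # accepted evidence files
        self.alarms = []           # intrusion alarms for the administrator

    def receive_code(self, ciphertext: int):
        """Stage 1, library side: strip the host layer (origin), then the own layer (content)."""
        inner = pow(ciphertext, HOST_KEY["e"], HOST_KEY["n"])
        code = pow(inner, LIB_KEY["d"], LIB_KEY["n"])
        self.expected_codes.append(code)

    def receive_file(self, data: bytes) -> bool:
        """Stage 2: accept only if the file hashes to the current expected code."""
        if not self.expected_codes:
            self.alarms.append("evidence file arrived without an announced code")
            return False
        expected = self.expected_codes.pop(0)
        if verification_code(data) == expected:
            self.stored.append(data)
            return True
        self.alarms.append("evidence file modified between announcement and dump")
        return False


def demo():
    """Run one clean dump and one tampered dump; returns (accepted, rejected, alarms)."""
    lib = EvidenceLibrary()
    # Constructed evidence record produced by the real-time module.
    good = b"pid=4242 syscall=open target=/etc/shadow success=0\n"
    lib.receive_code(host_send_code(good))
    accepted = lib.receive_file(good)
    lib.receive_code(host_send_code(good))
    rejected = lib.receive_file(good.replace(b"success=0", b"success=1"))
    return accepted, rejected, lib.alarms


if __name__ == "__main__":
    print(demo())
```

A forged outer layer fails silently rather than loudly: decrypting with the host's public key yields garbage, the derived code matches no file, and the mismatch surfaces in stage 2 as an alarm. That is the property the page relies on when it says the library "verifies the validity of the forensic machine" before accepting data.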
5. Security protection
(1) Protection of the forensic module
Because the forensic module often resides in an insecure system, the security of the forensic system itself is the first problem to consider. The forensic security protection module ensures that the forensic module cannot be tampered with during configuration and operation, so that the forensic function completes normally. Protection of the forensic module covers two points: secure configuration and secure operation.
A. Secure configuration: the configuration files of the forensic module are protected by encryption and access control mechanisms, to prevent malicious users from destroying the integrity of the configuration files.
B. Secure operation: the forensic module runs as a system process; adopting a mandatory access control mechanism ensures that evidence collection is not affected by malicious users.
The present invention builds process protection into the kernel, to prevent an intruder from destroying the forensic process, and hides the forensic process. As shown in Figure 7, the operational flow of this process protection mechanism is:
a) In an environment free of interference, run the secure processes in the system comprehensively, and analyse and collect the relevant information on these processes in the system:
(Process_Id,Process_Name,Process_exe_mapping,Start_Time,Parent_Process)
where Process_Id is the process ID, Process_Name is the process name, Process_exe_mapping is the executable image of the process, Start_Time is the start time of the process, and Parent_Process is the parent process information. This forms a "system security process list" that serves as the basis for process monitoring.
b) During process scheduling, monitor and collect the information on running processes in the system in real time. If a process is found that is not in the "system security process list", immediately output the PID, name, executable image and other information of that process on the terminal, or alert the user by sound, and wait for the user to handle it; while waiting, stop scheduling this process until the user responds (releases this process or kills it).
c) Judge whether the process that raised the alarm is the forensic process. If so, run and hide this process.
d) In step b), if a special user (the forensic user, distinct from the system administrator) has released the process, the process may be added to the "system security process list" to improve the list. If an ordinary user has released a process in the course of use, the user name and identity of this user must be recorded, and the released process recorded and saved as a log, as a strong basis for the forensic user when auditing user behaviour or modifying the "system security process list".
e) During system operation, if some important process in the "system security process list" (including kswapd, bdflush and so on) is found not to be running, the information about this "lost" process is written to a file at once, so that during system recovery it can be restored in a targeted way; depending on the situation, some cases require an immediate shutdown to restore the process, while others can be restored on the spot.
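Steps a) to e) as one user-space simulation, added here as an example that is not the patent's code. A clean baseline snapshot builds the "system security process list"; a later snapshot is then checked for unknown processes (scheduling held until a user decides), the forensic process (run but hidden), clearances by ordinary users (logged for audit) and important processes that are no longer running. Process records are constructed tuples in the page's (Process_Id, Process_Name, Process_exe_mapping, Start_Time, Parent_Process) form; the forensic process name and the user decisions (supplied as a callback instead of a terminal prompt) are assumptions.

```python
"""Kernel process protection (whitelist, alarm, hide, audit, lost-process record), simulated.

Added example, not the patent's code. Process records, the forensic process
name and the decision callback are constructed for illustration.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid name exe start_time ppid")

CRITICAL = {"kswapd", "bdflush"}     # important processes the page names in step e)
FORENSIC_PROC = "forensicd"          # assumed name of the evidence-collecting process


class ProcessGuard:
    def __init__(self, baseline):
        # Step a): whitelist keyed on (name, executable image). A PID alone is
        # reused by the kernel; name plus image is stable across reboots.
        self.safe = {(p.name, p.exe) for p in baseline}
        self.held = []        # processes whose scheduling was stopped pending a decision
        self.audit_log = []   # clearances granted by ordinary users (step d)
        self.lost = []        # critical processes found not running (step e)
        self.hidden = set()   # PIDs of the forensic process (step c)

    def check_snapshot(self, snapshot, decide):
        """Return the processes allowed to keep running.

        decide(proc) -> (role, action): role in {"forensic", "ordinary"},
        action in {"pass", "kill"}; stands in for the terminal/sound alarm.
        """
        allowed = []
        for p in snapshot:
            if (p.name, p.exe) in self.safe:
                allowed.append(p)
                continue
            if p.name == FORENSIC_PROC:          # step c): run, but hide it
                self.hidden.add(p.pid)
                continue
            self.held.append(p)                  # step b): stop scheduling, alarm
            role, action = decide(p)
            if action == "kill":
                continue
            if role == "forensic":               # step d): forensic user refines the list
                self.safe.add((p.name, p.exe))
            else:                                # ordinary user: record who cleared what
                self.audit_log.append((role, p.pid, p.name, p.exe))
            allowed.append(p)
        running = {p.name for p in snapshot}
        for name in sorted(CRITICAL - running):  # step e): "lost" critical processes
            self.lost.append(name)
        return allowed


def demo():
    """Baseline and later snapshot are constructed; returns (guard, allowed process names)."""
    baseline = [
        Proc(1, "init", "/sbin/init", 0, 0),
        Proc(2, "kswapd", "", 0, 1),
        Proc(3, "bdflush", "", 0, 1),
        Proc(50, "sshd", "/usr/sbin/sshd", 10, 1),
    ]
    guard = ProcessGuard(baseline)
    later = [
        Proc(1, "init", "/sbin/init", 0, 0),
        Proc(2, "kswapd", "", 0, 1),                       # bdflush is missing
        Proc(50, "sshd", "/usr/sbin/sshd", 10, 1),
        Proc(77, FORENSIC_PROC, "/opt/forensic/forensicd", 20, 1),
        Proc(90, "updater", "/tmp/updater", 30, 50),       # unknown, cleared by ordinary user
        Proc(91, "scanner", "/tmp/scanner", 31, 50),       # unknown, killed by forensic user
    ]
    decisions = {"updater": ("ordinary", "pass"), "scanner": ("forensic", "kill")}
    allowed = guard.check_snapshot(later, lambda p: decisions[p.name])
    return guard, [p.name for p in allowed]


if __name__ == "__main__":
    g, names = demo()
    print("running:", names, "hidden:", g.hidden, "lost:", g.lost, "audit:", g.audit_log)
```

Keying the whitelist on name and image rather than PID is the one design choice the page leaves open; matching on PID alone would let any later process that happens to reuse a whitelisted PID pass unexamined.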
(2) Protection of evidence data comprises the following three points:
A. Integrity of evidence: guarantee the authenticity of the evidence, so that when it is presented it can be proved that the evidence has really not been tampered with;
B. Confidentiality of evidence: guarantee that the content of the evidence cannot be obtained by unauthorised users;
C. Identifiability of evidence: the collector, processor and creator of the evidence can be identified.
Encryption is an effective means of protecting evidence data. Because evidence records need to form an evidence chain of custody, it is preferable to use a cryptographic algorithm to encrypt the evidence data one record at a time; the algorithm adopted in this embodiment is MD5. MD5, "Message-Digest Algorithm 5", is a one-way hash function algorithm developed from MD2, MD3 and MD4. MD5 is an irreversible cryptographic algorithm that is very widely used; its main applications include digital signatures, information encryption in databases and encryption of communications.
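One concrete form of the record-by-record chain described above, as an added example that is not the patent's code: each stored record carries the hash of the previous stored record, so the whole sequence verifies end to end and an edit, deletion or reordering breaks the chain from the first affected record onward. The digest algorithm is a parameter so that the page's MD5 and a current choice such as SHA-256 can both be tried; note that MD5 is a hash, not encryption, and that its collision weakness means a chain built on it shows that records were not altered after the fact only against an attacker who cannot pre-compute colliding records. Record contents are constructed.

```python
"""Hash-chained evidence log with end-to-end chain-of-custody verification.

Added example, not the patent's code. Records are constructed; the digest
algorithm defaults to SHA-256 and can be set to "md5" to match the page.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64   # link value of the first record


def _digest(algo, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()


def append_record(chain, fields, algo="sha256"):
    """Store one evidence vector, linked to the previous record's hash; returns the new hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(fields, sort_keys=True)     # canonical form so re-hashing is stable
    entry = {"prev": prev, "body": body}
    entry["hash"] = _digest(algo, (prev + body).encode())
    chain.append(entry)
    return entry["hash"]


def verify_chain(chain, algo="sha256"):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:                       # deletion or reordering
            return False, i
        if _digest(algo, (entry["prev"] + entry["body"]).encode()) != entry["hash"]:
            return False, i                             # content edited in place
        prev = entry["hash"]
    return True, None


def demo(algo="sha256"):
    """Build a three-record chain and verify intact, edited, deleted and swapped copies."""
    records = [   # constructed evidence vectors from the real-time module
        {"pid": 4242, "syscall": "open", "target": "/etc/passwd", "success": True},
        {"pid": 4242, "syscall": "write", "target": "/var/log/auth.log", "success": True},
        {"pid": 4242, "syscall": "unlink", "target": "/var/log/auth.log", "success": True},
    ]
    chain = []
    for r in records:
        append_record(chain, r, algo)

    edited = copy.deepcopy(chain)
    edited[1]["body"] = edited[1]["body"].replace('"write"', '"read"')
    deleted = chain[:1] + chain[2:]
    swapped = [chain[0], chain[2], chain[1]]

    return {
        "intact": verify_chain(chain, algo),
        "edited": verify_chain(edited, algo),
        "deleted": verify_chain(deleted, algo),
        "swapped": verify_chain(swapped, algo),
    }


if __name__ == "__main__":
    for algo in ("sha256", "md5"):
        print(algo, demo(algo))
```

The chain pins the order and content of records relative to each other; it does not by itself prove who wrote them, which is why the page pairs it with the authenticated transfer to the evidence library.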
The present invention has been described in detail above through preferred embodiments; those skilled in the art will understand that various changes and modifications can be made to the embodiments without departing from the essence of the invention. For example, in the strategy generation process, the preprocessing of the training set and/or the case to be classified is not limited to Chinese word segmentation; preprocessing can be performed for various languages according to specific needs. As another example, the evidence library module may also be a database server running on the local machine.

Claims (8)

1. An electronic data forensic method for a computer, comprising:
1) a strategy generation process which, according to a new case or a forensic requirement, expresses the new case and forensic requirement in the form of the cases in the case library, as the input parameters of the strategy generation module;
a case automatic classifier finds, according to the features of the new requirement or new case, the K cases in the case library most similar to it;
according to the K case samples determined by the classifier, the corresponding case category is determined and the corresponding forensic strategy is matched in the forensic strategy rule base;
2) an on-demand customization process, which dynamically configures the forensic scope variables of the forensic system according to the forensic strategy submitted by the strategy generation process;
3) a real-time forensic process which, according to the forensic scope set by the on-demand customization process, determines the evidence data sources, records the corresponding evidence data while the system runs, and finally hands it to the evidence storage process;
4) an evidence storage process, which first verifies the validity of the forensic system and then writes the verified evidence files into the evidence database for preservation;
5) a security protection process running throughout, which filters access requests to the forensic system and its related data in the whole computer system.
2. The method of claim 1, characterized in that the case automatic classifier adopts a kNN-based classification algorithm.
3. The method of claim 1, characterized in that the dynamic configuration method is: a forensic switch variable is set for each system call, and whether that system call is recorded is determined by the current state of the switch variable; before a user process returns from a system call, the forensic module first checks the state of the switch variable; if the system call needs to be recorded, the evidence record in the process structure is written to the evidence file, otherwise the evidence record is discarded and the call returns directly.
4. The method of claim 1, characterized in that the evidence data sources are: data from processes, data from the file system, data from system calls, other critical data from the kernel, and network data from the system.
5. The method of claim 1, characterized in that step 5) adopts a kernel process protection mechanism whose operational flow is:
a) in an environment free of interference, run the secure processes in the system comprehensively, analyse and collect the relevant information on these processes, and form a system security process list as the basis for process monitoring;
b) during process scheduling, monitor and collect the information on running processes in real time; if a process is found that is not in the system security process list, stop scheduling this process and raise an alarm at once;
c) judge whether the process that raised the alarm is the forensic process; if so, run and hide this process;
d) in step b), if the forensic user has released the process, add the process to the system security process list; if an ordinary user has released a process in the course of use, record it in a log as a basis for auditing.
6. An electronic data forensic system for a computer, comprising:
a strategy generation module, comprising at least a kNN-based case automatic classifier and a forensic strategy rule base, used to determine the forensic strategy of the current case by data mining;
an on-demand customization module, used to generate the current forensic scope parameters from the current forensic strategy as input, and to dynamically update the forensic scope of the real-time forensic module;
a real-time forensic module, which runs as a background process, intercepts system call information, and monitors and records the execution of user processes in real time;
an evidence library module, responsible for the back-end storage of evidence files, which first verifies the validity of the forensic machine, then receives the evidence data from the real-time forensic module if the verification passes, and otherwise rejects the data and alerts the administrator that the forensic machine may have been compromised;
a security protection module, used to monitor the processes of each of the other modules in real time.
7. The system of claim 6, characterized in that the data collection points of the real-time forensic module are the entry and exit of system calls.
8. The system of claim 6, characterized in that the evidence library module is an independent database server connected to the forensic host or a database server running on the local machine.
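The strategy generation of claim 1 and the kNN classifier of claims 2 and 6, as an added example that is not the patent's code. A new case is expressed as a feature vector in the same form as the case library, its K nearest cases are found by Euclidean distance, the majority category among them wins (ties resolved towards the nearer neighbour), and the category is looked up in a strategy rule base that names the evidence data sources to switch on. Feature names, the library cases, the categories and the rule base are all constructed for illustration; the patent does not publish its case library or features.

```python
"""kNN case classification driving forensic strategy selection.

Added example, not the patent's code. Features, cases, categories and the
strategy rule base are constructed.
"""
from collections import Counter
import math

# Constructed 0/1 case features: suspicious network connections, system-file
# modification, new accounts, privilege-related system calls, anomalous web requests.
FEATURES = ["network_conn", "file_mod", "new_user", "priv_syscall", "web_requests"]

# Constructed case library: (feature vector, case category).
CASE_LIBRARY = [
    ([1, 0, 1, 1, 0], "intrusion"),
    ([1, 1, 0, 1, 0], "intrusion"),
    ([0, 0, 1, 1, 0], "intrusion"),
    ([1, 1, 0, 0, 0], "data_theft"),
    ([0, 1, 0, 0, 0], "data_theft"),
    ([1, 1, 0, 0, 1], "data_theft"),
    ([1, 0, 0, 0, 1], "web_attack"),
    ([0, 0, 0, 0, 1], "web_attack"),
    ([1, 0, 0, 1, 1], "web_attack"),
]

# Constructed forensic strategy rule base: category -> data sources to enable
# (the five source classes the page describes).
STRATEGY_RULES = {
    "intrusion":  {"process", "system_call", "kernel"},
    "data_theft": {"file_system", "network"},
    "web_attack": {"network", "process"},
}


def vectorize(fields):
    """Express a new case in the case library's form (claim 1, step 1)."""
    return [1 if fields.get(f) else 0 for f in FEATURES]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(case, library, k):
    """The K library cases closest to the new case, nearest first (stable on ties)."""
    return sorted(library, key=lambda item: euclid(case, item[0]))[:k]


def knn_classify(case, library=CASE_LIBRARY, k=3):
    """Majority category among the K nearest cases; ties go to the nearer neighbour."""
    neighbours = nearest(case, library, k)
    votes = Counter(cat for _, cat in neighbours)
    best = max(votes.values())
    for _, cat in neighbours:            # nearest-first order breaks ties
        if votes[cat] == best:
            return cat


def select_strategy(case, k=3):
    """Category of the new case and the forensic strategy matched for it."""
    category = knn_classify(case, k=k)
    return category, STRATEGY_RULES[category]


if __name__ == "__main__":
    new_case = vectorize({"network_conn": 1, "new_user": 1, "priv_syscall": 1})
    print(select_strategy(new_case))
```

The strategy the classifier returns is what the on-demand customization module turns into switch settings for the real-time module; an odd K keeps two-class votes from tying, and keeping the library balanced across categories stops the majority vote from defaulting to the most common one.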
CNB2006101408013A 2006-10-10 2006-10-10 Electronic data evidence obtaining method and system for computer Expired - Fee Related CN100414554C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101408013A CN100414554C (en) 2006-10-10 2006-10-10 Electronic data evidence obtaining method and system for computer

Publications (2)

Publication Number Publication Date
CN1949240A CN1949240A (en) 2007-04-18
CN100414554C true CN100414554C (en) 2008-08-27

Family

ID=38018754

Country Status (1)

Country Link
CN (1) CN100414554C (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104252471A (en) * 2013-06-27 2014-12-31 宁夏新航信息科技有限公司 Intelligent file management system
CN103729397B (en) * 2013-10-28 2017-03-08 公安部第三研究所 Based on the method that time locus realizes electronic evidence data analysis
CN104809156B (en) * 2015-03-24 2019-02-01 北京锐安科技有限公司 The method and apparatus of taking of evidence information
CN105488029A (en) * 2015-11-30 2016-04-13 西安闻泰电子科技有限公司 KNN based evidence taking method for instant communication tool of intelligent mobile phone
CN107562707A (en) * 2017-08-31 2018-01-09 湖北灰科信息技术有限公司 Electronic evidence-collecting method and device
CN108229187A (en) * 2017-12-28 2018-06-29 北京奇虎科技有限公司 A kind of method and system intelligently collected evidence using movable memory equipment
CN111475465B (en) * 2020-03-19 2023-05-05 重庆邮电大学 Intelligent home evidence obtaining method based on body
CN115544320A (en) * 2022-11-25 2022-12-30 北京数字众智科技有限公司 Information storage device and method suitable for electronic evidence obtaining information storage

Citations (3)

Publication number Priority date Publication date Assignee Title
CN1645382A (en) * 2004-06-22 2005-07-27 上海金诺网络安全技术发展股份有限公司 Computer long-distance electronic evidence obtaining method and system
CN1645381A (en) * 2004-06-22 2005-07-27 上海金诺网络安全技术发展股份有限公司 Method for arranging verification inserter structure of remote computer
US20060069540A1 (en) * 2004-09-28 2006-03-30 Krutz Ronald L Methodology for assessing the maturity and capability of an organization's computer forensics processes

Non-Patent Citations (12)

Title
Investigative Profiling with Computer Forensics Log Data and Association Rules. T. Abraham, O. de Vel. Computer Society IEEE International Conference on Data Mining 2002. 2002 *
Research on dynamic forensics technology based on data mining. 钟秀玉. 微机发展, Vol. 15, No. 12. 2005 *
Computer dynamic forensics *** based on data mining. 刘东辉, 王树明, 张庆生. 微计算机信息, Vol. 21, No. 11-3. 2005 *
Research on a multi-dimensional computer forensics model. 丁丽萍, 王永吉. 计算机安全, No. 11. 2005 *
Research on data analysis technology for computer dynamic forensics. 钟秀玉, 凌捷. 计算机应用与软件, Vol. 21, No. 9. 2004 *
On the principles and steps of computer forensics. 丁丽萍. 中国人民公安大学学报(自然科学版), Vol. 11, No. 1. 2005 *

Also Published As

Publication number Publication date
CN1949240A (en) 2007-04-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080827

Termination date: 20191010