Intelligent Analysis Research for Techniques of Network Intrusion Forensics

Abstract

Network forensic analysis is a frontier topic in machine learning, computer security and digital forensics. Research on network forensics, both in China and abroad, has only just begun. This thesis studies in depth the problems of large data volumes, the intelligence of the analysis methods and the contestability of the analysis process in intelligent network forensic analysis. The main results are as follows. A forensic analysis algorithm based on fuzzy proportional-integral-differential rules is proposed. It exploits the similarity between fuzzy techniques and human reasoning to analyse evidence, which improves the interpretability of the results; the extracted network event features are classified by their nature and a fuzzy proportional-integral-differential rule base is built, further improving the rule-matching efficiency of the reasoning. Combining the strengths of decision trees and fuzzy techniques, an evidence analysis algorithm based on an enhanced fuzzy decision tree is designed. It partitions continuous attributes automatically at critical points, increasing the intelligence and adaptability of the algorithm; independent subtrees are built for each network service type, giving the system good parallelism and extensibility. A two-level digital evidence location analysis method is designed that can locate potential evidence when sufficient sample cases are lacking. It filters the original dataset with outlier detection, then analyses the filtered data in depth with a classifier group built from sample data and expert knowledge, further improving the accuracy of evidence analysis. A multi-level evidence analysis framework based on ensemble decision trees is proposed. The algorithm is extensible and can incorporate strong algorithms; the ensemble layer uses only the results of the base-level learning algorithms, which protects user privacy and reduces the network transmission load.

Network forensics is becoming a challenging research topic. Currently the research of network forensics is just beginning, and many problems still need to be resolved by security researchers. The thesis focuses on the problems in intelligent network forensics analysis and deeply researches the following topics: the processing of huge volumes of data; the high efficiency of the analyzing method; the interpretable capability of the analyzing method. The main research contributions are:

1. Proposes a network forensic analysis method based on fuzzy proportional-integral-differential rules that employs the similarity between fuzzy logic and the thinking mode of human beings to perform forensic analysis and improves the comprehensibility of the system output. It classifies the network event features by their character and builds the fuzzy proportional-integral-differential rule banks to further improve the rule matching efficiency.

2. Designs a forensic analysis method based on an improved fuzzy decision tree which combines the strengths of fuzzy logic, whose reasoning processes are easy to understand, with the structural nature of decision trees. It constructs separate subtrees based on the network service type, which makes it parallel and extensible. Besides this, during the construction of the decision tree we design an automatic partition algorithm for continuous attributes, so the degree of automation and the efficiency of the algorithm are further improved.

3. Designs a fast evidence location analysis method with a two-level analysis structure. First the algorithm uses the outlier detection technique to filter the dataset, then it employs a classifier group constructed from a sample dataset and an expert knowledge bank to analyze the filtered dataset in depth. It provides fast guidance for forensic investigators under the condition of limited training samples.

4. Proposes an ensemble algorithm in order to employ the advantages of various intelligent algorithms in dealing with different events. The algorithm can integrate most of the popular data mining and machine learning algorithms and is extensible; it calculates a final classifier based on the outputs of the base algorithms, so the system need not transfer the raw data to the ensemble algorithm, which decreases the transmission load and maintains the privacy of network users.
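The two-level evidence location method of contribution 3 (outlier filtering, then a classifier group built from sample data and expert knowledge) as an added, self-contained illustration; this is not the thesis's code, and the flow records, labelled samples, rules, feature set and thresholds are all constructed for the example.

```python
import math
from statistics import median

# Constructed per-host connection summaries (id, dst_port, bytes, conn_rate, failed_logins).
KEYS = ("id", "dst_port", "bytes", "conn_rate", "failed_logins")
FLOWS = [dict(zip(KEYS, t)) for t in [
    (1, 443, 5200, 3, 0), (2, 443, 4800, 2, 0), (3, 80, 6100, 4, 0), (4, 22, 900, 1, 1),
    (5, 22, 1500, 60, 45), (6, 443, 5000, 3, 0), (7, 80, 250000, 2, 0), (8, 25, 4000, 2, 0)]]
FEATURES = ("bytes", "conn_rate", "failed_logins")

def robust_scores(records, field):
    """Modified z-scores (median/MAD); MAD collapses to 0 on mostly-zero features,
    so fall back to 1.2533 * mean absolute deviation (Iglewicz-Hoaglin) in that case."""
    vals = [r[field] for r in records]
    med = median(vals)
    mad = median(abs(v - med) for v in vals)
    scale = mad / 0.6745 if mad else 1.253314 * sum(abs(v - med) for v in vals) / len(vals)
    return [(v - med) / (scale or 1.0) for v in vals]

def stage1_outliers(records, threshold=3.5):
    """Stage 1: keep only records that are outliers on at least one feature."""
    flagged = set()
    for f in FEATURES:
        for r, z in zip(records, robust_scores(records, f)):
            if abs(z) > threshold:
                flagged.add(r["id"])
    return [r for r in records if r["id"] in flagged]

# Stage 2a: expert-knowledge rules; each returns a label or None (abstain).
def rule_bruteforce(r): return "brute_force" if r["dst_port"] == 22 and r["failed_logins"] >= 10 else None
def rule_bulk(r): return "bulk_transfer" if r["bytes"] >= 100_000 else None

# Stage 2b: 1-NN classifier fitted on a constructed labelled sample, log-scaled features.
SAMPLES = [("benign", dict(bytes=5000, conn_rate=3, failed_logins=0)),
           ("benign", dict(bytes=1000, conn_rate=1, failed_logins=1)),
           ("brute_force", dict(bytes=2000, conn_rate=50, failed_logins=40)),
           ("bulk_transfer", dict(bytes=300000, conn_rate=1, failed_logins=0))]
def _vec(r): return [math.log10(r[f] + 1) for f in FEATURES]
def nearest_sample(r): return min(SAMPLES, key=lambda s: math.dist(_vec(s[1]), _vec(r)))[0]

CLASSIFIERS = (rule_bruteforce, rule_bulk, nearest_sample)

def stage2_vote(record):
    """Majority vote of the classifier group; abstentions and ties go to an analyst."""
    votes = [v for v in (c(record) for c in CLASSIFIERS) if v]
    if not votes:
        return "needs_review"
    top = max(set(votes), key=votes.count)
    return top if votes.count(top) * 2 > len(votes) else "needs_review"

def locate_evidence(records):
    """Two-level pipeline: only stage-1 survivors reach the classifier group."""
    return {r["id"]: stage2_vote(r) for r in stage1_outliers(records)}
```

Running `locate_evidence(FLOWS)` flags only hosts 5 and 7 for deeper analysis; the six ordinary records never reach the classifier group.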
