Analysis of Cyber Attack Traceback Techniques from the Perspective of Network Forensics

Journal article. Cited by: 21
Abstract: Locating the source of a cyber attack and then collecting digital evidence is one of the tasks of network forensics. Cyber attack traceback techniques are used to locate the source of a cyber attack. However, current research on cyber attack traceback is conducted mainly from a defensive perspective, aiming to block the attack as soon as possible by locating its source, and rarely considers the requirements of digital evidence acquisition. As a result, the large amount of valuable data generated during cyber attack traceback cannot be admitted as digital evidence in prosecutions, and its value in network forensics cannot be fully exploited. Therefore, a set of forensics capability metrics is proposed to assess the forensics capability of cyber attack traceback techniques. The latest cyber attack traceback techniques, including traceback based on software-defined networking, are summarized and analyzed; their forensics capability is assessed against the proposed metrics, and suggestions for improvement are given where they fall short. Finally, a forensics process model specific to the cyber attack traceback scenario is proposed. This work provides a reference for research on cyber attack traceback techniques oriented toward network forensics.
Authors: LIU Xue-Hua (刘雪花); DING Li-Ping (丁丽萍); ZHENG Tao (郑涛); WU Jing-Zheng (吴敬征); LI Yan-Feng (李彦峰). Affiliations: Laboratory of Parallel Software and Computational Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049, China; Digital Forensics Laboratory, Institute of Software Application Technology, Guangzhou & Chinese Academy of Sciences (GZIS), Guangzhou 511458, China; Guangdong Chinese Academy of Sciences & Realdata Science and Technology Co. Ltd., Guangzhou 511458, China; China Unicom VSENS Communications Co. Ltd., Beijing 100005, China; Intelligent Software Research Center, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China.
Source: Journal of Software (《软件学报》), 2021, No. 1, pp. 194-217 (24 pages). Indexed in EI, CSCD and the Peking University Core Journals list.
Funding: 2019 Nansha District Artificial Intelligence Application Demonstration Project (2019SF01); Guangzhou Science and Technology Plan (201802020015); National Natural Science Foundation of China (61772507); Yangcheng Innovation and Entrepreneurship Leading Talent Support Program (Leading Talent 2016008).
Keywords: cyber attack traceback; network forensics; admissibility of digital evidence; probative force of digital evidence; forensics process model; IP traceback