Funding: the National High Technology Research and Development Program (863) of China (No. 2007AA01Z456) and the National Natural Science Foundation of China (No. 60703030)
Abstract: In this paper, we study the problem of employing ensemble learning for computer forensics. We propose a Lazy Local Learning based bagging (L3B) approach, in which base learners are trained from a small subset of instances surrounding each test instance. More specifically, given a test instance x, L3B first finds x's k nearest neighbours, and then applies progressive sampling to the selected neighbours to train a set of base classifiers using a given very weak (VW) learner. At the last stage, x is labelled with the class most frequently voted for by all base classifiers. Finally, we apply the proposed L3B to computer forensics.
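As an added worked example (not code from the paper), the L3B prediction procedure described in the abstract above in plain Python: find the k nearest neighbours of a test instance, draw progressively larger samples from them, train one very weak base classifier per sample, and return the majority vote. The choice of VW learner (a one-feature decision stump), the progressive-sampling schedule (subset sizes doubling from 2 up to k), the fixed random seed and the toy two-cluster training set are all assumptions, since the abstract does not specify them.

```python
import math
import random
from collections import Counter

# Constructed toy training set (not from the paper): two well-separated 2-D clusters.
TRAIN = [
    ((0.0, 0.0), 0), ((0.5, 0.2), 0), ((0.2, 0.6), 0), ((0.9, 0.4), 0), ((0.3, 0.3), 0),
    ((3.0, 3.0), 1), ((3.5, 2.8), 1), ((2.7, 3.4), 1), ((3.2, 3.6), 1), ((2.9, 2.9), 1),
]


def euclid(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def majority(labels):
    # Ties resolve to the label seen first (Counter preserves insertion order).
    return Counter(labels).most_common(1)[0][0]


def k_nearest(train, x, k):
    """Step 1 of L3B: the k training instances closest to the test instance x."""
    return sorted(train, key=lambda row: euclid(row[0], x))[:k]


def train_stump(samples):
    """Assumed very weak (VW) learner: a one-feature decision stump.
    Returns (feature, threshold, label_if_at_or_below, label_if_above)."""
    overall = majority([y for _, y in samples])
    best, best_err = (0, samples[0][0][0], overall, overall), len(samples) + 1
    for f in range(len(samples[0][0])):
        vals = sorted({v[f] for v, _ in samples})
        thresholds = [(vals[i] + vals[i + 1]) / 2 for i in range(len(vals) - 1)] or [vals[0]]
        for t in thresholds:
            left = [y for v, y in samples if v[f] <= t]
            right = [y for v, y in samples if v[f] > t]
            ll = majority(left) if left else overall
            rl = majority(right) if right else overall
            err = sum(1 for v, y in samples if (ll if v[f] <= t else rl) != y)
            if err < best_err:
                best, best_err = (f, t, ll, rl), err
    return best


def predict_stump(stump, x):
    f, t, ll, rl = stump
    return ll if x[f] <= t else rl


def progressive_sizes(k):
    """Assumed progressive-sampling schedule: 2, 4, 8, ... (doubling), capped at k."""
    sizes, n = [], 2
    while n < k:
        sizes.append(n)
        n *= 2
    sizes.append(k)
    return sizes


def l3b_predict(train, x, k, learn=train_stump, predict=predict_stump, seed=0):
    """Lazy local bagging: one VW base classifier per progressive sample of
    x's k nearest neighbours; the most frequently voted class wins."""
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    k = min(k, len(train))
    neighbours = k_nearest(train, x, k)
    votes = [predict(learn(rng.sample(neighbours, n)), x) for n in progressive_sizes(k)]
    return majority(votes)


if __name__ == "__main__":
    for point in [(0.4, 0.4), (3.1, 3.1), (1.5, 1.5)]:
        print(point, "->", l3b_predict(TRAIN, point, k=5))
```

Because the neighbourhood is recomputed for every test instance, nothing is trained up front: the cost moves to query time, which is the "lazy" part of the approach, and k bounds both the work per query and how local the base classifiers are.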
Funding: This work is supported by the National Natural Science Foundation of China (61070163) and the Shandong Natural Science Foundation (Y2008G35).
Abstract: A method to extract network connection status information from physical memory on the Windows Vista operating system is proposed. Using this method, a forensic examiner can accurately extract the information of current TCP/IP network connections, including the IDs of the processes that established the connections, the establishment time, local address, local port, remote address, remote port, etc., from a physical memory image of the Windows Vista operating system. This method is reliable and efficient. It is verified on Windows Vista, Windows Vista SP1 and Windows Vista SP2.