Static forensics is limited in timeliness, while dynamic forensics can obtain more authentic, real-time evidence. Evidence identification is pivotal to dynamic forensics. In essence, evidence identification classifies network data flows in order to judge whether the observed behaviour is legal or illegal. A Bloom filter represents a data set as a bit string and efficiently supports hash-based membership queries, so it is widely used in packet classification algorithms. In this paper we first analyse the standard Bloom filter and improve on its defects. On this basis, we design a Bloom-filter-based distributed dynamic computer forensics system and employ secure and effective means to transmit evidence. Experiments show that the system can dynamically detect network intrusion behaviour with a high detection accuracy rate and a low false positive rate.
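The membership test the abstract relies on, as an added example that is not the paper's own code: a standard Bloom filter over flow 5-tuples, using the bit-string representation, k hash positions derived from one SHA-256 digest (double hashing, an assumption of this example), and the classic false-positive estimate that is the filter's known defect. The flow key format and the sample flows are constructed.

```python
import hashlib
import math


class BloomFilter:
    """Standard Bloom filter: an m-bit string plus k hash positions per item."""

    def __init__(self, m: int, k: int):
        self.m = m
        self.k = k
        self.bits = bytearray((m + 7) // 8)  # m bits, zero-initialised

    def _positions(self, item: str):
        # Derive k positions from a single SHA-256 digest (double hashing,
        # assumed here; the paper does not specify its hash functions).
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step avoids a zero stride
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: str) -> bool:
        # All k bits set -> "possibly a member"; any bit clear -> definitely not.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def flow_key(src: str, sport: int, dst: str, dport: int, proto: str) -> str:
    """Constructed canonical key for a flow 5-tuple."""
    return f"{proto}:{src}:{sport}->{dst}:{dport}"


def expected_fpr(m: int, k: int, n: int) -> float:
    """Classic estimate (1 - e^{-kn/m})^k of the false-positive probability."""
    return (1 - math.exp(-k * n / m)) ** k


def classify(bf: BloomFilter, flows):
    """Return the flows whose key matches the filter (flagged for evidence capture)."""
    return [f for f in flows if bf.might_contain(flow_key(*f))]


# Constructed set of flows previously judged illegal by the analysis stage.
ILLEGAL_FLOWS = [
    ("10.0.0.5", 51234, "10.0.0.9", 445, "tcp"),
    ("10.0.0.7", 40001, "10.0.0.9", 3389, "tcp"),
    ("10.0.0.8", 5353, "10.0.0.9", 53, "udp"),
]
```

A clear bit proves non-membership, so the filter never misses a recorded flow; the price is the false-positive rate, which grows with the number of inserted items for a fixed bit-string length.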