Simulation Study of Dynamic Real-Time Forensics for Non-Self Intrusions in Large-Scale Networks (大规模网络非自体入侵动态实时取证仿真研究)

Published in: Computer Simulation (《计算机仿真》), a Chinese journal

Abstract

To achieve dynamic forensics for large-scale network intrusions and analyse non-self intrusion attempts in time, traditional dynamic intrusion forensics methods use Burp Suite packet analysis and treat the different behaviours observed during a non-self intrusion attack as evidence. Because the selected intrusion-evidence features contain too many redundant items and the differences between attribute categories of intrusion behaviour data are not considered, these methods cannot meet the real-time processing requirements of dynamic intrusion forensics, and the clarity and completeness of the evidence chain suffer. This paper proposes a dynamic real-time forensics method for non-self intrusions in large-scale networks based on fuzzy C-means clustering. An intrusion evidence acquisition module divides the intrusion information records by security level, and fuzzy C-means clustering classifies the non-self intrusion evidence. The classification result is sharpened using the security-state feature values of the intrusion records, and the within-class weighted error of the intrusion-feature objective function is minimised by determining the optimal weight exponent. Taking the intrusion feature sequence as a random observation sequence and the intrusion steps as a random state sequence, the most probable sequence of intrusion steps is obtained by decoding the feature sequence, and the intrusion evidence chain is traced back from it. Simulation results show that the intrusion evidence feature subset obtained by the proposed method shortens intrusion forensics processing time to some extent, reduces unnecessary intrusion evidence, and preserves the completeness and clarity of the intrusion evidence chain.
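The pipeline the abstract describes (fuzzy C-means classification of evidence records, sharpening of the memberships into one label per record, then decoding the surviving feature sequence into the most probable intrusion steps and reading the evidence chain off that path), carried through end to end as an added example. This is not the paper's code. It assumes that the weight exponent is the FCM fuzzifier m, that sharpening is argmax over memberships, that the decoder is the standard Viterbi algorithm (the abstract describes the observation/state setup but does not name the decoder), and that the records, feature symbols, step names and all transition and emission probabilities are constructed for illustration.

```python
"""Added example (not the paper's code): fuzzy C-means separates intrusion
evidence records from benign noise, memberships are hardened to one label per
record, and the surviving feature sequence is decoded into the most probable
intrusion steps with Viterbi. Everything below is constructed for illustration."""
import math
import random

# Constructed evidence records: (time, feature symbol, (events/min, distinct ports)).
RECORDS = [
    (1, "port_scan", (60.0, 40.0)), (2, "normal_http", (2.0, 1.0)),
    (3, "port_scan", (55.0, 45.0)), (4, "normal_http", (3.0, 1.0)),
    (5, "auth_fail", (70.0, 30.0)), (6, "normal_http", (2.0, 2.0)),
    (7, "new_service", (65.0, 20.0)), (8, "normal_http", (4.0, 1.0)),
    (9, "large_outbound", (80.0, 35.0)), (10, "normal_http", (3.0, 3.0)),
]

def fuzzy_c_means(points, c, m=2.0, iters=100, tol=1e-6, seed=0):
    """Bezdek FCM; m is the weight exponent. Returns (centers, U, J): U[i][j]
    is the membership of point i in cluster j, J the weighted within-class error."""
    rng = random.Random(seed)
    n, dim = len(points), len(points[0])
    U = []
    for _ in range(n):                       # random memberships, rows sum to 1
        row = [rng.random() for _ in range(c)]
        U.append([u / sum(row) for u in row])
    prev_J = None
    for _ in range(iters):
        centers = []
        for j in range(c):                   # weighted mean of points per cluster
            w = [U[i][j] ** m for i in range(n)]
            centers.append([sum(w[i] * points[i][d] for i in range(n)) / sum(w)
                            for d in range(dim)])
        d2 = [[sum((p[d] - v[d]) ** 2 for d in range(dim)) for v in centers]
              for p in points]
        J = sum(U[i][j] ** m * d2[i][j] for i in range(n) for j in range(c))
        for i in range(n):                   # membership update
            zero = [j for j in range(c) if d2[i][j] == 0.0]
            if zero:                         # point sits exactly on a centre
                U[i] = [1.0 / len(zero) if j in zero else 0.0 for j in range(c)]
                continue
            U[i] = [1.0 / sum((d2[i][j] / d2[i][k]) ** (1.0 / (m - 1)) for k in range(c))
                    for j in range(c)]
        if prev_J is not None and abs(prev_J - J) < tol:
            break
        prev_J = J
    return centers, U, J

def harden(U):
    """Sharpen fuzzy memberships into one label per record (largest membership)."""
    return [max(range(len(row)), key=row.__getitem__) for row in U]

def attack_evidence(records=RECORDS, c=2, m=2.0):
    """Cluster the records, keep the cluster whose centre has the higher event
    rate, and return its feature symbols in time order (the observation sequence)."""
    centers, U, _ = fuzzy_c_means([r[2] for r in records], c, m)
    labels = harden(U)
    attack = max(range(c), key=lambda j: centers[j][0])
    kept = sorted((r for r, l in zip(records, labels) if l == attack), key=lambda r: r[0])
    return [r[1] for r in kept]

# Constructed step model: intrusion steps are hidden states, feature symbols are emissions.
STATES = ["recon", "exploit", "persist", "exfil"]
START = {"recon": 0.7, "exploit": 0.2, "persist": 0.05, "exfil": 0.05}
TRANS = {
    "recon":   {"recon": 0.5,  "exploit": 0.4,  "persist": 0.05, "exfil": 0.05},
    "exploit": {"recon": 0.1,  "exploit": 0.3,  "persist": 0.5,  "exfil": 0.1},
    "persist": {"recon": 0.05, "exploit": 0.1,  "persist": 0.35, "exfil": 0.5},
    "exfil":   {"recon": 0.05, "exploit": 0.05, "persist": 0.1,  "exfil": 0.8},
}
EMIT = {
    "recon":   {"port_scan": 0.7,  "auth_fail": 0.2,  "new_service": 0.05, "large_outbound": 0.05},
    "exploit": {"port_scan": 0.1,  "auth_fail": 0.7,  "new_service": 0.15, "large_outbound": 0.05},
    "persist": {"port_scan": 0.05, "auth_fail": 0.15, "new_service": 0.7,  "large_outbound": 0.1},
    "exfil":   {"port_scan": 0.05, "auth_fail": 0.05, "new_service": 0.1,  "large_outbound": 0.8},
}

def viterbi(obs, states=STATES, start=START, trans=TRANS, emit=EMIT):
    """Most probable hidden step sequence for the observed feature sequence
    (log domain; an unseen symbol gets a small floor instead of raising)."""
    lg = math.log
    score = [{s: lg(start[s]) + lg(emit[s].get(obs[0], 1e-9)) for s in states}]
    back = []
    for o in obs[1:]:
        cur, bp = {}, {}
        for s in states:
            prev = max(states, key=lambda p: score[-1][p] + lg(trans[p][s]))
            cur[s] = score[-1][prev] + lg(trans[prev][s]) + lg(emit[s].get(o, 1e-9))
            bp[s] = prev
        score.append(cur)
        back.append(bp)
    path = [max(states, key=lambda s: score[-1][s])]
    for bp in reversed(back):                # trace the chain back to the first step
        path.append(bp[path[-1]])
    return path[::-1]

def trace_evidence_chain(records=RECORDS):
    """Full pipeline: filtered evidence symbols paired with their decoded intrusion step."""
    obs = attack_evidence(records)
    return list(zip(obs, viterbi(obs)))
```

Calling trace_evidence_chain() on the constructed records drops the five normal_http records as unnecessary evidence and pairs the remaining symbols with the decoded steps recon, recon, exploit, persist, exfil, which is the evidence chain read back from the most probable state path. The within-class weighted error J returned by fuzzy_c_means is the quantity one would sweep the weight exponent m over to pick the optimal value the abstract refers to.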
