Filtering Intrusion Forensic Data Based on Attack Signatures

Computer forensics is a new field on computer evidences process. This field is very important and practical, so it has drawn more and more attention in recent years. Intrusion forensics is a specific area of computer forensics, and has been applied to computer intrusion activities. It is a hot area because a large proportion of the computer crimes are intrusion activities. When investigating intrusion activities, one key step is obtaining intrusion evidences. In order to get this kind of evidences automatically, an attack-signature-based method for filtering intrusion forensic data is proposed. It mainly includes the following steps: Firstly, the detail behaviors of the attack being investigated are reconstructed based on its attack signatures; Then the attack features which are required by the filter are extracted from these details; Finally, according to the similarity between attack features and candidate data, all evidences related to the attack being investigated can be gotobtained. The experiment results on DARPA 2000 have proved that our method has high accuracy and its completeness is almost 100%. Compared with current methods, our method shows more advantages. For example it needs little manual work and can process more complex intrusion scenarios. Moreover, it has higher performance and can find more types of evidences.