Title :
A model of online attack detection for computer forensics
Author_Institution :
Sch. of Comput. Sci., Jiaying Univ., Meizhou, China
Abstract :
With network attacks occurring frequently, it is practically impossible for network security products to guard against the intrusion methods. A model of online attack detection for computer forensics is proposed to collect crime evidence of an attack. In this model, an association rules mining algorithm is used to mine the association rules of attack events and build the attack signature database. After network data packages are captured and pattern matching is performed according to the protocol analysis result of the primary data, the attack behavior is detected, and the signature database is continually updated with new attack behavior signatures. SSL encryption authentication is used in data package transmission, which prevents information leakage and falsification, so the data remain original. Serious attack behaviors are detected and saved in the evidence database, which can be used as primitive evidence for computer forensics. Simulation results show that the association rules mining algorithm improves the efficiency of network attack behavior recognition. After a new attack behavior is discovered, the safety system reconstructs the attack behavior in full. The model can be used for the next forensic step.
Keywords :
computer crime; computer forensics; computer network security; cryptographic protocols; data mining; message authentication; SSL encryption authentication; association rules mining; attack behavior; attack signature database; computer forensics; crime evidence; data package transmission; information falsifying; information leakage; intrusion methods; network attacks; network data package; network security products; online attack detection; pattern matching; protocol analysis; safety system; Analytical models; Computational modeling; Linux; Servers; Network attacks; association rule mining; attack detection; computer forensics; pattern match;
Conference_Title :
Computer Application and System Modeling (ICCASM), 2010 International Conference on
Conference_Location :
Taiyuan
Print_ISBN :
978-1-4244-7235-2
Electronic_ISBN :
978-1-4244-7237-6
DOI :
10.1109/ICCASM.2010.5620646