CN1246995C

CN1246995C - Network monitoring and dynamic evidence obtaining system and method

Info

Publication number: CN1246995C
Application number: CN 200410022157
Authority: CN
Inventors: 李涛
Original assignee: Sichuan University
Current assignee: Chengdu Century Summit Technology Co Ltd
Priority date: 2004-03-29
Filing date: 2004-03-29
Publication date: 2006-03-22
Anticipated expiration: 2024-03-29
Also published as: CN1567852A

Abstract

The invention provides a method for network monitoring and dynamic evidence collection, which belongs to the field of information security. It is characterized by real-time monitoring of large-scale network activities, timely extraction of attack scene evidence, and proper and safe processing and storage of evidence to ensure the reliability, security, and integrity of evidence. The invention can cope with the change of hacker attack technology, meet the needs of judicial organs for evidence collection, and can meet the needs of some companies, enterprises, individuals, etc. for evidence collection, and has broad application prospects.

Description

A method of network monitoring and dynamic evidence collection

技术领域technical field

本发明涉及信息安全技术领域。具体涉及信息安全技术中的网络监控、入侵检测、计算机取证技术、数字签名技术、虚拟专用网络(VPN)技术以及安全日志技术。The invention relates to the technical field of information security. It specifically involves network monitoring, intrusion detection, computer evidence collection technology, digital signature technology, virtual private network (VPN) technology and security log technology in information security technology.

背景技术Background technique

传统的计算机取证手段是一种静态方法，在事件发生后对数据进行提取、分析、抽取有效证据，这种方法费时且对取证人员有很高要求，并且不能对付高明的黑客攻击，这些黑客在完成攻击后会全面彻底销毁证据或者窜改证据，事后即便使用最好的数据分析工具也无能为力，因此，缺乏对证据的及时处理和有效保护。The traditional method of computer forensics is a static method, which extracts, analyzes and extracts effective evidence after the incident. This method is time-consuming and has high requirements for forensic personnel, and cannot deal with sophisticated hacker attacks. After the attack is completed, the evidence will be completely and completely destroyed or tampered with. Even the best data analysis tools will be powerless afterwards. Therefore, there is a lack of timely processing and effective protection of evidence.

另外，中国专利公开号为CN1310526的申请案，该发明原理为：利用现有网络安防产品收集网络安全相关信息，并生成标准格式信息，通过专用通道向网络监控中心传输采集的信息，监控中心向下传给客户端反控指令。不足之处在于：该方法不能对大规模的网络活动实施有效的实时监控，严重依赖市场上现有安全产品和防火墙、IDS系统的能力，且搜集到的信息由于缺乏不可抵赖性等严格的安全措施，因此导致其不具备权威性，因而无法作为呈堂证据。In addition, the application of Chinese Patent Publication No. CN1310526, the principle of the invention is: use the existing network security products to collect information related to network security, and generate information in a standard format, transmit the collected information to the network monitoring center through a dedicated channel, and the monitoring center sends Download the anti-control command to the client. The disadvantage is that this method cannot implement effective real-time monitoring of large-scale network activities, and relies heavily on the capabilities of existing security products, firewalls, and IDS systems on the market, and the collected information lacks strict security requirements such as non-repudiation. Measures, therefore, they are not authoritative and cannot be used as evidence in court.

发明内容Contents of the invention

本发明提供一种网络监控与动态取证方法，可以对整个内部网络中每台主机进行实时监控，收集监控时产生的信息，记录外来非法入侵，并实时提取攻击证据，同时将收集到的证据进行安全处理，妥善存放。The present invention provides a method for network monitoring and dynamic evidence collection, which can monitor each host in the entire internal network in real time, collect information generated during monitoring, record external illegal intrusions, and extract attack evidence in real time, and at the same time collect evidence for Handle safely and store properly.

本发明利用了生物免疫学基本原理，通过模拟人体免疫细胞对病原体的识别和分类作用，从而达到对外来网络入侵的识别并进行在线实时取证的功能。The invention utilizes the basic principle of biological immunology, and by simulating the identification and classification of human immune cells on pathogens, the function of identifying external network intrusions and performing online real-time evidence collection is achieved.

本发明所述的网络监控与动态取证系统由免疫细胞、动态取证细胞以及证据服务器等组成。系统中执行实时监控功能的模块为免疫细胞，执行证据提取工作的模块为动态取证细胞。这两种细胞分布于内部网络里每一台主机，形成一个分布式网络监控与动态取证系统。系统中定义抗原为网络请求，自体为正常网络请求，非自体为异常网络活动(网络攻击)。自体和非自体构成了抗原集合，且自体与非自体中不可能存在相同的网络活动。系统中还定义了抗体，抗体存在于免疫细胞中，用于检测和匹配抗原。系统首先对网络活动信息进行抗原提呈(特征提取)，得到抗原决定基(特征)。当实施免疫执行过程(抗体对抗原进行匹配)时，一旦匹配成功，则发现网络入侵，立即分泌激素刺激动态取证细胞，这些激素包括当前主机环境，攻击类型、攻击主机地址和端口号等。动态取证细胞执行证据提取功能，所取得的证据包括截获的抗原信息和攻击时的周围环境信息。之后对获得的证据进行数字签名处理，签名过程中加盖了时间戳；签名后的证据经安全VPN传输至证据服务器中，并以数字水印日志(本人申请的另一项专利：数字水印日志构造方法，申请号为03117842.1)的形式存放于证据服务器中。免疫细胞和动态取证细胞完成网络入侵的一次监控以及取证过程，取证的同时完成入侵检测功能。The network monitoring and dynamic evidence collection system of the present invention is composed of immune cells, dynamic evidence collection cells, evidence servers and the like. The module that performs real-time monitoring functions in the system is the immune cell, and the module that performs evidence extraction is the dynamic forensic cell. These two types of cells are distributed on every host in the internal network, forming a distributed network monitoring and dynamic evidence collection system. Antigens are defined in the system as network requests, self as normal network requests, and non-self as abnormal network activities (network attacks). Self and non-self constitute the antigen set, and the same network activities cannot exist in self and non-self. Also defined in the system are antibodies, which are present in immune cells to detect and match antigens. The system first performs antigen presentation (feature extraction) on network activity information to obtain epitopes (features). When implementing the immune execution process (matching antibodies to antigens), once the matching is successful, network intrusion is discovered, and hormones are immediately secreted to stimulate dynamic forensic cells. These hormones include the current host environment, attack type, attack host address and port number, etc. The dynamic forensic cell executes the function of evidence extraction, and the obtained evidence includes the intercepted antigen information and the surrounding environment information during the attack. Afterwards, the obtained evidence is digitally signed, and a time stamp is added during the signing process; the signed evidence is transmitted to the evidence server through a secure VPN, and the log is digitally watermarked (another patent I applied for: digital watermark log structure method, and the application number is 03117842.1) and stored in the evidence server. Immune cells and dynamic forensic cells complete the monitoring of network intrusion and the process of forensics, and complete the intrusion detection function while collecting evidence.

在详细说明之前，首先定义系统中使用的一些名词、符号以及一些公式：Before going into details, some nouns, symbols and some formulas used in the system are first defined:

1)定义字符串集合为 $Ω = \cup_{i = 1}^{\infty} {0,1}^{l},$ IP包的集合为Ψ，并且ΨΩ；定义集合

其中D＝{0，1}^l，l为常自然数，|a|表示字符串a的长度。1) Define the collection of strings as

Ω = \cup_{i = 1}^{\infty} {0,1}^{l},

The set of IP packets is Ψ, and ΨΩ; define the set

Wherein D={0,1} ^l , l is a constant natural number, and |a| represents the length of the string a.

2)抗原集合Ag：为二进制串集合。对任意的抗原x∈Ag，x.b为原始的IP包，x.a为对原始IP包经过类似抗原提呈细胞(antigen presenting cells，APCs)后得到的特征(抗原决定基，antigenic determinant)，有x.a＝APCs(x.b)，x.a主要由源、目的IP地址、端口号、协议类型、协议状态等网络事务特征的二进制串组成。2) Antigen set Ag: is a collection of binary strings. For any antigen x∈Ag, xb is the original IP packet, xa is the feature (antigenic determinant) obtained after the original IP packet is passed through similar antigen presenting cells (APCs), and xa= APCs (xb), xa are mainly composed of binary strings of network transaction characteristics such as source and destination IP addresses, port numbers, protocol types, and protocol states.

3)自体、非自体集合：自体集合SelfAg，非自体集合NonselfAg。并且有Self∪Nonself＝Ag，Self∩Nonself＝φ。Self为正常网络服务，Nonself为来自网络的攻击。3) Self and non-self sets: SelfAg and NonselfAg. And there is Self∪Nonself=Ag, Self∩Nonself=φ. Self is a normal network service, and Nonself is an attack from the network.

4)定义sAgAg，且|sAg|＝η*|Ag|，(0＜η＜1)。4) Define sAgAg, and |sAg|=η*|Ag|, (0<η<1).

5)定义自体的属于运算∈_APCs，如下：5) Define the belonging operation ∈ _APCs of the self as follows:

其中x∈Ag，x.a为抗原决定基。Where x∈Ag, x.a is an epitope.

6)定义免疫细胞集合B，且B＝{<d，age，count>|d∈D，age，count∈N}，其中d为抗体，它与抗原决定基具有同样的表达形式，age为抗体年龄，count为匹配数，N为自然数集合。免疫细胞包括成熟免疫细胞T_b和记忆免疫细胞M_b，即B＝M_b∪T_b，且M_b∩T_b＝φ，这两种免疫细胞参与免疫执行过程。6) Define immune cell set B, and B={<d, age, count>|d∈D, age, count∈N}, where d is an antibody, which has the same expression form as an epitope, and age is an antibody Age, count is the number of matches, and N is a set of natural numbers. Immune cells include mature immune cells T _b and memory immune cells M _b , that is, B=M _b ∪ _{T b} , and M _b ∩T _b =φ, these two types of immune cells participate in the immune execution process.

7)亲和力(affinity)计算函数f_{r_con}(x，y)：可采用r连续位(r-contiguous bits)匹配函数，计算公式见公式(2)：7) Affinity (affinity) calculation function f _{r_con} (x, y): r-contiguous bits matching function can be used, and the calculation formula is shown in formula (2):

${f f}_{r r__con con} ((x x,, y the y)) = = \{\begin{matrix} 11 & &Exists; &Exists; i i,, j j,, j j - - i i &GreaterEqual; &Greater Equal; r r,, 00 < < i i < < j j \leq \leq l l,, x x . . {d d}_{i i} = = y the y . . {a a}_{i i},, x x . . {d d}_{i i + + 11} = = y the y . . {a a}_{i i + + 11},, . . . . . .,, x x . . {d d}_{j j} = = y the y . . {a a}_{j j} \\ 00 & otherwise otherwise \end{matrix} - - - - - - ((22))$

另外，亲和力计算函数也可采用其他函数，例如海明距离、欧拉距离等计算函数。In addition, the affinity calculation function may also use other functions, such as Hamming distance, Euler distance and other calculation functions.

8)抗原与抗体的匹配：当抗原决定基与抗体的二进制串从某一位开始，有连续r位相同，则称抗原与抗体是匹配的，得到的值是1；反之，不匹配，得到的值是0。8) Matching of antigen and antibody: when the binary string of the epitope and the antibody starts from a certain position, and there are consecutive r positions that are the same, it is said that the antigen and the antibody match, and the obtained value is 1; otherwise, if they do not match, the obtained The value is 0.

9)定义未成熟免疫细胞I_b：I_b＝{<d，age>|d∈D，age∈N}，其中d，age的意义同免疫细胞中d，age的定义。9) Define immature immune cell I _b : I _b = {<d, age>|d∈D, age∈N}, where the meanings of d and age are the same as those of d and age in immune cells.

10)定义证据集合Γ{<t，x，y，s>|t∈N，x∈Ag，y∈Ω，s∈Ω}。其中t为提取证据的时刻(发生网络入侵的时刻)；x为捕获的侵入网络的IP包，x.b为原始证据(原始的IP包)，x.a相当于对原始证据进行初步分析提取(抗原提呈)的证据；y为t时刻网络环境现状，类似免疫系统中被捕获抗原周围的细胞状态，可以是当时CPU的利用率、系统进程状况、网络带宽的使用情况、内存状态等等；s为对<t，x，y>的数字签名。为了进一步说明本发明的原理及特征，以下结合附图进行详细说明。10) Define evidence set Γ{<t, x, y, s>|t∈N, x∈Ag, y∈Ω, s∈Ω}. Among them, t is the moment of evidence extraction (the moment of network intrusion); x is the captured IP packet intruding into the network, x.b is the original evidence (original IP packet), and x.a is equivalent to the preliminary analysis and extraction of the original evidence (antigen presentation ); y is the status quo of the network environment at time t, which is similar to the state of cells around the captured antigen in the immune system, which can be the utilization rate of the CPU, system process status, network bandwidth usage, memory status, etc.; Digital signature of <t, x, y>. In order to further illustrate the principles and features of the present invention, the following will be described in detail in conjunction with the accompanying drawings.

附图说明Description of drawings

图1是系统的体系架构图。Figure 1 is a system architecture diagram of the system.

图2是系统的工作流程图。Figure 2 is a flow chart of the system.

图3是记忆免疫细胞检测抗原流程图。Fig. 3 is a flowchart of antigen detection by memory immune cells.

图4是成熟免疫细胞检测抗原流程图。Fig. 4 is a flowchart of antigen detection by mature immune cells.

图5是未成熟免疫细胞自体耐受流程图。Fig. 5 is a flowchart of self-tolerance of immature immune cells.

图6是证据封装图。Figure 6 is an evidence package diagram.

图7是证据组织形式结构图。Figure 7 is a structure diagram of evidence organization form.

具体实施方式Detailed ways

图1是系统体系结构图。Figure 1 is a system architecture diagram.

图1显示了整个系统在网络中的分布：内部网络通过网关与Intemet相连，免疫细胞和动态取证细胞分布于内部网络里的每一台主机中，从而形成一个分布式网络入侵监控取证系统；证据服务器则通过 VPN与内部网相连，确保其安全性和独立性。Figure 1 shows the distribution of the entire system in the network: the internal network is connected to Internet through a gateway, and immune cells and dynamic forensic cells are distributed in each host in the internal network, thus forming a distributed network intrusion monitoring and forensics system; evidence The server is connected to the intranet through VPN to ensure its security and independence.

图2是系统的工作流程图。Figure 2 is a flow chart of the system.

免疫细胞为系统定义的执行实时监控功能的模块，动态取证细胞为执行动态取证功能的模块，证据服务器为系统的硬件设备部分，用于存放取得的证据。系统的任务是对一个输入的抗原集合(IP包)Ag，分δ代(δ为常数)，每代选出一定数量的抗原组成sAg抗原集合，通过B集合的检测把它分类为自体和非自体。整个过程分为三个阶段：第一阶段为0时刻到一个耐受期α结束的时刻，需要定义初始的自体集合Self(0)和未成熟细胞集合I_b(0)，后者经前者耐受后成为成熟细胞。第二阶段从α+1时刻到记忆细胞产生的时刻，为自学习阶段，成熟细胞通过克隆选择产生能识别大量不同非自体抗原的记忆细胞，而通过检测被分类为自体的抗原最后送给末成熟细胞进行耐受。第二阶段从记忆细胞产生剑系统终止，免疫系统各部件产生完毕，进行实际环境中的检测：首先由记忆细胞检测，然后成熟细胞对剩下的抗原进行检测，最后未成熟细胞以剩余抗原为白体进行耐受训练。在第二、三阶段中，当其免疫细胞识别非自体抗原时，亦即发现一个网络入侵时，立刻提取证据τ，同时将τ利用安全的传输方式(VPN)，送达证据服务器，完成证据的存档工作。The immune cell is a module defined by the system to perform real-time monitoring functions, the dynamic forensics cell is a module for performing dynamic forensics functions, and the evidence server is a hardware device part of the system for storing obtained evidence. The task of the system is to divide an input antigen set (IP packet) Ag into δ generations (δ is a constant), select a certain number of antigens in each generation to form the sAg antigen set, and classify it into autologous and non-aggressive antigens through the detection of B set. self. The whole process is divided into three stages: the first stage is from time 0 to the end of a tolerance period α, and it is necessary to define the initial self set Self(0) and immature cell set I _b (0), the latter undergoes the tolerance of the former. become mature cells. The second stage is from α+1 time to the time when memory cells are produced, which is the self-learning stage. Mature cells produce memory cells that can recognize a large number of different non-self antigens through clonal selection, and the antigens that are classified as self through detection are finally sent to the end. Mature cells are tolerant. In the second stage, the generation of memory cells is terminated, and all parts of the immune system are produced, and the detection in the actual environment is carried out: first, memory cells detect, then mature cells detect the remaining antigens, and finally immature cells use the remaining antigens as White body for endurance training. In the second and third stages, when the immune cells recognize non-self antigens, that is, when a network intrusion is discovered, the evidence τ is immediately extracted, and at the same time, τ is sent to the evidence server using a secure transmission method (VPN), and the evidence is completed. archiving work.

其中，系统中自体的产生过徎是：Among them, the generation process of self in the system is:

初始自体集由系统管理员定义，也可以通过离线学习黑客攻击模式得到。以后则来自经过免疫执行过程存活的抗原。自体的动态演化用方程描述为：The initial self set is defined by the system administrator, and can also be obtained by offline learning of hacking patterns. Later comes from antigens that have survived the immune execution process. The dynamic evolution of the self is described by the equation:

$Self (t) = \{\begin{matrix} {x_{1}, x_{2}, . . ., x_{n}} & t = 0 \\ Self (t - 1) - {Self}_{variation} (t) \cup Sel f_{new} (t) & t &GreaterEqual; 1 \end{matrix}$ (3) $Self (t) = \{\begin{matrix} {x_{1}, x_{2}, . . ., x_{no}} & t = 0 \\ Self (t - 1) - {Self}_{variation} (t) \cup Sel f_{new} (t) & t &Greater Equal; 1 \end{matrix}$ (3)

(4)

Self_new(t)＝{y|y为t时刻新增加的自体串}(5)Self _new (t)={y|y is the newly added self string at time t}(5)

(6)

(7)

B(t)=M_b(t)∪T_b(t)，t≥0(8)B(t)=M _b (t)∪T _b (t), t≥0(8)

方程(3)模拟了自体的动态演化情况，其中

为初始自体集合，Self_new为t时刻系统新增的自体串。Self_variation为t时刻发生变异的自体，即删除自体集合中不再是自体的元素。f_check(y，x)(y∈B，x∈Ag)模拟免疫细胞对抗原的分类作用：若免疫细胞匹配了抗原，且抗原属于Self(t-1)，即检测到一个曾经是自体的抗原则返回2；若匹配但不属于Self(t-1)，即检测到一个非自体抗原则返回1；若未匹配，则该抗原为已知的自体抗原，返回0。f_{costimulation}模拟免疫系统的协同刺激，指示当前抗原是否为自体抗原，外部信号可以是系统管理员的应答等。Equation (3) simulates the dynamic evolution of the body, where

is the initial self set, and Self _new is the new self string added by the system at time t. Self _variation is the self that mutates at time t, that is, delete the elements in the self collection that are no longer self. f _check (y, x)(y∈B, x∈Ag) simulates the classification of immune cells on antigens: if the immune cells match the antigen, and the antigen belongs to Self(t-1), it detects a once-self The antigen principle returns 2; if it matches but does not belong to Self(t-1), that is, a non-self antibody is detected, the principle returns 1; if it does not match, the antigen is a known self antigen, and returns 0. f _{costimulation} simulates the co-stimulation of the immune system, indicating whether the current antigen is a self-antigen, the external signal can be the response of the system administrator, etc.

自体的动态演化主要关键有两点：①自身的免疫监视，随时清除发生变异的自体(Self_variation)，从而消除错误否定(false negative)：将非自体认为是自体。错误否定率的增加将导致漏报率的增加，自身免疫监视能很好地解决自体随时间变异的问题。②自身的动态生长，例如：随着时间的推移，网络将提供新的服务，开放新的端口等，即原来不允许的网络访问，现在开放了。通过及时地增加自体元素(Self_new)，扩大自体的描述范围，可以有效地降低错误肯定(false positive)率：将自体认为是非自体，产尘误报。自身的动态再生机制可以较好地解决目前IDS误报率较高这一严重问题。There are two key points in the dynamic evolution of the self: ① self-immune surveillance, which eliminates self _variation at any time, thereby eliminating false negatives: the non-self is regarded as the self. An increase in the false negative rate will lead to an increase in the false negative rate, and autoimmune surveillance can well address the problem of self variation over time. ②Dynamic growth of itself, for example: as time goes by, the network will provide new services, open new ports, etc., that is, network access that was not allowed before is now open. By timely adding self elements (Self _new ) and expanding the scope of self description, the rate of false positives can be effectively reduced: the self is regarded as non-self, resulting in false positives. Its own dynamic regeneration mechanism can better solve the serious problem of high false alarm rate of current IDS.

系统中抗原的收集过程为：将网络活动表示为抗原表达式——二进制串。网络请求中包含的信息有：源地址、目的地址、端口号、服务类型、协议类型等。抗原动态演化过程用方程描述为：The collection process of antigens in the system is as follows: express network activities as antigen expressions—binary strings. The information contained in the network request includes: source address, destination address, port number, service type, protocol type, etc. The dynamic evolution process of antigen is described by the equation:

$Ag (t) = \{\begin{matrix} Self (0) & t = 0 \\ Ag (t - 1) - {Ag}_{nonself} (t) & t > 0, t \mod δ &NotEqual; 0 \\ {Ag}_{new} (t) & t > 0, t \mod δ = 0 \end{matrix}$ (9) $Ag (t) = \{\begin{matrix} Self (0) & t = 0 \\ Ag (t - 1) - {Ag}_{nonself} (t) & t > 0, t \mod δ &NotEqual; 0 \\ {Ag}_{new} (t) & t > 0, t \mod δ = 0 \end{matrix}$ (9)

sAg(t)Ag(t)，|sAg(t)|＝η*|Ag(t)|，t≥0 (10)sAg(t)Ag(t), |sAg(t)|=η*|Ag(t)|, t≥0

(11)

∨f_check(y，x)＝1)}∨ f _check (y, x) = 1)}

其中sAg为系统每次进行处理的抗原，其元素按比例η(0＜η＜1)随机从Ag(由自体和非自体元素组成)中抽取，η为检测系数。Ag_nonself为t时刻被检测出来的非自体抗原。初始时刻抗原集合为初始自体集合(此时B为空)。δ为抗原更新周期，表示每δ代，就把Ag换为全新的抗原集合(Ag_new)。更新周期内抗原集合的变化只是删除掉被检测出来的非自体抗原，以完成把剩下的自体抗原送给未成熟免疫细胞I_b进行耐受的工作。Among them, sAg is the antigen processed by the system each time, and its elements are randomly extracted from Ag (composed of self and non-self elements) according to the ratio η (0<η<1), and η is the detection coefficient. Ag _nonself is the non-self antigen detected at time t. The antigen set at the initial moment is the initial self set (B is empty at this time). δ is the antigen renewal cycle, which means that Ag is replaced with a new antigen set (Ag _new ) every δ generation. The change of the antigen set in the renewal cycle is only to delete the detected non-self antigens, so as to complete the work of sending the remaining self-antigens to the immature immune cells _Ib for tolerance.

记忆免疫细胞对抗原进行匹配。将记忆免疫细胞的抗体与待处理抗原之决定基进行匹配，匹配时采用r连续位匹配规则。Memory immune cells match against antigens. The antibody of the memory immune cell is matched with the determinant of the antigen to be processed, and the r consecutive position matching rule is used for matching.

(1)匹配成功，判断检测到的抗原为上一时刻自体，则删除该免疫细胞；判断检测到的抗原为非自体，删除被检测抗原，并分泌激素。(1) If the matching is successful, if the detected antigen is judged to be self at the previous moment, the immune cell will be deleted; if the detected antigen is judged to be non-self, the detected antigen will be deleted and hormones will be secreted.

(2)匹配不成功，将待处理抗原交与成熟免疫细胞检测。(2) The matching is unsuccessful, and the antigen to be processed is sent to mature immune cells for detection.

用方程来刻画记忆免疫细胞的记忆过程为：Using the equation to describe the memory process of memory immune cells is:

$M_{b} (t) = \{\begin{matrix} φ & t = 0 \\ M_{b} (t - 1) - M_{dead} (t) \cup T_{memory} (t) & t &GreaterEqual; 1 \end{matrix}$ (12) $m_{b} (t) = \{\begin{matrix} φ & t = 0 \\ m_{b} (t - 1) - m_{dead} (t) \cup T_{memory} (t) & t &Greater Equal; 1 \end{matrix}$ (12)

(13)

经记忆免疫细胞检测后的抗原交给成熟免疫细胞检测，过程为：Antigens detected by memory immune cells are handed over to mature immune cells for detection. The process is as follows:

(1)判断成熟免疫细胞匹配数是否大于阈值.；(1) Determine whether the matching number of mature immune cells is greater than the threshold;

(2)大于阈值，升级为记忆免疫细胞；(2) If it is greater than the threshold, it will be upgraded to a memory immune cell;

(3)小于阈值，判断其是否年龄大于年龄阈值；(3) less than the threshold, judging whether its age is greater than the age threshold;

(4)年龄大于年龄阈值，则删除陔成熟免疫细胞；(4) If the age is greater than the age threshold, the mature immune cells are deleted;

(5)年龄小于大于年龄阈值，则开始与抗原匹配；(5) If the age is less than or greater than the age threshold, it starts to match the antigen;

(6)匹配成功，若检测到的抗原是上一时刻自体，则删除该免疫细胞，若检测到的抗原是非自体，则删除该抗原，并分泌激素；(6) If the matching is successful, if the detected antigen is self at the previous moment, the immune cell will be deleted; if the detected antigen is non-self, the antigen will be deleted and hormones will be secreted;

(7)匹配不成功，将这些剩余的抗原送到骨髓模型中参加耐受过程。(7) The matching is unsuccessful, and these remaining antigens are sent to the bone marrow model to participate in the tolerance process.

成熟免疫细胞的生命周期用方程刻画为：The life cycle of mature immune cells is described by the equation:

$T_{b} (t) = \{\begin{matrix} φ & t = 0 \\ T_{b}^{'} (t) \cup T_{new} (t) - T_{memory} (t) - T_{dead} (t) & t &GreaterEqual; 1 \end{matrix}$ (14) $T_{b} (t) = \{\begin{matrix} φ & t = 0 \\ T_{b}^{'} (t) \cup T_{new} (t) - T_{memory} (t) - T_{dead} (t) & t &Greater Equal; 1 \end{matrix}$ (14)

T′_b(t)＝T″_b(t)-P(t)∪T_clone(t) (15)T′ _b (t)=T″ _b (t)-P(t)∪T _clone (t) (15)

T″_b(t)＝{y|y.d＝x.d，y.age＝x.age+1，y.count＝x.count，x∈T_b(t-1)} (16)T″ _b (t)={y|yd=xd, y.age=x.age+1, y.count=x.count, x∈T _b (t-1)} (16)

$P P ((t t)) = = {{x x | | x x &Element; &Element; {T T}_{b b}^{' '' '} ((t t)),, &Exists; &Exists; y the y &Element; &Element; sAg sAg ((t t - - 11)) (({f f}_{check check} ((x x,, y the y)) = = 11$

(f_check(x，y)＝2f_{costimulation}(y)＝0)} (17)(f _check (x, y)=2f _{costimulation} (y)=0)} (17)

T_clone(t)＝{y|y.d＝x.d，y.age＝x.age，y.count＝x.count+1，x∈P(t)} (18)T _clone (t)={y|yd=xd, y.age=x.age, y.count=x.count+1, x∈P(t)} (18)

T_new(t)＝{y|y.d＝x.d，y.age＝0，y.count＝0，x∈I_maturation(t)} (19)T _new (t)={y|yd=xd, y.age=0, y.count=0, x∈I _maturation (t)} (19)

T_memory(t)＝{x|x∈T′_b(t)(x.count≥β)} (20)T _memory (t)＝{x|x∈T′ _b (t)(x.count≥β)} (20)

(21)

(twenty one)

图5是未成熟免疫细胞自体耐受流程图(骨髓模型)。Fig. 5 is a flowchart of self-tolerance of immature immune cells (bone marrow model).

被检测抗原在经过记忆免疫细胞和成熟免疫细胞两个阶段的检测之后剩下的均认为是白体抗原，未成熟免疫细胞与这些自体抗原进行耐受训练。After the detected antigens are detected by memory immune cells and mature immune cells, the remaining ones are considered as white body antigens, and immature immune cells conduct tolerance training with these self-antigens.

(1)新的自体抗原添加进骨髓模型中，同时随机生成一定数目的未成熟免疫细胞：(1) A new autologous antigen is added to the bone marrow model, and a certain number of immature immune cells are randomly generated at the same time:

(2)未成熟免疫细胞与骨髓模型中的自体抗原匹配；(2) The immature immune cells match the autologous antigens in the bone marrow model;

(3)匹配成功，删除该未成熟免疫细胞，即耐受失败：(3) If the matching is successful, delete the immature immune cells, that is, tolerance failure:

(4)匹配不成功，返回到(1)，进行下一次耐受，整个过程循环α次(α为耐受期)。(4) If the matching is unsuccessful, return to (1) for the next tolerance, and the whole process is repeated α times (α is the tolerance period).

(5)循环结束，存活的未成熟免疫细胞(即未成熟免疫细胞年龄大于α)升级为成熟免疫细胞，参与到免疫执行过程中。(5) At the end of the cycle, the surviving immature immune cells (that is, immature immune cells older than α) are upgraded to mature immune cells and participate in the immune execution process.

用方程来刻画该过程为：The process is described by the equation:

$I_{b} (t) = \{\begin{matrix} {x_{1}, x_{2}, . . ., x_{ξ}} & t = 0 \\ I_{tolerance} (t) - I_{maturation} (t) \cup I_{new} (t) & t &GreaterEqual; 1 \end{matrix}$ (22) $I_{b} (t) = \{\begin{matrix} {x_{1}, x_{2}, . . ., x_{ξ}} & t = 0 \\ I_{tolerance} (t) - I_{maturity} (t) \cup I_{new} (t) & t &Greater Equal; 1 \end{matrix}$ (twenty two)

I_tolerance(t)＝{y|y.d＝x.d，y.age＝x.age+1，I _tolerance (t)={y|yd=xd, y.age=x.age+1,

$x &Element; (I_{b} (t - 1) - {x | x &Element; I_{b}^{'} (t - 1), &Exists; y &Element; sAg (t - 1) (f_{r_con} (x, y) = 1)})$ (23) $x &Element; (I_{b} (t - 1) - {x | x &Element; I_{b}^{'} (t - 1), &Exists; the y &Element; sAg (t - 1) (f_{r_con} (x, the y) = 1)})$ (twenty three)

I_{maturatiio n}(t)＝{x|x∈I_tolerance(t)，x.age＞α} (24)I _{maturatiio n} (t)＝{x|x∈I _tolerance (t), x.age＞α} (24)

I_new(t)＝{y₁，y₂，…y_k} (25)I _new (t)={y ₁ , y ₂ ,...y _k } (25)

图6是证据封装图。Figure 6 is an evidence package diagram.

●提取证据包括：●Extraction of evidence includes:

(1)截获匹配的抗原，其上包含原始IP包和经抗原提呈出的决定基(特征值)，抗原决定基可视为对原始IP包的初步分析。(1) Intercepting the matching antigen, which contains the original IP packet and the determinant (characteristic value) presented by the antigen, the epitope can be regarded as a preliminary analysis of the original IP packet.

(2)快照攻击现场。得到的证据包括：系统日志文件、内外存状况、swap状况、进程类型、进程状态、攻击方源地址、目的地址、端口，使用协议、网络连接数量、连接时间、连接类型以及平均发送包数等。(2) Snapshot attack site. The evidence obtained includes: system log files, internal and external memory status, swap status, process type, process status, attacker source address, destination address, port, protocol used, number of network connections, connection time, connection type, and average number of packets sent, etc. .

用方程来刻画该过程为：The process is described by the equation:

$Γ (t) = \{\begin{matrix} φ & t = 0 \\ Γ (t - 1 \cup Γ_{new} (t) & t > 0 \end{matrix}$ (26) $Γ (t) = \{\begin{matrix} φ & t = 0 \\ Γ (t - 1 \cup Γ_{new} (t) & t > 0 \end{matrix}$ (26)

Г_new(t)＝{τ|τ∈Г，τ.t＝t，τ.x＝x，τ.y＝y′，τ.s＝s′，Г _new (t)={τ|τ∈Г, τ.t=t, τ.x=x, τ.y=y′, τ.s=s′,

s′＝E_kpv(H(τ.t+τ.x+τ.y))，x∈Ag_nonself(t)} (27)s′=E _kpv (H(τ.t+τ.x+τ.y)), x∈Ag _nonself (t)} (27)

其中Г_new(t)为t时刻面临网络入侵实时收集的证据；x为被截获的攻击数据，包含两个部分：①x.b为原始的IP包，作为原始证据．②x.a相当于对原始证据进行抗原提呈后得到的原始证据的基本特征，作为直接证据呈供；y′为收集证据时网络环境的一个快照，如CPU的使用情况、系统日志文件、内外存状况、swap状况、文件系统的变化情况、进程状态、网络连接数量、连接时间、连接类型以及平均发送包数等，作为间接证据呈供；s′如前所述为证据的数字签名，用以确保证据的权威性。Among them, Г _new (t) is the evidence collected in real time in the face of network intrusion at time t; x is the intercepted attack data, which includes two parts: ① x.b is the original IP packet as the original evidence. ②x.a is equivalent to the basic characteristics of the original evidence obtained after the antigen presentation of the original evidence, and presented as direct evidence; y′ is a snapshot of the network environment when collecting evidence, such as CPU usage, system log files, internal and external storage status, swap status, file system changes, process status, number of network connections, connection time, connection type, and average number of packets sent, etc., as indirect evidence; To ensure the authority of the evidence.

●数字签名：对所获取的证据进行数字签名。用方程来刻画为：●Digital signature: digitally sign the acquired evidence. Described by the equation as:

s＝E_kprivate(H(t+x+y)) (28)s＝E _kprivate (H(t+x+y)) (28)

其中E为签名算法，可采用RSA、DSS签名算法等；k_private为系统对证据签名时的私钥，H为单向散列函数例如SHA-1等，+为字符串的连接运算。首先将字符串<t，x，y>合并成一个字符串，求取该字符串的散列值h，利用系统的私钥k_private采用公钥算法E对h进行加密得到数字签名。根据密码学理论，如果k_private足够长，则s是安全的，能抵御任何攻击。Among them, E is the signature algorithm, which can use RSA, DSS signature algorithm, etc.; k _private is the private key when the system signs the evidence, H is the one-way hash function such as SHA-1, etc., and + is the concatenation operation of strings. First, combine the strings <t, x, y> into one string, calculate the hash value h of the string, and use the system's private key k _private to encrypt h with the public key algorithm E to obtain a digital signature. According to cryptography theory, if k _private is long enough, s is safe and can resist any attack.

对任意的证据τ∈Γ，通过验证τ的数字签名，可提供证据的完整性、原始性(权威性、不可抵赖性)等，验证方法如(29)式所示：For any evidence τ∈Γ, by verifying the digital signature of τ, the integrity and originality (authority, non-repudiation) of the evidence can be provided. The verification method is shown in formula (29):

${f f}_{verify verify} ((τ τ)) = = \{\begin{matrix} 11 & {D D.}_{kpublic public} ((τ τ . . s the s)) = = H h ((τ τ . . t t + + τ τ . . x x + + τ τ . . y the y)) \\ 00 & otherwise otherwise \end{matrix} - - - - - - ((2929))$

其中D_kpublic(τ.s)为利用系统的公钥k_public采取相应的公钥算法对τ.s作解密运算得到原经加密存储的散列值，H(τ.t+τ.x+τ.y)为利用相应算法重新计算其散列值，若两者相等，则验证成功，证据τ完整有效；否则，则证据τ已被破坏，不可信。Among them, D _kpublic (τ.s) is to use the public key k _public of the system to adopt the corresponding public key algorithm to decrypt τ.s to obtain the original encrypted hash value, H(τ.t+τ.x+τ .y) is to use the corresponding algorithm to recalculate its hash value. If the two are equal, the verification is successful and the evidence τ is complete and valid; otherwise, the evidence τ has been destroyed and cannot be trusted.

●封装证据。● Encapsulation evidence.

将截取抗原的时间、抗原、周围环境以及对这三者的组合进行的数字签名一起封装成证据记录形式。The time of intercepting the antigen, the antigen, the surrounding environment, and the digital signature on the combination of the three are packaged together into an evidence record form.

在证据服务器中，证据的组织形式是生成的数字水印证据文件。In the evidence server, the organizational form of the evidence is the generated digital watermark evidence file.

根据数字水印日志构造方法将证据以数字水印日志形式存放在证据服务器中，即在证据中加入水印，水印为二进制串形式，可以是一段文字、标识、序列号以及图象等。According to the digital watermark log construction method, the evidence is stored in the evidence server in the form of a digital watermark log, that is, a watermark is added to the evidence. The watermark is in the form of a binary string, which can be a piece of text, logo, serial number, and image.

创建数字水印证据文件时，首先填写文件头的有关信息，如：文件标识符、摘要算法标识符、非对称加密算法标识符、水印等。其中，文件标识符标识数字水印证据文件；摘要算法标识符表示数字水印证据文件使用的摘要算法，可采用目前国内外常用的摘要算法，如：MD2、MD5及SHA-1等；非对称加密算法标识符表示数字水印证据文件使用的非对称加密算法，可采用国内外常用的非对称加密算法，如：RSA、DSA、ECC及DH等；文件签名数据字段主要包含水印、所有证据记录摘要信息等，这些信息由非对称加密算法标识符指定的算法加密后存储。初始时，文件签名数据字段为空，以后每增加一个证据记录，该字段均相应发生变化；文件签名数据实质上是证据文件中所有证据的摘要信息的数字签名，任何证据记录的细微改变，均将导致摘要信息的巨大差异，因此，验证此字段的签名信息，可验证整个证据文件的完整性。When creating a digital watermark evidence file, first fill in the relevant information of the file header, such as: file identifier, digest algorithm identifier, asymmetric encryption algorithm identifier, watermark, etc. Among them, the file identifier identifies the digital watermark evidence file; the digest algorithm identifier indicates the digest algorithm used by the digital watermark evidence file, which can use the digest algorithm commonly used at home and abroad, such as: MD2, MD5 and SHA-1, etc.; asymmetric encryption algorithm The identifier indicates the asymmetric encryption algorithm used by the digital watermark evidence file, which can be asymmetric encryption algorithm commonly used at home and abroad, such as: RSA, DSA, ECC and DH, etc.; the file signature data field mainly includes watermark, summary information of all evidence records, etc. , the information is stored after being encrypted by the algorithm specified by the asymmetric encryption algorithm identifier. Initially, the file signature data field is empty, and every time an evidence record is added in the future, this field will change accordingly; the file signature data is essentially the digital signature of the abstract information of all the evidence in the evidence file, and any slight change in the evidence record will be ignored. would result in a huge discrepancy in the digest information, so verifying the signature information for this field verifies the integrity of the entire evidence file.

数字水印证据文件建立后，每一条证据记录均写入文件末尾，每添加一条新的证据记录，重新对证据文件进行数字签名，并且写回至证据文件。After the digital watermark evidence file is established, each evidence record is written at the end of the file, and each time a new evidence record is added, the evidence file is digitally signed again and written back to the evidence file.

当需要验证整个文件的完整性时，取出文件头的文件签名数据，验证其签名的正确性，若通过签名验证，则说明所有证据记录没有遭到破坏，证据完整；否则，则说明证据文件已被破坏。When it is necessary to verify the integrity of the entire file, take out the file signature data in the file header and verify the correctness of the signature. If the signature verification is passed, it means that all evidence records have not been destroyed and the evidence is complete; otherwise, it means that the evidence file has been destroyed.

当需要验证某条证据记录的权威性和不可否认性时，取出该条记录的数字签名，验证其正确性，若通过签名验证，则说明该条证据记录没有遭到破坏，可信；否则，则说明该条证据已被破坏或是伪造的，不可信。When it is necessary to verify the authority and non-repudiation of an evidence record, take out the digital signature of the record and verify its correctness. If it passes the signature verification, it means that the evidence record has not been damaged and is credible; otherwise, It means that the piece of evidence has been destroyed or forged and cannot be trusted.

注意：文件签名验证成功，则意味着所有的证据记录均是可信的；若验证不成功，则说明证据文件中部分或全部证据记录已被破坏，此时，可利用证据记录数字签名来验证每一条证据的合法性。若某条证据记录验证通过，即使整个证据文件验证失败，该条证据也是可信的。Note: If the file signature verification is successful, it means that all the evidence records are credible; if the verification is unsuccessful, it means that some or all of the evidence records in the evidence file have been destroyed. At this time, the digital signature of the evidence record can be used to verify The legitimacy of each piece of evidence. If a piece of evidence record is verified, even if the whole evidence file fails to be verified, the piece of evidence is credible.

另外，证据服务器是一台可信度非常高的机器，并且极少人接触证据服务器。通过VPN与内部网络相连，确保其独立性和安全性。证据服务器用来存放通过取证细胞提取的证据，以供日后进行证据分析。当证据服务器接收到证据后也要对证据进行一次数据签名，完成证据的移交过程。In addition, the evidence server is a very reliable machine, and very few people touch the evidence server. It is connected to the internal network through VPN to ensure its independence and security. The evidence server is used to store the evidence extracted by the forensic cell for future evidence analysis. When the evidence server receives the evidence, it also needs to perform a data signature on the evidence to complete the handover process of the evidence.

Claims

1. A network monitoring and dynamic evidence collection method is characterized in that comprising the following steps: the step of network monitoring based on immunity; the step of real-time evidence extraction; the step of evidence storage; the step of evidence integrity verification; wherein:

(1) The steps of network monitoring based on immunization include the following steps:

Antigen presentation, i.e. feature extraction, for network activities;

The steps of the dynamic evolution of self collection;

The steps of the dynamic evolution of the antigen collection;

Steps of memorizing immune cells to detect antigens;

A step in which mature immune cells detect antigens;

Steps in self-tolerance of immature immune cells;

(2) The steps of real-time evidence extraction include the following steps:

Steps to record the moment when evidence was taken;

The step of extracting the original IP packet and its basic features;

Steps to take a snapshot of the environment surrounding the attack site;

Steps of digitally signing the moment of extracting the evidence, the original IP packet and its basic characteristics, and the snapshot information of the surrounding environment of the attack site;

the step of encapsulating the evidence in the form of an evidence record;

(3) The steps of evidence storage include the following steps:

The step of constructing the evidence file in the evidence server;

Steps of transmitting the evidence record to the evidence server through the VPN tunnel;

The steps of storing the evidence in the evidence server;

(4) The steps of evidence integrity verification include the following steps:

Steps to verify the integrity of evidence records;

Steps for integrity verification of evidence files.

2. A kind of network monitoring and dynamic forensics method according to claim 1, characterized in that in the step of real-time evidence extraction, the step of extracting snapshots of the surrounding environment of the attack site includes extracting CPU usage, system log files, internal and external Steps for storage status, swap status, file system changes, process status, number of network connections, connection time, connection type, and average number of packets sent.

3. A kind of network monitoring and dynamic evidence collection method according to claim 1, characterized in that in the step of evidence storage, the step of constructing the evidence file in the evidence server comprises the steps of constructing evidence file header and evidence record, wherein the file header consists of File identifier, digest algorithm identifier, asymmetric encryption algorithm identifier, watermark, file signature data, evidence record is composed of evidence content and digital signature, where evidence content includes the moment of extracting evidence, the original IP packet, the original IP packet Basic features, snapshots of the surrounding environment of the attack site, such as CPU usage, system log files, internal and external memory status, swap status, file system changes, process status, number of network connections, connection time, connection type, and average number of packets sent.

4. A kind of network monitoring and dynamic evidence collection method according to claim 1, characterized in that in the step of evidence storage, the step of evidence storage in the evidence server comprises the step of inserting the evidence record into the evidence file; Steps to digitally sign.