CN112016131A - Credibility verification system and method for distributed cloud forensics - Google Patents


Info

Publication number: CN112016131A
Authority: CN (China)
Prior art keywords: data, module, cloud, evidence, bloom filter
Legal status: Granted (the status listed by Google is an assumption, not a legal conclusion)
Application number: CN202010865984.5A
Other languages: Chinese (zh)
Other versions: CN112016131B (en)
Inventors: 伏晓, 叶飞, 郑韵芝, 骆斌
Current assignee: Nanjing University
Original assignee: Nanjing University
Events: application filed by Nanjing University; priority to CN202010865984.5A; publication of CN112016131A; application granted; publication of CN112016131B; legal status active; anticipated expiration

Classifications

    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60 Protecting data)
    • H04L63/0227 Filtering policies (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 separating internal from external traffic, e.g. firewalls)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14)
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols; H04L9/06 encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (under Y02D Climate change mitigation technologies in information and communication technologies)

Abstract

A system and method for verifying the credibility (trustworthiness) of distributed cloud forensic evidence. The system comprises a cloud forensics agent module, a source data collection module and an evidence credibility verification module; the cloud forensics agent module comprises a provenance data generation module, a multi-layer compressed bloom filter module, a data persistence module and an evidence transmission module. The invention is based on an improved multi-layer compressed bloom filter and can be used in an untrusted multi-tenant cloud environment. It takes into account that the participants in the forensic process may be untrustworthy, protects the data against tampering in a distributed manner, and does so without violating user privacy. Each cloud node is bound to a cloud forensics agent that collects, computes, analyses and transmits evidence, and a central credibility verification module issues a credibility verification command periodically or on manual request. The system is event-driven, modifies no code of the target operating system, has low performance overhead and high flexibility, and is suitable for real-time cloud forensics and credibility analysis.

Description

Credibility verification system and method for distributed cloud forensics
Technical Field
The invention relates to the field of computer networks, in particular to mechanisms for monitoring computer data behaviour in a cloud environment, and more specifically to a system and method for verifying the credibility of cloud forensic evidence in a cloud environment.
Background
While cloud computing brings convenience, its security problems have become a key factor restricting its development. The virtualization mechanism, multi-tenancy, remote data storage and anonymity of cloud computing make it an easier venue for cyber crime. To ensure the healthy development of the cloud service market, these security problems must be properly solved. The most effective means of fighting illegal behaviour is to obtain the relevant evidence of the crime, submit it to a court, and secure the cloud service market by legal means. How to collect and analyse digital evidence in a cloud environment, and to carry out investigation and evidence collection there, has therefore become an important and urgent problem.
Digital forensics reconstructs an attack scenario from the various data left in a computer after a network attack, analysing residual data such as memory and hard disks to obtain information about the attacker. In a cloud environment, however, ordinary computer forensic techniques do not apply: the volume of data and the number of computing nodes are large, and traditional forensic tools are no longer suitable. The cloud forensics process also involves more parties than traditional forensics, including cloud users, cloud forensic investigators and cloud service providers. Current cloud forensics technology mainly sets out to solve the problems of big data, credibility and volatility.
A bloom filter is a space-efficient probabilistic data structure that uses a bit array to represent a set very compactly and to test whether an element belongs to the set. This efficiency comes at a cost: when testing membership, an element that does not belong to the set may be reported as belonging to it (a false positive). Bloom filters are therefore unsuitable for "zero error" applications; in applications that can tolerate a low error rate they trade very few errors for large savings in storage space. In a big data environment the traditional bloom filter cannot provide high-speed, efficient data access, and because of its inherent limitations it can neither protect privacy nor support correct insertion and deletion of data.
Disclosure of Invention
To solve these problems, the invention discloses a cloud forensics credibility verification system and method for a cloud environment. The cloud service provider grants the system the rights needed to deploy on the cloud and sets the access rights to the relevant modules of the mechanism such that the provider itself cannot modify them. The basic idea of the mechanism is that each node on the cloud computes a hash value of its local provenance data as the evidence proof, introduces noise to make tampering harder, and broadcasts the result to the other nodes; in the verification stage the differences between the copies are examined to determine the untrusted node. This raises the cost of tampering with evidence and solves the credibility problem.
The bloom filter technology adopted by the invention is suited to a cloud big data environment. Unlike the traditional bloom filter, the improved multi-layer compressed bloom filter introduces a multi-layer idea on top of the traditional bloom filter to compress the data volume, and at the same time introduces noise to increase the cost of tampering with evidence, which makes it suitable for storing and transmitting evidence in a cloud big data environment. The cloud forensics system is used on the cloud as a forensic tool and takes into account the potential attackers in the forensic process (cloud service providers, cloud users, cloud forensic investigators and so on): it is deployed independently at the cloud service site with elevated privileges, modification is forbidden, evidence is collected and analysed automatically, and untrusted cloud nodes are identified. A forensics agent module can be deployed on each node without interfering with normal cloud activity to collect, analyse and transmit evidence data, and the credibility verification module is started periodically or manually to carry out the credibility evaluation.
In order to achieve the purpose, the invention provides the following technical scheme:
a credibility verification system for distributed cloud forensics comprises a cloud forensics agent module, a source data collection module and an evidence credibility verification module;
the source data collection modules are distributed across the nodes and provide the initial cloud evidence; each module selectively monitors some key log files and, when their data changes, sends the observed behaviour to the cloud forensics agent module for further processing;
the cloud forensics agent module controls the collection of cloud evidence during daily cloud activity and the evidence verification during the credibility verification stage; it processes, stores, transmits and analyses data, is distributed across the cloud nodes of the cloud environment, and performs forensic work alongside normal cloud activity;
the cloud forensics agent module comprises a provenance data generation module, a multi-layer compressed bloom filter module, a data persistence module and an evidence transmission module;
the provenance data generation module generates provenance data from the raw log data provided by the source data collection module and its generation time, so as to obtain the data behaviour during that period, and sends it to the multi-layer compressed bloom filter module, the data persistence module and the evidence transmission module;
the multi-layer compressed bloom filter module protects the provenance data generated by the provenance data generation module by encrypting it through an improved bloom filter, which introduces the concept of layers on top of the basic bloom filter, compresses the data and introduces noise data;
the data persistence module backs up and stores the data processed by the bloom filter module and publishes it on the network;
the evidence transmission module provides data transmission between cloud nodes: after the provenance data is generated it broadcasts the data to the other cloud nodes, and it receives the data broadcast by the other nodes;
the evidence credibility verification module is started after an attack in the cloud has occurred to compute the evidence credibility of each node, or starts the credibility verification process on a schedule during daily cloud activity, in order to judge whether nodes in the cloud have been attacked and then to take the attacked nodes out of service and analyse them.
Furthermore, the cloud forensics agent modules are bound to their respective cloud nodes, one agent module per node; the source data collection module is bound to a node and collects the source data of that node one-to-one; there is only one evidence credibility verification module globally, which runs independently and is started on a schedule or manually for verification; the multi-layer compressed bloom filter module occupies memory only while recording forensic evidence.
The invention also provides a distributed cloud forensics credibility verification method, comprising the following steps:
(1) configuration stage: a cloud forensics agent module is configured into each cloud node of the cloud environment, and the internal agent information is configured;
(2) start-up and operation stage: on receiving an external start command, the cloud forensics agent module forwards it to the control interface of the corresponding module, starting the internal provenance data generation module and evidence transmission module as well as the source data collection module; the module's read permission on the monitored log files in the node is raised, any attempt to write to the log files is captured and collected, and the collected data passes in turn through the provenance data generation module, the multi-layer compressed bloom filter module and the data persistence module before entering the evidence transmission module for transmission;
(3) verification stage: the evidence credibility verification module is started on a schedule or manually and sends a command to the cloud forensics agent module of each node; the cloud forensics agent module instructs the data persistence module to hand the data evidence for the time period specified in the command to the evidence transmission module; the transmission module sorts the data evidence and sends it to the evidence credibility verification module;
(4) reset stage: the evidence credibility verification module performs the credibility verification calculation on the collected evidence to obtain the untrusted result, sends a stop command to the corresponding node to halt it, and clears all data once the module has submitted its result;
(5) after the reset stage is complete, return to stage (2) and keep monitoring each node.
Further, the configuration stage comprises the following step:
the cloud forensics agent module and the source data collection module of the target node exchange commands to bind to each other, and the operating parameters of the internal provenance data generation module, multi-layer compressed bloom filter module, data persistence module and evidence transmission module are configured so that they are ready to receive commands and run at any time.
Further, the specific steps of the start-up and operation stage are as follows:
a. the source data collection module starts monitoring data changes on the bound cloud node and sends the changed data to the provenance data generation module in the forensics agent module;
b. the provenance data generation module generates provenance data according to the time distribution of the specific data and uses it as the source proof of the collected evidence;
c. the multi-layer compressed bloom filter module encrypts the provenance data and inserts it into the improved bloom filter, performs the data calculation according to the configured number of layers and encryption rules, and sends the calculated data to the data persistence module and the evidence transmission module;
d. after receiving the data generated by the node's multi-layer compressed bloom filter module together with the original encrypted provenance data, the data persistence module stores both in a database indexed by time; the database grants read permission to all users, while write permission is held only by the local sub-module;
e. after receiving the data generated by the node's multi-layer compressed bloom filter module, the evidence transmission module broadcasts it to all nodes in the cloud, together with the encrypted provenance data.
Further, the data calculation process in step c specifically comprises the following steps:
(1) compute hash values of the provenance data with 4 hash functions and store them temporarily;
(2) generate a new bloom filter layer, introduce noise, and insert the four hash values in turn; if the corresponding positions in the first layer are not yet occupied, the four hash values are inserted there;
(3) if a corresponding position in the first layer already holds data, count the positions before it whose value is 1; this sum gives the insertion position for the second attempt;
(4) generate a new bloom filter layer and insert using the result of the previous layer, repeating until the insertion succeeds;
(5) when the number of layers reaches 10, start the persistence module to save the data, regenerate the bloom filter, and return to step (2) to continue inserting.
Further, generating a new bloom filter layer and introducing noise in step (2) comprises the following sub-steps:
(i) determine the length of the noise data and, using a random function, fill the noise-length positions before and after the bloom filter of this layer with random values;
(ii) when a new layer is generated, fill random data into the new layer's bloom filter using the noise data length of the previous layer; the positions outside the noise data are the valid data positions.
Further, the specific steps of the credibility verification calculation performed by the evidence credibility verification module are as follows:
(1) send a trust verification start instruction to the forensics agent module of each node, starting each node's cloud forensics agent module and entering the operation of the start-up and operation stage;
(2) collect the data transmitted by each node into memory, regenerate new bloom filter data one by one and compare them one by one; over a large volume of data, the batch of data with the highest number of differences is found and the corresponding node is marked untrusted in the result;
(3) clear all the collected data and submit the result to the user;
(4) send a stop command to the untrusted node(s) contained in the result to halt their operation.
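The insertion algorithm of steps (1) to (5) above, the noise padding of sub-steps (i) and (ii), and the regenerate-and-compare check of the verification module, as an added example in Python. This is not the patent's code: the hash functions (salted SHA-256), the number of data cells per layer, the rule for deriving the next layer's positions (rehash with the layer index rather than the rank rule of step (3)), and the verifier knowing each node's noise seed are assumptions of the example; the node identifiers, seeds and provenance records are constructed.

```python
import hashlib
import random
from typing import Dict, List, Tuple

K_HASHES = 4      # the method computes 4 hash values per provenance record
MAX_LAYERS = 10   # at 10 layers the filter is persisted and a fresh one started
DATA_CELLS = 64   # data cells per layer (size is an assumption of this example)

Layer = List[int]


class MLCCBF:
    """Multi-layer counting filter; each layer is [noise | DATA_CELLS data cells | noise].

    Noise cells are random, drawn from a node-specific generator so the noise pattern is
    fixed for one node and differs between nodes. That the verifier shares the seed is an
    assumption of this example, not something the patent text fixes."""

    def __init__(self, noise_seed: int, noise_len: int = 8) -> None:
        self.noise_len = noise_len
        self._rng = random.Random(noise_seed)
        self.layers: List[Layer] = []
        self.persisted: List[List[Layer]] = []   # filters handed to the persistence module
        self._new_layer()

    def _new_layer(self) -> None:
        # sub-steps (i)/(ii): noise_len random cells before and after the data cells, same length per layer
        front = [self._rng.randint(1, 9) for _ in range(self.noise_len)]
        back = [self._rng.randint(1, 9) for _ in range(self.noise_len)]
        self.layers.append(front + [0] * DATA_CELLS + back)

    def _positions(self, record: bytes, layer_idx: int) -> List[int]:
        # Four positions from SHA-256 with a per-function and per-layer prefix (assumption)
        out = []
        for i in range(K_HASHES):
            digest = hashlib.sha256(bytes([i, layer_idx]) + record).digest()
            out.append(self.noise_len + int.from_bytes(digest[:4], "big") % DATA_CELLS)
        return out

    def insert(self, record: bytes) -> int:
        """Insert into the first layer whose four cells are all free; return that layer index.
        A collision pushes the record to the next layer instead of overlapping an earlier entry."""
        layer_idx = 0
        while True:
            if layer_idx == len(self.layers):
                if layer_idx == MAX_LAYERS:          # step (5): persist, regenerate, continue
                    self.persisted.append(self.layers)
                    self.layers = []
                    self._new_layer()
                    layer_idx = 0
                    continue
                self._new_layer()                     # step (4): a new layer for the retry
            cells = self.layers[layer_idx]
            pos = self._positions(record, layer_idx)
            if all(cells[p] == 0 for p in pos):       # step (2): positions free, insert here
                for p in pos:
                    cells[p] += 1
                return layer_idx
            layer_idx += 1                            # step (3): occupied, try the next layer


def regenerate(noise_seed: int, records: List[bytes]) -> List[Layer]:
    """Rebuild a node's filter from the provenance records it handed over (verification step 2)."""
    f = MLCCBF(noise_seed)
    for r in records:
        f.insert(r)
    return f.layers


def trust_check(records: Dict[str, List[bytes]], seeds: Dict[str, int],
                copies: Dict[str, Dict[str, List[Layer]]]) -> Tuple[Dict[str, int], List[str]]:
    """records[n]: provenance records node n submitted; copies[h][n]: the copy of n's filter held by h.
    Returns the mismatch count per node and the nodes whose regenerated filter disagrees with a
    majority of the held copies (the majority rule the description relies on)."""
    mismatches: Dict[str, int] = {}
    for owner, recs in records.items():
        expected = regenerate(seeds[owner], recs)
        mismatches[owner] = sum(1 for held in copies.values() if held.get(owner) != expected)
    untrusted = [n for n, c in mismatches.items() if c * 2 > len(copies)]
    return mismatches, untrusted


def demo() -> Tuple[Dict[str, int], List[str]]:
    # Constructed sample: three nodes, each turning log changes into provenance records
    records = {
        "CN1": [b"CN1|/var/log/secure|t=100|Accepted publickey for alice",
                b"CN1|/var/log/messages|t=101|cron started"],
        "CN2": [b"CN2|/var/log/secure|t=100|Failed password for root",
                b"CN2|/var/log/maillog|t=102|relay denied"],
        "CN3": [b"CN3|/var/log/secure|t=100|Failed password for root",
                b"CN3|/var/log/secure|t=103|session opened for root"],
    }
    seeds = {"CN1": 11, "CN2": 22, "CN3": 33}
    filters = {n: regenerate(seeds[n], r) for n, r in records.items()}
    # Broadcast (step e): every node holds a copy of every node's filter
    copies = {h: {n: [layer[:] for layer in f] for n, f in filters.items()} for h in records}
    # CN3 is compromised: the attacker drops the incriminating record and rebuilds the local filter
    records["CN3"] = records["CN3"][:1]
    copies["CN3"]["CN3"] = regenerate(seeds["CN3"], records["CN3"])
    return trust_check(records, seeds, copies)
```

Running `demo()` flags CN3 with two mismatches (the copies held by CN1 and CN2 still reflect the original filter) while CN1 and CN2 have none. Filters persisted at the 10-layer mark would be compared in the same way. Note what the noise does and does not buy: it raises the cost for an attacker who cannot tell noise cells from data cells, but an attacker who also holds the node's seed can rebuild a self-consistent filter; what catches the tampering in the example is the copies broadcast to other nodes before the tampering, which is why the verifier counts disagreements across holders rather than trusting the local copy.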
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) During cloud forensics, the scheme can obtain the suspicious data activity of all cloud nodes in real time, monitor data behaviour on the cloud, effectively prevent potential collusion between cloud service providers, cloud users and cloud forensic investigators, and provide multi-level, multi-type evidence chains so that untrusted nodes on the cloud can be identified publicly.
(2) Data can be stored and deleted efficiently with the multi-layer compressed bloom filter; unlike the traditional bloom filter it has no hash collisions (a colliding element is pushed to a new layer), so false positives are avoided. For cloud forensics this provides more detailed forensic conditions, lets forensic data be stored and managed more accurately when reconstructing cyber crime, and makes the stored evidence count when credibility is judged, improving the precision of the judgement. Noise data is introduced into the multi-layer compressed bloom filter of each node so that the bloom filters of different nodes can be compared within the mechanism and attacks on the mechanism by cloud service providers, malicious users and others can be prevented. Each node's bloom filter is stored and published to the network periodically for credibility verification.
(3) As a cloud forensics system, the invention can be deployed on a real, operating public cloud, providing a completely real, unmodified cloud environment as the forensic environment, while malicious cloud behaviour can be monitored, detected and analysed to identify untrusted cloud nodes.
(4) The invention greatly increases the cost of tampering with evidence in a cloud forensics system. The noise data increases the cost of tampering with provenance data, and because the number of nodes on the cloud is huge it is impractical to tamper effectively with the bloom filters stored on most of the nodes; tampered nodes and the correct hash value can therefore be identified by majority rule (the minority yields to the majority).
(5) The invention reasonably protects the privacy of user data; since the data is broadcast through the evidence transmission module after the calculation, data privacy needs particular attention.
(6) During the operation stage, the credibility verification module accesses the sub-modules of the agent module through instructions; the module lets different processes in a multi-core system access the forensics agent modules of all nodes in parallel, which improves efficiency.
Drawings
FIG. 1 is an overview of the architecture for implementing the method;
FIG. 2 is a block diagram of a forensics agent module;
FIG. 3 is a diagram of forensic agent module abstraction behavior;
FIG. 4 is a data flow diagram of a forensics agent module;
FIG. 5 is a view of a multi-layer compressed bloom filter;
FIG. 6 is a flowchart of trust verification.
Detailed Description
The technical solutions provided by the present invention will be described in detail below with reference to specific examples, and it should be understood that the following specific embodiments are only illustrative of the present invention and are not intended to limit the scope of the present invention.
Fig. 1 is an overview of an architecture that can implement the solution of the invention. It comprises cloud nodes (CN), a forensics agent module (BFA) corresponding to each node, and a credibility verification module (ECV).
The invention provides a credibility verification system for distributed cloud forensics comprising a cloud forensics agent module, a source data collection module and an evidence credibility verification module. The cloud forensics agent modules are bound to their respective cloud nodes, one per node; the source data collection module is bound to a node and collects that node's source data one-to-one; there is a single evidence credibility verification module globally, which runs independently and is started periodically or manually for verification. The cloud forensics agent module comprises a provenance data generation module, a multi-layer compressed bloom filter module, a data persistence module and an evidence transmission module, of which the multi-layer compressed bloom filter module occupies memory only while forensic evidence is being recorded.
The source data collection module provides the initial cloud evidence of the cloud forensics mechanism and is the first step of the forensic method. It is distributed across the nodes, selectively monitors some key log files and, when their data changes, sends the observed behaviour to the cloud forensics agent module for further processing. The module obtains the change behaviour of log files in the guest operating system of the cloud node; these log files contain data that can record network attacks or tampering, and include /var/log/maillog, /var/log/secure, /var/log/audio/audio.log, /var/log/messages, /var/log/xfer.log and the Hadoop log directory ${HADOOP_HOME}/logs. The provenance data generation module runs in memory, generates provenance data for each change to the log files so that the attack scenario can be reconstructed, and then inserts the generated provenance data into the multi-layer compressed bloom filter module; the resulting bloom filter is used for the later evidence transmission, persistence and credibility verification. The source data collection module bound to each cloud node collects the log data changes in that node and passes them to the forensics agent module for further processing. The source data collection module starts running when either of the following conditions is met: a. the user manually enters a start instruction; b. the verification cycle time has elapsed. It shuts down automatically once the result has been submitted.
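A polling watcher for the role the source data collection module plays above, as an added example in Python (not the patent's code): it tails the monitored files read-only, emits one provenance record per newly appended complete line, and records truncation or rotation as an event of its own, since wiping a log is exactly the action a forensic agent must not lose. The record format, the temporary file standing in for /var/log/secure and the log lines written to it are constructed for the example.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProvenanceRecord:
    node: str
    path: str
    event: str      # "append": a new complete line; "truncate": file shrank or was replaced
    ts: float
    line: str
    digest: str     # SHA-256 of the encoded record, what the bloom filter stage would hash

    @staticmethod
    def make(node: str, path: str, event: str, line: str) -> "ProvenanceRecord":
        body = f"{node}|{path}|{event}|{line}".encode()   # record format is an assumption
        return ProvenanceRecord(node, path, event, time.time(), line,
                                hashlib.sha256(body).hexdigest())


class LogWatcher:
    """Polling tail over a set of log files. Keeps (inode, offset) per file and only ever reads,
    so the watched files and the guest OS are left untouched."""

    def __init__(self, node: str, paths: List[str]) -> None:
        self.node = node
        self.state: Dict[str, Tuple[int, int]] = {}
        for p in paths:
            st = os.stat(p)
            self.state[p] = (st.st_ino, st.st_size)   # start at the current end: only new writes count

    def poll(self) -> List[ProvenanceRecord]:
        records: List[ProvenanceRecord] = []
        for path, (ino, off) in list(self.state.items()):
            st = os.stat(path)
            if st.st_ino != ino or st.st_size < off:
                # Rotation or truncation destroys evidence; record it as an event of its own.
                # Caveat: a truncate followed by a refill beyond the old offset is not caught by
                # size alone; a content checksum of the consumed prefix would be needed for that.
                records.append(ProvenanceRecord.make(self.node, path, "truncate", ""))
                ino, off = st.st_ino, 0
            with open(path, "rb") as fh:
                fh.seek(off)
                chunk = fh.read()
            end = chunk.rfind(b"\n") + 1            # consume whole lines only; a partial line waits
            for raw in chunk[:end].splitlines():
                line = raw.decode("utf-8", "replace")
                records.append(ProvenanceRecord.make(self.node, path, "append", line))
            self.state[path] = (ino, off + end)
        return records


def demo() -> List[Tuple[str, str]]:
    """Constructed run on a temporary file standing in for /var/log/secure."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secure")
        with open(path, "w") as fh:
            fh.write("Jan 1 00:00:00 cn1 sshd[1]: Server listening on 0.0.0.0 port 22.\n")
        w = LogWatcher("CN1", [path])
        with open(path, "a") as fh:
            fh.write("Jan 1 00:00:01 cn1 sshd[2]: Failed password for root from 203.0.113.5\n")
            fh.write("Jan 1 00:00:02 cn1 sshd[2]: Accepted password for root from 203.0.113.5\n")
            fh.write("Jan 1 00:00:03 cn1 sshd[2]: partial")   # no newline yet: left for the next poll
        first = w.poll()
        with open(path, "w") as fh:                 # attacker wipes the log and leaves one line
            fh.write("Jan 1 00:00:09 cn1 sshd[3]: session closed\n")
        second = w.poll()
        return [(r.event, r.line) for r in first + second]
```

The first poll yields the two complete appended lines and holds back the partial one; the second poll yields a `truncate` record followed by the single line the attacker left, so the wipe itself becomes evidence rather than a silent gap. The `digest` field is what the bloom filter stage would insert, keeping the plaintext line out of the broadcast copies.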
The evidence credibility verification module is the key of the cloud forensics mechanism. It is started after an attack in the cloud has been triggered to compute the evidence credibility of each node, or starts the credibility verification process periodically during daily cloud activity, so as to judge whether a node in the cloud has been attacked and then to take the attacked node out of service and analyse it.
The cloud forensics agent module is deployed on each cloud node (CNi) using Docker (an application container engine), so it can be deployed quickly and efficiently across a large number of cloud nodes. As the figure shows, each cloud node corresponds to one cloud forensics agent module (BFAi); the agent module acts on its node to collect and transmit data. The nodes themselves have no direct channel, but an evidence transmission channel exists between the forensics agent modules for sending and receiving after daily evidence collection, and each forensics agent module also has a trusted channel to the single credibility verification module (ECV) over which encrypted provenance data is transmitted.
The cloud forensics agent module controls the collection of cloud evidence during daily cloud activity and the evidence verification during the credibility verification stage; it is distributed across the cloud nodes and performs forensic work alongside normal cloud activity. The raw data collected by the source data collection module is sent to the cloud forensics agent module, where it is processed, stored, transmitted and analysed. The structure of the forensics agent module is shown in Fig. 2: it packages the provenance data generation module (Provenance Data Generator), the multi-layer compressed bloom filter module (Bloom Filter), the data persistence module (Local Data Storage) and the evidence transmission module (Data Transmission). The operational flow of the credibility verification module is shown in Fig. 6.
The four sub-modules are:
(1) Provenance data generation module: receives potential forensic data (such as system logs, provided by the source data collection module), generates provenance data according to the generation time, and sends the data to the bloom filter module, the data persistence module and the evidence transmission module at the same time. The provenance data passed to the data transmission module is encrypted according to the insertion rules of the different bloom filter types; this step prevents cloud user privacy from being compromised. The provenance data yields the data behaviour over the period and allows the network attack scenario on the cloud to be reconstructed for further forensic analysis.
(2) Data persistence module: periodically stores the encrypted data and the bloom filter structure data that the bloom filter module generates from it. During evidence credibility verification it is responsible for providing the retained encrypted provenance data and the required bloom filter data. Specifically, the module backs up and stores the data processed by the bloom filter module, keeps the evidence in a database with elevated privileges, and publishes the data on the internet.
(3) Multi-layer compressed bloom filter module: a bloom filter module is typically used to create a bloom filter structure that stores specific credential data. In the invention the bloom filter module inserts data into a multi-layer compressed counting bloom filter (MLCCBF), and during evidence credibility verification all comparisons are made on MLCCBFs. The bloom filter is the key module of the tamper-proof verification process for evidence credibility and of the backup process of the bloom filter agent. The invention computes the similarity between the stored bloom filters and new bloom filters generated from the encrypted source data to identify untrusted cloud nodes. In addition, to prevent potential attackers from tampering with the structure of the bloom filter, noise data is introduced into the filter to make tampering harder; the noise data stays fixed within one cloud node but differs from the noise data of other cloud nodes. In a cloud environment with a large number of cloud nodes, tampering with evidence by tampering with the bloom filter data is not feasible. The module protects the provenance data generated by the provenance data generation module by encrypting it through the improved bloom filter, preventing user privacy from leaking within and between cloud nodes; at the same time it introduces the layer concept and compression on top of the basic bloom filter, making it better suited to the large data volumes in the cloud.
(4) Evidence transmission module: responsible for transmitting data between cloud nodes. After the provenance data generation module produces provenance data, the evidence transmission module broadcasts the backup data to all other cloud nodes in addition to the copy stored through the persistence module; at the same time it receives the encrypted provenance data sent by other nodes and passes it to the bloom filter module for storage. The evidence transmission module is the key component of data backup in the forensics agent module. Because the tamper-proof mechanism for the evidence relies on computing credibility across the distributed cloud evidence, encrypted provenance data must be transmitted between nodes after the provenance data generation stage and during the evidence credibility verification stage. In the verification stage the module transmits the provenance data of the specified period from the local node to the evidence credibility verification module.
Fig. 3 is an abstract behaviour diagram of the forensics agent module of the present invention, in which the forensics module completes evidence collection, analysis and transmission through the interaction of its internal sub-modules. The behaviours are:
(1) Step 1: the source data is transmitted to the forensics agent module for encryption, and the encrypted data is then passed on to the data persistence module, the bloom filter encryption module and the evidence transmission module.
(2) Step 2: the encrypted provenance data sent to the bloom filter module is inserted into the bloom filter data structure, and noise data is introduced to raise the cost of tampering. The data structure is shown in Fig. 5.
(3) Step 3: the saturated bloom filter data is uploaded to a database on the public network for reference, which prevents malicious collusion between potential attackers such as cloud service providers, cloud users and cloud forensic investigators during the forensics process.
Fig. 4 is a data flow diagram of the forensics agent module of the present invention. Its most important sub-module is the multi-layer compressed bloom filter, the key technical module of the present invention, which carries data processing, storage and transmission and thereby improves overall forensics performance. Fig. 4 depicts the data flow around the multi-layer compressed bloom filter; the main flows are:
(1) Data is collected by the source data collection module and encrypted by the provenance data generation module to produce provenance data, which flows to the multi-layer compressed bloom filter module.
(2) Each cloud node must send its encrypted provenance data to the other nodes so that the multi-layer compressed bloom filter data on every node stays consistent, which is what allows untrusted nodes and cloud evidence to be judged. The multi-layer compressed bloom filter module therefore also inserts the encrypted provenance data sent by other cloud nodes.
(3) To prevent potential malicious attackers such as cloud service providers, cloud users and cloud forensic investigators from tampering with evidence proofs, noise data is introduced into the multi-layer compressed bloom filter; the filter holds both the valid bits of the evidence data and the noise bits, which raises the cost of tampering with evidence credentials and guarantees the accuracy of credibility verification.
(4) In the credibility verification process, the credibility verification module collects evidence credentials for a specified time period from each forensics agent module; therefore the data credential for that period (a saturated multi-layer compressed bloom filter) must be looked up in the data persistence module and sent to the credibility verification module.
Fig. 5 is a structure diagram of the multi-layer compressed bloom filter. It describes the data structure of the improved multi-layer compressed bloom filter, a key technology of the present invention: besides introducing multiple layers and compression to avoid false positives and reduce memory consumption, it adds noise data to the conventional bloom filter so as to raise the cost of tampering with the data and the difficulty faced by a malicious attacker.
As shown in the figure, the bloom filter has 10 layers in total. A new layer is generated whenever the current layer cannot accommodate the insertion position, and the bloom filter is saturated once the 10th layer is exhausted; at that moment the saturated bloom filter is stored in the data persistence module. Each bloom filter randomizes the length of its noise data: the noise length is the same for every layer, while the bloom filter length differs from layer to layer, and the noise values at the noise positions of each layer are randomized. This increases the difficulty of tampering with the data structure and prevents malicious tampering by an attacker; once tampering does occur, it can be effectively identified.
Fig. 6 shows the credibility verification stage of the credibility verification process and describes the key credibility verification algorithm of the present invention. The specific steps are as follows:
(1) Step 1: randomly select k cloud nodes in the cloud environment (k > 0.7 × n, where n is the total number of cloud nodes) and start a cloud node counter i.
(2) Step 2: select one of the k nodes that has not yet been computed, and obtain the number of encrypted provenance records stored between the start time and the end time.
(3) Step 3: retrieve the stored encrypted source data by time and compute a new multi-layer compressed bloom filter from it.
(4) Step 4: if comparing the newly generated multi-layer compressed bloom filter with the locally stored bloom filter reveals an inconsistency, the cloud node is considered tampered with and its evidence is not credible.
(5) Step 5: if the newly generated multi-layer compressed bloom filter is consistent with the locally stored bloom filter, the cloud node still cannot be proved credible, because the stored encrypted provenance data and the locally stored bloom filter may both have been tampered with; therefore return to step (2).
(6) Step 6: after all k cloud nodes have been computed, since k > n/2, the local bloom filter that occurs most often is taken as trusted, and the nodes holding it are trusted.
Because the cloud has a large number of nodes, the improved bloom filter is hard to tamper with, and the cost of tampering with the credibility verification framework is prohibitive, the accuracy of credibility verification can be effectively guaranteed.
Based on the system structure above, the invention also provides a credibility verification method for distributed cloud forensics, which comprises the following specific steps:
(1) Configuration stage: configure a cloud forensics agent module into each cloud node of the cloud environment, and configure the internal agent information.
At this stage, the forensics agent module and the source data collection module of the target node exchange commands to bind to each other, and the operating parameters of the internal provenance data generation module, multi-layer compressed bloom filter module, data persistence module and evidence transmission module are configured so that they are ready to receive commands and operate at any time.
(2) Start-up operation stage: after receiving an external start command, the cloud forensics agent module forwards it to the control interface of the corresponding module; the internal provenance data generation module and the evidence transmission module are both started, the source data collection module is started and granted read permission on the monitored log files in the node, and any behaviour attempting to write to the log files is captured and collected. After collection, the data passes in turn through the provenance data generation module, the multi-layer compressed bloom filter module and the data persistence module, and is then handed to the evidence transmission module.
At this stage, the forensics module receives the operation instruction, starts its internal sub-modules and begins receiving data from the source data collection module. The specific internal steps are as follows:
a. The source data collection module starts monitoring data changes on the bound cloud node and sends the changed data to the forensics agent module, namely to its sub-module, the provenance data generation module.
b. The provenance data generation module generates provenance data according to the time distribution of the specific data and uses it as the source credential of the obtained evidence.
c. The multi-layer compressed bloom filter module encrypts the provenance data and inserts it into the improved bloom filter, performs the data calculation according to the configured number of layers and the encryption rule, and sends the calculated data to the data persistence module and the evidence transmission module. The data calculation specifically comprises the following steps:
(1) Compute the hash values of the provenance data with 4 hash functions and store them temporarily.
(2) Generate a new layer of bloom filter, introduce noise, and insert the four hash values in sequence; if the corresponding positions in the first layer are unoccupied, the four hash values are inserted there. Generating a new layer of bloom filter and introducing noise comprises the following sub-steps:
(i) Determine the length of the noise data and, using a random function, randomly fill the noise-length positions before and after the bloom filter of this layer.
(ii) When generating a new layer, fill random data into the bloom filter of that layer using the noise data length of the previous layer; the positions outside the noise data are the valid data positions.
(3) If the corresponding position in the first layer is already occupied, count the positions before it whose value is 1 (the sum of the values in front of the position); the result is the position for the second insertion.
(4) Generate a new layer of bloom filter and insert at the position obtained from the previous layer, repeating until the insertion succeeds.
(5) When the number of layers reaches 10, start the persistence module to save the data, regenerate the bloom filter, and return to step (2) to continue inserting.
d. After receiving the data generated by the node's multi-layer compressed bloom filter module together with the original encrypted provenance data, the data persistence module stores both in a database by time; the database grants read permission to all users, while write permission is held only by this sub-module.
e. After receiving the data generated by the node's multi-layer compressed bloom filter module, the evidence transmission module broadcasts it to all nodes in the cloud together with the encrypted provenance data.
(3) Verification stage: the evidence credibility verification module is started periodically or manually and sends a command to the forensics agent module of each node; on receiving the start command of the evidence credibility verification module, the forensics agent module instructs its persistence sub-module to take out the provenance data evidence for the time period specified in the command and hand it to the evidence transmission module; the transmission module sorts the data credentials and sends them to the evidence credibility verification module.
(4) Reset stage: the evidence credibility verification module performs the credibility verification calculation on the collected evidence to obtain the untrusted results, sends a stop command to the corresponding nodes to halt them, and clears all data after submitting the results.
(5) After the reset stage ends, return to stage (2) and continue monitoring each node.
The specific steps by which the evidence credibility verification module performs the evidence credibility verification calculation are as follows:
(1) Send a credibility verification start instruction to the forensics agent module of each node, which starts the cloud forensics agent module of each node and enters the operation of the start-up operation stage.
(2) Collect the data transmitted by each node into memory, regenerate new bloom filter data node by node and compare them one by one; on the basis of the large data volume, obtain the batch of data showing the most differences and mark the corresponding nodes as untrusted in the generated result.
(3) Clear all collected data and present the results to the user.
(4) Send a stop command to the untrusted nodes contained in the result to stop their operation.
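The layered insertion of steps (1) to (5) under c. above and the recompute-and-compare check of Fig. 6 and of the verification steps just listed, as an added Python example that is not the patent's own code. Everything the patent leaves open is an assumption here: the four hash functions are SHA-256 over a one-byte salt and the record; layers after the first grow on demand (so their lengths differ, as in Fig. 5); the noise bits and the per-filter noise length are derived from a per-node secret (constant on one node, different on every other); the records stand for the encrypted provenance data as opaque byte strings, with the encryption itself outside the example; the node names, secrets and records are constructed sample data; and the verifier compares only the valid bits, so that filters built on nodes with different noise are comparable and can vote by majority.

```python
# Added example (not the patent's code): multi-layer filter with noise, plus the Fig. 6 check.
import hashlib
import random
from collections import Counter
from dataclasses import dataclass

MAX_LAYERS = 10   # the patent persists the filter once it has 10 layers
NUM_HASHES = 4    # the patent inserts four hash values per provenance record


def hash_positions(record: bytes, width: int) -> list:
    """Hypothetical hash family: SHA-256 over a one-byte salt and the record."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + record).digest()[:4], "big") % width
            for i in range(NUM_HASHES)]


@dataclass
class Layer:
    noise_before: list   # node-specific random bits in front of the valid region
    valid: list          # the bits that actually encode evidence
    noise_after: list    # node-specific random bits behind the valid region


class MultiLayerFilter:
    def __init__(self, width: int, node_secret: bytes, records=()):
        self.width, self.secret, self.seq = width, node_secret, 0
        self.persisted = []          # (noise_len, layers) of saturated filters
        self._new_filter()
        for record in records:
            self.insert(record)

    def _new_filter(self) -> None:
        # Noise length is random per filter instance but shared by all of its layers.
        rng = random.Random(self.secret + b"len" + self.seq.to_bytes(4, "big"))
        self.noise_len = rng.randint(4, 12)
        self.layers = [self._new_layer(0, self.width)]

    def _new_layer(self, index: int, width: int) -> Layer:
        # Noise bits derive from the node secret: fixed on this node, different elsewhere.
        rng = random.Random(self.secret + b"noise" + bytes([self.seq % 256, index]))
        noise = lambda: [rng.randint(0, 1) for _ in range(self.noise_len)]
        return Layer(noise(), [0] * width, noise())

    def insert(self, record: bytes) -> None:
        for pos in hash_positions(record, self.width):
            self._insert_position(pos)
        if len(self.layers) >= MAX_LAYERS:      # saturated: persist and start a fresh filter
            self.persisted.append((self.noise_len, self.layers))
            self.seq += 1
            self._new_filter()

    def _insert_position(self, pos: int) -> None:
        depth = 0
        while True:
            layer = self.layers[depth]
            if pos >= len(layer.valid):         # layers after the first grow on demand
                layer.valid.extend([0] * (pos + 1 - len(layer.valid)))
            if layer.valid[pos] == 0:
                layer.valid[pos] = 1
                return
            pos = sum(layer.valid[:pos])        # occupied: set bits before pos -> next-layer slot
            depth += 1
            if depth == len(self.layers):
                self.layers.append(self._new_layer(depth, 0))

    def snapshot(self) -> list:
        """What persistence stores: saturated filters plus the current one, noise included."""
        return [{"noise_len": nl, "layers": [l.noise_before + l.valid + l.noise_after for l in ls]}
                for nl, ls in self.persisted + [(self.noise_len, self.layers)]]


def fingerprint(snapshot: list) -> tuple:
    """Valid bits only, so filters built on nodes with different noise are comparable."""
    return tuple(tuple(tuple(layer[f["noise_len"]:len(layer) - f["noise_len"]])
                       for layer in f["layers"]) for f in snapshot)


def verify(nodes: dict, width: int, sample_size=None, seed: int = 0):
    """Steps 1-6 of Fig. 6; nodes maps node id -> (records, stored snapshot)."""
    k = sample_size or int(0.7 * len(nodes)) + 1   # k > 0.7 n, hence k > n / 2
    trusted, untrusted, consistent = set(), set(), {}
    for node_id in random.Random(seed).sample(sorted(nodes), k):
        records, stored = nodes[node_id]
        rebuilt = fingerprint(MultiLayerFilter(width, b"verifier", records).snapshot())
        if rebuilt != fingerprint(stored):
            untrusted.add(node_id)           # step 4: records and stored filter disagree
        else:
            consistent[node_id] = rebuilt    # step 5: not proven yet, keep for the vote
    if consistent:
        majority = Counter(consistent.values()).most_common(1)[0][0]
        for node_id, fp in consistent.items():
            (trusted if fp == majority else untrusted).add(node_id)   # step 6
    return trusted, untrusted


def demo_nodes(width: int = 1024) -> dict:
    """Constructed scenario: three honest nodes, one tampered filter, one colluding node."""
    records = [b"enc-provenance-%d" % i for i in range(6)]       # constructed sample data
    nodes = {n: (records, MultiLayerFilter(width, n.encode(), records).snapshot()) for n in "ABC"}
    tampered = MultiLayerFilter(width, b"D", records).snapshot()
    tampered[-1]["layers"][0][tampered[-1]["noise_len"]] ^= 1   # flip the first valid bit
    nodes["D"] = (records, tampered)
    forged = records + [b"enc-provenance-forged"]                # extra record, filter rebuilt
    nodes["E"] = (forged, MultiLayerFilter(width, b"E", forged).snapshot())
    return nodes
```

`verify(demo_nodes(), 1024, sample_size=5)` returns `({"A", "B", "C"}, {"D", "E"})`: node D is caught at step 4 because the filter rebuilt from its records no longer matches the stored one, and node E, whose records and filter were rewritten consistently, is caught only at step 6 because it loses the majority vote. With the default sample size the verifier draws k = 4 of the 5 nodes, and whichever honest node is left out, the majority among the consistent filters is still the honest one; this is why the patent requires k > 0.7 n. Because every node's noise is different, the check never compares raw filter bytes, only the valid regions that the noise length delimits.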
The invention is based on an improved multi-layer compressed bloom filter and can be used in an untrusted multi-tenant cloud environment. The invention takes the untrustworthiness of the participants in the forensics process into account and protects the data against tampering in a distributed manner, so that user privacy cannot be violated; each cloud node is bound to a cloud forensics agent that carries out evidence collection, calculation, analysis and transmission, and a central credibility verification module sends credibility verification commands periodically or manually to carry out credibility verification; the method is event-driven, modifies no code of the target operating system, and has lower performance overhead and higher flexibility than existing cloud evidence data monitoring, making it suitable for real-time cloud evidence collection and credibility analysis.
The technical means disclosed in the invention scheme are not limited to the technical means disclosed in the above embodiments, but also include the technical scheme formed by any combination of the above technical features. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and such improvements and modifications are also considered to be within the scope of the present invention.

Claims (8)

1. A credibility verification system for distributed cloud forensics, characterized in that: the system comprises a cloud forensics agent module, a source data collection module and an evidence credibility verification module;
the source data collection modules are distributed in each node and provide the initial cloud evidence; they selectively monitor some key log files and, when data changes, send the read behaviours to the cloud forensics agent module for further processing;
the cloud forensics agent module controls the collection of cloud forensic evidence during daily cloud activity and the evidence verification during the credibility verification stage, processes, stores, transmits and analyses data, is distributed in every cloud node of the cloud environment, and carries out forensic work alongside normal cloud activity;
the cloud forensics agent module comprises a provenance data generation module, a multi-layer compressed bloom filter module, a data persistence module and an evidence transmission module;
the provenance data generation module generates provenance data from the original log data provided by the source data collection module and its generation time, obtains the data behaviours in that period, and sends them to the multi-layer compressed bloom filter module, the data persistence module and the evidence transmission module;
the multi-layer compressed bloom filter module performs encryption protection on the provenance data generated by the provenance data generation module through an improved bloom filter, introduces the concept of layers on top of a basic bloom filter, applies compression and introduces noise data;
the data persistence module backs up and stores the data processed by the bloom filter module and publishes the data on the network;
the evidence transmission module provides data transmission between the cloud nodes, broadcasts the data to the other cloud nodes after the provenance data has been generated, and receives the data broadcast by other nodes;
the evidence credibility verification module starts and calculates the evidence credibility of each node after an attack in the cloud has occurred, or starts a credibility verification process periodically during daily cloud activity, so as to judge whether nodes in the cloud have been attacked and then stop using and analyse the attacked nodes.
2. The credibility verification system for distributed cloud forensics of claim 1, wherein: the cloud forensics agent modules are bound to their respective cloud nodes, each node corresponding to one cloud forensics agent module; each source data collection module is bound to one node and collects the source data of that node; there is only one evidence credibility verification module globally, which operates independently and is started periodically or manually for verification; and the multi-layer compressed bloom filter module occupies memory only while recording forensic evidence.
3. A credibility verification method for distributed cloud forensics, characterized by comprising the following specific steps:
(1) configuration stage: configuring a cloud forensics agent module into each cloud node of a cloud environment, and configuring internal agent information;
(2) start-up operation stage: after receiving an external start command, the cloud forensics agent module forwards it to the control interface of the corresponding module, starts both the internal provenance data generation module and the evidence transmission module, starts the source data collection module, grants the module read permission on the monitored log files in the node, captures and collects any behaviour attempting to write to the log files, and after collection passes the data in turn through the provenance data generation module, the multi-layer compressed bloom filter module and the data persistence module and then into the evidence transmission module for data transmission;
(3) verification stage: the evidence credibility verification module is started periodically or manually and sends a command to the cloud forensics agent module of each node; the cloud forensics agent module instructs the data persistence module to hand the data evidence for the time period specified in the command to the evidence transmission module; the transmission module sorts the data credentials and sends them to the evidence credibility verification module;
(4) reset stage: the evidence credibility verification module performs the credibility verification calculation on the collected evidence to obtain the untrusted results, sends a stop command to the corresponding nodes to halt them, and clears all data after submitting the results;
(5) after the reset stage ends, returning to stage (2) and continuing to monitor each node.
4. The credibility verification method for distributed cloud forensics of claim 3, wherein the configuration stage comprises the following step:
the cloud forensics agent module and the source data collection module of the target node exchange commands to bind to each other, and the operating parameters of the internal provenance data generation module, multi-layer compressed bloom filter module, data persistence module and evidence transmission module are configured so that they are ready to receive commands and operate at any time.
5. The credibility verification method for distributed cloud forensics of claim 3, wherein the specific steps of the start-up operation stage are as follows:
a. the source data collection module starts monitoring data changes on the bound cloud node and sends the changed data to the provenance data generation module inside the forensics agent module;
b. the provenance data generation module generates provenance data according to the time distribution of the specific data and uses it as the source credential of the obtained evidence;
c. the multi-layer compressed bloom filter module encrypts the provenance data and inserts it into an improved bloom filter, performs the data calculation according to the configured number of layers and the encryption rules, and sends the calculated data to the data persistence module and the evidence transmission module;
d. after receiving the data generated by the node's multi-layer compressed bloom filter module together with the original encrypted provenance data, the data persistence module stores both in a database by time, the database granting read permission to all users while write permission is held only by the local sub-module;
e. after receiving the data generated by the node's multi-layer compressed bloom filter module, the evidence transmission module broadcasts it to all nodes in the cloud together with the encrypted provenance data.
6. The credibility verification method for distributed cloud forensics of claim 5, wherein the data calculation in step c specifically comprises the following steps:
(1) calculating the hash values of the provenance data with 4 hash functions and storing them temporarily;
(2) generating a new layer of bloom filter, introducing noise, and inserting the four hash values in sequence, the four hash values being inserted if the corresponding positions in the first layer are unoccupied;
(3) if the corresponding position in the first layer is already occupied, counting the positions before it whose value is 1 (the sum of the values in front of the position) to obtain the position for the second insertion;
(4) generating a new layer of bloom filter and inserting at the position obtained from the previous layer, until the insertion succeeds;
(5) when the number of layers reaches 10, starting the persistence module to save the data, regenerating the bloom filter, and returning to step (2) to continue inserting.
7. The credibility verification method for distributed cloud forensics of claim 6, wherein generating a new layer of bloom filter and introducing noise in step (2) comprises the following sub-steps:
(i) determining the length of the noise data and, using a random function, randomly filling the noise-length positions before and after the bloom filter of this layer;
(ii) when generating a new layer, filling random data into the bloom filter of that layer using the noise data length of the previous layer, the positions outside the noise data being the valid data positions.
8. The credibility verification method for distributed cloud forensics of claim 3, wherein the evidence credibility verification module performs the evidence credibility verification calculation by the following specific steps:
(1) sending a credibility verification start instruction to the forensics agent module of each node, starting the cloud forensics agent module of each node, and entering the operation of the start-up operation stage;
(2) collecting the data transmitted by each node into memory, regenerating new bloom filter data node by node and comparing them one by one, obtaining on the basis of the large data volume the batch of data showing the most differences, and marking the corresponding nodes as untrusted in the generated result;
(3) clearing all collected data and submitting the results to the user;
(4) sending a stop command to the untrusted nodes contained in the result to stop their operation.
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202010865984.5A 2020-08-25 2020-08-25 Distributed cloud evidence obtaining credibility verification system and method thereof Active CN112016131B (en)

Publications (2)

Publication Number Publication Date
CN112016131A true CN112016131A (en) 2020-12-01
CN112016131B CN112016131B (en) 2023-11-07

Family

ID=73503386


Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104794170A (en) * 2015-03-30 2015-07-22 中国科学院信息工程研究所 Network forensics content tracing method based on multi-fingerprint hash bloom filters
CN105429968A (en) * 2015-11-06 2016-03-23 北京数智源科技股份有限公司 Load ownership network forensics method and system based on bloom filters
CN109254902A (en) * 2018-07-10 2019-01-22 南京大学 Forensics system and method for cloud computing environments based on user intention detection
CN109327325A (en) * 2017-07-31 2019-02-12 深圳中软华泰信息技术有限公司 Multi-stage data acquisition and evidence collection method for cloud platform credibility assessment
US20190104151A1 (en) * 2016-03-23 2019-04-04 Agency For Science, Technology And Research Cloud-based forensic IP traceback
CN109583229A (en) * 2018-10-30 2019-04-05 中国科学院信息工程研究所 Privacy information provenance forensics method, apparatus and system
US20190273617A1 (en) * 2018-03-02 2019-09-05 Intertrust Technologies Corporation Trust and identity management systems and methods


Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
DOMENICO FICARA et al.: "MultiLayer Compressed Counting Bloom Filters", IEEE INFOCOM 2008 - The 27th Conference on Computer Communications, pages 311-315 *
M A MANAZIR AHSAN et al.: "CLASS: Cloud Log Assuring Soundness and Secrecy Scheme for Cloud Forensics", IEEE Transactions on Sustainable Computing, vol. 6, no. 2, pages 184-196, XP011858917, DOI: 10.1109/TSUSC.2018.2833502 *
Zhang Jun et al.: "Current status and development directions of digital forensics research", Police Technology, no. 05, pages 41-44 *
Li Wei: "Research and application of efficient Bloom filters for big data", China Doctoral Dissertations Full-text Database, pages 138-6 *
Xie Jiayun et al.: "Research progress on Android protection technology", Computer Engineering, vol. 44, no. 2, pages 163-170 *
Gao Yun et al.: "A survey of cloud forensics", Application Research of Computers, vol. 33, no. 1, pages 1-6 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant