CN109254902B - Evidence obtaining system and method based on user intention detection and applied to cloud computing environment - Google Patents


Info

Publication number: CN109254902B
Authority: CN (China)
Prior art keywords: module, evidence obtaining (forensics), control, user, client
Legal status: Active
Application number: CN201810753647.XA
Other languages: Chinese (zh)
Other versions: CN109254902A
Inventors: 伏晓, 刘轩宇, 骆斌
Current assignee: Nanjing University
Original assignee: Nanjing University

Classifications

    • G06F11/3438 — Recording or statistical evaluation of computer or user activity: monitoring of user actions (G06F11/00 Error detection, error correction, monitoring; G06F11/30 Monitoring; G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; recording or statistical evaluation of user activity, e.g. usability assessment)
    • G06F11/3476 — Data logging (G06F11/3466 Performance evaluation by tracing or monitoring)
    • G06F21/6218 — Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60 Protecting data; G06F21/62 Protecting access to data via a platform)
Abstract

The invention discloses a computer forensics system and method based on user intention detection, applied to a cloud computing environment. The system comprises a client and a cloud proxy server: the client is provided with an initialization driver module, a system control center and a system support module group; the cloud proxy server is provided with a forensics function module group. A lightweight virtual machine monitor is implemented at the client, so that the forensics tool can directly use the convenience and flexibility of hardware virtualization for rapid analysis and real-time evidence collection, and by placing a cloud proxy server between the client and the server, the server can use the functions of the forensics system without restructuring the cloud system architecture. The method overcomes the defects of current post-hoc forensics, overcomes the flexibility shortcoming of virtualization technology, has a wider application range than traditional security systems, and ensures the reliability and accuracy of evidence collection.

Description

Evidence obtaining system and method based on user intention detection and applied to cloud computing environment
Technical Field
The invention relates to the technical field of computer forensics, in particular to a computer forensics system and a computer forensics method based on user intention detection and applied to a cloud computing environment.
Background
Conventional host-based security systems concentrate on attack detection: they identify attacks through predefined malicious models, or detect anomalies that do not arise from correct input or a correct operating environment. Unfortunately, accurately identifying the latest attack patterns has proven to be an endless loop; updates to detection methods always seem to lag behind the appearance of a new attack. For this reason, more and more security systems introduce a user-intent-driven security model to ensure that the behavior of the system matches the user's intent. Since this type of model can be attack-agnostic, it can have a wider range of application than traditional security systems. The idea of defining the correct behavior of an application by detecting user intent is not entirely new, but previous attempts have often used overly simple or overly complex models to define user behavior. Accurate detection of user intent therefore appears impossible without properly and accurately applying the runtime context.
The purpose of computer forensics is to provide the traces a perpetrator leaves on a computer to a court as valid evidence in order to combat computer and cyber crime. Traditional computer forensic analysis is performed after the fact, and such evidence is easily lost and easily tampered with. Real-time acquisition of forensic evidence is therefore crucial.
Hardware virtualization technology was first proposed for the IBM System/370. Its characteristics guarantee consistency of the running environment, i.e. computer software behaves the same under a hardware virtual machine as when run directly on the machine; they guarantee that the VMM completely controls the virtual machine's resources, including memory, registers, I/O, interrupts and instruction execution; and they guarantee efficiency, i.e. ordinary instructions run at full speed without VMM intervention. Technologies supporting hardware virtualization on the x86 architecture currently include Intel VT-x (2005) and AMD-V (2006), which are widely used in personal computers and servers. Most commercial virtualization software, such as Linux KVM, Microsoft Hyper-V, Xen and VMware, already supports this technology.
Lightweight virtual machine technology uses the convenience provided by hardware virtualization, so that a complete virtualization platform can be implemented with a small amount of code. Because the code size of a lightweight virtual machine is small, integrity checking can be performed faster and more completely, which secures the virtual machine monitor. S. T. King proposed a method for dynamically deploying a lightweight virtual machine under a running operating system at the 2006 IEEE S&P conference, demonstrating that a lightweight virtual machine can be deployed at run time and is transparent to the target system. Combined with a trusted execution environment technology such as Intel Trusted Execution Technology (TXT), a tamper-resistant and measurable execution environment can be established, the correctness of the running environment can be easily checked, and whether it runs on unmodified real hardware can be verified remotely.
Disclosure of Invention
To solve these problems, the invention discloses a computer forensics system and method based on user intention detection, applied to a cloud computing environment, which ensures that the user's local operating intent is correctly transmitted between cloud platforms and also protects the user's cloud data. A lightweight virtual machine monitor is implemented at the client, so that the forensics tool can directly use the convenience and flexibility of hardware virtualization for rapid analysis and real-time evidence collection, and by placing a cloud proxy server between the client and the server, the server can use the functions of the forensics system without restructuring the cloud system architecture.
To achieve this purpose, the invention provides the following technical scheme:
A computer forensics system based on user intent detection, applied to a cloud computing environment, comprises a client and a cloud proxy server. The client acquires forensic data; the cloud proxy server provides forensics function support. The client is provided with an initialization driver module, a system control center and a system support module group; the cloud proxy server is provided with a forensics function module group.
The initialization driver module deploys and unloads the forensics platform within the running client operating system and transfers control to the system control center once the initialization process is finished.
The system control center supports the hardware virtualization platform, controls the initialization and unloading processes, preprocesses the target operating system events intercepted by the hardware virtualization platform, and provides them to the forensics function module group.
The system support module group implements the basic functions of the system on top of the system control center; it comprises a signal module, an external control module, a system state detection module and a user intention detection module that acquires important evidence in real time.
The forensics function module group comprises several forensics modules and completes initialization, unloading and external control with the support of the forensics platform; it is managed uniformly by the cloud proxy server, and the client's system control center allocates and uses it through the external interface.
Further, the forensics function module group comprises a data encryption protection module, a user scene reproduction module and a user-intent-driven access control module.
The data encryption protection module provides further encryption protection for the cloud data being accessed. In a first step, the accessed cloud data is encrypted with a data key using a general-purpose encryption algorithm; in a second step, the data key is encrypted with a control key, to which time validity, space validity and other limiting conditions are bound. The control key is managed and retained by the cloud proxy server; the encrypted data, the data key and the control key are provided to the data access requester.
The user scene reproduction module obtains important evidence from the operating system in real time, which includes: the running state of the operating system when an event occurs, the behavior of the currently running process, the application interface structure at the time of the event, and the interaction between the user and the application. The module is a lightweight, continuously running forensic reproduction engine that provides an abstract but semantically sufficient reproduction of the user's operating scene and helps analyze the interaction between user and application. Scene reproduction is performed in the cloud, and the reproduced result can be rendered on any device using a frame buffer protocol.
The user-intent-driven access control module actively protects user data according to the user's intent: it dynamically configures the access control policy from the detected intent and rejects data access requests that do not match it.
Further, the initialization sequence of the client is: initialize the system control center, then the system support module group, then the external control interface of the forensics function modules, keeping initialization single-threaded. The initialization sequence of the cloud proxy server is: initialize the forensics function management center, then the forensics function modules, then the external interface. Conversely, the unloading sequence of the client is: unload the external control interface of the forensics function modules first, then the system support module group, and finally the system control center returns CPU control to the target operating system. The unloading sequence of the cloud proxy server is: unload the external interface first, then the forensics function modules, and finally the forensics function management center.
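The two-layer protection described for the data encryption protection module, as an added example that is not part of the patent and not code from Nanjing University: a data key encrypts the cloud data, a control key wraps the data key, and the proxy checks the time and space validity bound to the control key before releasing the data key. The patent does not name a cipher, so this example uses a standard-library-only HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag as a stand-in for an AEAD such as AES-GCM; the `CloudProxy`, `protect`, `unwrap` and `access_cloud_data` names, the `key_id` handle, the region-based "space validity" and the assumption that the control key itself stays on the proxy are all this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Set

# NOTE: HMAC-SHA256 in counter mode plus an HMAC tag (encrypt-then-MAC) is a
# stdlib-only stand-in for the "general encryption algorithm" the description
# leaves unspecified; a deployment would use an AEAD such as AES-GCM for both layers.


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class CloudProxy:
    """Cloud proxy side: generates both keys and keeps every control key together with
    its binding conditions (the control key database of Fig. 1). Assumption: the control
    key never leaves the proxy; the requester only holds a key_id referring to it."""

    def __init__(self) -> None:
        self._control_keys: Dict[str, dict] = {}

    def protect(self, data: bytes, not_before: float, not_after: float, regions: Set[str]) -> dict:
        data_key = os.urandom(32)
        control_key = os.urandom(32)
        key_id = os.urandom(8).hex()
        self._control_keys[key_id] = {
            "control_key": control_key,
            "not_before": not_before,   # time validity window
            "not_after": not_after,
            "regions": set(regions),    # space validity: where the data may be opened
        }
        # Step one: data under the data key. Step two: data key wrapped under the control key.
        return {
            "key_id": key_id,
            "ciphertext": encrypt(data_key, data),
            "wrapped_data_key": encrypt(control_key, data_key),
        }

    def unwrap(self, key_id: str, wrapped_data_key: bytes, now: float, region: str) -> bytes:
        """Release the data key only while the control key's conditions hold."""
        entry = self._control_keys.get(key_id)
        if entry is None:
            raise PermissionError("unknown control key")
        if not entry["not_before"] <= now <= entry["not_after"]:
            raise PermissionError("outside the control key's time validity")
        if region not in entry["regions"]:
            raise PermissionError("outside the control key's space validity")
        return decrypt(entry["control_key"], wrapped_data_key)


def access_cloud_data(proxy: CloudProxy, package: dict, now: float, region: str) -> bytes:
    """Requester side: obtain the data key from the proxy, then decrypt the data locally."""
    data_key = proxy.unwrap(package["key_id"], package["wrapped_data_key"], now, region)
    return decrypt(data_key, package["ciphertext"])
```

Because the control key stays with the proxy, revoking access is a matter of deleting or re-binding the proxy's entry; the ciphertext and wrapped data key held by the requester become useless on their own.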
The invention also provides a computer forensics method based on user intention detection, applied to a cloud computing environment, comprising a client part and a cloud proxy service part.
The client part is implemented in the following steps:
Step one, the start-up stage: the initialization driver requests the target operating system to allocate memory, enters virtual machine mode, and configures the hardware-specific virtual machine control data structure, i.e. copies every register and the running state of the current operating system into the virtual machine; CPU control is taken over by the system control center; the initialization process runs and deploys the forensics platform at the client; the target operating system resumes running.
Step two, the operation stage: according to the configuration of the system control center, the hardware platform supporting hardware virtualization automatically intercepts user hardware events generated in the target system; after preprocessing by the system control center, each event is dispatched through the external interface to the forensics function module registered for it at the cloud proxy server, and the result is finally returned to the client.
Step three, the unloading stage: the client's initialization driver notifies the system control center to unload; the system control center first unloads the external control modules of the forensics function modules, then the system support module group, then returns CPU control to the target operating system; finally the initialization driver returns the memory allocated in step one and unloading is complete.
The cloud proxy server part is implemented in the following steps:
Step one, the start-up stage: the cloud proxy server starts the forensics function management center, registers the forensics function modules, keeps them running, and opens the external interface.
Step two, the operation stage: the forensics function management center receives client requests through the external interface and distributes them to the corresponding forensics function module. Processing at the cloud proxy server specifically comprises: calling the user scene reproduction module to reproduce the interaction between the user and the target operating system, calling the user-intent-driven access control module to protect the user's cloud data, and calling the data encryption protection module to further protect the cloud data being accessed; finally the processing result is fed back to the client.
Step three, the unloading stage: the cloud proxy server unloads the external control interface of the forensics functions, then the forensics function modules, then the forensics function management center.
Further, step one on the client specifically comprises the following steps:
(1) the initialization driver requests the operating system to allocate memory; this memory is not returned during the whole life cycle of the forensics platform;
(2) the system control center initializes the memory management system, records all memory allocations, builds the page table structure of the virtual host, and establishes the mapping from host linear addresses to physical addresses;
(3) the system control center first calls the initialization interface of each module in the system support module group, then the initialization interface of each module in the forensics function module group;
(4) the initialization driver checks and records whether the hardware platform supports hardware virtualization, enters virtual machine mode, configures the hardware-specific virtual machine control data structure, and copies the state of the running operating system into the virtual machine;
(5) CPU control is taken over by the system control center, i.e. the instruction pointer register, segment registers, flags register and descriptor tables of the virtual host are set in the virtual machine control data structure, and then the target operating system resumes;
(6) once virtualization is complete, the start-up stage ends.
Further, in step two on the client side:
For hardware events, the system control center preprocesses as follows: each module in the system configures the hardware virtualization data structures through the system control center, so that virtual machine traps are triggered only by events the forensics platform is interested in. When the control flow of the target operating system traps into the virtual machine monitor, the system control center first registers the hardware event as a logic event. If the trap is an exception or error event, the function that raised the error is forcibly closed, and if it cannot be recovered, the error information is reported to the serial port. The system control center preprocesses the logic event and distributes it to the external control interface of the corresponding registered forensics function module for further processing. The system control center also calls the user intention detection module in the system support module group to collect the current interface structure and the user's interaction behavior and generate a user intention data structure.
For external control events, the system control center preprocesses as follows: it passes the external control event to the external control module, which decrypts the control information it carries; if the control information matches the defined format, it is forwarded to the control interface of the corresponding forensics function module registered at the cloud proxy server; if it does not match the defined format, it is discarded and no action is taken.
Further, the user intention detection module in the system support module group obtains important evidence from the operating system in real time, including the running state of the operating system and the behavior of the running process when an event occurs, the application interface structure at the time of the event, and the interaction between the user and the application. The interface structure of the current system is represented as a tree whose root node is the system desktop and whose branch and leaf nodes are windows and components, each carrying data such as type, size, position, text, events and timestamps. From this tree, combined with the system running state and process information, an interface structure data structure and a user intention data structure are generated; the interface structure data structure is used by the user scene reproduction module, and the user intention data structure is used by the access control module.
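The two preprocessing paths above (hardware events registered as logic events and dispatched to registered modules, with faulty modules force-closed and reported; external control events authenticated and format-checked before being forwarded or silently discarded), as an added example that is neither the patent's code nor Nanjing University's: `SystemControlCenter`, `LogicEvent`, `seal_control` and `simple_intent_detector` are names chosen here, the serial port is modelled as a list, and the "decryption" of control information is modelled as HMAC-SHA256 authentication of a JSON body (an assumption; the patent does not specify the wire format).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple


@dataclass
class LogicEvent:
    """A hardware event (VM trap) after the control center has registered it as a logic event."""
    kind: str                        # e.g. "keyboard", "mouse", "io"
    payload: Dict[str, Any]
    intent: Optional[Dict[str, Any]] = None


def simple_intent_detector(event: LogicEvent) -> Dict[str, Any]:
    """Stand-in for the user intention detection module: pairs the event with its UI context."""
    return {"event": event.kind, "window": event.payload.get("window"), "ts": event.payload.get("ts")}


class SystemControlCenter:
    def __init__(self, control_key: bytes, intent_detector: Callable[[LogicEvent], Dict[str, Any]]) -> None:
        self._handlers: Dict[str, List[Tuple[str, Callable[[LogicEvent], Any]]]] = {}
        self._control: Dict[str, Callable[[Dict[str, Any]], Any]] = {}
        self._disabled: set = set()          # modules that were forcibly closed
        self._control_key = control_key
        self._intent_detector = intent_detector
        self.serial_log: List[str] = []      # stand-in for the serial-port error channel

    def register_module(self, name: str, kinds: Iterable[str],
                        on_event: Callable[[LogicEvent], Any],
                        on_control: Callable[[Dict[str, Any]], Any]) -> None:
        """Event response interface and control interface of one forensics module."""
        for kind in kinds:
            self._handlers.setdefault(kind, []).append((name, on_event))
        self._control[name] = on_control

    def on_vm_exit(self, exit_reason: str, raw: Dict[str, Any]) -> List[Tuple[str, Any]]:
        """Hardware event path: register as a logic event, attach the intent, dispatch."""
        event = LogicEvent(kind=exit_reason, payload=raw)
        event.intent = self._intent_detector(event)
        results: List[Tuple[str, Any]] = []
        for name, handler in self._handlers.get(event.kind, []):
            if name in self._disabled:
                continue
            try:
                results.append((name, handler(event)))
            except Exception as exc:
                # Error in the handling function: force-close it and report on the serial port.
                self._disabled.add(name)
                self.serial_log.append(f"forced close of {name}: {exc!r}")
        return results

    def on_external_control(self, blob: bytes) -> Optional[Any]:
        """External control path: authenticate, check the format, forward or discard."""
        tag, body = blob[:32], blob[32:]
        expected = hmac.new(self._control_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                   # bad authentication: discard
        try:
            msg = json.loads(body)
        except ValueError:
            return None                                   # not even JSON: discard
        if not (isinstance(msg, dict) and {"module", "command"}.issubset(msg)
                and msg["module"] in self._control):
            return None                                   # does not match the defined format
        return self._control[msg["module"]](msg)


def seal_control(control_key: bytes, msg: Dict[str, Any]) -> bytes:
    """Producer side of the (assumed) wire format: HMAC-SHA256 tag || JSON body."""
    body = json.dumps(msg).encode()
    return hmac.new(control_key, body, hashlib.sha256).digest() + body
```

A handler that raises is taken out of the dispatch table rather than retried, so one misbehaving module cannot keep trapping the control center in its error path; the record on the serial log is what an operator would look at afterwards.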
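The interface structure tree, the two data structures derived from it, and the intent-driven access control decision of Fig. 2, as one added example that is not the patent's code and not code from Nanjing University: `UINode`, `interface_structure`, `user_intent` and `IntentDrivenAccessControl` are this example's names, and the rules that a clicked button's text names the action and the enclosing window's title names the document, plus the five-second validity window, are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Iterator, List, Optional, Tuple


@dataclass
class UINode:
    """One node of the interface structure tree: the desktop at the root, windows and
    components below it, each carrying the attributes the description lists."""
    kind: str                                    # "desktop", "window", "button", "textbox", ...
    text: str = ""
    position: Tuple[int, int] = (0, 0)
    size: Tuple[int, int] = (0, 0)
    events: List[Tuple[float, str]] = field(default_factory=list)   # (timestamp, event name)
    children: List["UINode"] = field(default_factory=list)

    def add(self, child: "UINode") -> "UINode":
        self.children.append(child)
        return child


def walk(node: UINode, ancestors: Tuple[UINode, ...] = ()) -> Iterator[Tuple[Tuple[UINode, ...], UINode]]:
    """Depth-first traversal yielding (ancestors, node)."""
    yield ancestors, node
    for child in node.children:
        yield from walk(child, ancestors + (node,))


def interface_structure(node: UINode) -> Dict[str, Any]:
    """Interface structure data structure: a serializable copy of the tree for the
    scene reproduction module."""
    return {"type": node.kind, "text": node.text, "position": node.position, "size": node.size,
            "events": list(node.events), "children": [interface_structure(c) for c in node.children]}


# Assumption for the example: a button's text gives the action and the enclosing
# window's title gives the document the action applies to.
ACTION_BY_BUTTON = {"Save": "write", "Open": "read"}


def user_intent(desktop: UINode, os_state: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """User intention data structure: the most recent click on an action button,
    combined with the system running state and process information."""
    latest = None
    for ancestors, node in walk(desktop):
        for ts, ev in node.events:
            if ev == "click" and node.text in ACTION_BY_BUTTON and (latest is None or ts > latest[0]):
                latest = (ts, node, ancestors)
    if latest is None:
        return None
    ts, node, ancestors = latest
    window = next((a for a in reversed(ancestors) if a.kind == "window"), None)
    if window is None:
        return None
    return {"action": ACTION_BY_BUTTON[node.text], "resource": window.text, "timestamp": ts,
            "process": os_state.get("foreground_process"), "os_state": os_state.get("state")}


class IntentDrivenAccessControl:
    """Permits a data access only if a matching, recent user intent exists; every
    other request is rejected."""

    def __init__(self, validity_seconds: float = 5.0) -> None:
        self.validity_seconds = validity_seconds
        self._intents: List[Dict[str, Any]] = []

    def update(self, intent: Optional[Dict[str, Any]]) -> None:
        """Dynamic reconfiguration of the policy from a newly detected intent."""
        if intent is not None:
            self._intents.append(intent)

    def check(self, action: str, resource: str, now: float) -> bool:
        return any(i["action"] == action and i["resource"] == resource
                   and 0 <= now - i["timestamp"] <= self.validity_seconds
                   for i in self._intents)
```

Note what the policy does not need: any signature of the access, malicious or otherwise. A request that no recent user action explains is refused, which is the attack-agnostic property the background section argues for.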
Further, in step two on the cloud proxy server side, the three forensics function modules operate as described above: the data encryption protection module encrypts the accessed cloud data with a data key and wraps that data key with a control key bound to time validity, space validity and other limiting conditions, the control key being retained by the cloud proxy server; the user scene reproduction module reproduces, in the cloud, the operating system state, process behavior, interface structure and user interaction recorded at the time of each event, with the result renderable on any device over a frame buffer protocol; and the user-intent-driven access control module configures the access control policy from the detected intent and rejects requests that do not match it.
Further, the system control center manages all client modules in a unified manner, as follows:
(1) the system control center manages the initialization interface of each client module, controls the initialization order, deploys the forensics platform in the running client operating system, and takes control once initialization is complete; the client initialization order is the system control center first, then the system support module group, and finally the external control interface of the forensics function modules, keeping initialization single-threaded;
(2) the system control center manages the unloading interface of each client module, controls the unloading order, and unloads the forensics platform from the running client operating system; the client unloading order is the external control interface of the forensics function modules first, then the system support module group, and finally the system control center returns CPU control to the target operating system;
(3) the system control center manages the control interface of each module, registering it with the external control module so that the module receives external control;
(4) the system control center manages the event response interface of each module, registering it with the event handling function for each target operating system event.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. By using virtualization, the method overcomes the defect of current post-hoc forensics, in which evidence is collected and the scene reconstructed from an image taken afterwards. Instead, events configured in hardware are monitored and intercepted directly in the target machine and sent to the forensics modules for analysis, so that evidence is obtained in real time, the loss or tampering of evidence after the fact is prevented as far as possible, and the reliability of forensics is ensured.
2. The method also overcomes the flexibility shortcoming of virtualization: rather than building a virtualization platform in advance, it constructs a lightweight virtual machine on the hardware virtualization technology, immediately obtains the highest privilege, and moves the running operating system into the virtual machine for monitoring. The modular design removes a large amount of repeated development work for forensics tools: internal data and logic are encapsulated in modules that expose only interfaces, which greatly reduces development difficulty and lets modules be reused.
3. The invention introduces a user-intent-driven security model and ensures that system behavior matches the user's intent. Because the model is attack-agnostic, existing attack patterns need not be analyzed, so the model has a wider range of application than traditional security systems.
4. The invention does not modify the running state of the target operating system, does not modify operating system source code, and does not virtualize additional hardware devices, which keeps the platform transparent to the target operating system and keeps the hardware and software environments consistent. The invention does not depend on the trustworthiness of the target operating system, on any security support it provides, or on trusting other software within it, which ensures the credibility and accuracy of the collected evidence and allows operation in an untrusted environment.
5. The platform can be deployed on any client platform supporting hardware virtualization and is constructed while the operating system runs: it does not stop or restart the target operating system, modify any kernel code or application logic, or modify the running state or underlying architecture of the cloud server, so the platform stays transparent to the cloud server. The forensics functions are integrated into the cloud proxy server between client and server, which improves the extensibility of the cloud server.
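The ordered initialization and reverse-order unloading that the description specifies for both sides (system control center, support modules, external control interface on the client; management center, forensics modules, external interface on the proxy), with CPU control and the initialization driver's memory handled as described in the client steps, as an added example that is not the patent's code and not code from Nanjing University. `Module`, `ForensicsPlatform`, `build_platform`, the `fail_init` flag and the shared call log are this example's own; the rollback of already-initialized modules when a later one fails is an assumption the patent does not spell out.

```python
import threading
from typing import Dict, List, Optional, Sequence, Tuple


class Module:
    """A platform module exposing the init/unload interfaces the control center manages.
    `log` is shared so the call order can be inspected; `fail_init` simulates a module
    whose initialization interface raises (constructed for this example)."""

    def __init__(self, name: str, log: List[str], fail_init: bool = False) -> None:
        self.name = name
        self.log = log
        self.fail_init = fail_init

    def init(self) -> None:
        if self.fail_init:
            raise RuntimeError(f"{self.name}: initialization failed")
        self.log.append(f"init:{self.name}")

    def unload(self) -> None:
        self.log.append(f"unload:{self.name}")


# Initialization orders given in the description; unloading is the exact reverse.
CLIENT_ORDER = ("system_control_center", "system_support_modules", "external_control_interface")
PROXY_ORDER = ("forensics_management_center", "forensics_modules", "external_interface")


class ForensicsPlatform:
    """Drives initialization and unloading of one side (client or cloud proxy)."""

    def __init__(self, order: Sequence[str], modules: Dict[str, Module], side: str) -> None:
        self.order = tuple(order)
        self.modules = modules
        self.side = side
        self.initialized: List[str] = []
        self._lock = threading.Lock()      # keeps initialization single-threaded
        self.memory_held = False           # client: memory requested from the target OS
        self.cpu_owner = "target_os"       # client: who currently holds CPU control

    def start(self) -> bool:
        with self._lock:
            if self.side == "client":
                self.memory_held = True    # allocated in step one, kept for the whole life cycle
            for name in self.order:
                try:
                    self.modules[name].init()
                except Exception:
                    # Assumption: a failed step rolls back everything initialized so far.
                    self._unload_initialized()
                    if self.side == "client":
                        self.memory_held = False
                    return False
                self.initialized.append(name)
            if self.side == "client":
                self.cpu_owner = "system_control_center"
            return True

    def stop(self) -> None:
        with self._lock:
            self._unload_initialized()
            if self.side == "client":
                self.cpu_owner = "target_os"   # CPU control returned before ...
                self.memory_held = False       # ... the init driver returns the memory last

    def _unload_initialized(self) -> None:
        for name in reversed(self.initialized):
            self.modules[name].unload()
        self.initialized.clear()


def build_platform(side: str, failing: Optional[str] = None) -> Tuple[ForensicsPlatform, List[str]]:
    """Constructed setup: one platform for `side` with an optional module that fails to init."""
    order = CLIENT_ORDER if side == "client" else PROXY_ORDER
    log: List[str] = []
    modules = {name: Module(name, log, fail_init=(name == failing)) for name in order}
    return ForensicsPlatform(order, modules, side), log
```

The reverse order on unload matters for the client: the external control interface is torn down first so that no external command can reach a module while the platform is half dismantled, and CPU control goes back to the target operating system only after every module has released its hooks.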
Drawings
Fig. 1 is a schematic structural diagram of the forensics system based on user intention detection applied to a cloud environment.
Fig. 2 is a flow chart of the user-intent-driven access control and data encryption protection of the forensics system.
Fig. 3 is a view of the scene reproduction process of the forensics system.
Fig. 4 is an explanation of the interface structure data structure.
Detailed Description
The technical solutions provided by the present invention will be described in detail below with reference to specific examples, and it should be understood that the following specific embodiments are only illustrative of the present invention and are not intended to limit the scope of the present invention. Although a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than presented herein.
The evidence obtaining system applied to the cloud environment and based on the user intention detection is structurally shown in fig. 1, and the system applied to the cloud computing environment is divided into a client side and a cloud proxy server side. The client part mainly has the function of acquiring evidence obtaining information, and the cloud proxy server part mainly has the function of providing corresponding evidence obtaining service. The client is provided with an initialization driving module, a system control center and a system supporting module group. The cloud proxy server side is provided with a forensics function module group, and the module group comprises a data encryption protection module, a user scene reproduction module and a user intention drive access control module. In addition, the client is also provided with a virtual machine manager, and the cloud proxy server is also provided with three databases, including a control key database, a user intention data structure database and an interface structure data structure database. The evidence obtaining system provides convenience for realizing each evidence obtaining tool, each evidence obtaining tool is each module of the evidence obtaining function module group, the cloud proxy server is used for managing the evidence obtaining tools in a unified mode, the system control center of the client side is used for allocating and using the external interface, and basic support functions of the evidence obtaining system can be expanded by adding system support modules or modifying existing system support modules.
The initialization sequence of the client is that a system control center is initialized firstly, then a system support module group is initialized, and finally an external control interface of a evidence obtaining function module is initialized to control the single threading of the initialization; the cloud proxy server side is responsible for registration, operation and distribution of the evidence obtaining function module, and the initialization sequence is that the evidence obtaining function management center is initialized firstly, then the evidence obtaining function module is initialized, and finally the external control interface is initialized; the unloading sequence is that the external control interface is unloaded first, then the evidence obtaining function module is unloaded, and finally the evidence obtaining function management center is unloaded. Otherwise, the unloading sequence of the client side is that the external control interface of the evidence obtaining function module is unloaded firstly, then the system support module group is unloaded, and finally the system control center returns the CPU control authority to the target operating system; the unloading sequence of the cloud proxy server side is that the external control interface is unloaded first, then the evidence obtaining function module is unloaded, and finally the evidence obtaining function management center is unloaded.
The initialization driver occupies operating-system memory only during this stage; this prevents the system from crashing because memory used to configure the virtual machine was returned and then reused for other purposes. Specifically, the initialization driver deploys and unloads the forensics platform in the system, and after the initialization process completes it hands control to the system control center. The system control center provides support for the hardware virtualization platform, controls the initialization and unloading processes, and handles basic events, for example pre-processing the target operating system events intercepted by the hardware virtualization platform and passing them to the forensics function module group. The system support module group implements the basic functions of the system on top of the system control center and comprises a signal module, an external control module, a user intention detection module that acquires important evidence in real time, a system state information and application interface structure acquisition module, and so on. Further modules can be added to the system support module group to provide richer functionality. The system control center and the system support module group support the forensics function module group and simplify the implementation of forensics function modules, including providing cross-platform support, so that each forensics module can concentrate on developing its core function.
The forensics function module group consists of a plurality of forensics modules; it provides event response interfaces for the events that need to be monitored in order to track the system state and collect evidence, and completes initialization, unloading and external control with the support of the forensics platform.
The system control center manages all modules of the client in a unified way, and the specific management method comprises the following steps:
(1) the system control center manages the initialization interface of each client module, controls the initialization order of the modules, and deploys the forensics platform in the running client operating system; control is handed to the system control center after the initialization process completes. The initialization sequence of the client is that the system control center is initialized first, then the system support module group, and finally the external control interface of the forensics function module, with initialization controlled in a single thread;
(2) the system control center manages the unloading interface of each client module, controls the unloading order of the modules, and unloads the forensics platform from the running client operating system. The unloading sequence of the client is that the external control interface of the forensics function module is unloaded first, then the system support module group, and finally the system control center returns CPU control to the target operating system;
(3) the system control center manages the control interface of each module, registers it with the external control module, and accepts control from the external control module;
(4) the system control center manages the event response interface of each module and registers the event response interface into the event processing function of each target operating system.
The invention further provides a computer forensics method based on user intention detection and applied to the cloud computing environment.
The specific steps of the client part are as follows:
Step one, the start-up stage: the initialization driver requests the target operating system to allocate memory, enters virtual machine mode, and configures the hardware-related virtual machine control data structure, i.e. copies each register and the running state of the current operating system into the virtual machine; the original CPU control authority is taken over by the system control center; the initialization process is executed and the forensics platform is deployed at the client; and the target operating system resumes running.
Specifically, this comprises the following steps:
(1) the initialization driver requests the operating system to allocate memory; the allocated memory is not returned during the lifetime of the forensics platform;
(2) the system control center initializes the memory management system, records all memory allocations, builds the page table structure of the virtual host, and builds the mapping from host linear addresses to physical addresses;
(3) the system control center firstly calls the initialization interface of each module in the system support module group to initialize each module, and then calls the initialization interface of each module in the evidence obtaining function module group to initialize each module;
(4) the initialization driver checks and records the hardware platform's (CPU's) support for hardware virtualization, starts virtual machine mode, configures the hardware-related virtual machine control data structure, and copies the state of the running operating system into the virtual machine;
(5) the original CPU control authority is taken over by the system control center, i.e. the instruction pointer register, segment registers, flag register and descriptor tables of the virtual host are set in the virtual machine control data structure, and the target operating system then resumes running;
(6) when virtualization is completed, the startup phase ends.
Step two, the operation stage: a hardware platform supporting hardware virtualization automatically intercepts the user hardware events generated in the target system according to the configuration of the system control center; after pre-processing by the system control center, each event is dispatched through the external interface to the correspondingly registered forensics function module at the cloud proxy server side for processing, and finally the result is returned to the client.
For hardware events, the specific steps of the system control center preprocessing are as follows:
Each module in the system configures the hardware virtualization data structures through the system control center, which guarantees that virtual machine traps are triggered only by events the forensics platform is interested in. When the control flow of the target operating system traps into the virtual machine monitor, the system control center first registers the hardware event as a logic event. If the event is a virtual machine exception or error event, the faulty function is forcibly shut down, and if it cannot be recovered, the error information is reported to the serial port. The system control center pre-processes the logic event and dispatches it to the external control interface of the correspondingly registered forensics function module for further processing. The system control center calls the user intention detection module in the system support module group to acquire the current interface structure information and user interaction behavior information and to generate the user intention data structure.
The system support module group includes a user intention detection module and a system management module; the user intention detection module obtains evidence from the operating system in real time, namely the running state of the current operating system and the behavior of the currently running processes when an event occurs, the structure of the application interface at the time of the event, and the interaction behavior between the user and the application. The interface structure of the current system is represented as a tree, whose root node is the system desktop and whose branch nodes and leaf nodes correspond to windows and components respectively, each carrying data such as type, size, position, text, events and timestamp. On the basis of this tree, combined with the system running state and process information, the interface structure data structure and the user intention data structure are generated. The interface structure data structure is used by the user scene reproduction module, and the user intention data structure is used by the user intention driven access control module.
For external control events, the system control center pre-processing is as follows: the system control center dispatches the external control event to the external control module, which decrypts the control information in the event; if the control information conforms to the defined format, it is forwarded to the control interface of the correspondingly registered forensics function module of the cloud proxy server for processing; if it does not conform to the defined format, it is discarded and no action is taken.
Step three, the unloading stage: the initialization driver of the client notifies the system control center to unload; the system control center first unloads the external control module of the forensics function module, then unloads the system support module group, then returns CPU control to the target operating system, and finally the memory allocated in step one is returned through the initialization driver, completing the unloading.
The cloud proxy server side comprises the following steps:
Step one, the start-up stage: the cloud proxy server starts the forensics function management center, registers the forensics function modules, maintains their operation, and opens the external interface.
Step two, the operation stage: the forensics function management center receives client requests through the external interface and dispatches each request to the corresponding forensics function module for processing.
The forensics function module processing at the cloud proxy server side specifically comprises: calling the user scene reproduction module to reproduce the interaction between the user and the target operating system, calling the user intention driven access control module to apply access control protection to the user's cloud data, and calling the data encryption protection module to further protect the accessed cloud data of the user. Finally, the processing result is fed back to the client.
The important evidence in the operating system obtained in real time by the user scene reproduction module includes: the running state of the current operating system and the behavior of the currently running processes when an event occurs; the structure of the application interface at the time of the event; and the interaction behavior between the user and the application. The module is a lightweight, continuously running forensic reproduction engine that provides an abstract but semantically sufficient reproduction of the user's operating scene and helps analyze the interaction process between user and application. The reproduction is performed at the cloud end, and the reproduced result can be rendered on any device using a frame buffer protocol, which keeps the forensic data private. Unnecessary information such as color, texture and pictures is discarded; important information is retained and presented in the reproduced scene.
Fig. 3 is a view of a forensic platform scene reproduction process. Fig. 3(1), (2), (3), (4) show different stages of scene reproduction, respectively. Fig. 3(1) is an original interface, fig. 3(2) is a representation of a tree diagram structure, fig. 3(3) is a representation of an interface structure data structure form, and fig. 3(4) is a representation of an interface after scene reproduction. The content within the dashed box is the different representation of the same component at different stages. An explanation of the interface structure data structure in fig. 3(3) is presented in fig. 4.
The user intention driven access control module differs from passive, pre-configured access control policies: it actively protects user data according to the user's intention and dynamically configures the access control policy accordingly. Data access requests that do not match the user's intention are denied.
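The interface tree described earlier and the intention-driven check it feeds, as an added example that is not the patent's own code: it builds the desktop/window/component tree, derives the interface structure and user intention data structures from it, and applies the rule that a data access request not matching a recorded user intention is denied. The node fields, the action vocabulary, the freshness window and the sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class UINode:
    """One node of the interface tree: the root is the desktop, branch
    nodes are windows and leaf nodes are components. The fields are the
    attributes the description lists for each node (constructed layout)."""
    kind: str                        # "desktop", "window" or "component"
    node_type: str                   # e.g. "mainwindow", "button", "textbox"
    size: Tuple[int, int] = (0, 0)
    position: Tuple[int, int] = (0, 0)
    text: str = ""
    events: List[str] = field(default_factory=list)   # e.g. ["click"]
    timestamp: int = 0               # constructed event clock (seconds)
    children: List["UINode"] = field(default_factory=list)
    process: str = ""                # owning process (set on windows)


def interface_structure(node: UINode) -> dict:
    """Serialise the tree into the interface structure data structure that
    the user scene reproduction module consumes."""
    return {
        "kind": node.kind, "type": node.node_type, "size": node.size,
        "position": node.position, "text": node.text, "events": node.events,
        "timestamp": node.timestamp, "process": node.process,
        "children": [interface_structure(c) for c in node.children],
    }


# Constructed vocabulary mapping a component label to a data operation.
ACTION_WORDS = {"save": "write", "upload": "write", "open": "read", "download": "read"}


def latest_interaction(root: UINode) -> Optional[Tuple[UINode, UINode]]:
    """Return (window, component) of the most recent component that
    carries a user event."""
    best = None
    for window in root.children:
        for comp in window.children:
            if comp.events and (best is None or comp.timestamp > best[1].timestamp):
                best = (window, comp)
    return best


def user_intention(root: UINode, system_state: dict) -> Optional[dict]:
    """Combine the tree with system state and process information into the
    user intention data structure: which process acted on which object,
    with which operation, and when."""
    hit = latest_interaction(root)
    if hit is None:
        return None
    window, comp = hit
    label = comp.text.lower()
    operation = next((op for word, op in ACTION_WORDS.items() if word in label), None)
    if operation is None:
        return None
    return {"process": window.process, "operation": operation, "object": window.text,
            "timestamp": comp.timestamp,
            "foreground": system_state.get("foreground_process")}


def authorize(request: dict, intents: List[dict], max_age: int = 30) -> bool:
    """User intention driven access control: a request is allowed only if a
    recorded intention with the same process, operation and object exists
    and the request arrives within max_age seconds of it."""
    for it in intents:
        if (it["process"] == request["process"]
                and it["operation"] == request["operation"]
                and it["object"] == request["object"]
                and 0 <= request["timestamp"] - it["timestamp"] <= max_age):
            return True
    return False


def build_sample_desktop() -> UINode:
    """Constructed sample: an editor window with report.docx open and a
    'Save to cloud' button clicked at t=105."""
    save = UINode("component", "button", (80, 24), (10, 10), "Save to cloud", ["click"], 105)
    body = UINode("component", "textbox", (600, 400), (10, 40), "quarterly figures ...", [], 100)
    editor = UINode("window", "mainwindow", (640, 480), (0, 0), "report.docx",
                    [], 100, [save, body], "editor.exe")
    return UINode("desktop", "desktop", (1920, 1080), (0, 0), "", [], 100, [editor], "explorer.exe")


def demo() -> Tuple[bool, bool, bool]:
    """Run the pipeline on the sample: a matching write from the editor is
    allowed, a read by another process and a stale request are denied."""
    desktop = build_sample_desktop()
    intent = user_intention(desktop, {"foreground_process": "editor.exe"})
    intents = [intent] if intent else []
    legit = {"process": "editor.exe", "operation": "write", "object": "report.docx", "timestamp": 110}
    rogue = {"process": "svchost.exe", "operation": "read", "object": "report.docx", "timestamp": 110}
    stale = dict(legit, timestamp=500)
    return authorize(legit, intents), authorize(rogue, intents), authorize(stale, intents)


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```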
The data encryption protection module provides further encryption protection for the accessed cloud data. The method comprises the following steps: first, the accessed data is encrypted with a data key using a general-purpose encryption algorithm; second, the data key is encrypted with a control key, which is bound to time validity and space validity constraints and is managed and retained by the cloud proxy server; the encrypted data, the data key and the control key are provided to the data requester. When the time validity or the space validity expires, the control key is discarded, so the data key cannot be decrypted and therefore the data cannot be decrypted, which protects the cloud data.
Fig. 2 is a flow chart of the forensic platform's user intention driven access control and data encryption protection. The steps are: (1) the system control center intercepts a user operation event; (2) the control center pre-processes it, acquires the necessary forensic data, generates the corresponding data structures, and sends them to the cloud proxy server through the external control interface; (3) the interface structure data structure database retains the forensic data; (4) the user intention data structure database retains the forensic data; (5.1-5.2) the cloud data storage server receives a data access request and sends an access control verification request to the cloud proxy server; (6) the user intention driven access control module queries the user intention data structure database; (7) if the request matches the user's intention, the data is encrypted with the data key; (8) the data encryption protection module obtains the data key; (9) the data encryption protection module further encrypts the data key with the control key; (10) the control key is stored in the control key database; (11) the encrypted data key is returned to the cloud data storage server.
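The two-step protection of steps (7) to (11), as an added example that is not the patent's own code: a data key encrypts the data, a proxy-held control key wraps the data key, and the control key carries time and space validity; once either fails the proxy discards the control key, so the data key and therefore the data can no longer be decrypted. The HMAC-SHA256 stream cipher with tag is a constructed stand-in for the unspecified general encryption algorithm (use AES-GCM in practice), and the key identifiers, validity fields, regions and sample data are assumptions; following the statement that the proxy manages and retains the control key, only the unwrapped data key ever leaves the proxy here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any modification."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class ControlKey:
    key: bytes
    not_before: int          # time validity (constructed epoch seconds)
    not_after: int
    regions: frozenset       # space validity: places allowed to decrypt


class ControlKeyDatabase:
    """Proxy-side control key database. Control keys never leave the proxy;
    it only releases an unwrapped data key, and only while validity holds."""

    def __init__(self) -> None:
        self._keys: Dict[str, ControlKey] = {}

    def wrap(self, data_key: bytes, not_before: int, not_after: int, regions) -> Tuple[str, bytes]:
        """Second-step encryption: issue a control key bound to time and
        space validity and encrypt the data key under it."""
        key_id = os.urandom(8).hex()
        ck = ControlKey(os.urandom(32), not_before, not_after, frozenset(regions))
        self._keys[key_id] = ck
        return key_id, encrypt(ck.key, data_key)

    def unwrap(self, key_id: str, wrapped: bytes, now: int, region: str) -> Optional[bytes]:
        """Release the data key while validity holds; once time or space
        validity fails the control key is discarded for good."""
        ck = self._keys.get(key_id)
        if ck is None:
            return None
        if not (ck.not_before <= now <= ck.not_after) or region not in ck.regions:
            del self._keys[key_id]
            return None
        return decrypt(ck.key, wrapped)


def protect(db: ControlKeyDatabase, data: bytes, not_before: int, not_after: int, regions) -> dict:
    """Step 1: encrypt the data with a fresh data key. Step 2: wrap the
    data key with a validity-bound control key held by the proxy."""
    data_key = os.urandom(32)
    key_id, wrapped = db.wrap(data_key, not_before, not_after, regions)
    return {"data": encrypt(data_key, data), "wrapped_key": wrapped, "control_key_id": key_id}


def unprotect(db: ControlKeyDatabase, package: dict, now: int, region: str) -> Optional[bytes]:
    """Requester side: ask the proxy for the data key, then decrypt."""
    data_key = db.unwrap(package["control_key_id"], package["wrapped_key"], now, region)
    if data_key is None:
        return None
    return decrypt(data_key, package["data"])


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Valid access succeeds; an access from the wrong region fails and
    burns the control key, so a later in-window access also fails."""
    db = ControlKeyDatabase()
    pkg = protect(db, b"quarterly figures (constructed sample)", 1000, 2000, {"eu-west"})
    ok = unprotect(db, pkg, 1500, "eu-west")
    wrong_place = unprotect(db, pkg, 1500, "us-east")
    later = unprotect(db, pkg, 1500, "eu-west")
    return ok, wrong_place, later
```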
And step three, in the unloading stage, the unloading process of the cloud proxy server side comprises the steps of unloading the external control interface of the evidence obtaining function, unloading the evidence obtaining function module and unloading the evidence obtaining function management center.
The technical means disclosed in the invention scheme are not limited to the technical means disclosed in the above embodiments, but also include the technical scheme formed by any combination of the above technical features. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and such improvements and modifications are also considered to be within the scope of the present invention.

Claims (8)

1. A computer forensics system based on user intent detection for application to a cloud computing environment, comprising: the system comprises a client and a cloud proxy server, wherein the client is used for acquiring evidence obtaining data, and the cloud proxy server is used for providing evidence obtaining function support; the client is provided with an initialization driving module, a system control center and a system support module group; the cloud proxy server side is provided with a forensics function module group;
the initialization driving module is used for deploying and unloading an evidence obtaining platform in a running client operating system and transferring control to the system control center after the initialization process is finished;
the system control center provides support for the hardware virtualization platform, controls the initialization process and the unloading process, preprocesses the events of the target operating system intercepted by the hardware virtualization platform and provides the events to the evidence obtaining function module group;
the system support module group realizes basic functions of the system based on the system control center, and comprises a signal module, an external control module, a system state detection module and a user intention detection module for acquiring important evidence in real time; the user intention detection module obtains evidence in the operating system in real time, and records the running state of the current operating system and the behavior of the currently running process when an event occurs; the application interface structure at the time of the event, and the interaction behavior between the user and the application; the interface structure of the current system is represented by a tree diagram structure, wherein the root node of the tree diagram is the system desktop, and the branch nodes and the leaf nodes respectively correspond to windows and components, including types, sizes, positions, texts, events and timestamps; the interface structure data structure and the user intention data structure are generated by combining the system running state and the process information on the basis of the tree diagram; the interface structure data structure is used by the user scene reproduction module, and the user intention data structure is used by the user intention driving access control module;
the evidence obtaining functional module group comprises a plurality of evidence obtaining modules, initialization, unloading and external control are completed under the support of an evidence obtaining platform, the evidence obtaining functional module group is uniformly managed by the cloud proxy server, and a system control center of the client side utilizes an external interface for allocation and use; the evidence obtaining functional module group comprises a data encryption protection module, a user scene reproduction module and a user intention drive access control module; the user intention driving access control module actively carries out access control protection on user data according to the user intention, dynamically configures an access control strategy according to the user intention, and rejects data access control requests which do not accord with the user intention.
2. The computer forensics system based on user intention detection applied to cloud computing environment of claim 1, wherein the forensics function module group comprises a data encryption protection module, a user scene reproduction module and a user intention driving access control module;
the data encryption protection module provides further encryption protection for the accessed cloud data: firstly, using a general encryption algorithm to encrypt accessed cloud data in a first step by using a data key, then using a control key to encrypt the data key in a second step, and binding time validity and space validity for the control key, wherein the control key is managed and retained by a cloud proxy server; the encrypted data, the data key and the control key are provided to the data access requester;
important evidence in the operating system obtained in real time by the user scene reappearing module comprises: the running state of the current operating system when an event occurs, the behavior of the currently running process, the application interface structure when the event occurs, and the interactive behavior between the user and the application; wherein the module is a lightweight forensics reappearing engine which continuously runs, provides abstract user operation scene reappearance with enough semantics, and helps to analyze the interactive process between the user and the application; the scene reappearance process is realized at the cloud end, and the reappearance result can be rendered on any equipment by using a frame buffer protocol.
3. The computer forensics system based on user intention detection applied to cloud computing environment of claim 1, wherein the initialization sequence of the client is that the system control center is initialized first, then the system support module group is initialized, and finally the external control interface of the forensics function module is initialized, with initialization controlled in a single thread; the initialization sequence of the cloud proxy server side comprises the steps of initializing an evidence obtaining function management center, initializing an evidence obtaining function module and initializing an external control interface; conversely, the unloading sequence of the client side is that the external control interface of the evidence obtaining function module is unloaded first, then the system support module group is unloaded, and finally the system control center returns the CPU control authority to the target operating system; the unloading sequence of the cloud proxy server side is that the external control interface is unloaded first, then the evidence obtaining function module is unloaded, and finally the evidence obtaining function management center is unloaded.
4. A computer forensics method based on user intention detection applied to a cloud computing environment is characterized by comprising a client end part and a cloud proxy server end part,
the client part implementation steps are as follows:
step one, a starting stage, initializing a driver to request a target operating system to allocate memory, starting a virtual machine mode, and configuring a hardware-related virtual machine control data structure, namely copying each register and running state of the current operating system to configure the registers and the running state into a virtual machine; the original CPU control authority is taken over by the system control center; executing an initialization process, and deploying an evidence obtaining platform at the client; resuming operation of the target operating system;
step two, in the operation stage, a hardware platform supporting hardware virtualization automatically intercepts and captures user hardware events generated in the target system according to the configuration of the system control center; after being preprocessed by the system control center, the event is dispatched through an external interface to the forensics function module which is correspondingly registered at the cloud proxy server end for processing, and finally a processing result is returned to the client end; when the system control center carries out preprocessing, for a hardware event, the system control center calls a user intention detection module in the system support module group to acquire current interface structure information and user interaction behavior information and generate a user intention data structure; the user intention detection module in the system support module group obtains evidence in the operating system in real time, and the evidence comprises the running state of the current operating system and the behavior of the currently running process when an event occurs; the application interface structure at the time of the event, and the interaction behavior between the user and the application; the interface structure of the current system is represented by a tree diagram structure, wherein the root node of the tree diagram is the system desktop, and the branch nodes and the leaf nodes respectively correspond to windows and components, including types, sizes, positions, texts, events and timestamps; the interface structure data structure and the user intention data structure are generated by combining the system running state and the process information on the basis of the tree diagram; the interface structure data structure is used by the user scene rendering module and the user intent data structure is used by the user intent driven access control module;
Step three, in the unloading stage, the initialization driver of the client informs the system control center to unload, the system control center unloads the external control module of the evidence obtaining function module firstly, then unloads the system support module group, then returns the CPU control authority to the target operating system, and finally the initialization driver returns the memory allocated in the step one and finishes unloading;
the cloud proxy server end part comprises the following implementation steps:
step one, in a starting stage, a cloud proxy server starts a forensics function management center, registers a forensics function module, maintains the operation of the forensics function module, and opens an external interface;
step two, in the operation stage, the evidence obtaining function management center obtains the client request through an external interface and distributes the client request to the corresponding evidence obtaining function module for processing; the evidence obtaining function module processing of the cloud proxy server side specifically comprises the following steps: calling the user scene reappearing module to reappear the interaction behavior among the user, the target operating system and the application, calling the user intention driven access control module to carry out access control protection on the cloud end data of the user, dynamically configuring an access control strategy according to the user intention, rejecting data access control requests which do not accord with the user intention, and calling the data encryption protection module to further protect the accessed cloud end user data; finally, feeding back a processing result to the client;
and step three, in the unloading stage, the unloading process of the cloud proxy server side comprises the steps of unloading the external control interface of the evidence obtaining function, unloading the evidence obtaining function module and unloading the evidence obtaining function management center.
5. The computer forensics method based on user intention detection applied to cloud computing environment according to claim 4, wherein the first step in the client specifically comprises the following steps:
(1) initializing a driver to request an operating system to allocate a memory, wherein the allocated memory is not returned in the life cycle of the whole evidence obtaining platform;
(2) the system control center initializes the memory management system, simultaneously records all memory allocation conditions, builds a page table structure of the virtual host, and builds mapping from a host linear address to a physical address;
(3) the system control center firstly calls the initialization interface of each module in the system support module group to initialize each module, and then calls the initialization interface of each module in the evidence obtaining function module group to initialize each module;
(4) the initialization driver checks and records the support of the hardware platform (CPU) for hardware virtualization, starts the virtual machine mode, configures the hardware-related virtual machine control data structure, and copies the state of the running operating system into the virtual machine;
(5) the original CPU control authority is taken over by a system control center, namely an instruction pointer register, a segment register, a flag register and a descriptor table of a virtual host are set in a virtual machine control data structure, and then the operation of a target operating system is recovered;
(6) when virtualization is completed, the startup phase ends.
6. The computer forensics method based on user intention detection applied to cloud computing environment according to claim 4, wherein in the client step two,
for the hardware event, the specific steps of the system control center preprocessing further comprise:
each module in the system is configured with the hardware data structure of hardware virtualization through the system control center, and the trapping of the virtual machine is guaranteed to be triggered only by events concerned by the evidence obtaining platform; when the control flow of the target operating system is trapped in the virtual machine monitor, the system control center first registers the hardware event as a logic event; if the event is a virtual machine exception or error event, the function with the error is forcibly closed, and if the function with the error cannot be recovered, error information is reported to the serial port; the system control center preprocesses the logic event and distributes the logic event to the external control interface of the correspondingly registered evidence obtaining function module for further processing;
for the external control event, the specific steps of the system control center preprocessing are as follows: the system control center distributes the external control event to the external control module, the external control module decrypts the control information in the external control event, and if the control information conforms to the defined format, the control information is forwarded to the control interface of the correspondingly registered evidence obtaining function module of the cloud proxy server for processing; if the control information does not conform to the defined format, it is discarded and no action is generated.
7. The computer forensics method based on user intention detection applied to cloud computing environment according to claim 4, wherein in the second step of cloud proxy server side,
the data encryption protection module provides further encryption protection for the accessed cloud data: firstly, using a general encryption algorithm to encrypt accessed cloud data in a first step by using a data key, then using a control key to encrypt the data key in a second step, and binding time validity and space validity for the control key, wherein the control key is managed and retained by a cloud proxy server; the encrypted data, the data key and the control key are provided to the data access requester;
important evidence in the operating system obtained in real time by the user scene reappearing module comprises: the running state of the current operating system when an event occurs, the behavior of the currently running process, the application interface structure when the event occurs, and the interactive behavior between the user and the application; wherein the module is a lightweight forensics reappearing engine which continuously runs, provides abstract user operation scene reappearance with enough semantics, and helps to analyze the interactive process between the user and the application; the scene reappearance process is realized at the cloud end, and the reappearance result can be rendered on any equipment by using a frame buffer protocol;
the user intention driving access control module actively carries out access control protection on user data according to the user intention, dynamically configures an access control strategy according to the user intention, and rejects data access control requests which do not accord with the user intention.
8. The computer forensics method based on user intention detection applied to cloud computing environment according to claim 4, wherein the system control center manages all modules of the client in a unified way, and the specific management method comprises the following steps:
(1) the system control center manages the initialization interface of each module of the client, controls the initialization sequence of the modules, deploys an evidence obtaining platform in the running client operating system, and hands control to the system control center after the initialization process is completed; the initialization sequence of the client is: the system control center is initialized first, then the system support module group, and finally the external control interface of the evidence obtaining function module, so that initialization is single-threaded;
(2) the system control center manages the unloading interface of each module of the client, controls the unloading sequence of the modules, and unloads the evidence obtaining platform from the running client operating system; the unloading sequence of the client is: the external control interface of the evidence obtaining function module is unloaded first, then the system support module group, and finally the system control center returns CPU control authority to the target operating system;
(3) the system control center manages the control interface of each module, registers it with the external control module and accepts control from the external control module;
(4) the system control center manages the event response interface of each module and registers it with the event handling function of each target operating system.
CN201810753647.XA 2018-07-10 2018-07-10 Evidence obtaining system and method based on user intention detection and applied to cloud computing environment Active CN109254902B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810753647.XA CN109254902B (en) 2018-07-10 2018-07-10 Evidence obtaining system and method based on user intention detection and applied to cloud computing environment

Publications (2)

Publication Number Publication Date
CN109254902A CN109254902A (en) 2019-01-22
CN109254902B true CN109254902B (en) 2022-02-08

Family

ID=65051565

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810753647.XA Active CN109254902B (en) 2018-07-10 2018-07-10 Evidence obtaining system and method based on user intention detection and applied to cloud computing environment

Country Status (1)

Country Link
CN (1) CN109254902B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111522625B (en) * 2020-04-23 2023-02-28 公安部第三研究所 Cloud data online evidence obtaining system and method
CN112016131B (en) * 2020-08-25 2023-11-07 南京大学 Distributed cloud evidence obtaining credibility verification system and method thereof
CN113326513B (en) * 2021-06-16 2022-09-02 百度在线网络技术(北京)有限公司 Application testing method and device, system, electronic equipment and computer readable medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN104021063A (en) * 2014-05-14 2014-09-03 南京大学 Modular computer forensic system and method based on hardware virtualization
CN104392185A (en) * 2014-12-01 2015-03-04 公安部第三研究所 Method for verifying data integrity during log forensics in cloud environments
CN105138709A (en) * 2015-10-12 2015-12-09 山东省计算中心(国家超级计算济南中心) Remote evidence taking system based on physical memory analysis
CN106296528A (en) * 2015-05-24 2017-01-04 上海光阴信息科技有限公司 A kind of evidence-gathering and the method and system of process
US9887886B2 (en) * 2014-07-15 2018-02-06 Sap Se Forensic software investigation

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN103051707A (en) * 2012-12-20 2013-04-17 浪潮集团有限公司 Dynamic user behavior-based cloud forensics method and dynamic user behavior-based cloud forensics system
CN104462996B (en) * 2014-12-03 2017-10-13 公安部第三研究所 Realize the method and system that cooperating forensic analysis is carried out to long-range evidence obtaining target terminal
CN106059772A (en) * 2016-05-17 2016-10-26 上海凭安网络科技有限公司 Autonomous electronic evidence obtaining method and system

Patent Citations (5)

Publication number Priority date Publication date Assignee Title
CN104021063A (en) * 2014-05-14 2014-09-03 南京大学 Modular computer forensic system and method based on hardware virtualization
US9887886B2 (en) * 2014-07-15 2018-02-06 Sap Se Forensic software investigation
CN104392185A (en) * 2014-12-01 2015-03-04 公安部第三研究所 Method for verifying data integrity during log forensics in cloud environments
CN106296528A (en) * 2015-05-24 2017-01-04 上海光阴信息科技有限公司 A kind of evidence-gathering and the method and system of process
CN105138709A (en) * 2015-10-12 2015-12-09 山东省计算中心(国家超级计算济南中心) Remote evidence taking system based on physical memory analysis

Non-Patent Citations (5)

Title
Distributed Cloud Forensic System with Decentralization and Multi-participation; Xuanyu Liu, Xiao Fu, Bin Luo, Xiaojiang Du; ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018; 2018-05-13; Vol. 230; full text *
ICFF: a cloud forensics framework under the IaaS model; 谢亚龙, 丁丽萍, 林渝淇, 赵晓柯; 《通信学报》; 2013-05-31; Vol. 34 (No. 5); full text *
Research on the application of forensics schemes based on cloud platforms; 牟洋; 《中国优秀硕士学位论文全文数据库 信息科技辑》; 2018-04-30; pp. 19-33 and Fig. 3.3 *
Research on multi-level collaborative data analysis of nodes based on the cloud server side; 罗文华, 王俊, 孙媛媛; 《信息网络安全》; 2018-03-31 (No. 3); Section 3 and Fig. 5 *
Research and implementation of a cloud-based active forensics system; 周亮; 《中国优秀硕士学位论文全文数据库 信息科技辑》; 2017-07-31; full text *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant