Network Forensics Scenario Reconstruction Method Based on Hidden Markov Models

Reconstruction Method of Network Forensics Scenario has grown into a mature and rich technology that provides advanced skills to get the chain of evidence. Using statistical methods to analyze intrusion logs in order to present evidentiary values in court are often refuted as baseless and inadmissible evidences which is not considering the input spent. These spendings is to generate the reports no matter they are well-grounded evidences or not. Thus, this paper presents the Scenario Reconstruction Method combines the Viterbi algorithm, the most likely sequence of Meta evidence which replaces the Meta evidence was acquired. With suspected evidence, thus obtaining the chain of evidence. However, the Viterbi algorithm parameters is derived from the Baum-Welch (B-W) algorithm, and the B-W algorithm is easy to fall into local optima solution. While an Adaptive Genetic Algorithm (AGA) is used to estimate parameters of the Hidden Markov model (HMM), where Chromosome coding method and genetic operation mode are designed. The experimental results show that, this method can accurately reproduce the crime scene of network intrusion, compared with the network forensic evidence fusion method which is based on the HMM. The method has been applied to forensics system, and has obtained good result.