Title page for etd-0727120-090654 (thesis/dissertation record)
Title: Host risk assessment platform based on DWT and profile analysis (Chinese title: 基於離散小波轉換與側寫分析的主機風險評估平台)
Department:
Year, semester:
Language:
Degree:
Number of pages: 91
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2020-07-21
Date of Submission: 2020-08-27
Keywords: Risk Assessment, Random Forest, Discrete Wavelet Transform, Event Analysis System, Profiling Analysis, Cloud Computing
Statistics: The thesis/dissertation has been browsed 6253 times and downloaded 0 times.
Abstract
Enterprises face sophisticated and constantly changing attack techniques from hacker organizations and must keep strengthening the security defenses they operate. Today's security appliances extend protection to the application layer, but most of them detect known attacks by matching signature rules and are helpless against complex, changing, new or unknown attacks, so signature-based appliances cannot effectively block or intercept them. Detecting new types of attack against enterprise servers requires analyzing heterogeneous log files and correlating them to identify attack behavior against hosts. As the number of single-purpose security appliances grows, the volume of log data that has to be analyzed grows with it, which makes profiling servers and consolidating log files of different formats in order to find records of an attack difficult and complex.
To detect these new attacks on enterprise servers, this study observes a server's network behavior and looks for trajectories that deviate from its everyday behavior, with the aim of detecting attacks on the server. The server's network behavior is modeled by profiling: 17 different characteristic behaviors of the server are profiled, models of normal and abnormal network behavior are built with the discrete wavelet transform (DWT) and self-built mathematical equations, and a random forest then identifies the connection records that exhibit abnormal network behavior. Identifying abnormal server behavior requires comparing normal and abnormal behavior across large volumes of heterogeneous logs. The log collection and analysis platform of this study is built on a distributed cloud architecture: security appliance records are streamed into the cloud analysis platform in real time, and the distributed design improves the reliability of record collection and the efficiency of learning and analysis. The computing environment is built on Spark, which supports in-memory and distributed computing and can quickly analyze and process large volumes of records through a visual interface; the system combines the distributed cloud architecture, profiling analysis and a machine-learning prediction mechanism to achieve early warning of new attacks on enterprise servers.
Experimental results show that the proposed detection system can warn of unknown attacks threatening servers earlier than existing security appliances or a SOC. Using the server detection alerts issued by this system, an organization's information security personnel can discover threats of possible attacks on servers and block them before a security incident occurs, reducing the economic and reputational losses such incidents cause.
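The abstract names the DWT as the step that turns a server's per-feature behavior into a normal/abnormal model before the random forest stage. As an added illustration that is not code from the thesis (its 17 features, self-built equations and random forest stage are not reproduced here), the block below applies a one-dimensional Haar DWT to a constructed series of hourly connection counts for one host: the approximation band carries the slowly varying baseline, the detail band carries short bursts, and the detail-band energy of each window is used as an anomaly feature with a median-based threshold. The sample series, the window size of 8 hours and the "3x median" rule are assumptions made for the example.

```python
"""Haar DWT feature extraction over per-host connection counts (added example)."""
from statistics import median
from typing import Dict, List, Tuple

SQRT2 = 2 ** 0.5


def haar_dwt(signal: List[float]) -> Tuple[List[float], List[float]]:
    """One level of the orthonormal Haar DWT.

    Each adjacent pair (a, b) yields an approximation (a + b) / sqrt(2) and a
    detail (a - b) / sqrt(2). The signal length must be even.
    """
    if len(signal) % 2:
        raise ValueError("Haar DWT needs an even-length signal")
    approx, detail = [], []
    for i in range(0, len(signal), 2):
        a, b = signal[i], signal[i + 1]
        approx.append((a + b) / SQRT2)
        detail.append((a - b) / SQRT2)
    return approx, detail


def multilevel_haar(signal: List[float], levels: int) -> Tuple[List[float], List[List[float]]]:
    """Transform the approximation band repeatedly; stops early if the band becomes odd-length.

    details[0] is the finest (fastest-varying) band, the one that reacts to short bursts.
    """
    approx = list(signal)
    details: List[List[float]] = []
    for _ in range(levels):
        if len(approx) < 2 or len(approx) % 2:
            break
        approx, d = haar_dwt(approx)
        details.append(d)
    return approx, details


def band_energy(coeffs: List[float]) -> float:
    """Sum of squared coefficients. Because the Haar transform is orthonormal,
    approximation energy plus detail energy equals the energy of the input."""
    return sum(c * c for c in coeffs)


def window_features(series: List[float], window: int = 8, levels: int = 2) -> List[Dict[str, object]]:
    """Cut the series into non-overlapping windows and compute DWT features for each.

    'baseline' recovers the window mean from the final approximation band
    (each level scales the coefficients by sqrt(2)), 'detail_energy' lists the
    energy of every detail band, finest first.
    """
    feats: List[Dict[str, object]] = []
    for start in range(0, len(series) - window + 1, window):
        seg = series[start:start + window]
        approx, details = multilevel_haar(seg, levels)
        feats.append({
            "start": start,
            "baseline": sum(approx) / len(approx) / (SQRT2 ** len(details)),
            "detail_energy": [band_energy(d) for d in details],
        })
    return feats


def flag_anomalous_windows(series: List[float], window: int = 8, levels: int = 2,
                           factor: float = 3.0) -> List[int]:
    """Indices of windows whose finest-band detail energy exceeds factor x the median
    over all windows. The median keeps the threshold robust to the bursts themselves."""
    feats = window_features(series, window, levels)
    energies = [f["detail_energy"][0] for f in feats]
    threshold = factor * median(energies)
    return [i for i, e in enumerate(energies) if e > threshold]


# Constructed sample: 48 hourly outbound-connection counts for one host (assumption).
# Hours 27 and 28 carry a burst, the kind of short spike a signature rule does not
# see but that stands out in the Haar detail band.
_BASE = [20, 22, 19, 21, 20, 23, 18, 21]
SAMPLE_SERIES: List[float] = [float(v) for v in _BASE * 6]
SAMPLE_SERIES[27] = 190.0
SAMPLE_SERIES[28] = 185.0

if __name__ == "__main__":
    for f in window_features(SAMPLE_SERIES):
        print(f"hour {f['start']:2d}: baseline {f['baseline']:.1f}, "
              f"finest detail energy {f['detail_energy'][0]:.1f}")
    print("anomalous windows:", flag_anomalous_windows(SAMPLE_SERIES))
```

Only the burst window (index 3, hours 24 to 31) is flagged; the five quiet windows share the same small detail energy, so the median threshold stays low while the burst window's energy is three orders of magnitude higher. In a pipeline like the one the abstract describes, these per-window values would be one of the feature columns handed to the classifier rather than the final verdict.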
Table of Contents
Thesis approval form i
Abstract (Chinese) ii
Abstract iii
Table of Contents v
List of Figures viii
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 3
Chapter 2 Literature Review 5
2.1 Server Attack Methods 5
2.1.1 SMB Service Attacks 5
2.1.2 Remote Desktop Service Attacks 6
2.1.3 Cryptomining Malware Attacks 6
2.1.4 Targeted Attacks 7
2.1.5 Supply Chain Attacks 9
2.2 Profile-Based Anomaly Detection 9
2.3 Discrete Wavelet Transform 10
2.4 Random Forest 11
2.5 Risk Management 13
Chapter 3 Research Method 16
3.1 System Architecture 16
3.2 Profile Feature Model 17
3.3 Converting Feature Behavior into a 2D-DWT Model 31
3.4 Quantitative Server Risk Calculation Model 33
3.5 Combining Total Feature Risk with the Quantitative Risk Value 40
3.6 Random Forest Prediction Model 41
3.7 SMOTE Sample Synthesis 42
Chapter 4 System Evaluation and Experimental Results 43
4.1 System Specifications 43
4.2 Server Types in the Experimental Environment 44
4.3 Experiment 1: Comparison of Data Processing and Compression Efficiency 46
4.4 Experiment 2: Internal Server Interconnection Parameters 47
4.5 Experiment 3: Feature Threshold Calculation 47
4.5.1 Threshold for Connections to High-Risk Websites 48
4.5.2 Threshold for Number of C&C Connections 49
4.6 Experiment 4: Detection Model Effectiveness 49
4.6.1 Random Forest Experiment 50
4.6.2 Decision Tree 50
4.6.3 SVM 51
4.7 Experiment: SMOTE Balanced-Data Experiment 52
4.7.1 Random Forest, Decision Tree and SVM With and Without SMOTE 52
4.8 Experiment 6: System Comparison With and Without the Added Asset Risk Value 53
4.8.1 DWT + Random Forest: Experiment 1 53
4.8.2 DWT + Risk Value + Random Forest: Experiment 2 54
4.9 Experiment 7: Unprocessed Records Experiment 55
4.9.1 Prediction Results of Random Forest, Decision Tree and SVM on Unprocessed Records 55
4.9.2 Comparison of DWT-Processed Data and Unprocessed Raw Data 56
Chapter 5 Security Case Studies and Analysis 57
5.1 Comparison of This Study's System with Current Detection Systems 57
5.1.1 Matrix-Based Calculation of Evaluation Metrics and Detection Precision for the Three Detection Modes 59
5.1.2 Comparison in Detecting Major APT Attack Events 59
5.1.3 Comparison in Detecting Major Ransomware Attack Events 60
5.2 Comparison of This Study's Detection System with a Multiple-Regression Profile Detection Model 61
5.3 Prediction Effectiveness Illustrated by Major Attack Cases Detected by This Study 62
5.4 Regulatory Compliance Analysis Before and After Improvement 69
5.4.1 Differences in Regulatory Requirements 69
5.4.2 Validation of This Study's System and Existing Attack Detection Systems over the Experiment Period 70
5.4.3 Analysis of Attack Types in Experiment 1 and Experiment 2 71
Chapter 6 Conclusion and Future Work 75
Fulltext
This electronic full text is licensed only for personal, non-profit retrieval, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it, so as not to break the law.
Thesis access permission: user-defined release date
Available:
Campus: available for download from 2025-08-27
Off-campus: available for download from 2025-08-27

Printed copies
Public access information for printed copies is relatively complete for academic year 102 onward. To enquire about printed copies from academic year 101 or earlier, please contact the printed thesis service desk of the Library and Information Services Office. We apologize for any inconvenience.
Available from 2025-08-27
