Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/77681
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 孫雅麗 | |
dc.contributor.author | CHAN-CHI YEH | en |
dc.contributor.author | 葉展奇 | zh_TW |
dc.date.accessioned | 2021-07-10T22:15:34Z | - |
dc.date.available | 2021-07-10T22:15:34Z | - |
dc.date.copyright | 2017-09-04 | |
dc.date.issued | 2017 | |
dc.date.submitted | 2017-08-17 | |
dc.identifier.citation | 1. J. P. Morgan data breach. Available from: https://en.wikipedia.org/wiki/2014_JPMorgan_Chase_data_breach 2. W. Xu et al. Detecting large-scale system problems by mining console logs. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (Big Sky, MT, Oct. 2009). 3. OSSEC. Available from: http://ossec.github.io/index.html 4. Linux world top 5 security. 2007. Available from: http://www.linuxworld.com/news/2007/031207-top-5-security.html 5. Windows registry introduction. Available from: http://jonghsin.pixnet.net/blog/post/3950800-Regedit登錄檔結構完整教學 6. Windows event log. Available from: https://technet.microsoft.com/en-us/library/cc722404(v=ws.11).aspx 7. C. Simache, M. Kaniche, and A. Saidane. Event Log based Dependability Analysis of Windows NT and 2K Systems. In Proceedings of the 2002 Pacific Rim International Symposium on Dependable Computing (PRDC'02), December 2002. 8. Usage share of operating systems. Available from: https://en.wikipedia.org/wiki/Usage_share_of_operating_systems 9. Windows event logging API. Available from: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385784(v=vs.85).aspx 10. P. K. Sahoo et al. Research Issues on Windows Event Log. International Journal of Computer Applications (0975-8887), 19, March 2012. 11. Event Viewer. Available from: https://technet.microsoft.com/en-us/library/aa996634(v=exchg.65).aspx 12. MSDN (Microsoft Developer Network). Available from: https://msdn.microsoft.com/ 13. Description of security events. Available from: https://support.microsoft.com/en-us/help/977519/description-of-security-events-in-windows-7-and-in-windows-server-2008-r2 14. TechNet. Available from: https://technet.microsoft.com/zh-tw/ms376608.aspx 15. Windows Update. Available from: https://en.wikipedia.org/wiki/Windows_Update 16. Windows user rights list. Available from: https://technet.microsoft.com/en-us/library/dd277404.aspx 17. T.-F. Yen, A. Oprea, K. Onarlioglu, T. Leetham, W. Robertson, A. Juels, and E. Kirda. Beehive: Large-scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks. In Proceedings of the 29th Annual Computer Security Applications Conference, pages 199–208. ACM, 2013. 18. J. Dwyer and T. M. Truta. Finding anomalies in Windows event logs using standard deviation. In 2013 9th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom). 19. W. Li, "Automatic Log Analysis using Machine Learning: Awesome Automatic Log Analysis version 2.0", Master's thesis, Uppsala Universitet, Department of Information Technology, Report number IT 13 080, November 2013. Available from: http://uu.diva-portal.org/smash/get/diva2:667650/FULLTEXT01.pdf 20. J. Iglesias, P. Angelov, A. Ledezma, and A. Sanchis, "Creating evolving user behavior profiles automatically," IEEE Trans. Knowl. Data Eng., vol. 24, no. 5, pp. 854–867, May 2012. 21. Y. Chen and B. Malin. Detection of anomalous insiders in collaborative environments via relational analysis of access logs. In Proceedings of the 1st ACM Conference on Data and Application Security and Privacy, ACM, 2011, pp. 63–74. 22. X. Wu, V. Kumar, J. R. Quinlan, J. Ghosh, Q. Yang, H. Motoda, G. J. McLachlan, A. F. M. Ng, B. Liu, P. S. Yu, Z.-H. Zhou, M. Steinbach, D. J. Hand, and D. Steinberg, "Top 10 Algorithms in Data Mining," Knowledge and Information Systems, vol. 14, no. 1, pp. 1–37, 2008. 23. R. Shiffler (1988). Maximum Z scores and outliers. American Statistician, 42, 79–80. | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/77681 | - |
dc.description.abstract | Chinese abstract: For companies that use information technology, information security is often a critical issue. IT equipment generates a large volume of logs every day, and these logs frequently carry important information that lets IT staff, by examining them, learn about user behavior, whether network traffic is anomalous, system downtime, whether security policies are being followed, insider threats within the company, and so on. If administrators have a sound log-monitoring process in place, many attacks can be detected at an early stage or never get the chance to happen at all. This thesis therefore takes logs as its analysis data and proposes an algorithm for detecting anomalous user behavior, with the goal of detecting whether a user behaves abnormally during a given execution period. Considering the number of users of each operating system, this thesis focuses on the log format of the Windows operating system. Windows event logs have a standard format and record every detail of every kind of event, which makes them one of the most useful information sources for detecting security incidents; however, because of their overly complex format and the enormous number of log types, these log events are sometimes hard to use effectively. This thesis therefore selects, from the many log types, the more important audit- and system-related log events, which addresses the problem of too many log types; in addition, it creates a schema for each selected log event to extract that event type's important information, which addresses the problem of the complex log format; finally, it proposes an algorithm that detects the points in time during an execution period at which a user's behavior becomes anomalous, achieving the goal of anomaly detection. | zh_TW |
dc.description.abstract | Security is one of the biggest concerns of any company that has IT infrastructure. An organization's IT infrastructure generates huge amounts of logs every day, and these machine-generated logs carry vital information that can provide powerful insights and network security intelligence into user behavior, network anomalies, system downtime, policy violations, internal threats, regulatory compliance, etc. Many attacks would not have happened, or would have been stopped at an early stage, if administrators had cared to monitor the logs. Hence, in this thesis we take log data as our analysis data and propose an anomaly detection algorithm to detect any abnormality in a user's behavior over a period of time. Taking into account the number of users, we focus on the Windows log format (Windows event log). The Windows event log is a very useful source of security information, but it can sometimes be nearly impossible to use because of the complexity of the log data and the many kinds of events. To solve the problem of too many kinds of log events, we select the important event logs related to audit and system. Then, to solve the problem of the complex log data format, we create many schemas to extract important information from the different kinds of event logs. Last, we propose a log analysis algorithm to detect any anomalous user behavior over a period of time. | en |
dc.description.provenance | Made available in DSpace on 2021-07-10T22:15:34Z (GMT). No. of bitstreams: 1 ntu-106-R04725042-1.pdf: 3669344 bytes, checksum: 1327ac15ce249bc8f7af56f174ebd12a (MD5) Previous issue date: 2017 | en |
dc.description.tableofcontents | Oral Examination Committee Approval I; Acknowledgements II; Chinese Abstract III; Abstract IV; List of Figures VII; List of Tables X; Chapter 1 Introduction 1; Section 1 Research Background 1; Section 2 Research Motivation 1; Section 3 Research Contributions 2; Chapter 2 Literature Review 4; Section 1 OSSEC 4; 1.1 System Architecture 4; 1.2 Analysis Techniques and Workflow 5; Section 2 How to Extract Useful Data from Unstructured Log Messages into a Structured Dataset 14; Section 3 Selecting the Analysis Scope of the System Event Log Based on System Dependability Analysis Literature 17; Chapter 3 Host Domain Operation Monitoring and Log Analysis Preparation 20; Section 1 System Environment 20; Section 2 Windows Log Management 21; 2.1 Windows Event Logging Workflow 21; 2.2 Windows Event Log Types 22; 2.3 Windows Event Log Format 23; Section 3 Research Scope 24; 3.1 Security Event Log Analysis Scope 24; 3.2 System Event Log Analysis Scope 28; Section 4 Converting Unstructured Data into Structured Data - Schema 34; Section 5 Applying the Derived Schemas in OSSEC 37; Chapter 4 Building User Behavior Profiles 42; Section 1 Unit of Analysis 42; Section 2 Selecting Important Information from Each Event's Description Fields 43; Section 3 Log Event Data Transformation 45; Section 4 Converting Log Events into Feature Vectors as User Behavior Profiles 47; Chapter 5 Anomaly Detection 49; Section 1 Preprocessing - Feature Standardization 50; Section 2 Anomaly Analysis of Overall User Behavior 50; Chapter 6 Experiments 54; Section 1 Data Source 54; Section 2 Experiment Design 55; Section 3 Experimental Results 56; Chapter 7 Conclusions and Suggestions 60; References 61; Appendix 63; A. List of Selected Security Event Log Events 63; B. List of Schemas 68 | |
dc.language.iso | zh-TW | |
dc.title | 主機端點之日誌分析及異常偵測 | zh_TW |
dc.title | Endpoint log analysis and anomaly detection | en |
dc.type | Thesis | |
dc.date.schoolyear | 105-2 | |
dc.description.degree | Master | |
dc.contributor.oralexamcommittee | 郁方,蕭舜文,陳孟彰 | |
dc.subject.keyword | user behavior,Windows event log,anomaly detection,schema,log analysis, | zh_TW |
dc.subject.keyword | user behavior,Windows event log,anomaly detection,schema of log,log analysis, | en |
dc.relation.page | 84 | |
dc.identifier.doi | 10.6342/NTU201703590 | |
dc.rights.note | Not authorized | |
dc.date.accepted | 2017-08-18 | |
dc.contributor.author-college | College of Management | zh_TW |
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
Appears in Collections: | Information Management |
Files in This Item:
File | Size | Format | |
---|---|---|---|
ntu-106-R04725042-1.pdf Currently not authorized for public access | 3.58 MB | Adobe PDF |
Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.