主機端點之日誌分析及異常偵測

Abstract

中文摘要 對於有使用資訊科技的公司來說，資訊安全的議題往往至關重要。資訊設備每天產生大量的日誌，而這些日誌當中常常隱含了一些重要訊息，能讓資訊人員透過觀察這些日誌，知曉使用者的行為、網路流量是否發生異常，系統的停機時間、資安政策是否有被遵循、公司內部威脅等。如果管理者有做好日誌監控的流程的話，許多攻擊往往可以在早期就被偵測出來，亦或者根本不會有機會發生。因此，本篇論文以日誌做為分析資料，提出了一個偵測使用者行為異常的演算法，目的為偵測使用者在一段執行期間內，是否有行為異常。考慮到作業系統的使用人數，本篇論文將專注於研究Windows作業系統的日誌格式。Windows日誌事件有其標準的格式，它對於每一種事件都會鉅細靡遺的記錄所有資訊，是偵測資訊安全事件非常有用的資訊來源之一，但受限於它過於複雜的格式，以及數量龐大的日誌種類，有時候這些日誌事件難以被有效的使用。因此，本篇論文從眾多的日誌種類當中，挑出與稽核及系統有關較為重要的日誌事件，以解決日誌種類過多的問題；此外，本篇論文為每個挑選出來的日誌事件創造綱要，以萃取出該種日誌事件的重要資訊，解決日誌事件格式複雜的問題；最後，本篇論文提出一個演算法以偵測一段執行期間，使用者行為異常發生的時間點，達成異常偵測之目的。

Security is one of the biggest concerns of any company that has IT infrastructure. Organizations’ IT infrastructure generate huge amount of logs every day and these machine generated logs have vital information that can provide powerful insights and network security intelligence into user behaviors, network anomalies, system downtime, policy violations, internal threats, regulatory compliance, etc. Many attacks would not have happened or would have been stopped at the early stage if administrators cared to monitor the logs. Hence, in this thesis, we take log data as analysis data, proposed an anomaly detection algorithm to detect any user’s behavior abnormality over a period of time. Taking into account the number of users, we focus on the windows log format (Windows event log). Windows event log is a very useful source of data for security information, but sometimes can be nearly impossible to use due to the complexity of log data and many kinds of the events. To solve the problem of too many kinds of log event, we select important event log about audit and system. Then, to solve the problem of the complexity of log data format, we create many schemas to extract important information from different kinds of event logs. Last, we proposed a log analysis algorithm to detect any anomalous user behavior in a period of time.