建立系統日誌之 TTP 威脅狩獵深度學習模型

陳廷威; Ting-Wei Chen

請用此 Handle URI 來引用此文件： http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/97046

完整後設資料紀錄

DC 欄位	值	語言
dc.contributor.advisor	孫雅麗	zh_TW
dc.contributor.advisor	Yea-Li Sun	en
dc.contributor.author	陳廷威	zh_TW
dc.contributor.author	Ting-Wei Chen	en
dc.date.accessioned	2025-02-26T16:12:24Z	-
dc.date.available	2025-02-27	-
dc.date.copyright	2025-02-26	-
dc.date.issued	2025	-
dc.date.submitted	2025-01-20	-
dc.identifier.citation	[1] "Managing Information Security Risk: Organization, Mission, and Information System View," NIST SP 800-39, 2011. [2] P. Chen, L. Desmet and C. Huygens, "A Study on Advanced Persistent Threats," in Communications and Multimedia Security. CMS 2014., Springer, Berlin, Heidelberg., 2014. [3] F. Nalani, P. Fred, O. Jacqueline, C. Vincent, L. Raymond, P. Dan and S. Chi-en, "APT41: A Dual Espionage and Cyber Crime Operation," Mandiant, 7 August 2019. [Online]. Available: https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation. [4] N. Nelson, "Sandworm Cyberattackers Down Ukrainian Power Grid During Missile Strikes," DarkReading, 9 November 2023. [Online]. Available: https://www.darkreading.com/ics-ot-security/sandworm-cyberattackers-ukrainian-power-grid-missile-strikes. [5] 王宏仁, "【臺灣史上最大資安事件】深度剖析台積產線中毒大當機始末（上）," ithome, 10 August 2018. [Online]. Available: https://www.ithome.com.tw/news/125098. [6] The MITRE Corporation, "APT29 Emulation," GitHub, 2020. [Online]. Available: https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29. [Accessed July 2024]. [7] "A Scalable, Automated Adversary Emulation Platform," MITRE, 2023. [Online]. Available: https://caldera.mitre.org/. [8] "Process Monitor－Sysinternals," Microsoft Learn, 9 March 2023. [Online]. Available: learn.microsoft.com/en-us/sysinternals/downloads/procmon. [9] Bencherchali, Nasreddine; Roth, Florian; Burkard, Christian; Hubaut, François; Patzke, Thomas, "Sigma - Generic Signature Format for SIEM Systems," GitHub, December 2017. [Online]. Available: https://github.com/SigmaHQ/sigma. [Accessed July 2023]. [10] X. Han, T. Pasquier, A. Bates, J. Mickens and M. Seltzer, "Unicorn: Runtime provenance-based detector for advanced persistent threats," 2020. [Online]. Available: arXiv:2001.01525. [11] M. N. Hossain, S. M. Milajerdi, J. Wang, B. Eshete, R. Gjomemo, R. Sekar, S. D. Stoller and V. Venkatakrishnan, "SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data," In 26th USENIX Security Symposium (USENIX Security 17), pp. 487-504, 2017. [12] S. M. Milajerdi, R. Gjomemo, B. Eshete, R. Sekar and V. Venkatakrishnan, "HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows," 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137-1152, 2019. [13] Hassan, W. Ul, A. Bates and D. Marino, "Tactical Provenance Analysis for Endpoint Detection and Response Systems," 2020 IEEE Symposium on Security and Privacy (SP), pp. 1172-1189, 2020. [14] Bhattarai, Bibek and H. Huang, "SteinerLog: Prize Collecting the Audit Logs for Threat Hunting on Enterprise Network," Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, pp. 97-108, 2022. [15] A. Alsaheel, Y. Nan, S. Ma, L. Yu, G. Walkup, Z. B. Celik, X. Zhang and D. Xu, "ATLAS: A Sequence-based Learning Approach for Attack Investigation," 30th USENIX security symposium (USENIX security 21), pp. 3005-3022, 2021. [16] J. Zengy, X. Wang, J. Liu, Y. Chen, Z. Liang, T.-S. Chua and Z. L. Chua, "SHADEWATCHER: Recommendation-guided Cyber Threat Analysis using System Audit Records," 2022 IEEE Symposium on Security and Privacy (SP), pp. 489-506, 2022. [17] F. Yang, J. Xu, C. Xiong, Z. Li and K. Zhang, "PROGRAPHER: An Anomaly Detection System based on Provenance Graph Embedding," 32nd USENIX Security Symposium (USENIX Security 23), pp. 4355-4372, 2023. [18] C.-K. Chen, S.-C. Lin, S.-C. Huang, Y.-T. Chu, C.-L. Lei and C.-Y. Huang, "Building Machine Learning-based Threat Hunting System from Scratch," Digital Threats: Research and Practice (DTRAP), vol. 3, no. 3, pp. 1-21, 2022. [19] M. U. Rehman, H. Ahmadi and W. U. Hassan, "FLASH: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning," in 2024 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2024. [20] Z. Li, Q. A. Chen, R. Yang, Y. Chen and W. Ruan, "Threat detection and investigation with system-level provenance graphs: A survey," Computers & Security, vol. 106: 102282, 2021. [21] L. Cui and Y. Zhang, "Hierarchically-Refined Label Attention Network for Sequence Labeling," in In Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP), Hong Kong, China, 2019. [22] B. Luo, Y. Feng, Z. Wang, S. Huang, R. Yan and D. Zhao, "Marrying Up Regular Expressions with Neural Networks: A Case Study for Spoken Language Understanding," in In Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics, Melbourne, Australia, 2018. [23] R. Daszczyszak, D. Ellis, S. Luke and S. Whitley, "TTP-Based Hunting," MITRE Corporation, Annapolis Junction, Maryland, 2019. [24] "Targeted Attack Lifecycle," Mandiant, [Online]. Available: https://www.mandiant.com/resources/insights/targeted-attack-lifecycle. [25] Z. Wang, "A systematic literature review on cyber threat hunting," December 2022. [Online]. Available: arXiv:2212.05310. [26] L. Chen, R. Jiang, C. Lin and A. Li, "A Survey on Threat Hunting: Approaches and Applications," 7th IEEE International Conference on Data Science in Cyberspace, pp. 340-344, July 2022. [27] N. Lukova-Chuiko, A. Fesenko, H. Papirna and S. Gnatyuk, "Threat Hunting as a Method of Protection Against Cyber Threats," IT&I-2020 Information Technology and Interactions, pp. 103-113, December 2020. [28] X. Han, T. Pasquier and M. Seltzer, "Provenance-based Intrusion Detection: Opportunities and Challenges," 10th USENIX Workshop on the Theory and Practice of Provenance (TaPP 2018), 2018. [29] Angelosk; ranok Jacob Torrey, "Transparent Computing," GitHub, 2018. [Online]. Available: https://github.com/darpa-i2o/Transparent-Computing/tree/master. [Accessed May 2024]. [30] L. R. Rabiner, "A tutorial on hidden Markov models and selected applications in speech recognition," Proceedings of the IEEE, vol. 77, no. 2, pp. 257-286, 1989. [31] Lafferty, John, A. McCallum and F. Pereira, "Conditional random fields: Probabilistic models for segmenting and labeling sequence data.," Icml, vol. 1, no. 2, p. 3, 2001. [32] K. Cho, B. v. Merrienboer, C. Gulcehre, D. Bahdanau, F. Bougares, H. Schwenk and Y. Bengio, "Learning Phrase Representations using RNN Encoder-Decoder for Statistical Machine Translation," in Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP), 2014. [33] A. Vaswani, N. Shazeer, N. Parmar, J. Uszkoreit, L. Jones, A. N. Gomez, Ł. Kaiser and I. Polosukhin, "Attention is All you Need," in Advances in neural information processing systems 30, 2017. [34] Z. Xu, Z. Wu, Z. Li, K. Jee, J. Rhee, X. Xiao, F. Xu, H. Wang and G. Jiang, "High Fidelity Data Reduction for Big Data Security Dependency Analyses," in CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna Austria, 2016. [35] E. Aghaei, X. Niu, W. Shadid and E. Al, "Securebert: A domain-specific language model for cybersecurity," in International Conference on Security and Privacy in Communication Systems, 2022. [36] "Vx underground," [Online]. Available: https://vx-underground.org. [Accessed July 2024]. [37] "Virus Total," [Online]. Available: https://www.virustotal.com/gui/home/upload. [Accessed July 2024]. [38] "Faker: A python package for generating fake data," GiHub, [Online]. Available: https://github.com/joke2k/faker. [Accessed July 2024]. [39] "What Are Sigma Rules?," Picus Labs, July 2023. [Online]. Available: https://www.picussecurity.com/resource/glossary/what-is-sigma-rule. [40] NetworkX Contributors, "NetworkX," GitHub, [Online]. Available: https://github.com/networkx/networkx. [Accessed July 2024]. [41] J. Devlin, M.-W. Chang, K. Lee and K. Toutanova, "Bert: Pre-training of deep bidirectional transformers for language understanding," arXiv preprint, 2018. [Online]. Available: https://arxiv.org/abs/1810.04805.	-
dc.identifier.uri	http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/97046	-
dc.description.abstract	資安風險與威脅是數位時代最大的議題。如何利用有效地惡意威脅活動偵察、即早預警，達到主動式防禦（Proactive Defense），是目前全世界各國各領域的共識與希冀。而達到這個目標，我們認為深度掌握與充分瞭解惡意活動的特徵與所關連的各種系統、網路的資源接觸與操作是達到此目標的關鍵。本研究透過執行惡意攻擊腳本，收集其系統事件紀錄，標記出關鍵的攻擊手法 (Techniques) 等作業與行為特徵，建立MITRE ATT&CK攻擊手法辨識知識庫，並利用此知識庫訓練深度學習模型，進行以Technique為基準的威脅狩獵 (Technique-based Threat Hunting ) 任務。本研究分為兩階段，第一階段為建立 MITRE ATT&CK Technique 攻擊手法辨識知識庫，第二階段為利用知識庫的資料訓練深度學習模型完成 Technique 威脅狩獵的任務。在第一階段中，我們首先蒐集MITRE ATT&CK Technique 攻擊手法的系統日誌資料集。我們利用CALDERA 平台以及APT29 Evaluation 提供的多種 MITRE ATT&CK 攻擊手法標籤的攻擊腳本（Abilities），經由執行各個攻擊腳本，與利用Windows作業系統中的 Process Monitor收集其系統日誌（Audit log），並從中標記出關鍵的攻擊手法行為特徵。為了解決系統日誌資料量不足的問題，我們藉由替換攻擊手法行為特徵中的Artifacts（如user name、file name、C2 server IP等），擴增系統日誌資料集。此外，Sigma rules作為偵測Windows系統日誌的標準，也被納入知識庫的一部分。第二階段的重點在於開發能夠辨識系統日誌中MITRE Techniques攻擊手法的深度學習模型。我們首先將系統日誌建構成溯源圖，溯源圖可以有效地追蹤並理解事件發生的順序和因果關係，為了降低溯源圖的複雜度，我們採用了Causality Preserved Reduction (CPR)技術進行資料縮減。縮減後的資料經由SecureBERT轉換為詞嵌入(Embedding)作為模型輸入。本研究的模型使用序列模型結合注意力機制來進行威脅狩獵任務。此外，本研究探討了如何將由正則表達式（RE）組成的Sigma rules與深度學習模型結合，以增強模型對於Techniques的識別能力。研究結果顯示，我們的模型可以很好地從系統日誌中辨識出Technique攻擊手法，並且藉由Sigma rules與深度學習模型結合的方式，可以有效改善模型對於特定Techniques的辨識表現。	zh_TW
dc.description.abstract	Cybersecurity risks and threats are among the most pressing issues in the digital age. Achieving proactive defense through effective reconnaissance of malicious activities and early threat detection is a shared goal across nations and industries worldwide. We believe that a deep understanding of the characteristics of malicious activities and their interactions with various system and network resources is key to this goal. In this study, we executed malicious attack scripts to collect system audit logs, identifying MITRE ATT&CK Techniques and behavioral patterns, and constructed a knowledge base of MITRE ATT&CK Techniques. This knowledge base was then used to train deep learning models for Technique-based threat hunting. The research is divided into two stages. The first stage involves building a comprehensive knowledge base of MITRE ATT&CK Techniques. The second stage focuses on training deep learning models using this knowledge base to perform Technique-based threat hunting tasks. In the first stage, we collected a dataset of audit logs associated with MITRE ATT&CK Techniques. By leveraging the CALDERA platform and APT29 Evaluation, which provide various labeled attack scripts (abilities) corresponding to MITRE ATT&CK Techniques, we executed these scripts and used the Process Monitor tool in Windows to collect audit logs, identifying key behavioral characteristics of the Techniques. To address the issue of limited audit log data, we augmented the dataset by varying artifacts within the Technique behaviors (e.g., user names, file names, C2 server IPs). Additionally, Sigma rules, widely used for detecting Windows system logs, were incorporated into the knowledge base. The second stage focuses on developing a deep learning model capable of identifying MITRE Techniques within audit logs. We first constructed provenance graphs from the audit logs to effectively trace and understand the sequence and causal relationships of events. To manage the complexity of these provenance graphs, we employed Causality Preserved Reduction (CPR) techniques for data reduction. The reduced data was then transformed into embeddings via SecureBERT for input into the model. Our model utilizes a sequence-based architecture combined with an attention mechanism to perform threat hunting tasks. Furthermore, this study explores how integrating Sigma rules, composed of regular expressions (RE), with the deep learning model can enhance its ability to identify Techniques. The results demonstrate that our model can effectively identify MITRE Techniques from audit logs. Additionally, the integration of Sigma rules with the deep learning model significantly improves its performance in recognizing specific Techniques.	en
dc.description.provenance	Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-02-26T16:12:24Z No. of bitstreams: 0	en
dc.description.provenance	Made available in DSpace on 2025-02-26T16:12:24Z (GMT). No. of bitstreams: 0	en
dc.description.tableofcontents	Acknowledgement i 摘要 ii Abstract iv 目次 vi 圖次 ix 表次 x Chapter 1 研究動機與介紹 1 Chapter 2 研究背景 8 2.1. 威脅偵測方式介紹 8 2.1.1. 威脅特徵偵測 ( Signature-based detection ) 8 2.1.2. 異常偵測 ( Anomaly-based detection) 8 2.1.3. 攻擊戰術、手法暨程序威脅偵測 ( TTP-based detection, 後續簡稱 TTP 威脅偵測) 9 2.1.4. 威脅狩獵（Threat Hunting or Cyber Threat Hunting） 12 2.2. 基於溯源圖的異常偵測 13 2.3. 序列標註任務 15 Chapter 3 相關研究 17 3.1. Rule-based 相關研究 17 3.2. Learning-based 相關研究 19 3.3. 本研究與相關研究之差異 20 Chapter 4 研究方法 23 4.1. 背景介紹 25 4.1.1. CALDERA 25 4.1.2. Process monitor 與三元組表示 28 4.2. 建立 MITRE ATT&CK Technique 攻擊手法辨識知識庫 33 4.2.1. 系統日誌標記 33 4.2.2. Technique 攻擊執行軌跡 40 4.2.3. 擴增訓練資料 43 4.2.4. Sigma Rules 48 4.3. 建立 MITRE ATT&CK Technique 攻擊手法為基準的威脅狩獵深度學習模型 56 4.3.1. 溯源圖建立 57 4.3.2. 溯源圖縮減 (Graph Reduction) 57 4.3.3. 詞嵌入方式 (Embedding Module) 58 4.3.4. 深度學習模型 59 4.3.5. 融合 Sigma rules 資訊於深度學習模型 64 Chapter 5 實驗 67 5.1. BiGRU-LAN 於研究資料集的表現 (實驗一) 67 5.2. 消融實驗 (Ablation Study, 實驗二) 72 5.2.1. SecureBERT Embedding 在模型中的有效性 72 5.2.2. Label Representation在模型中的有效性 73 5.2.3. LAN在模型中的有效性 74 5.2.4. BiGRU在模型中的有效性 75 5.2.5. 消融實驗小結 76 5.3. Sigma rules的辨識結果資訊融入BiGRU-LAN 模型 76 5.3.1. 將辨識結果作為模型輸入的特徵資料，與三元組一起進入 BiGRU-LAN 模型訓練 (實驗三) 77 5.3.2. 將辨識結果作為特徵資料，加入模型的輸出層，以此為 BiGRU-LAN 模型輸出增添資訊 (實驗四) 81 5.4. BiGRU-LAN 模型能否有效從系統日誌中偵測 APT campaign，辨識其中使用的 Techniques？(實驗五) 85 Chapter 6 討論 89 6.1. Attention weight visualization 89 Chapter 7 結論 95 Chapter 8 未來研究方向 96 參考資料 97 Appendix A – 消融實驗完整數據 101 Appendix B – 模型參數量與訓練歷史 103 Appendix C – Synthetic Audit Log完整實驗數據 104	-
dc.language.iso	zh_TW	-
dc.subject	Technique威脅狩獵	zh_TW
dc.subject	溯源圖	zh_TW
dc.subject	深度學習	zh_TW
dc.subject	序列模型	zh_TW
dc.subject	注意力機制	zh_TW
dc.subject	序列標註	zh_TW
dc.subject	MITRE ATT&CK	zh_TW
dc.subject	Sequence Labeling	en
dc.subject	MITRE ATT&CK	en
dc.subject	Technique-based Threat Hunting	en
dc.subject	Provenance Graph	en
dc.subject	Deep Learning	en
dc.subject	Sequence Model	en
dc.subject	Attention Mechanism	en
dc.title	建立系統日誌之 TTP 威脅狩獵深度學習模型	zh_TW
dc.title	A Deep Learning Model for TTP-based Threat Hunting on Windows Audit Logs	en
dc.type	Thesis	-
dc.date.schoolyear	113-1	-
dc.description.degree	碩士	-
dc.contributor.oralexamcommittee	陳孟彰;黃意婷;李育杰;陳俊良	zh_TW
dc.contributor.oralexamcommittee	Meng-Chang Chen;Yi-Ting Huang;Yuh-Jye Lee;Jiann-Liang Chen	en
dc.subject.keyword	MITRE ATT&CK,Technique威脅狩獵,溯源圖,深度學習,序列模型,注意力機制,序列標註,	zh_TW
dc.subject.keyword	MITRE ATT&CK,Technique-based Threat Hunting,Provenance Graph,Deep Learning,Sequence Model,Attention Mechanism,Sequence Labeling,	en
dc.relation.page	111	-
dc.identifier.doi	10.6342/NTU202500110	-
dc.rights.note	同意授權(限校園內公開)	-
dc.date.accepted	2025-01-21	-
dc.contributor.author-college	管理學院	-
dc.contributor.author-dept	資訊管理學系	-
dc.date.embargo-lift	2025-02-27	-
顯示於系所單位：	資訊管理學系

文件中的檔案：

檔案	大小	格式
ntu-113-1.pdf 授權僅限NTU校內IP使用（校園外請利用VPN校外連線服務）	8.43 MB	Adobe PDF

顯示文件簡單紀錄

系統中的文件，除了特別指名其著作權條款之外，均受到著作權保護，並且保留所有的權利。