
Detailed record

Title: Host Risk Assessment Platform Based on Discrete Wavelet Transform and Profiling Analysis
Author: 林俊吾
Author (romanized): Jiunn-Wu Lin
Institution: National Sun Yat-sen University
Department: Department of Information Management
Advisor: 陳嘉玫
Degree: Doctoral
Year of publication: 2020
Keywords: Cloud Computing; Event Analysis System; Behavior Profiling; Profiling Analysis; Discrete Wavelet Transform; Risk Assessment; Random Forest
Original link: link to the record in the original system
Citation statistics:
  • Cited by: journal articles (0), doctoral theses (0), monographs (0), monograph chapters (0)
  • Excluding self-citations: 0
  • Co-citations: 0
  • Views: 1
Abstract:
Enterprises face complex and constantly changing attack techniques from hacker groups and must keep strengthening their in-house security defenses to protect against them. Today's security appliances have extended their defenses to the application layer, yet most of them rely on signature rules to detect known attacks and are helpless against complex, varied, new or unknown attacks; appliances based on signature matching therefore cannot effectively block and intercept such attacks. To detect new forms of attack on enterprise servers, heterogeneous log files must be analyzed and correlated to identify attack behavior against the host. As the number of single-purpose security appliances grows, the volume of appliance logs to be analyzed grows explosively, which makes profiling a server and consolidating logs of different formats to find attack records difficult and complex.
To detect new forms of hacker attack on enterprise servers, this study observes the server's network behavior to find traces that deviate from its everyday behavior, with the aim of detecting attacks on the server. The server's network behavior is modeled by profiling: 17 characteristic behaviors of the server are profiled, models of normal and abnormal network behavior are built with the DWT and self-developed mathematical equations, and finally the connection records exhibiting abnormal network behavior are identified with a random forest. Identifying abnormal server network behavior requires analyzing and comparing normal and abnormal behavior across a large volume of heterogeneous logs. The log collection and analysis platform in this study uses a distributed cloud architecture in which security appliance records are actively streamed into the cloud analysis platform; the distributed design improves the reliability of record collection and the efficiency of learning and analysis. The computing and analysis environment is built on Spark, giving the system the advantages of distributed computing: it can quickly analyze and process huge volumes of records through a visual interface, and by combining a distributed cloud architecture with profiling analysis and a machine learning prediction mechanism it achieves early warning.
Experimental results show that the proposed detection system can give earlier warning of unknown attacks threatening servers than existing security appliances or a SOC. Through the server detection alerts issued by the system, an organization's information security staff can more readily discover potential attack threats against servers and block security incidents before they occur, reducing the economic or reputational losses such incidents cause.
Abstract (English):
Enterprises face the sophisticated and varied methods of attack by hacker organizations and must continue to strengthen their defense equipment to protect enterprises from hackers. The scope of defense of security protection equipment also extends to the application layer, and most current security equipment uses feature rules to defend against known attacks, but for complex and variable new or unknown attacks, information security equipment based on feature-rule comparison cannot effectively block and intercept the attack. In order to detect new forms of attack on enterprise hosts, the threat of host attacks is identified by analyzing heterogeneous log files and consolidating them using association analytics. Faced with the increase in a variety of single-function security equipment, the amount of log file data to be analyzed also increases, which makes it difficult and complex to profile the host and consolidate the collection of different log file formats in order to find the record of the attack.
In order to detect new forms of hacking against enterprises, this study observes the behavior of the server network to find behavior that deviates from normal weekday behavior, with the aim of detecting possible attack behavior. This study models the network behavior of the server in the form of a profile covering 17 different characteristic behaviors of the profiled host, establishes the network behavior model of the server by DWT and self-built mathematical equations, and finally finds the warnings of abnormal network behavior through the random forest. In order to identify anomalies in the server's network behavior, the comparison of normal behavior and abnormal behavior must be analyzed over a large number of heterogeneous log files. The cloud collection and analysis platform for this research's log files is based on a distributed cloud architecture, and equipment records are collected and transmitted through a real-time streaming mechanism, with the aim of improving the reliability of the system and the efficiency of analysis.
This study integrates Spark's computing environment, which has the advantages of supporting in-memory computing and distributed operation, and can quickly analyze records with a machine learning prediction mechanism through a distributed architecture in the cloud to achieve early warning and identify new forms of attack on enterprise servers.
Experimental results show that the proposed detection system can alert on an unknown attack threatening the server earlier than existing equipment or a SOC. Enterprise organizations can use the server detection alerts issued by the system to help their information security personnel detect the threat of a possible server attack and prevent the information security incident from occurring, in order to reduce the economic or reputational damage caused by the security incident.