Master's and Doctoral Theses: details for etd-0507121-170029
Title page for etd-0507121-170029
Title
Detection System Based on Active Directory Event Logs (original Chinese title: 基於Active Directory事件紀錄偵測系統)
Anomaly Detection Based on Active Directory Log Analysis System
Department
Year, semester
Language
Degree
Number of pages
59
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2021-05-03
Date of Submission
2021-06-07
Keywords
Active Directory, Privileged Account, Windows Event Log, Clustering, Association Rules
Statistics
This thesis has been browsed 408 times and downloaded 0 times.
Abstract (translated from the Chinese)
Enterprises today face increasingly sophisticated attacks, ranging from traditional network attack techniques to advanced persistent threats aimed at specific organizations. To defend against such complex attacks, enterprises deploy many security appliances, and with them comes a large volume of alerts produced by those appliances and servers. Most of these alerts record routine operations such as data backups or event log clearing, so security staff performing follow-up incident investigation and manual analysis spend excessive time handling false-positive alerts, which in turn lengthens the time an intruder can remain inside the enterprise.
To improve the efficiency of event log analysis and reduce the harm caused by security incidents, this study proposes a method for identifying critical alerts and event logs so that security staff can further analyze whether an anomaly exists. Active Directory servers are a primary target for attackers, whose aim is to obtain privileges that let them control internal enterprise resources and compromise the entire organization. The proposed method therefore focuses on identifying anomalous events of privileged accounts on the enterprise Active Directory server.
This study uses an outlier detection method with two stages: the first stage clusters the event logs, where each cluster represents the event logs of a routine scheduled task; the second stage mines the event sequences within each cluster to construct the normal behavior of privileged accounts. The proposed method is evaluated on event logs from a real enterprise. The experimental results show that the method effectively reduces the volume of event logs, identifies the higher-risk anomalous alerts, and detects previously undetected attack events earlier than the enterprise's existing security systems.
Abstract
Businesses face more challenging security risks than before, as cyberattacks have shifted from random attacks to advanced persistent threats carried out by professional attackers with well-planned, customized tactics. To protect against cyberattacks, multiple defense mechanisms have been deployed. The defense sensors and servers generate a massive volume of security alerts and event logs, most of which record routine administrative tasks such as data backup or clean-up. However, each alert and log record requires an administrator to examine it further to verify whether there is a breach. Such human examination is labor intensive and time consuming, while in most cases the records turn out to be benign. With limited time per day, administrators may not be able to finish inspecting all the alerts produced in a day.
To improve work efficiency and reduce security risk, this study proposes an approach to identifying the critical alerts and event logs that administrators should inspect further for signs of compromise. Active Directory is one of the most common targets of adversaries seeking to take control of an internal network. Therefore, the proposed method focuses on identifying abnormal events of privileged users on Active Directory.
The proposed method adopts an outlier detection approach and consists of two stages: the first stage categorizes the event logs into groups, where each group of event logs corresponds to a routine administrative task; the second stage mines the sequence of events in each group to construct the normal behaviors of the privileged users. This study evaluates the proposed method on a real dataset retrieved from an institute. The experimental results demonstrate that the proposed method efficiently reduces the number of log records to review, identifies anomalous log records, and could flag undetected attack events before the defense sensor does.
Table of Contents
Thesis Approval Form i
Thesis Public Authorization Form ii
Abstract (Chinese) iii
Abstract iv
Table of Contents v
List of Figures vii
List of Tables viii
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 2
Chapter 2 Literature Review 5
2.1 Anomaly Detection 5
2.2 ACTIVE DIRECTORY 7
2.3 WINDOWS EVENT LOGS 10
2.4 DBSCAN 12
2.5 Association Rule Analysis 13
Chapter 3 Research Method 15
3.1 System Architecture 16
3.2 Event Log Collection Module 17
3.3 Preprocessing Module 18
3.4 Profiling Module 19
3.4.1 Event Log Clustering 20
3.4.2 Association Rule Analysis 20
3.5 Detection Module 22
Chapter 4 System Evaluation 27
4.1 Experiment 1: Evaluating the Clustering of Scheduled-Task Event Logs 28
4.1.1 Parameter Evaluation Experiment 28
4.1.2 Event Log Clustering Results 29
4.1.3 Comparison of Clustering Results across Algorithms 30
4.2 Experiment 2: Sequence Pattern Matching and Parameter Experiment 32
4.3 Experiment 3: Simulated Attack Event Injection 33
4.4 Experiment 4: Comparison with Outsourced SOC Platform Alerts 35
4.4.1 SOC Platform Comparison 35
4.4.2 Risk Score Evaluation 40
4.4.3 Matching Attack Events against Existing Security Systems 40
4.4.4 Attack Case Analysis 42
4.4.5 High-Risk Alert Case Analysis 45
Chapter 5 Conclusion and Future Work 46
References 47
Appendix A. 50

Fulltext
This electronic full text is licensed to users only for personal, non-commercial searching, reading, and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost, or broadcast it without authorization.
Thesis access permission: user-defined release date
Available:
On campus: available for download from 2026-06-07
Off campus: available for download from 2026-06-07

Printed copies
Public access information for printed theses is relatively complete for academic year 102 and later. To look up public access information for printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Library and Information Services. We apologize for any inconvenience.
Available from 2026-06-07