Responsive image
博碩士論文 etd-0515121-162740 詳細資訊
Title page for etd-0515121-162740
論文名稱
Title
基於機器學習分析之整合鑑識系統
A Machine Learning Based Analyzing Integrated Forensics
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
67
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2021-05-03
繳交日期
Date of Submission
2021-07-08
關鍵字
Keywords
數位鑑識、自動化分析、惡意偵測、工具整合、資安應變
Digital Forensics, Automatic analysis, Malware Detection, Tools Integrate, Incidents Response
統計
Statistics
本論文已被瀏覽 468 次,被下載 0
The thesis/dissertation has been browsed 468 times, has been downloaded 0 times.
中文摘要
隨著網路世界的蓬勃發展,電子設備的功能也越來越強大,大部分的企業與組織也仰賴科技產品來維持商業行為以及行銷方案。而在企業的伺服器中往往存有許多消費者的隱私資料和企業機密,若是遭到駭客的攻擊,往往會造成企業或是組織的商譽嚴重受損以及金錢損失。不但國家甚至企業面臨資安人才嚴重短缺的情況,在有限的人力和緊迫時間壓力下,私人企業、政府機關人員和一般使用者常常在攻擊時不知所措,藉由數位鑑識調查的幫助,得以在攻擊階段將損害降低不要擴大。數位鑑識,又稱為電腦鑑識,係指資安事件發生後,找尋駭客所遺留下來的足跡,藉此找到犯罪證據。然而駭客的手法越來越複雜,多種數位證據能幫助鑑識人員還原事件全貌。
本研究提出一套基於機器學習分析之整合鑑識系統,蒐集多種數位證據,包含網路證據、處理程序、Windows登錄檔、Windows事件紀錄檔以及Sysmon事件紀錄檔,並使用機器學習與關聯分析方法對其做分析。透過XGBoost所訓練出來的模型以及知識庫(Knowledge Base)來進行網路封包分析,提供快速且精準的數位證據給鑑識人員參考。除此之外,本系統整合其他學者的系統,透過關聯式分析,將兩位學者的處理程序相關數位證據與網路證據整合,提供鑑識人員更全面的鑑識報告。
最後藉由偵測模組實驗、多種良性軟體與惡意軟體的實驗、使用著名資料集進行驗證、不同時間惡意程式數位證據的實驗、與專業鑑識報告的比較以及與商用鑑識軟體的成效比較,證實本研究的系統可協助鑑識人員進行鑑識與分析。實驗結果顯示,網路證據偵測模型有99.01%的準確度和99.97%的召回率,能有效地找到惡意網路行為,整合系統也能分析多種數位證據並找到多種惡意行為。


關鍵字: 數位鑑識、自動化分析、惡意偵測、工具整合、資安應變
Abstract
With the emerge of internet and computational power increment of electronic equipment, most enterprises and organizations have implemented IT for daily business operations and sale solutions. In that case, many personal private credentials and business secrets are stored in servers. Once the servers are under cyber-attacks, the organizations or enterprises may encounter severe reputation detriment and financial loss. Not only governments and even enterprises are facing a serious shortage of information security talents. Under the pressure of limited manpower and urgent time, private enterprises, government agencies and general users are often at a loss when attacking. With the help of digital forensic investigations, In the early stages of the attack, the damage should be reduced and not expanded. Digital forensics, also known as computer forensics, is to search the criminal tracks left by hackers after incidents. However, hackers nowadays are much more sophisticated, resulting in the accumulative burdens for first front digital investigators owing to evidence being scattered around different devices and locations.
This research develops a machine learning based analyzing integrated forensic system, which collects multiple digital evidences including network evidences, process evidences, registry evidences, Windows Event Log files and Sysmon Event Log files, analyzes the evidences by using machine learning and correlation analysis approach. Providing fast and precise analysis results of network packets for digital investigators by utilizing model trained by XGBoost and knowledge base. In addition, this research integrates the systems of other scholars by correlation analysis approach , which integrates the digital evidence related to the process evidence of the two scholars with the network evidence. Thus, the proposed system will provide detailed forensic reports to aid digital investigators.
The experimental results show that this research can accurately assist forensics staff. Experimental results show that the network evidence detection model has an accuracy of 99.01% and a recall rate of 99.97%, which can effectively find malicious network behaviors. The integrated forensic system can also analyze a variety of digital evidence and find a variety of malicious behaviors.

Keywords: Digital Forensics, Automatic analysis, Malware Detection, Tools Integrate,Incidents Response
目次 Table of Contents
論文審定書 ....................................................................................................................i
摘要 ...............................................................................................................................ii
Abstract.........................................................................................................................iii
目錄 ..............................................................................................................................iv
圖目錄 ..........................................................................................................................vi
表目錄 .........................................................................................................................vii
第 1 章 、緒論 ...........................................................................................................1
1.1 研究背景......................................................................................................................... 1
1.2 研究動機......................................................................................................................... 2
第 2 章 、文獻探討 ...................................................................................................5
2.1 鑑識流程........................................................................................................................ 5
2.2 數位證據........................................................................................................................ 6
2.3 網路封包........................................................................................................................ 7
2.4 數位鑑識工具.............................................................................................................. 10
2.5 機器學習...................................................................................................................... 14
第 3 章 、研究方法 .................................................................................................17
3.1 證據蒐集模組.............................................................................................................. 19
3.2 網路證據分析模組...................................................................................................... 20
3.3 關聯與分析模組.......................................................................................................... 24
3.4 匯出報告...................................................................................................................... 29
第 4 章 、系統評估 .................................................................................................30
4.1 實驗 1 網路證據分析模組偵測模型實驗結果 .......................................................... 34
4.2 實驗 2 網路證據分析模組偵測模型的成效 ............................................................. 36
4.2.1 良性軟體與惡意軟體紀錄................................................................................. 37
4.2.2 著名惡意軟體鑑識 ........................................................................................... 38
4.2.3 與著名資料集 UNSW-NB15 和 CICIDS2017 進行驗證................................ 40
4.3 實驗 3 不同時間惡意程式數位證據.......................................................................... 41
4.4 實驗 4 鑑識報告比較.................................................................................................. 44
4.5 實驗 5 與其他系統比較.............................................................................................. 47
第 5 章 、結論與未來展望 .....................................................................................49
參考資料 .....................................................................................................................51
附錄 .............................................................................................................................54
參考文獻 References
[1] 羅正漢. (2019). 【徹底揭露2019年臺灣最大規模病毒攻擊事件】勒索軟體衝擊!全臺醫療院所資安拉警報. Available: https://www.ithome.com.tw/news/134108
[2] 潘乃欣. (2019). 每月偵測1.5億次網路攻擊 台灣AI雲獲兩大資安認證. Available: https://udn.com/news/story/7088/4154640
[3] 劉煥彥. (2020). 「所有連假都是中國駭客攻擊台灣的重要時刻!」 5月全台加油站大當機 調查局攜手FBI三個月破案. Available: https://www.businesstoday.com.tw/article/category/80392/post/202009300038/%E3%80%8C%E6%89%80%E6%9C%89%E9%80%A3%E5%81%87%E9%83%BD%E6%98%AF%E4%B8%AD%E5%9C%8B%E9%A7%AD%E5%AE%A2%E6%94%BB%E6%93%8A%E5%8F%B0%E7%81%A3%E7%9A%84%E9%87%8D%E8%A6%81%E6%99%82%E5%88%BB%EF%BC%81%E3%80%8D%205%E6%9C%88%E5%85%A8%E5%8F%B0%E5%8A%A0%E6%B2%B9%E7%AB%99%E5%A4%A7%E7%95%B6%E6%A9%9F%E3%80%80%E8%AA%BF%E6%9F%A5%E5%B1%80%E6%94%9C%E6%89%8BFBI%E4%B8%89%E5%80%8B%E6%9C%88%E7%A0%B4%E6%A1%88
[4] Pin. 一鍵風暴》我們與資安風險的距離!數十兆元地下經濟來自你我的輕忽. Available: https://technews.tw/2020/11/19/information-security-special-story/
[5] K. Kent, S. Chevalier, T. Grance, and H. J. N. S. P. Dang, "Guide to integrating forensic techniques into incident response," vol. 10, no. 14, pp. 800-86, 2006.
[6] Encase. Available: https://security.opentext.com/encase-forensic
[7] R. M. Mohammad, "A neural network based digital forensics classification," in 2018 IEEE/ACS 15th International Conference on Computer Systems and Applications (AICCSA), 2018, pp. 1-7: IEEE.
[8] M. Elkin, "Nature of fraud and computer misuse in England and Wales: year ending March 2019," 2019.
[9] R. Hunt and S. J. C. Zeadally, "Network forensics: an analysis of techniques, tools, and trends," vol. 45, no. 12, pp. 36-43, 2012.
[10] Z. X. Tsai, "自動化資安事件應變之鑑識系統," 2018.
[11] G. H. Syu, "分析系統記錄檔的神經網路為基礎之鑑識系統," 2019
[12] S. Dogan and E. Akbal, "Analysis of mobile phones in digital forensics," in 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2017, pp. 1241-1244: IEEE.
[13] H. Park, S. Cho, and H.-C. Kwon, "Cyber forensics ontology for cyber criminal investigation," in International Conference on Forensics in Telecommunications, Information, and Multimedia, 2009, pp. 160-165: Springer.
[14] MITRE ATT&CK. Available: https://attack.mitre.org/
[15] PCAP Collection. Available: https://shield.mitre.org/techniques/DTE0028/
[16] Data Transfer Size Limits. Available: https://attack.mitre.org/techniques/T1030/
[17] Data Obfuscation. Available: https://attack.mitre.org/techniques/T1001/
[18] Automated Exfiltration. Available: https://attack.mitre.org/techniques/T1020/
[19] Ingress Tool Transfer. Available: https://attack.mitre.org/techniques/T1105/
[20] A. Lubis and A. P. U. J. I. J. C. E. Siahaan, "Network Forensic Application in General Cases," vol. 18, no. 6, pp. 41-44, 2016.
[21] R. CHANDEL, "Network Packet Forensic using Wireshark," CYBER FORENSICS JANUARY 6 2018.
[22] T. M. M. Thomas Mitchell, Machine Learning (1st Edition). 1997.
[23] A. BACHAR, N. EL MAKHFI, and O. E. Bannay, "Towards a behavioral network intrusion detection system based on the SVM model," in 2020 1st International Conference on Innovative Research in Applied Science, Engineering and Technology (IRASET), 2020, pp. 1-7: IEEE.
[24] A. Boukhalfa, A. Abdellaoui, N. Hmina, H. J. I. J. o. E. Chaoui, and C. Engineering, "LSTM deep learning method for network intrusion detection system," vol. 10, 2020.
[25] K. Greff, R. K. Srivastava, J. Koutník, B. R. Steunebrink, J. J. I. t. o. n. n. Schmidhuber, and l. systems, "LSTM: A search space odyssey," vol. 28, no. 10, pp. 2222-2232, 2016.
[26] T. K. Ho, "Random decision forests," in Proceedings of 3rd international conference on document analysis and recognition, 1995, vol. 1, pp. 278-282: IEEE.
[27] N. Farnaaz and M. J. P. C. S. Jabbar, "Random forest modeling for network intrusion detection system," vol. 89, no. 1, pp. 213-217, 2016.
[28] T. Chen and C. Guestrin, "Xgboost: A scalable tree boosting system," in Proceedings of the 22nd acm sigkdd international conference on knowledge discovery and data mining, 2016, pp. 785-794.
[29] S. S. Dhaliwal, A.-A. Nahid, and R. J. I. Abbas, "Effective intrusion detection system using XGBoost," vol. 9, no. 7, p. 149, 2018.
[30] 維基百科編者. Wireshark. Available: https://zh.wikipedia.org/wiki/Wireshark
[31] Cisco joy. Available: https://developer.cisco.com/codeexchange/github/repo/cisco/joy/
[32] Zeek. Available: https://docs.zeek.org/en/current/index.html
[33] CICFlowMeter. Available: https://github.com/ahlashkari/CICFlowMeter
[34] 臺灣學術網路危機處理中心團隊(TACERT)製, "個案分析–礦工木馬 PhotoMiner 病毒 感染校園主機事件分析報告," 1 月 2019
[35] mjcaparas. (2020). 了解威脅情報概念. Available: https://docs.microsoft.com/zh-tw/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts
[36] ISC Suspicious Domains. Available: https://isc.sans.edu/suspicious_domains.html
[37] Vxvault. Available: http://vxvault.net/ViriList.php
[38] us-cert. Available: https://us-cert.cisa.gov/
[39] VirusShare.com - Because Sharing is Caring. Available: https://virusshare.com/
[40] 臺灣學術網路危機處理中心團隊(TACERT), "NSA 攻擊工具事件分析報告," 6月 2019.
[41] W. Schroeder, Warner, J., Nelson, M. (n.d.), "Github PowerShellEmpire."
[42] M. Rouse, "port scan (port scan attack)," December 2019.
[43] 黃彥棻, "歐洲刑警破獲金融木馬駭客集團,偷遍全球洗錢近7千萬," 2015.
[44] J. Ellis. (2021). Sharp Increase in Emotet, Ransomware Droppers. Available: https://info.phishlabs.com/blog/sharp-increase-in-emotet-ransomware-droppers
[45] N. Moustafa and J. Slay, "UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)," 2015 military communications and information systems conference (MilCIS), pp. 1-6, 2015.
[46] A. H. L. Iman Sharafaldin, and Ali A. Ghorbani, "Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization," 4th International Conference on Information Systems Security and Privacy (ICISSP), Portugal, January 2018.
[47] U. Azad, "Sleuth Kit Autopsy in-depth tutorial," Forensics 2020.
[48] J.-U. Lee and W.-Y. Soh, "Comparative analysis on integrated digital forensic tools for digital forensic investigation," in IOP Conference Series: Materials Science and Engineering, 2020, vol. 834, no. 1, p. 012034: IOP Publishing.
[49] 王旭正、柯宏叡、黃嘉宏、陳世豪、張躍瀚, "資安事件之電腦鑑識即時應變工具使用研究," 2006電子商務與數位生活研討會, 2006.

電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:自定論文開放時間 user define
開放時間 Available:
校內 Campus:開放下載的時間 available 2026-07-08
校外 Off-campus:開放下載的時間 available 2026-07-08

您的 IP(校外) 位址是 3.144.114.8
現在時間是 2024-11-21
論文校外開放下載的時間是 2026-07-08

Your IP address is 3.144.114.8
The current date is 2024-11-21
This thesis will be available to you on 2026-07-08.

紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 2026-07-08

QR Code